A growing patchwork of state-level regulations is reshaping how automakers and Tier-1 suppliers handle over-the-air (OTA) software updates and the vehicle data those updates generate, creating a fragmented compliance landscape already drawing enforcement actions. With three additional state comprehensive privacy laws - covering Indiana, Kentucky, and Rhode Island - taking effect on January 1, 2026, the compliance burden on automotive original equipment manufacturers (OEMs) is accelerating into mid-year and beyond.
Background
The automotive industry is entering an era in which vehicle-generated data is no longer viewed as a byproduct of innovation but as highly sensitive consumer information warranting strict regulatory oversight. In 2026, automakers should anticipate more aggressive enforcement, more state-specific rules, and greater pressure to demonstrate responsible data stewardship.
The issue is tightly coupled to OTA update capabilities. Automotive OTA software updating has become a cornerstone of the modern connected vehicle, enabling manufacturers to remotely deploy bug fixes, security patches, and new features. Because each update cycle can alter what data a vehicle collects, transmits, or processes, regulators increasingly treat OTA delivery as a trigger for fresh consent and disclosure obligations.
Autonomous and connected vehicles are governed by a patchwork of state-by-state requirements that vary on permitting, commercial operation standards, safety and data reporting obligations, and expectations for interactions with law enforcement and emergency responders. U.S. Transportation Secretary Sean Duffy has publicly acknowledged the problem, directing NHTSA to move swiftly in updating key federal requirements to provide clarity for developers, mitigate risks posed by divergent state laws, and streamline existing processes. No unified federal OTA disclosure standard has yet been finalized.
State-by-State Developments
California continues to set the highest bar. In March 2025, the California Attorney General announced an investigatory sweep examining privacy practices in the location data industry, focusing on whether businesses adequately provided consumers a right to opt out of the sale or sharing of precise geolocation data - classified as sensitive personal information under the California Consumer Privacy Act (CCPA). Enforcement kept pace: also in March 2025, the California Privacy Protection Agency (CPPA) entered a stipulated final order with an auto manufacturer, requiring the company to pay a $632,500 fine and change its data practices. Separately, California's pending AB 1833 - the Consumer Driving Data Protection Act of 2026 - would set explicit consent and privacy requirements for the collection and use of telematics data by insurers, with civil penalties and potential program suspension for violations.
Oregon moved faster on legislative reform. The Oregon Consumer Privacy Act's requirement to honor universal opt-out signals took effect in January 2026. Carmakers operating in Oregon must honor consumers' requests to access, delete, and opt out of the sale of vehicle-generated data, must recognize those opt-out signals, and must assess their use of minors' data and precise geolocation data.
Texas is pursuing enforcement through litigation rather than new statute. In January 2025, the Texas Attorney General sued an insurer and its analytics affiliate for "unlawfully collecting, using, and selling over 45 million Americans' driving data to insurance companies," citing violations of the Texas Data Privacy and Security Act, the Data Broker Law, and the Texas Insurance Code.
Connecticut and Virginia are adding further complexity. The Connecticut Attorney General's office announced it had issued dozens of violation notices and warning letters in 2025, focusing on connected vehicles and data revealing drivers' location and driving habits. On February 3, 2026, the Virginia Senate passed SB 338, which would amend Virginia's Consumer Data Protection Act to ban the sale of precise geolocation data.
At the federal level, the FTC has signaled the scope of its authority. A settlement between the FTC, General Motors, and OnStar, finalized in January 2026, includes a five-year ban on disclosing geolocation and driver behavior data to consumer reporting agencies and requires GM to provide customers the ability to disable geolocation data collection. The settlement indicates that federal regulators are prepared to apply traditional deception and unfairness authorities under Section 5(a) of the FTC Act to the connected-vehicle ecosystem.
Meanwhile, the Department of Commerce's Connected Vehicle Rule (CVR) adds a parallel compliance obligation tied specifically to software updates. With the rule's software prohibitions taking effect for model year 2027 vehicles - generally set for release in mid-2026 - OEMs have only months to ensure compliance. At a minimum, manufacturers and suppliers must maintain a full inventory of the hardware and software components used in any product connected to a CVR-regulated system, including Software Bills of Materials (SBOMs) covering all embedded code, libraries, and dependencies. Because every OTA release changes what actually runs on the vehicle, that inventory has to be kept current per release rather than produced once at launch.
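One practical check that follows from the inventory requirement above, as an added example that is not code from the article, any OEM, or any regulator: before an OTA campaign is released, confirm that every component the update manifest ships is recorded in the SBOM and that the bytes being shipped match both the manifest and the SBOM. The SBOM below uses CycloneDX JSON field names (components, purl, hashes); the update manifest layout, the component names, and the byte blobs standing in for firmware images are constructed for this example.

```python
"""Pre-release gate: is an OTA update package fully covered by the SBOM inventory?

Added example, not code from the original article or from any OEM's tooling.
The SBOM follows CycloneDX JSON field names; the manifest format, component
names and blobs are hypothetical.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a blob, the digest form CycloneDX records for SHA-256."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the binaries the update server would actually ship.
BLOBS = {
    "pkg:generic/tcu-baseband@4.2.1": b"TCU baseband image v4.2.1 (constructed)",
    "pkg:generic/mbedtls@3.6.2": b"mbedtls 3.6.2 static library (constructed)",
    "pkg:generic/telemetry-agent@2.0.0": b"telemetry agent v2.0.0 (constructed)",
}

# CycloneDX-style SBOM for one ECU image. Note that telemetry-agent is absent:
# a component was added to the update without the inventory being refreshed.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "firmware", "name": "tcu-baseband", "version": "4.2.1",
         "purl": "pkg:generic/tcu-baseband@4.2.1",
         "hashes": [{"alg": "SHA-256",
                     "content": sha256_hex(BLOBS["pkg:generic/tcu-baseband@4.2.1"])}]},
        {"type": "library", "name": "mbedtls", "version": "3.6.2",
         "purl": "pkg:generic/mbedtls@3.6.2",
         "hashes": [{"alg": "SHA-256",
                     "content": sha256_hex(BLOBS["pkg:generic/mbedtls@3.6.2"])}]},
    ],
}

# Hypothetical OTA manifest: what the update server claims it is shipping.
# The mbedtls digest is deliberately wrong (stale or tampered manifest).
UPDATE_MANIFEST = {
    "campaign": "2026-05-tcu-refresh",
    "components": [
        {"purl": "pkg:generic/tcu-baseband@4.2.1",
         "sha256": sha256_hex(BLOBS["pkg:generic/tcu-baseband@4.2.1"])},
        {"purl": "pkg:generic/mbedtls@3.6.2", "sha256": "deadbeef" * 8},
        {"purl": "pkg:generic/telemetry-agent@2.0.0",
         "sha256": sha256_hex(BLOBS["pkg:generic/telemetry-agent@2.0.0"])},
    ],
}


def index_sbom(sbom: dict) -> dict:
    """Map each component purl to the set of SHA-256 digests the SBOM records."""
    index = {}
    for comp in sbom.get("components", []):
        digests = {h["content"].lower() for h in comp.get("hashes", [])
                   if h.get("alg") == "SHA-256"}
        index[comp["purl"]] = digests
    return index


def check_update(manifest: dict, sbom: dict, blobs: dict) -> list:
    """Return (purl, reason) findings; an empty list means the package is releasable.

    Checks, in order: the component is inventoried in the SBOM, the blob is
    actually present in the package, the blob matches the manifest digest, and
    the manifest digest is one the SBOM recorded for that component.
    """
    index = index_sbom(sbom)
    findings = []
    for comp in manifest["components"]:
        purl = comp["purl"]
        claimed = comp["sha256"].lower()
        if purl not in index:
            findings.append((purl, "not in SBOM inventory"))
            continue
        if purl not in blobs:
            findings.append((purl, "blob missing from package"))
            continue
        actual = sha256_hex(blobs[purl])
        if actual != claimed:
            findings.append((purl, "blob digest does not match manifest"))
        elif claimed not in index[purl]:
            findings.append((purl, "manifest digest not recorded in SBOM"))
    return findings


if __name__ == "__main__":
    for purl, reason in check_update(UPDATE_MANIFEST, SBOM, BLOBS):
        print(f"BLOCK {purl}: {reason}")
```

The gate fails closed on two distinct problems here: a component shipped without an SBOM entry, and a manifest digest that does not match the bytes in the package. A signature check on the manifest (not shown) belongs in front of this step on the vehicle side; this check is what keeps the inventory honest on the server side.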
Outlook
For manufacturers, the challenge in 2026 is maintaining the convenience and flexibility of OTA updates while strengthening the security framework around the entire update process, from the cloud servers that stage and sign updates to the vehicle's own verification systems. Legal analysts at Nelson Mullins warn that as automakers move deeper into software-powered vehicles, telematics-enabled services, subscription-based features, and data-driven partnerships with insurers and analytics providers, regulators are increasingly scrutinizing how vehicle-generated data is collected, used, shared, and secured. Without a federal preemption standard, OEMs and Tier-1 suppliers face the prospect of managing materially different disclosure templates, consent mechanisms, and audit obligations across multiple jurisdictions simultaneously - directly affecting product release timelines, warranty documentation, and service network readiness.
