A wave of state-level laws and enforcement actions is reshaping how automakers disclose over-the-air (OTA) software updates and handle vehicle-generated data, forcing manufacturers to navigate an increasingly fragmented regulatory landscape as federal legislators struggle to deliver a unified standard. The pressure spans consumer privacy, cybersecurity compliance, and independent repair access, with significant compliance deadlines already in effect and multiple legal battles underway in 2025 and 2026.
Background
Connected vehicles now generate and transmit enormous volumes of data, and OTA software updates have become the primary mechanism through which automakers alter vehicle functionality after sale. OTA systems are software-defined, meaning manufacturers can expand monitoring capabilities after a vehicle has been purchased. This has drawn scrutiny from state regulators concerned about consumer consent, repair access, and data monetization.
Virginia and West Virginia were among the earliest states to act. As OTA updates grew more prevalent, both states adopted laws requiring OEMs to compensate dealers for assisting customers whose vehicles receive an OTA update and to disclose OTA update capabilities to prospective buyers. Under West Virginia's law, manufacturers must disclose each accessory or function that may be initiated, updated, changed, or maintained through over-the-air or remote means, including the charge to the customer for such updates known at the time of sale.
On the data-privacy front, California has moved most aggressively. On July 24, 2025, the California Privacy Protection Agency (CPPA) Board adopted updated CCPA regulations implementing requirements for cybersecurity audits, risk assessments, and consumer opt-out rights for automated decision-making technology. The new regulations took effect January 1, 2026.
Details
State enforcement activity has accelerated markedly. In March 2025, the CPPA announced a settlement with American Honda Motor Co., its first-ever enforcement action, under which Honda agreed to pay a $632,500 fine and alter its consumer consent practices. The CPPA alleged the manufacturer violated Californians' privacy rights by requiring excessive personal information to exercise opt-out rights, using consent tools that did not offer symmetrical privacy choices, and making it difficult for authorized agents to act on consumers' behalf.
Oregon went further through legislation. The Oregon Legislature enacted House Bill 3875, amending the Oregon Consumer Privacy Act effective September 28, 2025, to broaden its scope to include motor vehicle manufacturers and their affiliates that control or process personal data from a consumer's use of a vehicle or its components. Previously, carmakers and affiliates may have been exempt if they did not meet certain thresholds, such as processing data from fewer than 100,000 Oregon consumers.
In January 2025, the Texas Attorney General sued an insurer and its analytics affiliate for allegedly collecting, using, and selling over 45 million Americans' driving data to insurance companies, citing violations of the Texas Data Privacy and Security Act. A key concern was the sale of telematics data to insurers that then penalized drivers by raising rates or dropping coverage. The Connecticut AG's office also issued dozens of violation notices and warning letters in 2025 focused on connected vehicles.
At the federal level, the FTC finalized a settlement with General Motors and OnStar. In January 2025, the FTC announced an agreement with GM and OnStar to resolve concerns about how the companies collected and shared vehicle-generated data. The settlement, finalized in January 2026, includes a five-year ban on disclosing geolocation and driver behavior data to consumer reporting agencies and requires the manufacturer to offer customers the ability to disable geolocation data collection.
The right-to-repair dimension adds further complexity. The REPAIR Act (the Right to Equitable and Professional Auto Industry Repair Act) was reintroduced in the House in February 2025 and introduced in the Senate in April 2025. The bill would require automakers to provide independent repair facilities with access to diagnostic codes, calibration tools, and essential repair information, creating a nationwide parity model that obliges vehicle manufacturers to give owners and independent shops access to the same repair and maintenance data available to the manufacturers themselves or their franchised dealerships. According to Auto Care Association data, automaker data restrictions currently cost independent repair shops $3.1 billion per year.
On cybersecurity standards, regulatory and standardization activity has accelerated, including the EU Data Act effective September 2025 and ISO/TS 20003:2026 governing OTA updates. In the U.S., any OTA update that affects vehicle safety must comply with Federal Motor Vehicle Safety Standards (FMVSS).
Outlook
Unless Congress passes a comprehensive federal privacy law that preempts state statutes such as the CCPA, OEMs and other companies in the automotive and mobility sector will need to comply with a legal patchwork at the state level while heeding the FTC's enforcement authority. State privacy law compliance now rivals ransomware as the top concern for automotive cybersecurity professionals, reflecting the proliferation of comprehensive state privacy laws and the recognition that connected vehicles are explicit enforcement priorities for state regulators.
The REPAIR Act remains pending before Congress, and while state-level expansion is possible, a uniform national framework has not materialized. With automakers expected to face more aggressive enforcement, additional state-specific rules, and growing pressure to demonstrate responsible data stewardship in 2026, the cost of inaction on a federal standard continues to rise.
