Packaging Daily

U.S. States Tighten Vehicle Data Disclosure Rules as OTA Use Expands

U.S. states are tightening OTA vehicle data transparency rules in 2025, raising compliance costs as California, Texas, Oregon, and federal regulators act.

A growing patchwork of state-level regulations is tightening disclosure requirements for over-the-air (OTA) data generated by connected and electric vehicles, forcing automakers and their suppliers to navigate competing compliance demands across multiple jurisdictions. California, Texas, Oregon, and Connecticut have each taken distinct enforcement or legislative actions in 2025, compounding pressure from parallel federal rules already reshaping supply chain obligations for OEMs.

Background

The global automotive OTA update market was valued at USD 4.9 billion in 2025 and is projected to reach USD 29 billion by 2035, at a compound annual growth rate of 19.5%, according to Global Market Insights. As OTA capability becomes standard across EV platforms, enabling remote software patches, telematics data streams, and diagnostics transmissions, it has drawn scrutiny from regulators who view connected vehicles as mobile data collection systems. A 2023 Mozilla Foundation study found that 92 percent of car brands give drivers little or no control over their personal data. Industry projections estimate vehicle data monetization could reach as much as $750 billion by 2030.

Against that backdrop, autonomous vehicles are currently governed by a patchwork of state-by-state requirements that can vary on permitting and commercial operation requirements, safety and data reporting standards, and interactions with law enforcement. The same fragmentation now applies to consumer vehicle data privacy. The passage of the California Consumer Privacy Act in 2018 ushered in a wave of similar comprehensive consumer privacy laws in almost 20 other states.

Details

State action has escalated sharply over the past 12 months. In March 2025, the California Attorney General announced an ongoing investigatory sweep examining privacy practices of the location data industry, with precise geolocation data treated as sensitive personal information under the California Consumer Privacy Act. Separately, in March 2025, the California Privacy Protection Agency entered into a stipulated final order with an auto manufacturer pursuant to which the company agreed to pay a $632,500 fine and make certain changes to its practices to comply with state privacy laws, the CPPA's first enforcement action.

Texas has moved through litigation. In January 2025, the Texas Attorney General sued an insurer and its analytics affiliate for "unlawfully collecting, using, and selling over 45 million Americans' driving data to insurance companies," citing violations of the Texas Data Privacy and Security Act. Central to the complaint was whether drivers had knowingly opted into telematics programs and whether their data was used for insurance-related scoring without effective notice. Oregon updated its privacy law in 2025 to cover motor vehicle manufacturers and affiliates that control or process personal data obtained from a consumer's use of a motor vehicle. Connecticut's Attorney General's office issued dozens of violation notices and warning letters to companies in 2025, with a focus on areas including connected vehicles.

At the federal level, two parallel tracks are developing. The U.S. Department of Commerce Bureau of Industry and Security published a final rule in January 2025 prohibiting transactions involving vehicle connectivity system hardware and covered software designed, developed, manufactured, or supplied by entities linked to China or Russia, with the rule taking effect on March 17, 2025. The rule's software prohibitions apply to model year 2027 vehicles, generally set for release in mid-2026. Separately, Rep. Eric Burlison and Sen. Mike Lee reintroduced the Auto Data Privacy and Autonomy Act in December 2025, legislation that would prohibit manufacturers from accessing or selling vehicle data without explicit, written consent from the owner and would require manufacturers to provide owners free access to their vehicle data with the ability to delete it.

The data categories under scrutiny span diagnostics, precise geolocation, driving behavior patterns, and safety-related telemetry. U.S. state consumer privacy laws generally have heightened protections for "sensitive" personal data, defined to include precise geolocation data and biometric data, exactly the data that vehicles collect in large quantities. OEMs must now conduct data protection assessments and, in most state jurisdictions, obtain affirmative consumer consent before processing such information.

Compliance infrastructure is evolving into a commercial market of its own. The automotive OTA updates compliance market surpassed USD 4.8 billion in 2025 and is projected at USD 5.41 billion in 2026, with momentum tied to stringent regulatory mandates for vehicle cybersecurity and traceability. Manufacturers and suppliers must maintain full software bills of materials (SBOMs) covering all embedded code, libraries, and dependencies to satisfy both state and federal auditors.

Outlook

As states have taken different approaches to regulating privacy related to vehicle geolocation data, Congress may include preemption provisions in legislation to reduce variation in approaches across states. Without a federal floor, automakers building standardized OTA data disclosure frameworks across model lines risk designing to the most restrictive state standard, a de facto national rule driven by California's enforcement posture. The CPPA and the California Attorney General both have authority to enforce various California privacy laws and may collaborate in investigations and enforcement, including cooperation with other state privacy regulators and international data protection authorities. Industry groups have called for a harmonized federal framework, arguing that the compliance burden of managing more than 20 distinct state-level regimes diverts resources from technology development.