A wave of state enforcement actions and new legislation is reshaping how automakers and Tier 1 suppliers must handle vehicle-generated data. As over-the-air (OTA) software updates become standard across new model lines, a fragmented compliance landscape is emerging that industry analysts warn could significantly raise operating costs. Multiple states moved in 2025 to enact or enforce disclosure, consent, and data-access mandates tied to connected vehicle technologies, while competing federal proposals have yet to establish a unified national framework.
Background
OTA updates have become a cornerstone of the modern connected vehicle. As of 2025, more than 55% of new vehicles support OTA capabilities, enabling manufacturers to remotely deploy software enhancements, security patches, and performance improvements. The global automotive OTA updates market was valued at approximately $5.9 billion in 2025 and is projected to reach $20.6 billion by 2032, growing at a compound annual growth rate of 19.5%, according to market research firm ReAnIn.
That commercial momentum has drawn regulatory attention. Vehicle-generated data - covering location, driving behavior, diagnostics, and biometrics - is now treated by regulators as highly sensitive consumer information. Industry projections estimate vehicle data monetization could reach as much as $750 billion by 2030, according to data cited by the U.S. House of Representatives, creating strong incentives for third-party data sharing that state regulators are increasingly scrutinizing.
The regulatory pressure is not new. California's privacy regulator, the California Privacy Protection Agency (CPPA), first announced a review of connected vehicle privacy practices in July 2023. However, enforcement has accelerated sharply since 2025.
Details
State action intensified across multiple jurisdictions through 2025 and into 2026. In March 2025, the CPPA announced its first enforcement action against an auto manufacturer, resulting in a $632,500 fine and required changes to the company's data practices. Separately, the California Attorney General launched an investigatory sweep in March 2025 targeting location data practices across the industry, focusing on whether consumers were receiving adequate opt-out rights under the California Consumer Privacy Act (CCPA).
In Oregon, a 2025 update to the state privacy law extended coverage to all motor vehicle manufacturers and affiliates, removing prior exemptions for companies below certain data-processing thresholds. Oregon's requirement to honor universal opt-out requests took effect in January 2026. Texas took an enforcement path: in January 2025, the Texas Attorney General filed suit against an insurer and its analytics affiliate, alleging the unlawful collection, use, and sale of more than 45 million Americans' driving data to insurance companies, citing violations of the Texas Data Privacy and Security Act and the state's insurance code. Connecticut's Attorney General issued dozens of violation notices and warning letters to companies in 2025, with connected vehicle location and driving-habit data among its priority areas.
At the federal level, the Federal Trade Commission finalized a significant action. The FTC's settlement with General Motors and OnStar, finalized in January 2026, includes a five-year ban on disclosing geolocation and driver behavior data to consumer reporting agencies and requires the manufacturer to provide customers the ability to disable geolocation data collection from their vehicles. The FTC adopted a broad definition of "covered driver data" that includes location data and algorithmically generated information derived from vehicle and mobile device sources.
On the legislative front, the House Energy and Commerce Committee voted in late February 2026 to advance the Right to Equitable and Professional Auto Industry Repair (REPAIR) Act to the full U.S. House of Representatives. The REPAIR Act would require OEMs to make vehicle-generated data available to owners and independent repair workshops through a standardized access platform, with the FTC empowered to enforce compliance. A separate bill, the Auto Data Privacy and Autonomy Act, introduced in December 2025, would bar manufacturers from accessing, selling, or sharing covered vehicle data without explicit owner consent.
The right-to-repair dimension adds further complexity for Tier 1 suppliers. Maine's Right to Repair law, applicable to vehicles sold from January 1, 2025, remains stalled in implementation because the independent entity required to administer its data-access platform has not yet been established. OEMs have challenged these state mandates in court; a federal judge in Massachusetts ruled in February 2025 that the state's auto telematics data law was not preempted by federal law, a decision with potential implications for similar disputes.
Outlook
The absence of federal preemption remains the central compliance risk for OEMs and Tier 1 suppliers. As of early 2025, 20 states had active Right to Repair legislation under consideration, and legal analysts at Nelson Mullins noted in early 2026 that automakers should anticipate "more aggressive enforcement, more state-specific rules, and more pressure to demonstrate responsible data stewardship" through the year. Whether the REPAIR Act passes with a preemption clause - overriding conflicting state mandates - or without one will determine whether the industry faces a single unified framework or an expanding patchwork of state requirements. The CCPA provides for fines of up to $7,500 per intentional violation, underscoring the financial stakes for suppliers and OEMs that have not yet built consent-management and data-governance infrastructure aligned with the most restrictive state standards.
