A growing patchwork of state-level privacy laws enacted and amended through early 2026 is forcing automakers to overhaul how they disclose, obtain consent for, and manage vehicle-generated data flowing through over-the-air (OTA) update channels - with implications for Tier 1 suppliers, telematics partners, and independent repair networks.
Background
The auto industry is entering an era in which vehicle-generated data is no longer a byproduct of innovation but a category of highly sensitive consumer information. Automakers should anticipate more aggressive enforcement and additional state-specific rules in 2026.
As of March 2026, 20 U.S. states have comprehensive privacy laws. Indiana, Kentucky, and Rhode Island added new assessment, notice, and transparency obligations effective January 1, 2026. In 2025, eight comprehensive state laws took effect across Delaware, Iowa, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, and Tennessee.
Unless Congress passes a federal privacy law that preempts state statutes such as the CCPA, OEMs and companies across the automotive and mobility sector must comply with the state-level legal patchwork and heed the FTC's enforcement authority.
Key State Actions and Enforcement
Among the most consequential recent moves, Oregon's HB 3875 amended the state's privacy act to cover all motor vehicle manufacturers that control or process personal data obtained from a consumer's use of a vehicle; a companion bill prohibits the sale of precise geolocation data. Oregon's requirement to honor universal opt-out requests took effect in January 2026, meaning automakers operating in the state must be prepared to fulfill consumer requests to access, delete, and opt out of the sale of vehicle-generated data.1Nelson Mullins - Privacy Regulation of Auto Industry to Accelerate in 2026 – Part 1
On February 3, 2026, the Virginia Senate passed SB 338, which would amend Virginia's Consumer Data Protection Act to ban the sale of precise geolocation data - legislation unanimously reported out of the Communications, Technology and Innovation Committee. If enacted, Virginia would join Maryland and Oregon in banning such sales, with several other states expected to consider similar bans during the 2026 legislative session.
Connecticut's Attorney General announced that the office issued dozens of violation notices and warning letters to companies in 2025, identifying connected vehicles and data revealing drivers' location and driving habits as a priority enforcement area.
At the federal level, a landmark enforcement action set the baseline for regulatory demands. The FTC's settlement with General Motors and OnStar, finalized in January 2026, includes a five-year ban on disclosing geolocation and driver behavior data to consumer reporting agencies and requires the manufacturer to give customers the ability to disable geolocation data collection from their vehicles.
According to a February 2026 CNN investigation cited by industry analysts, 90% of new cars track driving behavior approximately every three seconds, monitoring speed, braking, phone use, and exact location.
Implications for OEMs, Suppliers, and Repair Networks
Regulators are evaluating whether data uses underpinning subscription features, usage-based insurance integrations, driver-monitoring services, and personalized in-vehicle experiences are clearly disclosed and whether consent is valid. Data-sharing arrangements - particularly with insurers, analytics providers, and consumer reporting agencies - must be reevaluated in light of both FTC Section 5 authority and FCRA risk.
The compliance burden extends beyond OEMs to independent repair operators. The House Energy and Commerce Committee voted in late February 2026 to advance the REPAIR Act to the full U.S. House of Representatives. The legislation would grant car owners access to vehicle-generated data and repair data from manufacturers while preventing recipients from selling or transferring that data absent certain exceptions.
Compliance programs in the automotive sector will need to resemble those of sophisticated digital platforms, incorporating robust consent architecture and data minimization controls. Connecticut's amendments to its Data Privacy Act, effective August 1, 2026, will separately require controllers engaged in profiling that produces legal or significant effects on consumers to conduct dedicated impact assessments.
Outlook
Maine has advanced a comprehensive privacy law containing a prohibition on the sale of sensitive data including precise geolocation. Consumer Reports has released model legislation - the State Location Privacy Act - providing states with a framework for prohibiting location data sales. State regulators' and legislators' postures suggest connected-vehicle data will remain a priority across multiple states, not just those with auto-centric laws. For OEMs and their Tier 1 data and software supply chains, the trajectory points toward compliance architectures capable of accommodating jurisdiction-specific consent and disclosure rules across an expanding roster of states.
