More than 13 million vehicles were recalled in the United States in 2024 due to software-related issues - a 35% surge from the prior year. Yet the data generated by those same over-the-air (OTA) fix pipelines remains largely locked inside proprietary manufacturer ecosystems, inaccessible to the independent repair shops that service most American cars. That tension is now breaking into the open.
A coordinated wave of state-level legislation, reinforced by federal proposals and a landmark court ruling, is forcing automakers and their suppliers to fundamentally rethink how OTA software update data is disclosed, shared, and governed - particularly as electric vehicles expand the volume and sensitivity of connected vehicle data.
The State-Level Tipping Point: Massachusetts and Maine Lead the Way
The regulatory story begins in Massachusetts. In November 2020, voters approved a ballot initiative expanding the state's existing right-to-repair law to cover telematics - the wireless data streams that connected vehicles transmit to manufacturers and dealers. The law, Chapter 93K, requires that model year 2022 and later vehicles equipped with a telematics system include "an inter-operable, standardized and open access platform" giving owners and their authorized independent repair shops direct access to mechanical data through a mobile application.
After a four-year legal battle, a federal district court upheld the Massachusetts Data Access Law in February 2025, rejecting a challenge brought by the Alliance for Automotive Innovation. The court found that the law's "plain language" provided OEMs with multiple compliance pathways. Auto Innovators appealed the decision to the U.S. Court of Appeals for the First Circuit in July 2025, arguing that the law conflicts with the federal Motor Vehicle Safety Act - a preemption question that could set a binding national precedent.
Maine followed closely. Maine voters approved a right-to-repair ballot initiative in November 2023 requiring manufacturers of telematics-equipped vehicles to provide owners and authorized independent repair facilities direct access to vehicle data through a standardized, owner-authorized platform. The law took effect January 5, 2025, but implementation has stalled amid ongoing legislative review of the statute's technical ambiguities and cybersecurity concerns.
Several other states have introduced proposals modeled in varying degrees after Massachusetts, with Wisconsin and others actively monitoring the First Circuit appeal before advancing their own measures. In 2025, over 40 bills in at least 20 U.S. states were proposed or passed targeting right-to-repair obligations across multiple industries.
What OTA Transparency Rules Actually Require
At their core, the emerging state frameworks impose three categories of disclosure and access obligations on OEMs:
- Data transparency: Consumers must be informed at point of sale that their vehicle collects and transmits telematics data and must receive the option to control that access.
- Standardized access platforms: Manufacturers must provide a common, interoperable mechanism - typically a mobile application - through which owners can access vehicle-generated mechanical data without OEM permission gates.
- Independent repair access: With owner authorization, independent technicians must be able to retrieve the same diagnostic and repair-relevant data that authorized dealerships receive.
The Massachusetts Attorney General's office confirmed that Bluetooth-based local access to in-vehicle telematics represents one compliant pathway, following a 2023 agreement with NHTSA. Physical OBD-II dongle systems with wireless capabilities represent another. However, if a chosen implementation method yields data that is less accurate, complete, or timely than backend server access, it fails to meet the quality obligation under emerging standards.
Notable OEM response: Honda, Subaru, and Kia have responded to Massachusetts compliance pressure by disabling telematics features on vehicles sold in the state - including OTA update capabilities - rather than building new standardized platforms. The trade-off leaves Massachusetts customers without connected services but avoids the legal exposure of non-compliance.
The Federal Layer: REPAIR Act and the BIS Connected Vehicle Rule
State-level rules are only part of the picture. Two significant federal developments are reshaping OTA compliance requirements simultaneously.
The REPAIR Act
The Right to Equitable and Professional Auto Industry Repair (REPAIR) Act was reintroduced in the U.S. House in February 2025 (H.R. 1566) and introduced in the Senate in April 2025. The bill would require automakers to provide independent repair facilities with access to diagnostic codes, calibration tools, and essential repair information through a standardized national platform. It would also grant vehicle owners explicit rights to:
- Receive vehicle-generated data and repair information directly
- Designate and de-designate third parties (including independent repair shops) to access that data
- Request deletion of their data within 72 hours, subject to limited exceptions
The House Energy and Commerce Committee advanced the bill, with supporters arguing that federal action would prevent the fragmented state-by-state system currently burdening OEMs. A competing proposal - the SAFE Repair Act, backed by the Alliance for Automotive Innovation and collision repair associations - emphasizes manufacturer-standard repair procedures over consumer data access but has not yet been formally introduced as legislation.
The BIS Connected Vehicle Rule
Separately, the U.S. Department of Commerce's Bureau of Industry and Security (BIS) issued a final rule effective March 17, 2025, that directly governs how connected vehicle data and OTA infrastructure can be sourced and operated. The BIS Connected Vehicle Rule bans U.S. companies from using hardware, software, or services in connected vehicles if the supplying entities are owned, controlled by, or subject to the jurisdiction of China or Russia, with software prohibitions taking effect for Model Year 2027 and hardware restrictions beginning January 1, 2029.
The practical implications for OEM compliance teams are significant. Because OTA update systems depend on cloud platforms, cryptographic signing infrastructure, telematics control units, and remote server architectures, manufacturers must conduct supply chain due diligence across their entire OTA ecosystem and file Declarations of Conformity with BIS. Records must be maintained for a minimum of 10 years. The cost of building compliant supply chain audit capabilities - particularly for Tier 1 and Tier 2 suppliers - is projected to be substantial.
OTA Data: The Security and Cost Calculus for OEMs
The transparency push arrives as OTA updates already face intense scrutiny for security vulnerabilities. Research published in a 2025 automotive cybersecurity conference found that 60% of intelligent vehicles encountered security risks during OTA updates, including cloud-based attacks, transmission hijacking, and firmware tampering at the vehicle terminal.
At the same time, the operational and financial case for robust OTA capability is compelling. ABI Research projects that by 2028, U.S. automakers will save $1.5 billion annually by remediating recalls through OTA updates rather than requiring dealer visits. Software-focused recalls currently average $300 to $500 per vehicle - costs that scale rapidly into the billions for large campaigns.
The compliance market itself is growing sharply. The global automotive OTA updates compliance market surpassed $4.8 billion in 2025 and is projected to reach $18 billion by 2036, representing a 12.75% compound annual growth rate.
Opening telematics data to independent repairers adds further complexity. Regulators generally permit OEMs to apply cryptographic protections to OTA pipelines and telematics systems - but only where those protections do not block lawful access by vehicle owners or their authorized technicians. The FTC's 2025 enforcement action against a leading U.S. manufacturer for selling driver data to insurance companies without proper consent - resulting in a 20-year audit requirement and a $20 million fine - has accelerated industry-wide attention to data governance.
Compliance Timelines: A Snapshot for OEMs and Suppliers
| Rule / Law | Jurisdiction | Key Deadline | Status |
|---|---|---|---|
| Massachusetts Data Access Law (2020 Telematics Amendment) | Massachusetts | In effect (MY 2022+) | Upheld Feb. 2025; First Circuit appeal pending |
| Maine Right-to-Repair Telematics Law | Maine | Effective Jan. 5, 2025 | Implementation under legislative review |
| REPAIR Act (H.R. 1566) | Federal (proposed) | Reintroduced Feb. 2025 | Advancing through House Energy & Commerce |
| BIS Connected Vehicle Rule | Federal | MY 2027 (software); Jan. 1, 2029 (hardware) | Effective March 17, 2025 |
| NHTSA AV STEP (Proposed) | Federal (proposed) | NPRM issued Jan. 2025 | Comment analysis ongoing |
| UNECE R156 / ISO 24089 | International | In effect for EU type-approval | Binding for EU market access |
What OEMs and Suppliers Should Do Now
The regulatory picture may not fully resolve before the end of 2026, but the direction is clear. OEMs and suppliers that wait for final legislative outcomes before acting risk costly emergency retrofits to vehicle architectures and OTA infrastructure never designed for standardized third-party access.
Compliance teams should prioritize:
- Audit the OTA supply chain for any hardware, software, or cloud services linked to restricted foreign entities under the BIS Connected Vehicle Rule. Hardware and software bills of materials (HBOM/SBOM) are not formally required for Declarations of Conformity, but regulators have noted their practical utility.
- Develop a standardized vehicle data access platform that accommodates state-level telematics requirements (Massachusetts, Maine) while remaining extensible to a potential federal REPAIR Act standard. Bluetooth-local and OBD-II dongle pathways are available interim solutions, but data access quality and completeness must meet regulatory standards.
- Implement cryptographic protections across OTA update pipelines in line with UNECE R156 and ISO 24089 requirements - essential for both cybersecurity compliance and demonstrating that access controls do not improperly block independent repair access.
- Establish data governance and consent frameworks that give vehicle owners granular control over which parties can access their vehicle-generated data - and for what purpose - in anticipation of federal REPAIR Act data rights provisions.
- Monitor the First Circuit appeal in the Massachusetts case. A ruling finding federal preemption could reshape the entire state-level OTA disclosure landscape, while an affirmation would accelerate adoption of similar laws in other states.
As Bill Hanvey, president and CEO of the Auto Care Association, has stated: "As vehicles become more software-driven and connected, manufacturers increasingly control the data needed for diagnostics, calibrations, and repairs. Right-to-repair policies aim to ensure independent shops can continue to perform the full scope of repairs without being forced to rely on manufacturer-controlled channels."
The OTA transparency debate is ultimately a question about who controls the software-defined vehicle - and the answer, increasingly, will be shaped not just by engineering choices but by regulation.
Frequently Asked Questions
What is an OTA update in the context of connected vehicles? An OTA update is a wireless software patch or feature upgrade transmitted remotely to a vehicle's electronic control units, infotainment systems, or safety modules - without requiring a dealership visit. As vehicles become software-defined, OTA updates handle recall remediations, new feature unlocks, and security patches.
Which states have laws requiring automakers to share vehicle telematics data with independent repair shops? Massachusetts and Maine are currently the only states with laws explicitly requiring OEMs to provide owners and independent repair facilities with wireless access to vehicle mechanical and telematics data. Massachusetts' law was upheld by a federal court in February 2025. Maine's law took effect January 5, 2025, but implementation remains under legislative review.
What is the REPAIR Act and how does it differ from state laws? The REPAIR Act (H.R. 1566), reintroduced in Congress in 2025, would create a national standard requiring automakers to provide vehicle owners and independent repair shops with real-time, wireless access to vehicle-generated data. Unlike fragmented state laws subject to federal preemption challenges, the REPAIR Act would establish uniform national rules - reducing the compliance burden facing multi-state OEMs.
How does the BIS Connected Vehicle Rule affect OTA data compliance? The BIS rule, effective March 17, 2025, restricts connected vehicle hardware and software from entities linked to China or Russia. OEMs must audit their entire OTA pipeline - including cloud platforms, telematics modules, and signing infrastructure - for foreign adversary exposure and file Declarations of Conformity maintained for at least 10 years.
Why are some automakers disabling telematics in Massachusetts rather than complying? Several OEMs - including Honda and some Subaru and Kia models - have chosen to disable telematics features in vehicles sold in Massachusetts rather than build a standardized open-access platform. This avoids legal risk but leaves customers without OTA updates and connected services, highlighting the tension between compliance cost, cybersecurity obligations, and consumer expectations.
What security risks arise from opening OTA and telematics data to third parties? Opening vehicle telematics to third parties introduces risks including unauthorized access, transmission hijacking, and firmware tampering. Regulators generally permit OEMs to apply cryptographic protections provided these do not block lawful access for owners or authorized independent repairers.
