Vehicle Data Ownership Laws Are Shifting - and Drivers Should Worry
- 01. What "vehicle data ownership" means
- 02. Key legal regimes and dates
- 03. Who holds what rights
- 04. How this applies to common data types
- 05. Practical examples and illustrative table
- 06. What the EU Data Act changed (practical effects)
- 07. U.S. federal and state developments
- 08. What vehicle owners should do now
- 09. Common questions
- 10. Statistics and enforcement signals
- 11. Expert quote and historical context
- 12. Quick checklist for fleet managers
Short answer: Vehicle data ownership is split. In the United States, event-recorder (EDR) and vehicle-generated data are generally treated as the property of the vehicle owner or lessee under federal law, while in the European Union the EU Data Act and GDPR give vehicle users explicit rights to access, port, and control much vehicle-generated data. Manufacturers and service providers retain processing roles but cannot unilaterally own or indefinitely withhold user data.
What "vehicle data ownership" means
Definition: Vehicle data ownership refers to legal claims and rights over data produced by a vehicle's sensors, telematics, infotainment systems, and event data recorders (EDRs), including who may access, copy, transfer, sell, or delete that data.
Key legal regimes and dates
United States federal law: The Driver Privacy Act of 2015 explicitly states that data retained by an EDR is the property of the vehicle owner or lessee, giving owners primary legal control over EDR downloads absent narrow statutory exceptions.
EU law - Data Act and GDPR: The EU Data Act (Regulation (EU) 2023/2854) took practical effect with guidance in 2025-2026 and requires OEMs to provide users access to vehicle-generated data in a standard, usable format while preventing unjustified barriers to third-party services; GDPR governs personal data processing and imposes consent, portability, minimization, and erasure obligations.
Recent enforcement (2024-2026): The U.S. Federal Trade Commission signalled heightened enforcement on vehicle geolocation and sensitive driver data in 2024 and reached a settlement with a major OEM in January 2026 restricting some disclosures and requiring opt-outs and technical controls.
Who holds what rights
Vehicle owner / user rights: Owners and designated users typically hold access, portability, deletion, and consent rights for personal data and EDR information under U.S. federal law, the EU Data Act, and GDPR.
OEMs and service providers: Manufacturers and connected-service vendors act as data controllers/processors; they often retain copies for diagnostics, safety, and commercial services but must comply with user access rights, transparency and lawful bases for processing.
Third parties (insurers, repair shops, data brokers): Third parties may obtain vehicle data only with user consent or under narrow lawful exceptions; regulators are increasingly limiting undisclosed sharing, resale, and use for targeted advertising or unbounded profiling.
How this applies to common data types
- Location and trip logs - treated as sensitive personal data; often require explicit consent and strong safeguards.
- EDR (black box) data - ownership typically vested in owner/lessee; downloads require owner consent except for limited investigatory exceptions.
- Diagnostics and vehicle health - OEMs usually retain this data for warranty/maintenance but must provide user access under EU rules.
- In-cab cameras and biometric data - high sensitivity under privacy rules; many regulators treat facial and behavior metrics as special categories requiring opt-in.
Practical examples and illustrative table
Illustration: A leased SUV's EDR file, GPS traces, and driver habit scores may be accessible to the lessee; the manufacturer may keep anonymized telemetry for product safety but cannot sell identifiable driver location histories without consent under recent regulatory trends.
| Data type | Typical legal owner / controller | Access required from user | Common restrictions |
|---|---|---|---|
| Event Data Recorder (EDR) | Vehicle owner / lessee | Owner consent for download | Federal Driver Privacy Act protections (US) |
| Location & trip logs | Controller (OEM/service) - user has rights | Explicit opt-in/consent required in many cases | GDPR protections; FTC scrutiny in US |
| Diagnostics / fault codes | OEM/controller | User access rights under EU Data Act | Retention policies, business-need limits |
| Biometric/in-cab video | Controller with high sensitivity | Usually explicit, granular consent | Enhanced protections; potential bans for certain uses |
What the EU Data Act changed (practical effects)
Access and portability: The EU Data Act requires manufacturers to provide users (owners and stable users) with access to vehicle data in a standard, usable format - enabling portability and third-party services to connect with user consent.
Constraints on safety arguments: Manufacturers cannot use vague safety or security claims to refuse reasonable access requests; regulators can challenge disproportionate fees for third-party access.
Applies to used vehicles: The Data Act's scope explicitly covers second-hand connected vehicles, so resale does not strip user rights to data access.
U.S. federal and state developments
Driver Privacy Act (2015): Establishes EDR ownership with owner/lessee and limits unauthorized downloads, creating an early federal baseline for black-box protections.
Recent federal enforcement: The FTC's 2024-2026 focus treated geolocation and driver behavior as sensitive data deserving enhanced safeguards and led to settlements that restrict disclosure to consumer reporting agencies and impose opt-out/disable controls.
Legislative proposals: Bills such as the Auto Data Privacy and Autonomy Act (introduced in state/federal variants) propose opt-in defaults, NIST technical standards, and prohibitions on resale without consent; these proposals signal likely future tightening.
What vehicle owners should do now
- Review in-car privacy settings and disable nonessential telemetry where possible; many systems provide toggles for location sharing and voice/data collection.
- Use manufacturer portals or EU Data Act channels to request your vehicle's data export (JSON or standard format).
- When buying or leasing, check contract clauses about data sharing, resale, and third-party access; negotiate explicit limits where necessary.
- Document and retain consent records if you allow insurers or shops to access telemetry; consent withdrawal timelines matter legally.
Common questions
Statistics and enforcement signals
Numbers and trends: Recent industry analyses and regulator reports indicate that by Q1 2026 over 80% of new vehicles sold in the EU and US include telematics capable of continuous location or diagnostic uploads, and regulators reported a 230% increase in privacy complaints about connected cars between 2023 and 2025.
Enforcement milestones: The FTC's 2024 guidance and January 2026 settlement with a major OEM illustrate active enforcement; the EU's Data Act guidance issued in September 2025 and full enforcement steps that followed created new compliance obligations for OEMs across member states.
Expert quote and historical context
"As connected vehicles become software platforms, data is now core to vehicle safety, servicing and business models; the legal framework must balance consumer control with innovation," said a European Commission guidance note published in September 2025.
Quick checklist for fleet managers
- Audit what telematics and driver data you collect and why; map legal bases for processing.
- Implement explicit consent flows for drivers and customers, and log consents.
- Offer data portability and deletion options as built-in mechanisms to comply with GDPR/Data Act rules.
- Prepare for stronger enforcement and vendor audits: document vendor contracts and security controls.
Key concerns and solutions
Who legally owns my car's black box data?
Under the federal Driver Privacy Act of 2015 in the United States, data retained by an event data recorder (EDR) is the property of the vehicle owner or lessee, giving them download and access rights subject to narrow exceptions.
Can my automaker sell my driving data?
Not without a lawful basis or your explicit consent in many jurisdictions; EU rules plus GDPR limit commercial resale of identifiable vehicle-user data, and proposed U.S. laws and FTC enforcement actions have restricted certain resale and sharing practices.
Does the EU Data Act let me port my car data to other services?
Yes. The EU Data Act requires access in a standard, usable format and facilitates transfer to third-party service providers after user consent, supporting portability and competitive service markets.
Are insurers allowed to use my trip or behavior data?
Insurers may use telematics if you consent and if disclosures and data minimization rules are followed; regulators are scrutinizing automated decisions and algorithmic uses to prevent discriminatory outcomes.
What happens when I sell my car: do I lose data rights?
The EU Data Act and good practice require user rights and data access to continue to be governed by contractual and technical handovers; data stored on OEM servers or tied to user accounts may remain controllable by the original user unless explicitly transferred.