AB 1197 bars rental companies from using information obtained via electronic surveillance technology about how a renter uses a vehicle, except in tightly defined circumstances tied to vehicle recovery, law enforcement orders, and a small set of operational functions. It also prohibits using tracking to impose fines or surcharges and creates notice and recordkeeping obligations when tracking is activated to locate a vehicle.
The bill matters to rental operators, telematics vendors, and compliance teams because it forces operational changes—how and when companies can activate location-based features, what they must tell renters, and what records they must keep—while preserving narrow recovery and law enforcement access. It shifts several routine business practices into clearly regulated, privacy-sensitive activities that require process and audit trails.
At a Glance
What It Does
The bill forbids rental companies from using, accessing, or obtaining renter-use information from vehicle electronic surveillance technology, except to locate stolen, abandoned, or missing vehicles; in response to lawful process; or when limited geofence detections occur. It also allows certain onboard features (navigation, remote locking/unlocking, roadside assistance) only if the company does not access usage data beyond what is necessary for those features.
Who It Affects
Car rental and lease companies that equip vehicles with telematics, telematics hardware and software vendors, insurance and claims teams that rely on usage data, and renters whose privacy and liability exposure depend on how and when tracking is activated.
Why It Matters
The law draws a line between operational telematics (navigation, roadside help, return/mileage accounting) and surveillance-driven uses (continuous tracking, behavioral fines), requiring new renter disclosures, activation protocols, and records that will change contract language, vendor integrations, and compliance monitoring.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
AB 1197 creates a general prohibition: rental companies may not use, access, or obtain information about a renter’s use of a vehicle that comes from electronic surveillance technology, except in a short list of circumstances. The first and most detailed exception allows activation of tracking to locate a vehicle that is missing, stolen, or abandoned.
That activation can occur after the renter or law enforcement informs the company the vehicle is missing or stolen, and the statute gives the company additional triggers and procedures tied to missed returns.
When a vehicle isn’t returned, the rental company may activate tracking after 24 hours past the contracted return date or 24 hours after the end of an agreed extension—but only after the company provides a 24-hour advance notice by telephone and electronic means (when the renter has provided contact information and consent to electronic communications). The rental agreement must contain a written advisement that tracking may be activated under that rule and the renter must acknowledge it with initials; the company must also give an oral advisement at in-person or telephone transactions.
Separately, the bill allows activation after one week without the 24-hour notice pathway (a ‘‘notwithstanding’’ provision), and it expressly permits activation if the rental company discovers the vehicle is stolen or abandoned, with an obligation to file a stolen vehicle report unless law enforcement already has.The bill imposes recordkeeping for activations used to recover vehicles: the rental agreement, return date, the date and time tracking was activated, communications with the renter, and interaction with law enforcement must be retained for at least 12 months and made available to the renter on request; companies must also provide explanatory codes necessary to read those records. There is a carve-out: the rental company does not have to maintain that recovery record when the technology is activated to recover a vehicle that was stolen or missing at a time outside a rental period.
The statute also allows access to telematics data in response to subpoenas or search warrants.AB 1197 defines limited, allowed uses of onboard technology. GPS navigation systems, remote lock/unlock features, and roadside-assistance functions may be installed so long as the rental company does not access usage information obtained from them except as minimally necessary to repair defects, lock or unlock at the renter’s request, or provide the requested roadside service.
The bill further permits a narrow operational use of surveillance data to determine the date/time a vehicle departs and returns to the company and to confirm total mileage driven and fuel level on return, but limits the data to those purposes. Finally, the bill flatly prohibits using electronic surveillance technology to track a renter for the purpose of imposing fines or surcharges tied to how the renter used the vehicle.
The Five Things You Need to Know
The bill requires a 24-hour advance notice by phone and electronic message before activating tracking for a vehicle not returned 24 hours after its contracted return date—provided the renter gave contact info and agreed to electronic communication.
A rental agreement must include an advisement that tracking may be activated after a late return and the renter must initial that advisement; the advisement must also be given orally during in-person or phone transactions.
When tracking is activated to recover a vehicle, the rental company must keep a record (rental agreement, return date, activation time, communications, police reports) for at least 12 months and provide explanatory codes so a renter can read the record.
Geofence technology may be used only to detect cross-border travel when unauthorized and to detect if a vehicle is in an impound/tow yard; if the vehicle remains inside an impound perimeter 24 hours after notification, it is deemed abandoned by the renter.
The bill bans using electronic surveillance technology to track a renter for the purpose of imposing fines or surcharges related to how the renter used the vehicle.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
General prohibition on using surveillance-derived renter data
This subsection establishes the default rule: rental companies may not use, access, or obtain information about a renter’s use of the vehicle that was obtained via electronic surveillance technology. Practically, it requires companies to segregate operational telematics uses from any monitoring that produces renter-behavior data. The provision sets the compliance baseline against which all exceptions are tightly drawn.
Permitted activation to locate missing, stolen, or abandoned vehicles and miss-return triggers
The statute permits activation of tracking to locate a vehicle when the renter or law enforcement reports it missing or stolen, or when the vehicle is not returned 24 hours after the contracted return date (or 24 hours after an agreed extension), subject to a 24-hour advance notice requirement. There is also a separate trigger allowing activation after one week without the 24-hour notice pathway, and an obligation to report discovered stolen vehicles to law enforcement unless police already notified the company.
AMBER Alert and geofence exceptions (impound and cross-border)
If a rental vehicle is the subject of an AMBER Alert, the company may use tracking and must notify law enforcement that one of its vehicles is involved. Geofence technology is limited to two narrow uses: detecting when a vehicle is moved out of the country contrary to the agreement, and detecting when a vehicle has entered an impound or tow yard. When a vehicle is detected in an impound and the renter is notified, remaining inside the yard for 24 hours after notification leads to a statutory presumption that the renter abandoned the vehicle.
Activation recordkeeping and renter access
When tracking is activated under the recovery exception, the rental company must create and keep a record containing the rental agreement, return date, activation timestamp, and communications with the renter or law enforcement (including police reports). The company must retain these records for at least 12 months and provide explanatory codes necessary to interpret the record if a renter requests it. The statute expressly excludes the obligation to keep such a record when tracking is activated to recover a vehicle that was stolen or missing outside a rental period.
Law enforcement lawful process access
The bill allows rental companies to obtain or share surveillance-derived information in response to a subpoena or search warrant. This is a standard legal-process carve-out that preserves law enforcement access while keeping the rental company from proactively using the data for other purposes.
Permitted onboard functions and limited operational data use
The statute lists allowed onboard technologies and circumscribes how their data may be used: GPS navigation that provides occupant assistance is permitted only if the company does not access usage data (except to diagnose or repair defects), remote lock/unlock is allowed only to perform locking/unlocking at the renter’s request, and roadside-assistance technology may be used only to provide the requested services. Separately, the company may access surveillance data solely to determine the vehicle’s departure and return times and to confirm total mileage and fuel level at return.
Ban on tracking-based fines or surcharges
This short but consequential subsection forbids rental companies from using surveillance technology to track renters for the purpose of imposing fines or surcharges tied to how the renter used the vehicle, closing a common operating practice that monetized telematics-driven behavior data.
This bill is one of many.
Codify tracks hundreds of bills on Privacy across all five countries.
Explore Privacy in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Renters concerned about location privacy — the statute sharply limits nonconsensual access to telematics-derived behavior data and restricts companies from monetizing tracking into fines or surcharges.
- Consumers who return vehicles late but within short grace periods — the advance-notice and written advisement requirements create predictable rules about when tracking may be activated and ensure renters are informed in advance.
- Privacy- and compliance-focused telematics vendors — vendors that offer privacy-by-design solutions will gain a clearer product market as rental companies seek hardware and software that separates operational signals from locational surveillance.
Who Bears the Cost
- Rental and lease companies — they must change contracts, implement 24-hour notice flows, maintain 12-month activation records with explanatory codes, and segregate data access controls, all of which create operational and IT costs.
- Smaller regional rental operators — compliance and recordkeeping burdens fall disproportionately on smaller firms that lack centralized compliance teams and may need to purchase vendor support or upgrade systems.
- Telematics providers and integrators — vendors will need to rework APIs and feature sets to enforce purpose-limited access, provide diagnostic-only data channels, and support record-export formats with explanatory codes for renter requests.
- Membership program administrators at rental companies — the statutory exception for membership-program transactions (no initial advisement required at the time of rental) creates onboarding complexity and potential legal exposure if members are not informed upon enrollment.
Key Issues
The Core Tension
The central dilemma is clear: protect renter privacy by locking down telematics-derived behavioral data, while preserving rental companies’ legitimate need to find, recover, and secure stolen or abandoned vehicles. The bill narrows commercial use of tracking data and creates notice and record obligations that enhance transparency, but those safeguards also add cost, operational friction, and ambiguity about when speedy recovery efforts can lawfully begin.
The bill balances recovery and privacy, but several implementation questions create real risk and administrative complexity. The ‘‘24-hour notice’’ pathway depends on the renter having provided contact information and consent to electronic communications; companies will need robust consent capture and audit trails to rely on the expedited activation route.
The ‘‘one-week notwithstanding’’ trigger allows firms to activate without the 24-hour notice, but the bill does not define whether certain communications or attempted contacts are required before relying on that longer trigger—leaving room for disputes about whether activation was lawful.
The recordkeeping carve-out for activations to recover vehicles that were stolen or missing ‘‘at a time other than during a rental period’’ is ambiguous. Companies and courts will disagree about when a vehicle’s status falls inside or outside the rental period (for example, long-term leases, disputes about extensions, or membership holds).
The technical requirement that companies provide explanatory codes to read records also presumes a standardized export format; smaller firms may struggle to translate proprietary telemetry logs into a renter-readable record without vendor cooperation. Finally, the membership-program advisement exception creates an attack surface: companies could shift regular renters into programs to avoid immediate advisements, which may prompt regulatory scrutiny or litigation.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.