AB 1833 amends Section 28200 of the California Vehicle Code to revise the statutory definition of “connected vehicle location access.” The amendment explicitly excludes a covered provider and a vehicle cellular data provider from the category of a “person who is outside of a vehicle” who may view or track that vehicle’s location.
On its face the bill is technical: it aligns the location-access definition with parallel language elsewhere in the section and narrows the class of external actors that the statute addresses. For manufacturers, privacy teams, and compliance officers, the change clarifies which parties the driver-facing disable mechanism is meant to block and which parties may remain outside that prohibition — raising practical questions about scope, implementation, and how disabling interacts with manufacturer access for safety, diagnostics, and telematics services.
At a Glance
What It Does
The bill edits the definition of “connected vehicle location access” to exclude a covered provider and a vehicle cellular data provider from the phrase “a person who is outside of a vehicle” who can view or track vehicle location. It leaves the remainder of the definition (GPS, internet, apps, remote wireless connectivity) intact.
Who It Affects
Primary stakeholders include vehicle manufacturers and their compliance/legal teams (the statute’s “covered providers”), telematics and cellular data carriers that serve vehicles, and drivers or account holders who use vehicle-connected services and may want to disable external location tracking.
Why It Matters
Although technical, the change shifts the statutory focus onto third-party access rather than provider access — which affects how the required in-vehicle “disable” mechanism will operate and what kinds of actors it will control. That distinction matters for privacy, safety functions, and vendor contracts.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
AB 1833 touches only one statutory definition, but that definition sits at the center of a driver’s ability to cut off remote location tracking. Previously, the statute described “connected vehicle location access” as a service that allows a person outside the vehicle to view or track location.
This amendment inserts language that explicitly excludes two categories — the covered provider and a vehicle cellular data provider — from being treated as that “person outside” for the purposes of the definition.
In practical terms, the bill appears intended to draw a line between external third parties (for example, an unknown app or private fleet manager) and parties that supply or operate the vehicle’s own connected systems. Where the statute requires a mechanism that lets a driver inside the vehicle immediately disable connected vehicle location access, AB 1833 narrows the target of that disablement to non-provider third parties unless other text elsewhere states otherwise.The bill also aligns the location-access definition with adjacent language in Section 28200 that already excludes covered providers and vehicle cellular data providers from certain parts of the connected-service definitions.
That alignment reduces internal inconsistency, but it leaves open operational questions: how the disable mechanism differentiates provider traffic from third-party access, which transmissions count, and whether safety- or maintenance-critical telemetry will continue when a driver disables external tracking.Finally, the amendment is phrased as a non-substantive, technical change in the legislative digest; nonetheless, because the definitions determine scope across enforcement and compliance duties, the tweak has downstream implications for product design, consent flows, contracts with cellular carriers, and legal exposure for manufacturers and vendors.
The Five Things You Need to Know
Section 28200(b) is amended to exclude a covered provider and a vehicle cellular data provider from the phrase “a person who is outside of a vehicle” in the definition of “connected vehicle location access.”, The definition still covers viewing or tracking location by GPS, internet, app-based technology, or other remote wireless connectivity — the bill does not change the technical means listed.
Section 28200(c) already excludes covered providers and vehicle cellular data providers from the separate definition of “connected vehicle service”; this amendment brings the location-access language into line with that exclusion.
The statute retains the driver-facing obligation (in existing law) to provide a mechanism for a driver inside the vehicle to immediately disable connected vehicle location access; AB 1833 changes which external parties that mechanism is aimed at controlling.
The amendment introduces a drafting artifact — the phrase “any other another remote wireless connectivity technology” — that suggests a minor typographical error remains in the text.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Account holder — who counts as a user
Subsection (a) restates the broad definition of “account holder” to include anyone party to a connected vehicle service contract: subscribers, customers, or registered users. For compliance teams this is a reminder that contractual parties and named users are within the statute’s reach for notices, consent mechanisms, and any in-vehicle controls tied to account status.
Connected vehicle location access — exclusion of providers
This is the provision AB 1833 changes. It now defines location access as the capability that lets a person outside the vehicle (explicitly excluding the covered provider and vehicle cellular data provider) view or track the vehicle’s location via GPS or other remote connectivity. The practical implication is that the statutory concept of external location-tracking targets third parties rather than the manufacturer or its carrier — which affects the legal scope of the driver’s disable control and how vendors will implement filtering between provider and non-provider data flows.
Connected vehicle service — scope and exclusion
Subsection (c) defines connected vehicle service as any capability provided by or on behalf of the vehicle manufacturer that lets an outside person (again excluding covered providers and vehicle cellular data providers) remotely obtain data or send commands. That exclusion already existed here; the bill harmonizes subsection (b) to match (c). For product teams this alignment clarifies the intended distinction between manufacturer-operated capabilities and independent third-party services.
Connected vehicle service request — driver’s termination right
Subsection (e) defines a “connected vehicle service request” as a driver’s request to terminate someone’s access to connected vehicle service. That defined term will be the hook for any process or UI that lets a driver invoke the in-vehicle disable mechanism; drafting around this term determines notice, confirmation, and logging requirements.
Covered provider — who the statute governs
Subsection (f) defines “covered provider” as the vehicle manufacturer or an entity acting on its behalf that provides connected vehicle service. With subsection (b)’s change, covered providers are both the subject of regulatory duties and explicitly outside the class of external actors the disable mechanism targets — a dual role that creates implementation nuance because these entities will design and operate the controls themselves.
This bill is one of many.
Codify tracks hundreds of bills on Transportation across all five countries.
Explore Transportation in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Drivers and vehicle account holders who want to block third-party tracking: the amendment narrows the statutory target to external third parties, clarifying that the in-vehicle disable feature is aimed at outside actors rather than the manufacturer itself.
- Privacy and compliance teams at consumer-privacy organizations: clearer statutory text reduces ambiguity when advocating for controls and when auditing vendor behavior against the statute.
- Vehicle manufacturers’ product and legal teams seeking predictability: alignment between subsections reduces internal inconsistency in the code, which helps when designing in-vehicle UX and vendor contracts.
Who Bears the Cost
- Third-party telematics vendors and non-manufacturer service providers: the bill makes those external actors the primary target of driver disable controls, which may force changes to access models, consent flows, and business practices.
- Vehicle manufacturers and vehicle cellular data providers: although excluded from the ‘person outside’ label, these entities face operational complexity in implementing mechanisms that selectively disable third-party access while preserving manufacturer/diagnostic flows.
- Contracting teams and integrators who manage vendor and carrier agreements: they must translate the statutory distinction into technical filtering, contractual obligations, and liability allocation, potentially increasing legal and engineering work.
Key Issues
The Core Tension
The central tension is between driver control over location privacy and the legitimate operational needs of manufacturers and carriers: the bill clarifies that disable controls target external third parties, but that very clarification could permit continued provider access to location data that drivers may expect to stop — forcing a trade-off between privacy autonomy and safety/maintenance functionality.
The amendment is small on its face but significant in interaction. By excluding covered providers and vehicle cellular data providers from the ‘person outside’ phrase, the bill appears to preserve manufacturer and carrier access even when a driver disables connected vehicle location access for external parties.
That may be intentional — manufacturers typically need ongoing telemetry for safety recalls, over-the-air updates, theft recovery, or emergency services — but the statute as amended does not specify which types of provider access must continue and which may be subject to disablement.
Implementation raises technical and contractual questions. The statute assumes a clean distinction between provider-originated traffic and third-party access, but in practice data often flows through shared platforms, gateways, or APIs managed by third parties.
Determining whether an access attempt is from a bona fide covered provider or a third party could require authentication standards, certificates, or carrier-level agreements that the bill does not mandate or fund. The text also introduces a small drafting artifact that should be cleaned up.
Finally, enforcement and transparency remain unresolved. The amendment tightens definitions but does not create new audit, logging, or reporting obligations to verify that disable mechanisms function as intended.
Regulators, plaintiffs, or consumer auditors will need additional guidance or rulemaking to translate the definitional change into verifiable compliance standards.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.