This bill restricts vehicle manufacturers from accessing, selling, or otherwise sharing in-vehicle data without affirmative owner consent and requires manufacturers to give owners direct, real-time access and control of data generated onboard their vehicles. It directs the Federal Trade Commission to enforce the law and produce a report on industry practices and risks.
For fleet operators, automakers, app developers and privacy officers, the bill would reallocate control over telematics and driver data to vehicle owners while creating new technical and compliance obligations for manufacturers. The bill also carves out confidentiality for proprietary business information and sets a short implementation timeline.
At a Glance
What It Does
The bill bars manufacturers from accessing or sharing “covered data” absent an owner’s affirmative written consent (freely given, informed, specific, and withdrawable) and lists narrow exceptions (safety/performance, lawful warrants, court orders with notice, or emergencies). It requires manufacturers to provide owners free, real-time access to onboard user and vehicle-generated data via wired ports and wireless transmission, and to support an open API for deletion and setting user preferences.
Who It Affects
New-vehicle manufacturers (including makers of farming and construction vehicles), telematics and connected-service vendors, aftermarket developers that use vehicle data, insurers and advertisers who purchase or license telematics, and vehicle owners and fleet managers who will receive new data controls. The FTC must also build a report and enforce violations with its unfair-or-deceptive-act authority.
Why It Matters
The bill shifts legal control of vehicle data from manufacturers to owners, which could fracture current telematics business models, force design changes (hardware ports, APIs, encryption practices), and change how law enforcement, insurers, and third-party service providers obtain and use vehicle data. It also introduces national-security restrictions by banning transfers of personally identifiable information to specified foreign governments.
What This Bill Actually Does
The bill defines two broad categories of data: user data (data the owner or user transfers to the vehicle) and vehicle-generated data (all electronic data generated or processed onboard, including geolocation). That definition is expansive; it covers sensor outputs, processing-unit logs, and location history, so most modern telematics and ADAS telemetry will fall within the statute.
Manufacturers may not access covered data unless the vehicle owner (or next of kin if the owner is incapacitated or deceased) gives affirmative consent that is written, freely given, informed, specific, and easily withdrawn. The bill provides narrow operational exceptions: manufacturers can access data to improve vehicle safety or performance, and government requests are permitted only via warrant, a court order that includes notice and a 48-hour window to object, or in emergency-response situations.
The statute also forbids manufacturers from making personally identifiable information available to a named list of foreign governments.
To operationalize owner control, the bill requires manufacturers to deliver all covered data to owners at no charge beyond the vehicle purchase price, in real time, without arbitrary limits on third-party access, and without locking data behind proprietary decryption or paid devices. Access must be possible through the vehicle’s physical interface port and wirelessly when the vehicle supports wireless transmission, and manufacturers must enable an open API that allows owners to delete user data and set any user-configurable preference.
The law preempts conflicting state or local rules on these access requirements.
Enforcement is delegated to the Federal Trade Commission, which will treat violations as unfair or deceptive practices under the FTC Act; the FTC must also produce a congressionally directed report within 180 days describing who accesses vehicle data, occurrences of compromise, cybersecurity risks, foreign-government ties, and the feasibility of a neutral, standards-based secure interface. The bill takes effect three months after enactment and includes no new appropriation funding for FTC implementation.
The Five Things You Need to Know
Consent must be written, freely given, informed, specific, and easily withdrawn — manufacturers cannot rely on bundled terms-of-sale or purely electronic opt-outs that do not meet those standards.
Manufacturers may access covered data without owner consent only to improve vehicle performance or safety; other routine telemetry uses (analytics, targeted advertising) require owner consent.
The bill bans manufacturers from providing personally identifiable information to five named countries (North Korea, China, Russia, Iran, Venezuela).
Owner access obligations include: free access beyond the vehicle’s purchase price, real-time delivery, availability via the vehicle’s interface port and wireless transmission, and support for an open API that enables deletion and setting user preferences.
A court order exception requires manufacturers to give the owner notice and at least 48 hours to object and request a hearing before turning over data, except in emergency situations or where a warrant applies.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Short title
Names the statute the 'Auto Data Privacy and Autonomy Act.' This is purely stylistic but signals congressional intent to center both privacy and owner autonomy in the vehicle-data context.
Key definitions (covered data, covered vehicle, PII)
Sets the scope by defining 'covered data' (user data and vehicle-generated data) and expands 'vehicle-generated data' to include sensor outputs and geolocation. The PII definition explicitly includes geolocation and internet activity, which pulls a wide range of telemetry into the statute; manufacturers that previously treated location as non-identifying will need to reassess classification and handling practices.
Prohibitions, consent standard, and enforcement-related reporting
Prohibits manufacturers from accessing, selling, or sharing covered data without affirmative owner consent and enumerates exceptions: safety/performance access, warrants, court orders (with owner notice and 48-hour objection window), and emergencies. The section also blocks transfers of PII to specified foreign governments. It compels the FTC to deliver a 180‑day report detailing data flows, compromise incidents, cybersecurity risks, and the feasibility of a technology‑neutral secure interface, creating an evidence base for later rulemaking or standards development.
Owner access and technical requirements
Requires manufacturers to provide owners free, real-time access to all covered data, via wired interface ports and wireless transmission, without forcing owners to buy proprietary decryption or devices. It mandates support for an open API that enables deletion of user data and setting any user preference, and it expressly preempts state or local laws that would conflict with these access requirements. Practically, this forces design choices around port retention, telemetry streams, encryption key management, and API standardization.
FTC enforcement
Classifies violations as unfair or deceptive acts under the FTC Act and gives the Commission full FTC Act enforcement powers and remedies. That means civil penalties and administrative orders are available, but implementation will rely on the FTC's existing budget and rulemaking capacity because the bill authorizes no new appropriations.
Confidential business information carve-out
Affirms that manufacturers need not disclose confidential business information as defined in DOT regulations, which preserves some proprietary safeguards but leaves open disputes about what qualifies as 'confidential' when interoperability and owner access are at issue.
Effective date and funding
The law becomes effective three months after enactment and contains a no-new-appropriations clause, meaning the FTC must implement the statute using existing funds—an important practical constraint for enforcement, reporting, and potential standard-setting activities.
Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Individual vehicle owners — gain statutory rights to retrieve, delete, and control all in-vehicle data in real time without paying extra fees, increasing personal privacy and autonomy over location, usage, and preference data.
- Aftermarket app developers and independent service providers — benefit from mandated open APIs and physical/wireless access paths that reduce vendor lock-in and make it technically easier to offer third‑party telematics and personalization services.
- Privacy-conscious fleet managers and renters — receive clearer legal grounds to control telemetry and purge user data across vehicles under their control, simplifying compliance with corporate privacy policies and customer expectations.
Who Bears the Cost
- Vehicle manufacturers and their suppliers — must redesign hardware and software to provide ports, open APIs, key management, and safe decryption without monetizing access; they will face engineering, cybersecurity, and legal compliance costs.
- Insurers, advertisers, and analytics firms that monetize telematics — face loss of data sources or must obtain explicit owner consent, disrupting business models and potentially increasing acquisition costs for data.
- Federal Trade Commission — must produce a detailed report and enforce a new statutory regime without additional appropriations, stretching existing resources and prioritization within the agency.
Key Issues
The Core Tension
The central dilemma is between returning control of highly sensitive vehicle data to owners (protecting privacy and preventing commercial exploitation) and preserving the operational, safety, and security functions that depend on manufacturers’ access and proprietary technologies; tightening owner control reduces data-driven business models and could increase cybersecurity and public-safety costs, but loosening control exposes drivers to surveillance and monetization without clear consent.
The bill aggressively favors owner control, but that clarity creates a cluster of implementation challenges. First, the written, informed, freely given, withdrawable consent standard is strict and may be operationally hard to capture for transient users (loaner vehicles, rental cars, shared fleets) or for telemetry that is continuously generated.
Systems will need consent-granularity, session management, and next-of-kin flows, which are nontrivial for manufacturers that currently collect data under broad platform agreements.
Second, the technical mandates (real-time access, wired and wireless delivery, open APIs, no paid decryption) collide with legitimate cybersecurity and intellectual-property concerns. Exposing telemetry streams and retaining physical interface ports raises attack surface and liability questions; at the same time, the confidential-business-information carve-out will invite disputes over whether encryption schemes, API specifications, or diagnostic protocols are legitimately proprietary.
Finally, the statute’s national-security-oriented ban on transfers to specified foreign governments and the court-order notice requirement introduce friction for lawful cross-border supply chains and for urgent law‑enforcement needs, respectively—balancing rapid emergency access against procedural safeguards is unresolved and may produce conflicting operational requirements for manufacturers and third-party responders.