Feb. 27, 2026
Privacy Regulation of Auto Industry to Accelerate in 2026 – Part 2
In a recent post, we examined the scrutiny applied by the Federal Trade Commission (FTC) to the practices of the automobile industry with respect to consumer privacy and vehicle-generated data, including geolocation and other telematics information. But federal regulators are not alone in their regulatory and enforcement efforts in this space, and in this post, we will examine regulatory enforcement and legislative activity at the state level.
California Sets its Sights on Location Tracking
California’s privacy regulator, the California Privacy Protection Agency (CPPA), first turned its attention to the automobile industry in July 2023 when it announced a review of connected vehicle privacy practices. The CPPA and the California Attorney General (AG) both have authority to enforce various California privacy laws and may collaborate in investigations and enforcement. The agencies also cooperate with other state privacy regulators and international data protection authorities.
In March 2025, the California AG announced an ongoing investigatory sweep intended to examine the privacy practices of the location data industry. Because precise geolocation data is considered to be sensitive personal information under the California Consumer Privacy Act (CCPA), the AG was particularly focused on determining whether businesses were providing consumers with an adequate right to opt out of the sale or sharing of such information and giving them the right to limit the use of such information. Virtually every comprehensive privacy law considers precise geolocation data to be sensitive information subject to heightened controls.
In March 2025, the CPPA announced its first enforcement action and entered into a stipulated final order with an auto manufacturer pursuant to which the company agreed to pay a $632,500 fine and make certain changes to its practices to comply with state privacy laws. Specifically, the CPPA alleged the manufacturer had violated the privacy rights of Californians by:
- Requiring Californians to verify themselves and provide excessive personal information to exercise certain privacy rights, such as the right to opt-out of sale or sharing and the right to limit the use of their personal information;
- Utilizing an online consent management tool that did not offer symmetrical privacy choices (e.g., “reject all” or “accept all”);
- Making it challenging for authorized agents to exercise the privacy rights of Californians who had authorized such parties to act on their behalf; and
- Failing to include the necessary privacy-protective and legally required terms in the contracts with ad tech companies with whom they shared the personal information of consumers.
For the automobile industry, the additional state-level scrutiny marked an inflection point—confirmation that regulators now view connected vehicles through a privacy lens, with the compliance expectations that entails. The California AG’s more recent $2.75 million settlement with a large entertainment company over purportedly ineffective opt-outs focused on the company’s failure to opt users out across devices and services, highlighting the importance of applying opt-outs in a comprehensive manner for any industry that collects data from users across multiple devices and services.
Oregon Updates its Privacy Law to Target Vehicle-Generated Data
In addition to regulatory scrutiny, there were legislative changes in 2025 targeting data collected by automobiles, reflecting a growing trend among states to close perceived regulatory gaps and protect sensitive vehicle data. Oregon updated its privacy law in 2025 to cover motor vehicle manufacturers and affiliates that control or process personal data obtained from a consumer's use of a motor vehicle, mandating that those entities must comply with the requirements of Oregon’s privacy laws regardless of the number of consumers from which the motor vehicle manufacturer or affiliate obtains personal data. Previously, car makers and affiliates may have been exempt from the law if they did not meet certain thresholds (e.g., processing the personal data of fewer than 100,000 Oregon consumers or deriving less than 25 percent of their revenue from selling data).
Oregon also amended its privacy law to prohibit the sale of precise geolocation data relating to an individual or their device (past or present), the sale of personal data of children under 16, and using the data of children under 16 for targeted advertising and certain types of profiling. Oregon’s requirement to honor universal opt-out requests also went into effect in January 2026. These changes mean that all car makers operating in Oregon must be prepared to honor consumers’ requests to access, delete, and opt out of the sale of their vehicle-generated data (including or in addition to, as relevant, “back-end” personal data – such as marketing profiles or shopping patterns), and, at a minimum, assess their use of minors’ data and precise geolocation data and implement appropriate controls.
Texas Investigates an Insurer, its Analytics Affiliate and Others
In January 2025, the Texas AG sued an insurer and its analytics affiliate for “unlawfully collecting, using, and selling over 45 million Americans’ driving data to insurance companies,” citing violations of the Texas Data Privacy and Security Act (TDPSA), the Data Broker Law, and the Texas Insurance Code’s prohibition on unfair and deceptive acts and practices in the business of insurance. This lawsuit is one of numerous Texas AG investigations, which have focused on whether drivers knowingly opted into telematics programs and whether their data was being used for insurance‑related scoring without effective notice. Key to the complaints and inquiries was the sale of telematics data to insurance companies that then penalized drivers by increasing rates or dropping them from insurance coverage.
Connecticut Applies Increasing Regulatory Pressure
The Connecticut AG’s office recently announced that it had issued dozens of violation notices and warning letters to companies in 2025, with a focus on key areas such as connected vehicles and data showing drivers’ location and driving habits, geolocation data, minors’ data, data brokers, and chatbots. The Connecticut AG reiterated its priorities around other sensitive data as well, with a particular emphasis on the data of minors and consumer health data. This year, we anticipate additional enforcement related to the notices and letters issued by the AG. We also anticipate a convergence of sensitive data issues as use cases involving geolocation tracking, minors, and/or health-related data pose heightened risks and test companies’ data minimization practices.
Virginia and Other States Move to Ban Location Data Sales
On February 3, 2026, the Virginia Senate passed a bill (SB 338) that would amend Virginia’s Consumer Data Protection Act to ban the sale of precise geolocation data. SB 338 is currently making its way through the Virginia legislature and was unanimously reported out of the Communications, Technology and Innovation Committee. If SB 338 is enacted, Virginia would join Maryland and Oregon in banning the sale of precise geolocation data, with a number of other states expected to consider similar bans in the 2026 legislative session. Maine, for example, recently advanced a comprehensive privacy law, which contains a prohibition on the sale of sensitive data, including precise geolocation and minors’ data, and last month, Consumer Reports released new model legislation that provides states with a framework for prohibiting location data sales (the State Location Privacy Act).
State regulators’ and state legislators’ postures suggest that connected‑vehicle data will remain a priority across multiple states—not just those with auto‑centric laws.
What Automobile Manufacturers Should Expect in 2026
In this rapidly evolving regulatory landscape, manufacturers should expect to see the following developments in the coming year:
- Vehicle‑Generated Data Will Continue to Be Treated as Highly Sensitive. Regulators increasingly classify location data as requiring special protections. This will be especially critical when location data implicates other sensitive information, such as minors’ data or visits to healthcare facilities.
- Data‑Driven Revenue Models Will Face Heightened Scrutiny. If an automaker offers subscription features, usage‑based insurance integrations, driver‑monitoring services, or personalized in‑vehicle experiences, regulators will evaluate whether the underlying data uses are clearly disclosed and whether consent is valid. This will be relevant to consider when related apps are developed and used by the automakers or a third-party vendor.
- Multistate and Federal Enforcement Will Increase. Manufacturers should expect parallel investigations rather than isolated inquiries, increasing response complexity. Look out for increased international regulatory focus on vehicle and driver-related data as well.
- Private Litigation Will Rise. Plaintiffs’ attorneys are increasingly targeting issues such as infotainment‑system data extraction, persistent tracking, and undisclosed sharing of vehicle telemetry.
Manufacturers should remain vigilant in monitoring, anticipating, and responding to the complex vendor management landscape and likely increase in government requests for location data and other sensitive information.
