Tracking Technology And Vehicle Data Laws Are Changing Fast
- 01. Tracking technology and vehicle data: who really owns it?
- 02. Why this matters now
- 03. Who controls what
- 04. What the EU rules say
- 05. Tracking technology at work
- 06. Common legal risks
- 07. What businesses should do
- 08. How disputes arise
- 09. What consumers should ask
- 10. Bottom line for readers
Tracking technology and vehicle data: who really owns it?
The short answer is that vehicle data is usually not "owned" in the simple, consumer-property sense; instead, different parties control different rights to collect, access, use, and share it, and those rights depend on the data type, the contract, and the jurisdiction. In the EU, the Data Act now gives vehicle users stronger rights to access data generated by connected cars, while privacy rules still limit how personal and location data can be processed.
Why this matters now
Modern cars are rolling computers. A connected vehicle can generate location traces, diagnostic codes, driver behavior metrics, battery performance data, route history, and infotainment records, which means the question of ownership is really a question about control over a valuable digital asset called vehicle data.
The issue became sharper as regulators moved from treating car data as a technical byproduct to treating it as a commercial and privacy-sensitive resource. The EU Data Act, which became applicable on 12 September 2025, is the clearest example of that shift because it forces manufacturers to provide users with access to certain data and to share some of it with third parties under fair, reasonable, and non-discriminatory terms.
Who controls what
In practice, control is split across several actors: the driver or fleet operator, the vehicle manufacturer, the telematics provider, the repair shop, the insurer, and sometimes the app developer or data broker. The core rule is that the person or business using the vehicle may have rights to access the data, but the manufacturer or service provider may still hold the systems that collect and process it, which creates a layered ownership structure around connected vehicles.
- User rights: Access to data generated by use of the vehicle, especially where the data is needed for repair, maintenance, or third-party services.
- Manufacturer control: Control of onboard software, cloud platforms, and proprietary analytics, even when the user can request copies of data.
- Privacy limits: Personal data such as geolocation, driver identity, and usage patterns are protected by privacy law and cannot be handled freely.
- Contract terms: Leasing agreements, fleet policies, and app terms can shape access, retention, and deletion rights.
What the EU rules say
The EU's current framework is important because it separates access from property. Under the Data Act, manufacturers must make relevant vehicle-generated data available to users and, in some cases, to third parties chosen by the user, while charging only fair and non-discriminatory fees to data recipients where fees are allowed.
The European Commission's guidance also clarifies that the rules apply to the data that falls within the scope of Chapter II of the Data Act, so not every signal from a car is automatically open for reuse. That matters because the law is trying to balance innovation, repairability, and competition against cybersecurity, trade secrets, and privacy obligations.
| Data type | Typical controller | Likely user right | Main legal pressure |
|---|---|---|---|
| Location history | Manufacturer, fleet platform, app provider | Access, correction, deletion in many cases | Privacy and consent rules |
| Diagnostic fault codes | Manufacturer or telematics provider | Access for maintenance and repair | Data Act access rules |
| Driver behavior scores | Insurer or fleet operator | Notice, access, objection depending on context | Privacy and employment law |
| Infotainment and app data | Platform owner or service provider | Access depends on service terms | Contract and privacy rules |
Tracking technology at work
Fleet tracking is legal in many settings, but it is not a blank check. In employment contexts, monitoring must usually be transparent, limited to a legitimate purpose, and proportionate to what the employer actually needs, especially when the vehicle is also used privately.
That is why many compliant fleet programs now separate business-hours tracking from off-hours privacy settings, publish written tracking policies, and minimize collection to route, safety, and maintenance data instead of continuous personal surveillance. In other words, the legal risk rises sharply when GPS tracking stops being operational and starts becoming intrusive.
Common legal risks
The biggest mistake companies make is assuming that because data comes from a company car, the company can do anything it wants with it. That assumption is wrong in the EU and increasingly risky elsewhere, because geolocation, driver identifiers, and vehicle usage data can all qualify as personal data when they can be linked to an individual.
Another common problem is over-collection. Regulators generally look more favorably on systems that collect the minimum data needed for a defined business purpose than on systems that quietly record every movement, every stop, and every private trip for months at a time.
"Access does not always mean ownership; it often means a regulated right to use data under specific conditions."
What businesses should do
Companies that rely on telematics, leasing, or connected-vehicle services should treat vehicle data as a compliance issue, not just an IT feature. A good program starts with mapping what data is collected, who receives it, how long it is kept, and whether it can identify a person directly or indirectly.
- Inventory every data stream from the vehicle and related apps.
- Classify each stream as personal, operational, or commercial.
- State the purpose of collection in plain language.
- Limit access to only the people and vendors who need it.
- Publish retention, deletion, and off-hours privacy rules.
- Review contracts with manufacturers, fleets, insurers, and repair partners.
How disputes arise
Disputes usually happen when a user wants data for repair, resale, insurance, or portability and the manufacturer refuses, delays, or charges too much. The Data Act was designed to reduce that friction by making access more predictable, especially for independent workshops and service providers that need vehicle-generated data to compete on fair terms.
At the same time, companies can still push back when access would reveal trade secrets, weaken cybersecurity, or expose personal data without a lawful basis. That tension is the heart of the new regime: regulators want more openness, but they do not want a free-for-all around vehicle-generated data.
What consumers should ask
Consumers buying or leasing a connected car should ask who can see the data, whether the vehicle tracks location by default, whether the owner can export or delete data, and whether third parties can access it through apps or service portals. Those questions matter because the most valuable part of a car today is often not the engine or battery alone, but the information the car continuously produces.
A useful rule of thumb is this: if a car feature seems "free," the data may be part of the payment model. That does not automatically make the practice unlawful, but it does make transparency and consent central to the deal.
Bottom line for readers
The decisive shift is that car data is no longer treated as an invisible manufacturer asset; it is now a regulated resource with user access rights, privacy constraints, and commercial value. For drivers, fleets, and businesses, the safest assumption is that data rights are shared, conditional, and increasingly enforceable rather than absolute.
Everything you need to know about Tracking Technology And Vehicle Data Laws Are Changing Fast
Who owns the data from a connected car?
There is usually no single owner in the traditional sense; instead, the user may have access rights, the manufacturer may control the platform, and privacy law may restrict how personal data is processed.
Can an employer track a company vehicle?
Yes, but only with a lawful purpose, clear notice, and proportionate monitoring, and private use of the vehicle typically requires stronger privacy safeguards.
Does the EU Data Act give drivers full ownership?
No. It gives users stronger rights to access and share certain vehicle-generated data, but it does not erase privacy, cybersecurity, or contract limits.
Can repair shops access vehicle data?
In the EU, yes in many cases, because the Data Act is designed to support access for independent service providers on fair, reasonable, and non-discriminatory terms.
Is GPS data considered personal data?
Often yes, because location information can identify or profile a specific driver or household when combined with other records.