California regulator to assess connected vehicle manufacturers’ privacy practices

On July 31, the California Privacy Protection Agency’s Enforcement Division announced that it would be reviewing connected vehicle manufacturers’ and technologies’ privacy practices. Connected vehicles contain features that collect information about owners and riders, including location sharing, web-based entertainment, cameras, and smartphone integrations.

Under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, the Agency has the right to investigate potential violations of the CCPA. Violations can include using personal information for purposes not disclosed to consumers, not fulfilling consumer rights requests, and more. Section 1798.140(o)(1) of the CCPA defines “personal information” as “information that identifies, relates to, or could reasonably be linked with you or your household.” The California Attorney General’s Office provides examples of personal information on its website, such as geolocation data, fingerprints, records of products purchased, and individuals’ full names.

Due to the approximately 35 million vehicles currently registered in California, the Agency believes that connected vehicles, especially as they become more widespread, affect the majority of California consumers. When announcing its intentions, the Agency’s Executive Director, Ashkan Soltani, concluded that “modern vehicles are effectively connected computers on wheels. They’re able to collect a wealth of information via built-in apps, sensors, and cameras, which can monitor people both inside and near the vehicle.” The fact that connected vehicles can monitor devices near a vehicle presents broader concerns regarding the privacy of individuals who are neither drivers nor passengers.

The Agency’s concerns are timely. On April 6, Reuters published a report outlining findings about driver and rider privacy in Tesla vehicles. Although Tesla’s website represented that all vehicles are “designed from the ground up to protect your privacy,” interviews conducted by Reuters with nine former indicate that, between 2019 and 2022, Tesla employees shared internally “highly invasive videos and images recorded by customers’ car cameras,” in addition to more mundane images.

Reuters’ findings may not have been the catalyst for the Agency’s investigation, but a number of lawsuits have been filed against connected vehicle manufacturers over alleged data privacy violations. Although the lawsuits have so far been unsuccessful, the growing concern about how these vehicle manufacturers are collecting and using consumer data explain the Agency's decision to investigate. .

As the Agency initiates its first investigation, there is the potential for a large shift, not only in the automotive industry, but also in any field relying heavily on data and mobile technology. As these technologies continue to emerge and be adopted, the implications for organizations’ privacy practices will only grow.

The Constangy Cyber Team assists businesses of all sizes and industries with implementing necessary updates to their privacy and compliance programs to address these complex and evolving developments. If you would like additional information on how to prepare your organization, please contact us at

  • Jordan L. Fischer
    Of Counsel

    Jordan is a member of the Constangy Cyber Team and brings substantial expertise and leadership to the provision of compliance advisory services.  With her extensive experience in the global intersection of law and technology ...

  • Rebecca  Pollack

    Rebecca is a member of the Constangy Cyber Team, focusing her practice on advising clients regarding data privacy and cybersecurity matters. She leverages her business background and education in technology and privacy law to aid ...

The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation. 


* indicates required
Back to Page