top of page

SBD Explores: Data Privacy, Regulation, and Driver Consent

Data from vehicles is used for positive outcomes. Data can help insurers understand the circumstances of an impact. It can be used by fleet operators to check a vehicle is being used appropriately, or by OEMs to help inform future product improvements.

The storage and use of vehicle data is regulated, and these regulations vary around the world. In the EU, there are GDPR requirements. The USA does not regulate automotive data at a national level, but some states have introduced specific requirements. Data is regulated in China, but the requirements are different to those in USA and Europe.

In this edition of SBD Explores, we discuss the variation in data privacy regulation and highlight how some OEMs are making data consent more accessible.

What is happening?

Data protection requirements for vehicles are not harmonized. Furthermore, general data protection requirements (not automotive specific) are not harmonized.

Harmonization of vehicle regulations is preferred by OEMs. Harmonization allows a vehicle or component to be developed for multiple markets which saves costs and reduces complexity. Like with any other regulations, differences in requirements create a homologation and compliance challenge. Differences add cost and can result in features not being made available in some regions.

In Europe, OEMs must observe GDPR when collecting and processing data. Some markets outside of Europe are revising their data protection policies to more closely align with GDPR. OEMs not in Europe may choose to align with GDPR to help compliance with those markets.

A customer’s informed consent to the use of their data should always be obtained upon purchase. ​This is slowing down the process of onboarding vehicles into fleets. SBD report 643 contains more information on how an OEM can develop a smoother consent process for fleet operators.

Why does it matter?

Globally, the number of incidents involving data protection or data privacy leaks is increasing. The data in graph 2 is not exhaustive, but indicative of a trend. UN ECE R155 was introduced to help OEMs manage cybersecurity risks but does not define data privacy or set requirements on how to provide in vehicle consent.

Data sharing is not the problem. The issue lies in how the data is being used and by whom.

Being transparent with customers about how their data is handled is also an important factor OEMs need to consider. For example, customers could have saved money on insurance premiums based on their driving if their driving data is shared with the insurance company by the OEM. The customer’s consent must be provided, and importantly, it must be easy to manage consent preferences.

The outcome is more interest from users in where personal data is used and more of a desire to want control over how data is used. The interest is not necessarily in regulation, but in how best to provide the user with consent options.

Where next?

All trendlines point to consumers caring more about privacy. Expect privacy start-ups to flourish, offering new types of data anonymization and giving consumers greater control.

Some car makers are already working towards positioning themselves as leaders in data protection and privacy. This could be a leader both data security and accessibility of consent controls.

In SBDs view, it is unlikely that countries will harmonize their national legislation. This would require political will and dedicated resources. OEMs will have to accept this. What can be harmonized, however, is the process of providing consent and verification of who is providing consent. This may happen.

In preparation for potential future pressures, it is recommended that OEMs work on a process for ensuring that the correct data consent preferences are selected. For example, if a family have access to a vehicle, the vehicle should be able to know who is driving and adjust consent options depending on the driver.

  1. The automotive sector has some data protection regulations, but they vary in each region. Given the fast pace of development, OEMs should monitor development to ensure you are aware of any overlap in requirements or duplication of work.

  2. Improving depth and accessibility in the vehicle could be the first step. Systems with more depth could give consent prompts, allow the disabling of consent for third party applications and allow the viewing of documents.

  3. The next stage may be the development of a way of verifying the identity of the user so that consent preferences can be adjusted automatically. A system that can tell who the user is. Also, effort may be put into developing an off-board server for data analysis and management, and on-board system serving as a ‘lock’.

  4. Part of data protection is a political decision, and even if harmonized requirements are put in place, some countries may choose to opt out or put in place their own requirements. In the long term, it may be a reasonable to expect data protection requirements to still be fragmented.

Who to watch out for?

SBD expects privacy to become a differentiator for many brands (particularly in the premium sector), who will build into their vehicles new types of privacy experiences.

The automotive industry can focus on harmonization of the method for a user to provide, or revoke, data consent. The degree of ease with which the consumer can understand and control who has access to their data and how it is being used will be a differentiating factor for OEMs.

The important thing is to focus on the process of allowing the user to manage data consent options from the vehicle infotainment screen. Requiring the user to visit a website is not following the principal of privacy and accessibility by design.

Making it easy to manage consent is important. The next step is to determine how to link consent preferences with an individual person, not link with a vehicle. Some vehicles may have consent in place when passed onto second owners for example (without the OEM’s knowledge). The second owner may have different preferences.

How should you react?


Monitor the progress of any privacy standards being drafted.


Identify OEMs providing data consent options in the vehicle, and any innovative designs


Improve the ability of the vehicle to adjust consent automatically depending on the driver.

Interested in finding out more?

Most of our work is helping clients go deeper into new challenges and opportunities through custom projects. If you would like to discuss recent projects we've completed relating to Data Privacy, contact us today!


Also, be sure to view our related content:



bottom of page