top of page
Search

Industry Briefing: The Data Act & the DRIVER Act — Vehicle Data Becomes a Regulated Asset

  • May 2
  • 4 min read

The Industry Brief – May 2026


Executive Summary


Vehicle data is becoming a regulated asset class.


The European Union’s Data Act and the proposed United States DRIVER Act mark a structural shift in who controls vehicle data—and how it is accessed, governed, and monetised. For insurers, fleet operators, and telematics providers, this is not a compliance exercise. It is a redefinition of the operating environment.


As access expands, a new challenge emerges: access to data does not guarantee trust in data.


The EU Data Act: A Structural Shift in Data Control


The EU Data Act (Regulation (EU) 2023/2854), adopted in 2023, entered into force on 12 September 2025, with a second major implementation deadline on 12 September 2026. It establishes a harmonised framework for accessing and using data generated by connected devices across the European Union.


For the automotive sector, this represents a direct shift away from manufacturer-controlled data models. Vehicles are formally recognised as connected products, and users—vehicle owners, drivers, and fleet operators—are granted the right to access data generated by their vehicles.


This includes:


  • Raw sensor data (wheel speed, brake pressure, yaw rate)

  • Engine metrics (RPM, oxygen sensor data)

  • CAN bus messages

  • Processed outputs such as location, fuel consumption, and battery levels


Access must be provided free of charge, in a structured, machine-readable format, and in real time where technically feasible.


The implications are immediate:


  • OEM-controlled data silos are weakened

  • Data portability becomes enforceable

  • Barriers to third-party innovation are reduced


For insurers, this expands access to telematics and operational data while introducing stricter requirements around data governance, consent, and security, particularly where personal data intersects with GDPR obligations.


The DRIVER Act: Reasserting Data Ownership in the United States


In the United States, the proposed Data Rights to Information and Vehicle Electronic Records (DRIVER) Act (H.R. 1012, 119th Congress), introduced in December 2025, seeks to establish a parallel principle:


vehicle owners should have full access to data generated by their vehicles, without additional cost.


The legislation would prevent manufacturers from restricting access through contractual or technical barriers and would give consumers control over how their data is shared.


A parallel proposal, the Auto Data Privacy and Autonomy Act (ADPA), reinforces this direction by requiring explicit consent for data access and limiting unauthorised data use.


Industry support is emerging through coalitions representing insurers, fleet operators, and mobility providers, signalling a broader shift toward data transparency and user control.


State-Level Fragmentation: The Emerging Compliance Challenge


While federal legislation evolves, individual US states are advancing their own frameworks.


Examples include:


  • California’s Consumer Driving Data Protection Act (AB-1833)

  • New York’s proposed telematics disclosure requirements (S05486)

  • North Carolina’s consent-based telematics legislation (H81)


These measures introduce:


  • Stricter consent requirements

  • Expanded transparency obligations

  • Limitations on how telematics data may be used


For insurers and telematics providers operating across jurisdictions, this creates a fragmented regulatory landscape, increasing both operational complexity and compliance costs.


Litigation Risk: The Cost of Opaque Data Practices


Regulation is being reinforced by litigation.


Recent cases highlight the risks associated with unclear or non-consensual data practices:


  • A federal case against Allstate alleges unauthorised driver tracking via mobile applications, raising questions under the Federal Wiretap Act and the Fair Credit Reporting Act.

  • General Motors faces multiple lawsuits related to the sale of telematics data, including state-level actions seeking financial penalties and changes in data practices.


These cases reinforce a clear pattern: when data practices outpace consent and transparency, legal and reputational risk follows.


Strategic Implications


The convergence of regulation and litigation is reshaping the competitive landscape.


For Insurers


  • Expanded access to telematics data enables more precise underwriting and claims validation

  • Increased responsibility for data governance, consent management, and security architecture

  • Greater need for infrastructure capable of ingesting and processing high-volume data streams


For Fleet Operators


  • Improved access to vehicle data without additional OEM-imposed costs

  • Greater control over operational data and analytics

  • Reduced dependency on proprietary manufacturer ecosystems


For Telematics Providers


  • A more level competitive environment as data access becomes standardised

  • Differentiation shifts from data access to data interpretation and insight

  • Increased compliance requirements across jurisdictions


From Access to Verification: The Next Competitive Layer


The regulatory direction is clear: vehicle data is becoming more accessible and more user-controlled.


However, access alone does not resolve a critical issue:


  • Data may be incomplete

  • Data may be manipulated

  • Data may not meet evidentiary standards


As a result, the next phase of competition will be defined not by access—but by trustworthiness.


Access to data does not equal trust in data.


Systems capable of generating independent, tamper-resistant, and cryptographically verifiable evidence will become essential—particularly in high-stakes environments such as insurance claims and asset recovery.


Implications for Vehicle Security


As regulatory frameworks expand access and control, they expose a fundamental gap: who verifies the integrity of the data?


Vehicle security systems must evolve beyond tracking alone.


Solutions that operate independently of standard tracking—and that can produce verifiable evidence of events such as theft, tampering, or dismantling—will become increasingly important in aligning:


  • insurers (proof and claims validation)

  • fleet operators (operational certainty)

  • regulators (compliance and transparency)


Norovari’s approach is grounded in this principle: not just access to data, but confidence in its integrity.


Conclusion


The walls around vehicle data are coming down.


Regulation is shifting control toward users. Litigation is enforcing accountability. Market structures are adjusting accordingly.


For industry participants, the implications are clear:


  • Data access will expand

  • Compliance requirements will increase

  • Verification will become a defining capability

Those prepared for this shift will operate with greater clarity, control, and trust.

Those who are not will face rising legal, financial, and operational risk.


The Industry Brief is published monthly by Norovari.

This briefing draws on Regulation (EU) 2023/2854 (EU Data Act), the DRIVER Act (H.R. 1012, 119th Congress), related US state legislation, and recent court filings.


 
 
 

Comments

bottom of page