On 30 June 2026, the French Data Protection Authority (CNIL) published comprehensive new guidance on the processing of personal data generated by connected vehicles, with a particular focus on geolocation data (available in French here). For automotive manufacturers, suppliers, and mobility companies with operations or customers in the EU, this 60-page guidance provides much-needed clarity on how to navigate EU privacy and data protection requirements applicable to vehicle-related data processing.
The guidance is relevant to vehicle OEMs, fleet managers, rental and leasing providers, telematics companies, and data aggregators. It offers practical examples and actionable recommendations to help organizations address the privacy and data protection challenges arising throughout the connected vehicle ecosystem and strengthen their compliance programs.
What Does the Guidance Cover?
The guidance provides a practical overview of the automotive digital ecosystem, clarifying the roles of the various stakeholders involved and the different sources from which location data may be collected – including in-vehicle sensors, telematics devices, mobile applications, and data aggregators. It also examines key privacy and data protection challenges arising from the use of location data in common real-world scenarios, such as fleet management, roadside and emergency assistance, fraud prevention and anti-theft measures, and the development and improvement of products and services. Throughout, the CNIL offers practical recommendations to help organizations balance innovation with compliance and ensure that location data is processed in accordance with the GDPR.
Among its key recommendations, the CNIL encourages organizations to:
- Assess when connected vehicle data qualifies as personal data, including where individuals can be identified through a vehicle identification number (VIN), registration documents, insurance contracts, vehicle rental agreements, or user profiles authenticated within an in-vehicle infotainment system;
- Consider the applicability of the EU ePrivacy rules when accessing or storing information on connected vehicle systems and determine whether user consent may be required. For example, consent may be necessary where location data from a rental vehicle is used to improve or optimize rental services;
- Clearly define the purposes for which connected vehicle data is processed and ensure compliance with the GDPR’s purpose limitation principle. The CNIL highlights a range of legitimate use cases, including fleet management, roadside and breakdown assistance, emergency response following an accident, fraud and theft prevention, and the optimization and improvement of products and services through the analysis of vehicle data;
- Identify the roles and responsibilities of stakeholders across the connected vehicle ecosystem. The CNIL provides a number of practical examples, such as a fleet manager geolocating rented vehicles to recover them in the event of non-return, or a telematics provider processing location data on behalf of a fleet manager;
- Determine who qualifies as a data subject, including vehicle owners, renters, drivers, and users authenticated within an infotainment system;
- Establish an appropriate legal basis for each processing activity and ensure it is implemented correctly in practice. The CNIL warns against bundling consent with the acceptance of terms and conditions, and provides practical examples of when specific GDPR legal bases may apply. For instance, processing may be necessary for the performance of a contract – such as where vehicle data is used to verify compliance with a mileage limit in a rental agreement – or to comply with a legal obligation, such as the EU eCall system, which automatically contacts emergency services following a serious accident;
- Apply the principles of data minimization and storage limitation, for example in use cases involving emergency assistance services or the processing of geolocation data in vehicle rental arrangements for theft prevention and fraud detection purposes;
- Provide clear and accessible privacy information through vehicle sales or rental agreements, service contracts, separate documentation (such as maintenance booklets or vehicle manuals), and in-vehicle infotainment systems;
- Facilitate the exercise of data subject rights, including access, erasure, portability, and deletion, through both in-vehicle interfaces and dedicated applications; and
- Implement robust cybersecurity and data protection measures, including adherence to relevant international vehicle cybersecurity standards, as well as technical safeguards such as encryption (in transit and at rest), access controls, authentication mechanisms, and pseudonymization.
The CNIL also provides targeted guidance on a number of specific topics, including the anonymization of location data, the use of location data for commercial fleet management, and the operation of location technologies such as telematics devices and data aggregators. In addition, it explores the GDPR roles and responsibilities that may arise across complex data-sharing arrangements – a particularly important issue for international automotive supply chains – and highlights the cybersecurity and data protection measures organizations should implement when deploying and relying on these technologies.
Why This Matters – and What to Do Next
The CNIL’s guidance is particularly valuable because it complements the European Data Protection Board’s earlier guidance on connected vehicles and mobility-related applications with updated, practical insights that reflect recent technological and market developments. For automotive businesses selling into or operating in the European market the guidance serves as a useful roadmap for identifying compliance gaps and strengthening data protection programs ahead of potential regulatory scrutiny.
The A&B Privacy, Cyber & Data Strategy Team regularly advises automotive manufacturers, suppliers, and technology companies on the applicability of EU privacy and data protection requirements to connected vehicle operations. We would be pleased to assist your organization in assessing its obligations and implementing practical measures to enhance compliance.
