Modern cars are quietly turning into rolling data centers, and the companies that build them are working to keep that information under tight corporate control, not in drivers’ hands. As lawmakers and regulators start to push back, some automakers and their allies are floating penalties that would treat independent access to vehicle data as a crime on par with serious hacking, with talk of 3 to 5 year punishments for what many drivers assume is routine tinkering.
The fight is no longer just about who fixes a broken sensor or replaces a battery. It is about whether the data trail from every commute, school run, and late‑night drive belongs to the person behind the wheel or to the manufacturer that wants to monetize and lock it down.
Connected cars are already harvesting your every move
The starting point for any debate over criminal penalties is the sheer volume of information that connected vehicles already collect. If you drive a car made in the past five years, there is a strong chance it is logging detailed records of your speed, braking, location, and even how hard you turn the wheel, often without any clear explanation of where that information goes or how it is used. That quiet shift from mechanical machine to networked computer on wheels has happened faster than most drivers realize, and it sets the stage for aggressive control over who can see or reuse that data.
Privacy advocates have documented how this data flow can spill far beyond the dashboard. One investigation found that Mar drivers who enrolled in telematics programs discovered their behavior data had been funneled into reports for insurers and data brokers, even when they did not understand that was part of the deal, and that General Motors had been reprimanded by federal officials for sharing precise driving information with firms such as Experian, Equifax, and TransUnion, a pattern detailed in guidance on how to stop your car from collecting and sharing driving data. That same reporting warns that if you drive a car made in the past five years, chances are it is collecting reams of data about your driving, even if you have never opened the privacy settings, a reality underscored in a separate explanation of how modern vehicles track where your information goes.
From privacy scandal to regulatory crackdown
Regulators have started to treat this quiet data extraction as more than a customer‑service problem. Earlier this year, the FTC announced that it would not tolerate carmakers turning location and behavior logs into a side business without clear consent, signaling that the era of unchecked surveillance from the driver’s seat is ending. That shift reflects a broader recognition that vehicle data is sensitive in the same way smartphone location histories are, because it can reveal where people live, work, worship, and seek medical care.
The most visible example so far is the case of General Motors. In a detailed enforcement action, the FTC described how it Takes Action Against General Motors for Sharing Drivers, Precise Location and Driving Behavior Data Without Consen, laying out how the company’s telematics programs had transmitted granular trip information to third parties without adequate permission, a pattern captured in the agency’s account of how the FTC Takes Action Against General Motors for Sharing Drivers’ Precise Location and Driving Behavior Data Without Consen. A related settlement bars General Motors from disclosing consumer driving data for 5 years, with the FTC and General Motors agreeing to terms that are described as a step toward protecting people from unchecked surveillance in coverage of how the FTC bans GM from disclosing consumer driving data for 5 years. Those moves show regulators are willing to punish misuse of data, even as automakers lobby to keep control over the same information when independent repairers or drivers want access.
Automakers’ push to criminalize access to your own car’s data
Against that backdrop, some industry voices are arguing that drivers and independent technicians should face criminal penalties if they bypass digital locks to read or modify vehicle data. In practice, that means treating access to diagnostic logs, sensor readings, or software configurations as a potential crime, even when the goal is simply to repair a car or understand how it is being monitored. The proposed penalties, often framed in the range of 3 to 5 years, would lean on anti‑circumvention rules that were originally designed to stop large‑scale piracy, not to keep owners away from their own odometers.
The logic is on full display in a widely shared video in which Louis Ro walks through how Automakers are leaning on the DMCA to argue that bypassing software protections on a vehicle should be treated as a criminal act, a stance that has sparked intense debate among technologists and drivers who see it as an overreach, as discussed in the clip on how Automakers think it should be criminal to access your own car’s data – DMCA fail. That argument has spilled into online forums as well, where Dec commenters dissect the idea that accessing your own car’s data could be criminalized and warn that such a move would be a strong reason to avoid heavily digital vehicles, a sentiment captured in a discussion thread titled automakers think it should be criminal to access. Together, they show how a law meant to protect copyrighted media is being repurposed to lock down the digital guts of cars.
Right to repair collides with data lock‑in
The push to criminalize access does not happen in a vacuum. It sits squarely on top of a long‑running fight over the right to repair, where manufacturers have already used software locks and warranty terms to steer customers back to authorized service centers. When the same companies argue that reading or modifying vehicle data should carry 3 to 5 year penalties, they are effectively turning a business preference into a legal threat, one that could chill independent garages and tech‑savvy owners alike.
Legal scholars have noted that Companies are increasingly lobbying against right to repair laws to protect their interests, while Consumer advocates argue that this trend will ultimately impact consumers by raising costs and limiting choices, a tension laid out in an analysis of how Companies and Consumer advocates clash over the right to repair. In the automotive world, that lobbying now extends to the data layer, where access to logs and software is essential for diagnosing problems in modern vehicles. If circumventing a digital lock to read an error code can be painted as a DMCA violation, the right to repair becomes a hollow promise, and the threat of multi‑year penalties becomes a powerful deterrent.
Who owns the data: driver or manufacturer?
Beneath the legal maneuvering sits a more basic question that courts and regulators have not fully resolved: who actually owns the data that a car generates. Automakers often behave as if they hold full rights over every byte, from GPS traces to camera feeds, while drivers assume that information about their own movements belongs to them. That gap in expectations is exactly what makes criminal penalties so fraught, because they would effectively enshrine the corporate view of ownership into law.
Academic work on autonomous driving underscores how unsettled this is. One detailed study notes that Controversy persists over whether driving data belongs to users or automakers, and that the mainstream view is still evolving as connected and self‑driving systems spread, a debate mapped out in research on Controversy over driving data ownership. Industry guidance for companies working with smart vehicle data echoes that uncertainty, noting that Ownership Challenges The question of who ultimately owns and controls vehicle data remains contested despite regulatory changes, a point made explicit in a briefing on Ownership Challenges The question of who ultimately owns and controls vehicle data. Until that core issue is settled, treating independent access as a crime effectively picks a side in a live policy fight.
Europe’s “extended vehicle” model and the global access fight
While the United States wrestles with DMCA arguments, Europe has been quietly building a different framework around what it calls the “extended vehicle,” where data flows from cars to manufacturer‑controlled servers before anyone else can see it. That model gives automakers a central gatekeeping role over who can access information, from insurers to repair shops, and it has already raised alarms among competition and privacy experts. If similar ideas take hold elsewhere, the combination of centralized control and criminal penalties could make it nearly impossible for independent actors to work with vehicle data at all.
Legal analysis of the extended vehicle concept notes that However, the discussion on third-party access to vehicle data raises not only competition law issues, but also a number of data protection questions, since routing everything through manufacturer platforms concentrates both market power and sensitive information, as explored in a review of car data protection in the extended vehicle. A separate assessment of the broader ecosystem notes that As a result, the industry faces a complex and evolving landscape, where legal frameworks and technological developments shape access, ownership, and control over vehicle data, a dynamic described in research on how the industry faces a complex and evolving landscape. Those European debates matter globally, because they show how data access rules can harden into structures that are difficult to unwind once they are in place.
Lawmakers test new limits on automakers’ data power
In Washington, some members of Congress are trying to move the pendulum in the opposite direction, away from corporate lock‑in and toward explicit rights for drivers. Proposed legislation would limit how automakers can collect and use vehicle data, and would give consumers clearer control over what is stored, shared, or deleted. If those bills advance, they could undercut the logic for treating independent access as a crime by affirming that drivers have a legitimate stake in the information their cars generate.
One proposal, described in a Cybersecurity Policy Report, would create Bicameral Legislation Would Restrict Automakers, Use of Vehicle Data by setting boundaries on how companies can exploit information from connected vehicles and by giving drivers the ability to see what is held about them and to delete it, as outlined in a summary of how Bicameral Legislation Would Restrict Automakers’ Use of Vehicle Data. In Europe, regulators are layering on their own rules, with legal commentators warning that While the Data Act, Act and other incoming EU legislation may be grabbing the legal headlines for automobile manufacturers, data protection obligations specific to autonomous driving should not be forgotten in the regulatory onslaught, a reminder captured in guidance on While the Data Act, Act and other EU rules reshape autonomous driving. Together, these efforts show lawmakers trying to catch up with technology before criminal penalties lock in a one‑sided status quo.
Regulators warn fines alone may not be enough
Even with new laws and headline‑grabbing enforcement actions, there is a growing sense that fines alone will not change automakers’ incentives. For large companies, a penalty for mishandling data can be written off as a cost of doing business, especially if the underlying data streams remain lucrative. That is part of what makes the industry’s interest in criminal penalties so striking: it suggests a desire not just to pay for missteps, but to deter others from touching the data at all.
Commentary on the FTC’s posture toward automakers has been blunt on this point, warning that IF anything happens with this, it will be, at best, a cost of doing business and that fines are likely to be a fraction of the revenue at stake, a skepticism laid out in an analysis of how the FTC hints at regulatory action against automakers for terrible privacy practices. That dynamic helps explain why some privacy advocates argue for structural remedies, such as mandated data portability or default local storage, rather than simply higher fines. Without those deeper changes, the temptation to lock down data and criminalize outside access will remain strong.
What drivers can do while the law catches up
For now, drivers are stuck in the middle of a fast‑moving policy fight. On one side, automakers and their allies are testing how far they can push DMCA arguments and criminal penalties to keep control over vehicle data. On the other, regulators and lawmakers are only beginning to sketch out rules that recognize drivers’ interests in privacy, repair, and ownership. Until those rules solidify, the practical question is how much control an individual can reclaim without running afoul of the very restrictions being debated.
Privacy guides recommend starting with the basics, such as turning off optional telematics programs, pruning app permissions, and asking dealers to disable data‑sharing features where possible, steps that can reduce how much information a car sends back to corporate servers even before new laws take effect. At the same time, the growing backlash in communities of drivers, technologists, and independent repairers, visible in everything from detailed enforcement write‑ups to viral videos and Dec comment threads, suggests that attempts to attach 3 to 5 year penalties to routine access will not go unchallenged. The outcome will determine whether the next generation of cars feels like a tool you own or a subscription service that watches you, and punishes you, for looking under the hood.
More from MorningOverview
