The list of industries being targeted for privacy enforcement is continuing to grow. California Attorney General Rob Bonta has announced that his next wave of privacy reviews is aimed at connected vehicle manufacturers and related technologies. Vehicles are connected to their operators in a way they never have been before, underlining privacy issues with “location sharing, web-based entertainment, smartphone integration, and cameras,” because “vehicles often automatically gather consumers’ locations, personal preferences, and details about their daily lives.”

Why does this matter to me if I don’t work for a vehicle manufacturer? Because it continues to reinforce the priorities of AG Bonta. You need to know where your data is, how it’s used, the retention policy, and where that data is shared externally. This needs to be accurately reflected in your privacy policy. This foreshadows their enforcement strategy.

Computers on Wheels

The California Privacy Protection Agency is holding these manufacturers accountable as they’re capturing the PI of its owner, and sometimes passengers, essentially in the same way and as frequently as personal devices like cell phones and laptops. The CCPA’s Executive Director Ashkan Soltani says, “Modern vehicles are effectively connected computers on wheels. They’re able to collect a wealth of information via built-in apps, sensors, and cameras, which can monitor people both inside and near the vehicle.”

Many new vehicles connect to phones, capturing data that vehicle manufacturers would not otherwise have access to and can now collect, use, and sell like online entities. “Our Enforcement Division is making inquiries into the connected vehicle space to understand how these companies are complying with California law when they collect and use consumers’ data,” Soltani said.

With this latest round of inquiry letters, we expect a heavy emphasis on disclosures and notices that use vague and intentionally misleading language about the collection and sale of data. There could be, and likely will be, a trickle-down effect on non-autonomous vehicles that also have technology capturing user data. Letters are going out and will likely inquire as to the auto manufacturer’s data collection practices, data storage, and if/how that data is shared or sold and how transparently this is reflected in the privacy policy.

Inquiries Snowballing in Wake of Future Operating Rules Enforcement Date

This is yet another reminder that the CPPA and AG Bonta are not sitting on the sideline and waiting for March 29th, 2024, but proactively asking questions via inquiries that could potentially be used against organizations that have resisted or not met compliance requirements. This trend of the CPPA and AG targeting new categories of companies that have expanded into consumer data collection is going to continue as we inch closer to enforcing the operating rules of CPRA.

If you receive an inquiry letter and would like to discuss your obligations or have questions about compliance via the Truyo platform, reach out to

About Ale Johnson

Ale Johnson is the Marketing Manager at Truyo.