Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
New laws in California and New York may require vehicle manufacturers to provide drivers and domestic abuse survivors the right to terminate an abuser's access to connected vehicle services.
The laws on connected vehicle services, Section 399-ccccc of New York's General Business Law and Section 28220 of California's Vehicle Code, took effect 15 May and 1 July, respectively.
The legislation is an expansion of the federal Safe Connections Act of 2022, which requires telecommunications providers, upon the survivor's request, to separate a mobile phone line from an abuser, which is defined as an individual who has committed or allegedly committed crimes against the individual seeking relief, such as domestic violence or human trafficking.
The New York and California laws were passed to provide in-vehicle protections to survivors and prevent abusers from stalking, threatening and/or engaging in violence and other harmful acts against victims who may not have resources, options and/or meaningful support to gain independence from abusers. Under the laws, victims can cancel connected vehicle services without incurring any fees or penalties.
The laws have very specific procedural and technical requirements vehicle manufacturers and providers of connected vehicle services may need to implement. Manufacturers who fail to comply may be assessed a civil penalty of up to USD500 per violation under New York's connected vehicle services law. The California law is silent on penalties, but it could be enforced as a violation of the state's Vehicle Code.
Website disclosure
Both the New York and California connected vehicle services laws require certain disclosures on the covered provider's website. The New York law requires the covered provider to include information regarding the process for terminating an abuser's access to connected vehicle services in clear and accessible language on its website and applications.
Under California's law, the covered provider is required to include a link on its website entitled, "HOW TO DISCONNECT REMOTE VEHICLE ACCESS." This link guides victims to a page where they can submit a request to terminate an abuser's access to connected vehicle services and obtain a new connected vehicle services account.
Deadline to honor request
Both laws give the covered provider two business days to honor a victim's request.
Necessary information for a request
When making a request under New York's law, the victim must provide: the vehicle identification number; proof of legal possession of the vehicle, which may include the vehicle title or title paired with a lease agreement in the victim's name, a court order, proof of marriage with the abuser at the time the car was bought or leased, or other proof the commissioner of motor vehicle later provides; and a written attestation that the victim is a victim of domestic violence under New York law.
Under California's law, a victim's request must include: the vehicle identification number and proof of legal possession of the vehicle, which may include legal title to the vehicle, or a dissolution decree, temporary court order, or domestic violence restraining order that awards possession or exclusive use of the vehicle to the victim. California does not require a written attestation to confirm domestic violence.
The covered provider's response
Under New York's law, the covered provider must promptly notify the victim if terminating access is technologically infeasible. The covered provider must also notify the victim that they or a representative may be contacted to confirm the abuser's access to the connected vehicle services has been terminated.
Under the California law, the covered provider must automatically confirm receipt of the request via email, which must provide a reference number for the request and describe the next steps in the process. After the covered provider completes its review of the request, it must inform the victim of the action taken or if additional information or action is required and, if applicable, guidance on how to create their own connected vehicle services account.
Confidentiality, security and privacy
The covered provider must treat any information the victim provides as confidential and securely dispose it within 90 days of processing the request under the New York law. The covered provider, however, may maintain a record verifying it completed the request.
Under the California law, the covered provider: cannot provide the abuser any data or information regarding the victim, the vehicle, or any new connected vehicle service account generated after access was terminated; must handle information provided by the victim confidently, securely and privately, as required under applicable laws; and cannot share information the victim submitted with any third party without the victim's affirmative consent, unless sharing the information is required to complete the request.
Obligations inside the vehicle
Under the New York law, unless technologically impossible, a covered provider is required to provide a notification inside the vehicle that shows when a connected vehicle service is enabled and inform the victim of how to disable or modify the settings. Effective dates are staggered: 1 July 2026 for vehicles manufactured prior to 1 Jan. 2028, and 1 Jan. 2028 for vehicles manufactured on or after that date with connected vehicle services.
Beginning 1 Jan. 2028, the California law requires a covered provider to clearly inform the victim inside the vehicle when someone outside the vehicle has accessed a connected vehicle service or location.
In addition, the California law requires a covered provider to offer a mechanism for the survivor to use inside the vehicle that immediately disables connected vehicle location access that: is prominently located and easy to use; does not require access to, or use of, a remote or online application; does not require creating an account, password or login information (it is permissible to require the victim to input a mobile number); allows connected vehicle location access that has been disabled from inside the vehicle to be enabled only by the victim who is located inside the vehicle; and does not result in an account holder, vehicle manufacturer or a third-party service provider receiving any notification related to the connected vehicle location access being disabled, including an alert, email, text or telephone call.
California's obligations are also staggered: 1 July 2026 for vehicles manufactured before 1 Jan. 2028 that can receive necessary software updates, and 1 Jan. 2028 for vehicles manufactured after that date, which cannot receive such software updates.
Arsen Kourinian, AIGP, CIPP/A, CIPP/C, CIPP/E, CIPP/US, CIPM, FIP, is data privacy and AI governance partner at Mayer Brown.
