Is rise of data and AI regulations a challenge or an opportunity?
Right To Repair and EU Data Act as a step towards data monetization.
Legislators try to shape the future
In recent years the automotive market has witnessed a growing amount of laws and regulations protecting customers across various markets. At the forefront of such legislation is the European Union, where the most significant disruption for modern software-defined vehicles come from the EU Data Act and EU AI Act. The legislation aims to control the use of AI and to make sure that the equipment/vehicle owner is also the owner of the data generated by using the device. The vehicle owner can decide to share the data with any 3rd party he wants, effectively opening the data market for repair shops, custom applications, usage-based insurance or fleet management.
Across the Atlantic, in the United States, there is a strong movement called “Right to Repair”, which effectively tries to open the market of 3rd party repair of all customer devices and appliances. This also includes access to the data generated by the vehicle. While the federal legislation is not there, there are two states that that stand out in terms of their approach to Right to Repair in the automotive industry – Massachusetts and Maine.
Both states have a very different approach, with Maine leaning towards an independent entity and platform for sharing information (which as of now does not exist) and Massachusets towards OEMs creating their own platforms. With numerous active litigations, including lawsuits OEMs vs State, it’s hard to judge what will be the final enforceable version of the legislation.
The current situation
Both pieces of legislation impose a penalty when it’s not fulfilled – severe in the case of EDA (while not final, the fines are expected to be substantial, potentially reaching up to €20 million or 4% of total worldwide annual turnover!), and slightly lower for state Right to Repair (for civil law suits it may be around $1000 per VIN per day, or in Massachusets $10.000 per violation).
The approach taken by the OEMs to tackle this fact varies greatly. In the EU most of the OEMs either reused existing software or build/procured new systems to fulfill the new regulation. In the USA, because of the smaller impact, there are two approaches: Subaru and Kia in 2022 decided to just disable their connected services (Starlink and Kia Connect respectively) in states with strict legislation. Others decided to either take part in litigation, or just ignore the law and wait. Lately federal judges decided in favor of the state, making the situation of OEMs even harder.
Data is a crucial asset in today’s world
Digital services, telematics, and in general data are extremely important assets. This has been true for years in e-commerce, where we have seen years of tracking, cookies and other means to identify customers behavior. The same applies to telemetry data from the vehicle. Telemetry data is used to repair vehicles, to design better features and services offering for existing and new models, identify market trends, support upselling, lay out and optimize charging network, train AI models, and more. The list never ends.
Data is collected everywhere. And in a lot of cases stored everywhere. The sales department has its own CRM, telemetry data is stored in a data lake, the mobile app has its own database. Data is siloed and dispersed, making it difficult to locate and use effectively.
Data platform importance
To solve the problem with both mentioned legislations you need a data sharing platform. The platform is required to manage the data owner consent, enable collection of data in single place and sharing with either data owner, or 3rd party. While allowing to be compliant with upcoming legislation, it also helps with identifying the location of different data points, describing it and making available in single place – allowing to have a better use of existing datasets.
A data platform like Grape Up Databoostr helps you quickly become compliant, while our experienced team can help you find, analyze, prepare and integrate various data sources into the systems, and at the same time navigate the legal and business requirements of the system.
Cost of becoming compliant
Building a data streaming platform comes at the cost. Although not terribly expensive, platform requires investment which does not immediately seem useful from a business perspective. Let’s then now explore the possibilities of recouping the investment.
- You can use the same data sharing platform to sell the data, even reusing the mechanism used to get user consent for sharing the data. For B2B use cases, the mechanism is not required.
- Legislation mainly mandates to share data “as is”, which means raw, unprocessed data. Any derived data, like predictive maintenance calculation from AI algorithms, proprietary incident detection systems, or any data that is processed by OEM. This allows not just to put a price tag on data point, but also to charge more due to additional work required to build analytics models.
- You can share the anonymized datasets, which then can be used to train AI models, identify EVs charging patterns, or plan marketing campaigns.
- And lastly, EU Data Act allows to charge fair amount for sharing the data, to recoup the cost of building and maintaining the platform. The allowed price depends on the requestor, where enterprises can be charged with a margin, and the data owner should be able to get data for free.
We can see that there are numerous ways to recoup the cost of building the platform. This is especially important as the platform might be required to fulfill certain regulations, and procuring the system is required, not optional.
The power of scale in data monetization
As we now know, building a data streaming platform is more of a necessity, than an option, but there is a way to change the problem into an opportunity. Let’s see if the opportunity is worth the struggle.
We can begin with dividing the data into two types – raw and derived. And let’s put a price tag on both to make the calculation easier. To further make our case easier to calculate and visualize, I went to high-mobility and checked current pricing for various brands, and took the average of lower prices.
The raw data in our example will be $3 per VIN per month, and derived data will be $5 per VIN per month. In reality the prices can be higher and associated with selected data package (the data from powertrain will be different from chassis data).
Now let’s assume we start the first year with a very small fleet, like the one purchased for sales representatives by two or three enterprises – 30k of vehicles. Next year we will add a leasing company which will increase the number to 80k of vehicles, and in 5 years we will have 200k VINs/month with subscription.
Of course, this represents just a conservative projection, which assumes rather small usage of the system and slow growth, and exclusive subscription to VIN (in reality the same VIN data can be shared to an insurance company, leasing company, and rental company).
This is constant additional revenue stream, which can be created along the way of fulfilling the data privacy and sharing regulations.
Factors influencing the value
$3 per VIN per month may initially appear modest. Of course with the effect of scale we have seen before, it becomes significant, but what are the factors which influence the price tag you can put on your data?
- Data quality and veracity – the better quality of data you have, the less data engineering is required on the customer side to integrate it into their systems.
- Data availability (real-time versus historical datasets) – in most cases real-time data will be more valuable – especially when the location of the vehicle is important.
- Data variety – more variety of data can be a factor influencing the value, but more importantly is to have the core data (like location and lock state). Missing core data will reduce the value greatly.
- Legality and ethics – the data can only be made available with the owner consent. That’s why consent management systems like the ones required by EDA are important.
What is required
To monetize the data you need a platform, like Grape Up’s Databoostr. This platform should be integrated into various data sources in the company, making sure that data is streamed in a close to real-time way. This aspect is important, as quite a lot of modern use cases (like Fleet Management System) requires data to be fresh.
Next step is to create pricing strategy and identify customers, who are willing to pay for the data. It is a good start to ask the business development department if there are customers who already asked for data access, or even required to have this feature before they invest in bigger fleet.
The final step would be to identify the opportunities to further increase revenue, by adding additional data points for which customers are willing to pay extra.
Summary
Ultimately, data is no longer a byproduct of connected vehicles – it is a strategic asset. By adopting platforms like Grape Up’s Databoostr, OEMs can not only meet regulatory requirements but also position themselves to capitalize on the growing market for automotive data. With the right strategy, what begins as a compliance necessity can evolve into a long-term competitive advantage.
Data Sharing & Monetization Platform
Databoostr - your customized solution for handling data sharing challenges
Check related articles
Read our blog and stay informed about the industry's latest trends and solutions.
Consumer Privacy Protection Act: What Canada’s privacy overhaul means for the auto industry
Cars used to just get us from point A to point B. Today, they function more like high-tech hubs that track GPS locations, store phone contacts, and gather details about our driving habits. This shift hasn’t escaped the attention of lawmakers and regulators. In Canada, conversations about data privacy have become louder and more urgent , especially with the Consumer Privacy Protection Act (CPPA) on the way.
Even though the CPPA is designed to handle personal data in general, it still lays down important rules for handling personal information. In other words, if you’re in the automotive business, you’ll want to pay close attention. Understanding how this new legislation applies to the data you collect and protect is critical for maintaining trust with customers and staying on the right side of the law.
The CPPA at a glance
Think of the Consumer Privacy Protection Act as the next chapter in Canada’s privacy story. Currently, the Personal Information Protection and Electronic Documents Act (PIPEDA) guides how companies handle personal data. But as online services grow more complex, the government wants to give Canadians stronger rights and clearer protections.
CPPA aims to refine or replace key parts of PIPEDA, focusing on three main things: giving people more control over their data, making sure businesses are upfront about what they do with it, and creating tougher consequences for those who violate the rules.
Key provisions
- Consent
Under the CPPA, organizations must get informed, meaningful permission before collecting or using someone’s personal data.
- Data portability and erasure
The CPPA allows individuals to direct the secure transfer of their data, which simplifies switching providers. Plus, you can request that a company delete your information if it’s no longer needed or you no longer agree to its use.
- Algorithmic transparency
Companies using AI and machine learning must be prepared to explain how they arrive at certain conclusions if they rely on personal information. No more mystery algorithms making big calls without any explanation.
- Penalties and enforcement
In the past, fines for privacy violations could be sizable, but the CPPA raises the stakes. Businesses that break the rules could face penalties of up to 5% of their global revenue or CAD 25 million, whichever is greater.
CPPA implications for the automotive sector
Modern vehicles collect a surprising amount of personal information, from real-time locations to driver preferences. Although the CPPA doesn’t single out car manufacturers or dealers, it covers any organization that handles personal data. That puts the automotive industry on notice for meeting these new standards, and here’s what that might look like:
1. Consent and transparency
- Drivers should know exactly what data their vehicle is collecting, how it’s being used, and who sees it. Clearer privacy notices are needed to avoid complex legal language whenever possible.
- While the CPPA emphasizes explicit consent, it doesn’t require opt-in or opt-out choices for every single scenario. Still, offering these options shows respect for drivers’ control over their own data and helps build trust.
2. Data minimization and retention
- If certain information isn’t essential for safety alerts, maintenance reminders, or other valid functions, OEMs shouldn’t gather it.
- Rather than holding onto everything, develop guidelines that clearly define how long data is stored and destroy it once it’s no longer needed.
3. Data security measures
- Connected cars face cyber threats just like computers and smartphones. Strong safeguards (encryption, firewalls, regular audits) help prevent breaches.
- Be prepared to show regulators you have solid security strategies in place, such as incident response plans and routine vulnerability checks.
4. Rights to erasure and portability
- When a driver requests that you remove their personal data, it shouldn’t be a struggle. Have a clear process for swift and permanent deletion.
- Whether it’s transferring service history to another dealership or updating digital profiles, make sure customers can take their data elsewhere with minimal friction.
5. Enforcement and fines
- The CPPA ties potential fines to a company’s global revenue, which means large automotive players could face steep financial hits if they fall short.
- Privacy regulators will have more power to investigate, so expect them to keep a closer eye on your data practices.
Privacy compliance isn’t the only area automakers need to watch.
Bill C-27 introduced the CPPA, but it also includes the Artificial Intelligence and Data Act (AIDA), which sets rules for AI-powered systems. While the CPPA focuses on protecting personal data, AIDA applies to high-impact AI applications like those used in autonomous driving, predictive maintenance, and driver behavior analysis.
If AI plays a role in setting insurance rates, making in-car recommendations, or adjusting vehicle safety settings, companies may need to document AI training methods, track potential biases, and provide explanations for automated decisions that affect individuals.
The CPPA already requires transparency when personal data feeds into AI-driven outcomes, but AIDA adds another layer of oversight.
6 practical steps to keep automotive data privacy on track
The future of vehicle information exchange
The Consumer Privacy Protection Act already affects modern vehicles, which capture everything from location data to driver habits and phone contacts.
However, because the CPPA is designed for all businesses, many people anticipate future rules specifically tailored to connected cars. Such regulations would go beyond the CPPA’s general standards, addressing the unique ways automotive data flows through telematics, in-car apps, and onboard sensors.
On the international front, the EU Data Act sets out rules for cross-border data handling, which matters if your cars or data move beyond Canada’s borders. The US Right to Repair Act also gives drivers and independent repair shops greater access to diagnostic information, raising new questions about how personal data is managed.
With these overlapping developments, it’s wise for automotive companies to adopt a comprehensive approach to privacy and data sharing. One that covers both home-grown regulations and global shifts.
Need help adapting to new rules?
As an OEM, you need to balance international obligations, regional privacy laws, and the technical demands of connected vehicles.
We’re here to assist. Our team not only provides IT consulting but also develops custom software solutions to help you meet complex regulatory requirements.
REPAIR Act and State Laws: What automotive OEMs must prepare for
Right to Repair is becoming a key issue in the U.S., with the REPAIR Act (H.R. 906) at the center. This proposed federal law would require OEMs to give vehicle owners and independent repair shops access to vehicle-generated data and critical repair tools.
The goal? Protect consumer choice and promote fair competition in the automotive repair market, preventing manufacturers from monopolizing repairs.
For OEMs, it means growing pressure to open up data and tools that were once tightly controlled. The Act could fundamentally change how repairs are managed , forcing companies to rethink their business models to avoid risks and stay competitive.
We’ll walk you through the REPAIR Act’s key provisions and practical steps automotive OEMs can take to adapt early and avoid compliance risks.
What’s inside the REPAIR Act (H.R. 906)
The REPAIR Act (H.R. 906), also known as the Right to Equitable and Professional Auto Industry Repair Act, aims to give consumers and independent repair shops access to vehicle data, tools, and parts that are crucial for repairs and maintenance.
Its goal is to level the playing field between manufacturers and independent repairers while protecting consumer choice. This could mean significant changes in how OEMs manage vehicle data and repair services.
REPAIR Act timeline – where are we now
The REPAIR Act (H.R. 906) was introduced in February 2023 and forwarded to the full committee in November 2023.
As of January 3, 2025, the bill has not moved beyond the full committee stage and was marked "dead" because the 118th Congress ended before its passage. But the message remains clear - Right to Repair isn’t going away. The growing momentum behind repair access and data rights is reshaping the conversation.
REPAIR Act provisions
Which obligations for manufacturers are covered by the Repair Act?
1) Access to vehicle-generated data
- Direct data access: OEMs would be required to provide vehicle owners and their repairers with real-time, wireless access to vehicle-generated data. This includes diagnostics, service, and operational data.
- Standardized access platform: OEMs must develop a common platform for accessing telematics data to provide consistent and easy access across all vehicle models.
2) Standardized repair information and tools
- Fair access: Critical repair manuals, tools, software, and other resources must be made available to consumers and independent repair shops at fair and reasonable costs.
- No barriers: OEMs cannot restrict access to essential repair information. The aim is to prevent them from monopolizing repair services.
3) Ban on OEM part restrictions
- Aftermarket options: The Act prohibits manufacturers from requiring the use of OEM parts for non-warranty repairs. Consumers can choose aftermarket parts and independent service providers.
- Fair competition: This provision supports competition by allowing aftermarket parts manufacturers to offer compatible alternatives without interference.
4) Cybersecurity and data protection
- Security standards: The National Highway Traffic Safety Administration (NHTSA) will set standards to balance data access with cybersecurity.
- Safe access: OEMs can apply cryptographic protections for telematics systems and over-the-air (OTA) updates, provided they do not block legal access to data for independent repairers and vehicle owners.]
These provisions go beyond theory and will directly affect how OEMs handle repairs and manage data access. Even more challenging? The existing patchwork of state laws that already demand similar access makes compliance tricky.
Complex regulatory landscape: How Right to Repair influences automotive OEMs
The regulatory environment for the Right to Repair in the U.S. is becoming increasingly complex, with state-level laws already in effect and a potential nationwide federal law still pending. This evolving framework presents both immediate and long-term challenges for automotive OEMs, requiring them to navigate overlapping requirements and conflicting standards.
State-level laws: A growing patchwork
As of February 2025, several states have enacted comprehensive Right to Repair laws.
Massachusetts and Maine have laws explicitly targeting automotive manufacturers. (Automakers have sued to block the law’s implementation in Maine.)
These regulations require manufacturers to provide vehicle owners and independent repairers with access to diagnostic and repair information, as well as a standardized telematics platform.
Other states like California, Minnesota, New York, Colorado, and Oregon have focused on consumer electronics or agricultural equipment without directly impacting automotive OEMs.
However, the broader push for repair rights means automotive manufacturers cannot ignore the implications of this trend.
Additionally, as of early 2025, 20 states had active Right to Repair legislation, reflecting the momentum behind this movement. While most of these bills remain under consideration, they highlight the growing pressure for more open access to repair information and vehicle data.
Federal vs. state regulations: Compliance challenges
The pending federal REPAIR Act (H.R. 906) aims to create a unified national framework for the Right to Repair, focusing on vehicle-generated data and repair tools. However, until it becomes law, OEMs must comply with varying state laws that could contradict or go beyond future federal requirements.
Key scenarios:
- If the REPAIR Act includes a preemption clause , federal law will override conflicting state laws, providing a single set of rules for OEMs.
- If preemption is not included , OEMs will face a dual compliance burden, adhering to both federal and state-specific requirements.
This uncertainty complicates planning and increases the risk of non-compliance, making it essential for OEMs to prepare now.
Global pressures: The EU's Right to Repair mandates
The U.S. isn’t the only region focusing on the Right to Repair. European Union regulations are setting global standards for OEMs selling internationally.
- European Court of Justice Ruling (October 2023): Automotive manufacturers cannot limit repair data access under cybersecurity claims, expanding rights for independent repairers.
- EU Data Act (September 12, 2025): Requires OEMs to provide third-party access to vehicle-generated data, making open data compliance mandatory for the EU market.
For OEMs operating internationally, aligning early with these standards is a smart move. While the 2024 Right to Repair Directive doesn’t directly target vehicles, it reflects the broader trend toward increased data access and repairability.
How automotive OEMs should prepare for the Right to Repair (Even without a federal law)
Waiting is risky. Regardless of whether the REPAIR Act becomes law, preparation is key. Waiting for final outcomes could lead to costly adjustments and missed opportunities. Here’s where to start:
1. Develop a standardized vehicle data access platform
Why: Regulations require open and transparent data-sharing for diagnostics and updates. Without a standardized platform, compliance becomes difficult.
How: Focus on building a secure platform that gives vehicle owners and independent repair shops transparent access to the necessary data.
2. Provide open access to repair information and tools
Why: Some states already require OEMs to provide critical repair information and tools at fair prices. This trend is likely to expand.
How: Start creating a centralized repository for repair manuals, diagnostic tools, and other key resources.
3. Strengthen cybersecurity without restricting repair access
Why: Protecting data is critical, but legitimate repairers need safe entry points for service.
How: Develop security protocols that protect key vehicle functions without blocking legitimate access. This means securing software updates and repair-related data while allowing repairers safe entry points for diagnostics and service.
4. Improve OTA software update capabilities
Why: Having strong OTA capabilities helps comply with future regulations requiring real-time access and updates.
How: Upgrade your current OTA systems to allow secure updates and diagnostics. Include tools authorized third parties can use for updates and software repairs.
5. Transition to modular and repairable product design
Why: Designing products for easier repair reduces costs and improves compliance.
How: Shift toward using modular components that can be replaced individually. Avoid locking parts to specific manufacturers, as some states have banned this practice. Modular designs also support longer spare part availability, which many laws will require.
6. Align supply chain and warranty systems with Right-to-Repair laws
Why: Warranty terms and parts availability are common regulatory targets.
How: Make spare parts available for several years after the sale of a vehicle. Update warranty policies to allow third-party repairs and non-OEM parts without penalty.
7. Monitor regulations and adapt quickly
Why: The regulatory landscape is evolving rapidly. Staying informed about new laws and adjusting plans early will help avoid costly last-minute changes.
How: Track new laws and build flexible systems that can easily adjust as regulations change.
How an IT enabler helps OEMs prepare for Right to Repair
Managing compliance can feel overwhelming, but it doesn’t have to disrupt operations. An IT enabler helps manufacturers build systems and processes that meet regulatory demands without adding unnecessary complexity.
Here’s how:
Turning regulations into practical solutions
Right to Repair regulations vary across states and countries. An IT enabler translates these requirements into practical tools - systems for managing access to repair data, diagnostics, and tools – to make compliance more manageable.
Building the right technology
OEMs need reliable platforms that allow repairers to access diagnostic data and tools while keeping vehicle systems secure. IT experts develop scalable solutions that work across different models and markets without compromising safety.
Balancing security and access
Access to repair data must be balanced with strong security. IT solutions help protect sensitive vehicle functions while providing authorized repairers with the necessary information.
Keeping operations simple
Compliance shouldn’t add complexity. Automating key processes and streamlining workflows lets internal teams focus on core operations rather than administrative tasks.
Long-term support
Laws and standards evolve. IT partners provide continuous updates and maintenance to keep systems aligned with the latest regulations, reducing the risk of falling behind.
Delivering custom solutions
Every manufacturer has unique needs. Whether it’s updating your warranty system for third-party repairs, improving OTA update capabilities, or adapting your supply chain for spare part availability, custom solutions help you stay compliant and competitive.
At Grape Up , we help OEMs adapt to Right to Repair regulations with practical solutions and long-term support.
We have experience working with automotive, insurance, and financial enterprises, building systems that account for differences in regulations across various states.
Preparing for changes? Contact us today.
From secure diagnostics to repair information management, we provide the expertise and tools to help you stay compliant and ready for what’s next.
Interested in our services?
Reach out for tailored solutions and expert guidance.