Automotive

EU Data Act

New EU Battery Passport rules: What’s changing for OEMs?

Marcin Wiśniewski

Head of Automotive Business Development

Adam Kozłowski

Head of Automotive R&D

March 4, 2025

•

5 min read

Schedule a consultation with automotive software experts

The road to electrification isn’t straightforward, and concerns about battery sustainability, safety, and lifecycle management are growing. For years, battery manufacturers, automotive OEMs , and other industries have faced a key challenge: tracking and verifying a battery’s entire lifecycle, from production to recycling.

Until now, important details about a battery's origin, carbon footprint, and material makeup have been hard to access. This has led to inconsistent sustainability claims, challenges in second-life applications, and regulatory confusion.

Now, consumers, industries, and regulators are demanding more transparency . To meet this demand, the EU is introducing the Digital Battery Passport as part of the Eco-design for Sustainable Products Regulation (ESPR) and the EU Battery Regulation.

This new approach could bring benefits like increased recycling revenue, reduced carbon emissions, and lower recycling costs. It will also give consumers the information they need to make more sustainable choices.

But what does the Digital Battery Passport actually entail, and how will it impact the entire battery value chain?

Understanding the Digital Battery Passport

The Digital Battery Passport is an electronic record that stores critical information about a battery, providing transparency across its entire lifecycle.

It serves as a structured database that allows different stakeholders (including regulators, manufacturers, recyclers, and consumers) to retrieve relevant battery data.

This passport is part of the EU's broader effort to support a circular economy and making sure that batteries are sourced sustainably, used responsibly, and recycled properly.

The information stored in the Battery Passport falls into several key areas:

General battery and manufacturer details such as model identification, production date, and location.

Carbon footprint data , including emissions generated during production and expected lifetime energy efficiency.

Supply chain due diligence , ensuring responsible sourcing of raw materials like lithium, cobalt, and nickel.

Battery performance and durability – State of Health (SoH), charge cycles, and degradation tracking.

End-of-life management – Guidance for battery recycling, second-life applications, and disposal.

The goal is to bring transparency and accountability to battery production, prevent greenwashing, and confirm that sustainability claims are backed by verifiable data.

How the Battery Passport’s implementation will affect OEMs

While the responsibility varies, OEMs must verify that all batteries in their vehicles meet EU regulations before being sold. This includes confirming supplier compliance, tracking battery data, and preparing for enforcement.

The responsibility for issuing the Battery Passport lies with the economic operator who places the battery on the market or puts it into service in the EU.

Meeting the Battery Passport requirements

OEMs must incorporate Battery Passport requirements into procurement strategies, data infrastructure , and compliance processes to avoid supply chain disruptions and regulatory penalties.

Here’s what OEMs must do to comply:

FAQs about the Digital Battery Passport

Who needs to implement a Battery Passport, and by when?

Starting February 18, 2027, all EV batteries, industrial batteries over 2 kWh, and light means of transport (LMT) batteries (including those used in e-bikes, e-scooters, and other lightweight electric vehicles) sold in the EU must include a Digital Battery Passport.

OEMs, battery manufacturers, importers, and distributors will need to comply by this deadline.

However, some requirements take effect earlier:

February 18, 2025 – Companies must start reporting the carbon footprint of their batteries.

August 18, 2026 – The European Commission will finalize the implementation details and provide further technical clarifications.

What information must be included in the Battery Passport?

The Battery Passport stores comprehensive battery lifecycle data, structured into four access levels:

1) Publicly available information (Accessible to everyone, including consumers and regulators)

This section contains general battery identification and sustainability data, which must be available via a QR code on the battery.

Battery model, manufacturer details, and plant location
Battery category, chemistry, and weight
Date of manufacture (month/year)
Carbon footprint declaration and sustainability data
Critical raw materials content (e.g., cobalt, lithium, nickel, lead)
Presence of hazardous substances

2) Information available to authorities and market surveillance bodies

Safety and compliance test results
Detailed chemical composition (anode, cathode, electrolyte materials)
Instructions for battery dismantling, recycling, and repurposing
Risk and security assessments

3) Private information (Available to battery owners & authorized third parties)

This section contains real-time performance and operational data and is accessible to the battery owner, fleet operators, and authorized maintenance providers.

State of Health (SoH) & expected lifetime
Charge/discharge cycles and total energy throughput
Thermal event history and operational temperature logs
Warranty details and remaining usable life in cycles
Original capacity vs. current degradation rate
Battery classification status: "original," "repurposed," "remanufactured," or "waste"

4) Information available only to the European Commission, National Regulatory Bodies & market surveillance authorities

This is the most restricted category, which contains highly technical and competitive data that is only accessible to designated authorities for compliance verification and regulatory oversight.

Additional technical compliance reports and proprietary safety testing results
Performance benchmarking and lifecycle assessment reports
Detailed breakdown of emissions calculations and regulatory certifications

A note on secure access and retrieval

Each Battery Passport must be linked to a QR code with a unique identifier to allow standardized and secure data retrieval via a cloud-based system.

QR codes “shall be printed or engraved visibly, legibly and indelibly on the battery.” If the battery is too small to have a QR code engraved on it, or it is not possible to engrave it, the code should be included with the battery’s documentation and packaging.

What happens if an OEM fails to comply?

Non-compliance with the Battery Passport requirements carries serious consequences for OEMs and battery manufacturers.

Batteries without a passport will be banned from sale in the EU starting in 2027.

Fines and penalties may be imposed for missing transparency and reporting obligations.

Legal and reputational risks will increase, particularly if battery safety, sustainability, or performance issues arise.

Given these risks, proactive compliance planning is essential. OEMs must act now to integrate Battery Passport requirements into their supply chains and product development strategies.

Will repaired or second-life batteries need a new passport?

Yes. Batteries that are repaired, repurposed, or remanufactured must receive a new Battery Passport linked to the original battery’s history. Recycled batteries entering the market after 2027 must also follow passport regulations, keeping second-life batteries traceable. This allows used batteries to be resold or repurposed in energy storage applications.

Will the Battery Passport apply to older batteries?

No. The regulation only applies to batteries placed on the market after February 18, 2027. However, OEMs that remanufacture or recycle batteries after this date must take care of compliance before reselling or repurposing them.

How to store EU Battery Passport data: Two approaches

Companies need to decide how to store and manage the large volumes of data required for compliance. There are two main options:

Blockchain-based systems – A decentralized ledger where data is permanently recorded and protected from tampering. This preserves long-term transparency and integrity.
Cloud-based systems – A centralized storage model that allows for real-time updates, scalability, and flexibility. This makes managing compliance data easier.

Each option has its benefits.

Blockchain offers security and traceability, which makes it ideal for regulatory audits and builds consumer trust. Cloud storage provides flexibility, which allows companies to manage and update battery lifecycle data efficiently.

Many companies may choose a hybrid solution, using blockchain for immutable regulatory data and cloud storage for real-time operational tracking.

Regulatory landscape: A complex web of compliance

The Digital Battery Passport is part of a broader effort to improve data transparency, sustainability, and resource management. However, it doesn’t exist in isolation. Companies working in global supply chains must navigate a growing web of regulations across various jurisdictions.

The EU Battery Regulation aligns with major policy initiatives like the EU Data Act, which governs access to and sharing of industrial data, and the Ecodesign for Sustainable Products Regulation (ESPR), which broadens sustainability requirements beyond energy efficiency. These laws reflect the EU’s push for a circular economy, but they also present significant compliance challenges for OEMs, battery manufacturers, and recyclers.

Outside the EU, similar regulatory trends are emerging. Canada’s Consumer Privacy Protection Act (CPPA) expands on the country's existing privacy framework, while the California Consumer Privacy Act (CCPA) and China’s Personal Information Protection Law (PIPL) set strict rules for how businesses collect, store, and share data.

While these laws focus on privacy, they also signal a global move toward tighter control over digital information, which is closely tied to the requirements for battery passports.

How an IT partner can help OEMs prepare for the EU Battery Passport

Here’s where an IT enables can help.

Make Battery Passport data easy to access – Set up systems that store and connect passport data with Battery Management Systems (BMS) and internal databases.

Make sure QR codes work properly – Integrate tracking so every battery’s passport is linked and scannable when needed.

Simplify compliance reporting – Automate data collection for regulators, recyclers, and customers to reduce manual work.

Manage second-life batteries – Track when batteries are repurposed or remanufactured and update their passports without losing original data.

Choose the right storage – Whether it’s cloud, blockchain, or a hybrid approach, IT support ensures that battery data stays secure and available.

With the 2027 deadline approaching, OEMs need systems that make compliance manageable.

Let’s talk about the best way to integrate the Battery Passport requirements.

‍

Data Sharing & Monetization Platform

Databoostr - your customized solution for handling data sharing challenges

Check our offer

Blog

Check related articles

Read our blog and stay informed about the industry's latest trends and solutions.

EU Data Act vehicle guidance 2025: What automotive OEMs must share by September 2026

The European Commission issued definitive guidance in September 2025 clarifying which vehicle data automotive manufacturers must share under the EU Data Act.

With enforcement beginning September 2026, OEMs must provide access to raw and pre-processed vehicle data while protecting proprietary algorithms. Direct user access is free, but B2B data sharing can be monetized under reasonable compensation rules.

As the September 2026 deadline nears, the European Commission has issued comprehensive guidance that clarifies exactly which vehicle data must be shared and how. For automotive manufacturers still planning their compliance strategy, it’s now essential to understand these details.

Why this guidance matters for automotive OEMs?

EU Data Act becomes enforceable in September 2026, requiring all connected vehicle manufacturers to provide direct data access to end users and their chosen third parties. While the regulation itself established the legal framework, the Commission's guidance document - published September 12, 2025 - provides automotive specific interpretation that removes much of the ambiguity manufacturers have faced.

This is no longer just a paper exercise. If you fall short, expect:

Heavy financial consequences
Serious business risk and reputational damage
Potential legal exposure across EU markets
A competitive disadvantage as compliant competitors gain market access

For OEMs without appropriate technological infrastructure or clear understanding of these requirements, the deadline is rapidly approaching.

At Grape Up, our expert team and Databoostr platform have already helped multiple OEMs achieve compliance before the September deadline. Learn more about our solution .

What vehicle data must be shared?

The September 2025 guidance establishes clear boundaries between data that falls within and outside the Data Act's scope, resolving one of the most contested issues in implementation planning.

In-scope data: Raw and pre-processed vehicle data

Manufacturers must provide access to data that characterizes vehicle operation or status. The guidance defines two categories that must be shared:

Raw Data Examples:

Sensor signals: wheel speed, tire pressure, brake pressure, yaw rate
Position signals: windows, throttle, steering wheel angle
Engine metrics: RPM, oxygen sensor readings, mass airflow
Raw image/point cloud data from cameras and LiDAR
CAN bus messages
Manual command results: wiper on/off, air conditioning usage; component status: door locked/unlocked, handbrake engaged

Pre-Processed Data Examples:

Temperature measurements (oil, coolant, engine, battery cells, outside air)
Vehicle speed and acceleration
Liquid levels (fuel, oil, brake fluid, windshield wiper fluid)
GNSS-based location data
Odometer readings
Fuel/energy consumption rates
Battery charge level
Normalized tire pressure
Brake pad wear percentage
Time or distance to next service
System status indicators (engine running, battery charging status) and malfunction codes and warning indicators

Bottom line is this: If the data describes real-world events or conditions captured by vehicle sensors or systems, it's in scope - even when normalized, reformatted, filtered, calibrated, or otherwise refined for use.

The guidance clarifies that basic mathematical operations don't exempt data from sharing requirements. Calculating current fuel consumption from fuel flow rate and vehicle speed still produces in-scope data that must be accessible.

Out-of-scope data: Inferred and derived information

Data excluded from mandatory sharing requirements represents entirely new insights created through complex, proprietary algorithms:

Dynamic route optimization and planning algorithms
Advanced driver-assistance systems outputs (object detection, trajectory predictions, risk assessment)
Engine control algorithms optimizing performance and emissions
Driver behavior analysis and eco-scores
Crash severity analysis
Predictive maintenance calculations using machine learning models

The main difference is this: The guidance emphasizes that exclusion isn't about technical complexity alone - it's about whether the data represents new information beyond describing vehicle status. Predictions of future events typically fall out of scope due to their inherent uncertainty and the proprietary algorithms required to generate them.

However, if predicted data relates to information that would otherwise be in-scope, and less sophisticated alternatives are readily available, those alternatives must be shared. For example, if a complex machine learning model predicts fuel levels, but a simpler physical fuel sensor provides similar data, the physical sensor data must be accessible.

How must data access be provided?

The Data Act takes a technology-neutral approach as of September 2025, allowing manufacturers to choose how they provide data access - whether through remote backend solutions, onboard access, or data intermediation services. However, three essential requirements apply:

1. Quality equivalence requirement

Data provided to users and third parties must match the quality available to the manufacturer itself. This means:

Equivalent accuracy - same precision and correctness
Equivalent completeness - no missing data points
Equivalent reliability - same uptime and availability
Equivalent relevance - contextually useful data
Equivalent timeliness - real-time or near-real-time as per manufacturer's own access

The guidance clearly prohibits discrimination: data cannot be made available to independent service providers at lower quality than what manufacturers provide to their own subsidiaries, authorized dealers, or partners.

2. Ease of access requirement

The "easily available" mandate means manufacturers cannot impose:

Undue technical barriers requiring specialized knowledge
Prohibitive costs for end-user access
Complex procedural hurdles

In practice: If data access requires specialized tools like proprietary OBD-II readers, manufacturers must either provide these tools at no additional cost with the vehicle or implement alternative access methods such as remote backend servers.

3. Readily available data obligation

The guidance clarifies that “readily available data” includes:

Data manufacturers currently collect and store
Data they “can lawfully obtain without disproportionate effort beyond a simple operation”

For OEMs implementing extended vehicle concepts where data flows to backend servers, this has significant implications. Even if certain data points aren’t currently transmitted due to bandwidth limitations, cost considerations, or perceived lack of business use-case, they may still fall within scope if retrievable through simple operations.

When assessing whether obtaining data requires “disproportionate effort,” manufacturers should consider:

Technical complexity of data retrieval
Cost of implementation
Existing vehicle architecture capabilities

What are vehicle-related services under the Data Act?

The September 2025 guidance distinguishes between services requiring Data Act compliance and those that don’t.

Services requiring compliance (vehicle-related services)

Vehicle-related services require bi-directional data exchange affecting vehicle operation:

Remote vehicle control: door locking/unlocking, engine start/stop, climate pre-conditioning, charging management
Predictive maintenance: services displaying alerts on vehicle dashboards based on driver behavior analysis
Cloud-based preferences: storing and applying driver settings (seat position, infotainment, temperature)
Dynamic route optimization: using real-time vehicle data (battery level, fuel, tire pressure) to suggest routes and charging/gas stations

Services NOT requiring compliance

Traditional aftermarket services generally aren't considered related services:

Auxiliary consulting and analytics services
Financial and insurance services analyzing historical data
Regular offline repair and maintenance (brake replacement, oil changes)
Services that don't transmit commands back to the vehicle

The key distinction: services must affect vehicle functioning and involve transmitting data or commands to the vehicle to qualify as "vehicle-related services" under the Data Act.

Understanding the cost framework for data sharing

The guidance issued in September 2025 draws a clear line in the Data Act's cost structure that directly impacts business models.

Free access for end users

When vehicle owners or lessees request their own vehicle data - either directly or through third parties they've authorized - this access must be provided:

Easily and without prohibitive costs
Without requiring expensive specialized equipment through user-friendly interfaces or methods

Paid access for B2B partners

Under Article 9 of the Data Act, manufacturers can charge reasonable compensation for B2B data access. This applies when business partners request data, including:

Fleet management companies
Insurance providers
Independent service providers
Car rental and leasing companies
Other commercial third parties

For context: The Commission plans to issue detailed guidelines on calculating reasonable compensation under Article 9(5), which will provide specific methodologies for determining fair pricing. This forthcoming guidance will be crucial for manufacturers developing their data plans to monetize data while ensuring compliance.

Key Limitation: These compensation rights have no bearing on other existing regulations governing automotive data access, including technical information necessary for roadworthiness testing. The Data Act's compensation framework applies specifically to the new data sharing obligations it creates.

Practical implementation considerations for September 2026

Backend architecture and extended vehicle obligations

The extended vehicle concept, where data continuously flows from vehicles to manufacturer backend servers, creates both opportunities and obligations. This architecture makes data readily available to OEMs, who must then provide equivalent access to users and third parties.

Action items:

Audit which data points your current architecture makes readily available
Ensure access mechanisms can deliver this data with equivalent quality to all authorized recipients
Evaluate whether data points not currently collected could be obtained "without disproportionate effort"

Edge processing and data retrievability

Data processed "on the edge" within the vehicle and immediately deleted isn't subject to sharing requirements. However, the September 2025 guidance encourages manufacturers to consider the importance of certain data points for independent aftermarket services when deciding whether to design these data points as retrievable.

Critical data points for aftermarket services:

Accelerometer readings
Vehicle speed
GNSS location
Odometer values

Making these retrievable benefits the broader automotive ecosystem and may provide competitive advantages in partnerships.

Technology choices and flexibility

While the Data Act is technology-neutral, chosen access methods must meet quality requirements. If a particular implementation - such as requiring users to physically connect devices to OBD-II ports - results in data that is less accurate, complete, or timely than backend server access, it fails to meet the quality obligation.

Manufacturers should evaluate access methods based on:

Data quality delivered to recipients
Ease of use for different user types
Cost-effectiveness of implementation
Scalability for B2B partnerships
Integration with existing digital infrastructure

Databoostr: Purpose-built for EU Data Act compliance

Grape Up's Databoostr platform was developed specifically to address the complex requirements of the EU Data Act. The solution combines specialized legal, process, and technological consulting with a proprietary data sharing platform designed for automotive data compliance.

Learn more about Databoostr and how it can help your organization meet EU Data Act requirements.

Addressing the EU Data Act requirements

Databoostr's architecture directly addresses the key requirements established in the Commission's guidance:

Quality Equivalence: The platform ensures data shared with end users and third parties matches the quality available to manufacturers, with built-in controls preventing discriminatory access patterns.

Ease of Access: Multiple access methods—including remote backend integration and user-friendly interfaces - eliminate technical barriers for end users while supporting sophisticated B2B integrations.

Readily Available Data Management : The platform handles both currently collected data and newly accessible data points, managing the complexity of determining what constitutes "readily available" under the guidance.

Check our case studies : EU Data Act Connected Vehicle Portal and Connected Products Data Sharing Platform

Modular architecture for compliance and monetization

Databoostr's modular design addresses both immediate compliance needs and strategic opportunities. Organizations implementing the platform for EU Data Act requirements can seamlessly activate additional modules for data monetization:

Data catalog management for showcasing available data products
Subscription and package sales for B2B partners
Automatic usage calculation tracking data sharing volumes
Billing infrastructure supporting the Article 9 reasonable compensation framework

This setup supports both compliance and revenue growth from a single platform, reducing IT complexity while meeting the guidance's technical requirements.

Comprehensive implementation methodology

The Databoostr implementation approach aligns with the guidance's requirements through:

Legal Consulting

Analyzing regulatory requirements specific to your vehicle types
Translating Data Act provisions into specific organizational obligations
Interpreting the September 2025 guidance within your business context
Creating individual implementation roadmaps

Process Consulting

Designing compliant data sharing workflows for end users and B2B partners
Determining which data points fall in-scope based on your architecture
Establishing quality equivalence controls
Planning for reasonable compensation structures

Technical Consulting

Pre-implementation analysis of existing data infrastructure
Solution architecture tailored to your extended vehicle implementation
Integration planning with backend systems
Addressing readily available data retrieval requirements

Platform Customization

Integration with existing digital ecosystems
Custom components for specific vehicle architectures
Access method implementation (backend, onboard, or hybrid)
Quality assurance mechanisms

Comprehensive Testing

Quality equivalence validation
Integration verification with existing IT infrastructure
Security testing ensuring compliant data sharing
Functional testing confirming alignment with guidance requirements

Post-implementation support

With the extended vehicle concept creating readily available data obligations, manufacturers need ongoing platform management. Databoostr provides:

Continuous monitoring of platform operation
Response to technical or functional issues
Supervision of ongoing compliance with Data Act requirements
Platform updates reflecting evolving regulatory interpretations

Timeline: What automotive OEMs should do now

Now - March 2026: Complete data inventory, classify according to guidance definitions, design technical architecture, begin platform implementation

March - July 2026: Finalize platform integration, conduct comprehensive testing, establish B2B partnership frameworks, train internal teams

July - September 2026: Run parallel systems, validate compliance, prepare documentation for regulatory authorities, establish monitoring processes

September 2026 and Beyond: Full enforcement begins, ongoing compliance monitoring, response to Commission's forthcoming compensation calculation guidelines

The path forward: Clear requirements, fixed deadline

The Commission's September 2025 guidance removes ambiguity that has delayed planning for some organizations. With regulatory requirements now precisely defined and less than eleven months until enforcement begins, manufacturers should be finalizing their compliance plans and beginning implementation.

The guidance encourages affected industry stakeholders to engage in dialogue achieving balanced implementation. The Commission also emphasizes coordination between Data Act enforcement authorities and other automotive regulators, including those overseeing type approval and data protection, to ensure smooth interplay between regulations.

For automotive manufacturers, three facts are now clear:

The requirements are defined: The September 2025 guidance specifies exactly which data must be shared, at what quality level, and through what access methods
The deadline is fixed: September 2026 enforcement is approaching rapidly
The consequences are significant: Non-compliance risks financial penalties, business disruption, and competitive disadvantage

Organizations that haven't yet begun implementation should treat the Commission's guidance as a final call to action.

Building EU-compliant connected car software under the EU Data Act

The EU Data Act is about to change the rules of the game for many industries, and automotive OEMs are no exception. With new regulations aimed at making data generated by connected vehicles more accessible to consumers and third parties, OEMs are experiencing a major shift. So, what does this mean for the automotive space?

First, it means rethinking how data is managed, shared, and protected . OEMs must now meet new requirements for data portability, security, and privacy, using software compliant with the EU Data Act.

This guide will walk you through how they can prepare to not just survive but thrive under the new regulations.

The EU Data Act deadlines OEMs can’t miss

- Chapter II (B2B and B2C data sharing) has a deadline of September 2025.
- Article 3 (accessibility by design) has a deadline of September 2026.
- Chapter IV (contractual terms between businesses) has a deadline of September 2027.

Compliance requirements for automotive OEMs

The EU Data Act establishes specific obligations for automotive OEMs to ensure secure, transparent, and fair data sharing with both consumers (B2C) and third-party businesses (B2B). The following key provisions outline the requirements that OEMs must fulfill to comply with the Act.

B2C obligations

Data accessibility for users:
- Connected products, such as vehicles, must be built in a way that makes data generated by their use accessible in a structured, machine-readable format. This requirement applies from the manufacturing stage, meaning the design process must incorporate data accessibility features.
User control over data:
- Users should have the ability to control how their data is used, including the right to share it with third parties of their choice. This requires OEMs to implement systems that allow consumers to grant and revoke access to their data seamlessly.
Transparency in data practices:
- OEMs are required to provide clear and transparent information about the nature and volume of collected data and the way to access it.
- When a user requests to make data available to a third party, the OEM must inform them about:

a) The identity of the third party

b) The purpose of data use

c) The type of data that will be shared

d) The right of the user to withdraw consent for the third party to access the data

B2B obligations

1. Fair access to data:

OEMs must ensure that data generated by connected products is accessible to third parties at the user’s request under fair, reasonable, and non-discriminatory conditions.
This means that data sharing cannot be restricted to certain partners or proprietary platforms; it must be available to a broad range of businesses, including independent repair shops, insurers, and fleet managers.

2. Compliance with security and privacy regulations:

While sharing non-personal data, OEMs must still comply with relevant data security and privacy regulations. This means that data must be protected from unauthorized access and that any data-sharing agreements are in line with the EU Data Act and GDPR.

3. Protection of trade secrets

OEMs have a right and obligation to protect their trade secrets and should only disclose them when necessary to meet the agreed purpose. This means identifying protected data, agreeing on confidentiality measures with third parties, and suspending data sharing if these measures are not properly followed or if sharing would cause significant economic harm.

Understanding the specific obligations is only the first step for automotive OEMs. Based on this information, they can build software compliant with the EU Data Act. To navigate these new requirements effectively, OEMs need to adopt an approach that not only meets regulatory demands but also strengthens their competitive edge.

Thriving under the EU Data Act: smart investments and privacy-first strategies

Automotive OEMs must take a strategic approach to both their software and operational frameworks, balancing compliance requirements with innovation and customer trust. The key is to prioritize solutions that improve data accessibility and governance while minimizing costs. This starts with redesigning connected products and services to align with the Act’s data-sharing mandates and creating solutions to handle data requests efficiently.

Another critical focus is balancing privacy concerns with data-sharing obligations . OEMs must handle non-personal data responsibly under the EU Data Act while managing personal data in accordance with GDPR. This includes providing transparency about data usage and giving customers control over their data.

To achieve this balance, OEMs should identify which data needs to be shared with third parties and integrate privacy considerations across all stages of product development and data management. Transparent communication about data use, supported by clear policies and customer controls, helps to reinforce this trust.

Opportunities under the EU Data Act

The EU Data Act presents compliance challenges, but it also offers significant opportunities for OEMs that are prepared to adapt. By meeting the Act’s requirements for fair data sharing, OEMs can expand their services and build new partnerships. While direct monetization from data access fees is limited, there are numerous opportunities to leverage shared data to develop new value-added services and improve operational efficiency.

Next steps for automotive OEMs

To move to implementation, OEMs must take targeted actions that address the compliance requirements outlined earlier. These steps lay the groundwork for integrating broader strategies and turning compliance efforts into opportunities for operational improvement and future growth.

Integrate data accessibility into vehicle design

Start integrating data accessibility into vehicle design now to comply by 2026. This involves adapting both front and back-end components of products and services to enable secure and seamless data access and transfer according to the EU Data Act.

Provide user and third-party access to generated data

Introduce easy-to-use mechanisms that let users request access to their data or share it with chosen third parties. Access control should be straightforward, involving simple user identification and making data accessible to authorized users upon request. Develop dedicated data-sharing solutions, applications, or portals that enable third parties to request access to data with user consent.

Implement trade secret protection measures

OEMs should protect their trade secrets by identifying which vehicle data is commercially sensitive. Implement measures like data encryption and access controls to safeguard this information when sharing data. Clearly communicate your approach to protecting trade secrets without disclosing the sensitive information itself.

Implement transparent and secure data handling

Provide clear information to users about what data is collected, how it is used, and with whom it is shared. Transparent data practices help build trust and align with users' data rights under the EU Data Act.

Remember about the non-personal data that is being collected, too. Apply appropriate measures to preserve data quality and prevent its unauthorized access, transfer, or use.

Enable data interoperability and portability

The Act sets out essential requirements to facilitate the interoperability of data and data-sharing mechanisms, with a strong emphasis on data portability. OEMs need to make their data systems compatible with third-party services, allowing data to be easily transferred between platforms.

For example, if a car owner wants to switch from an OEM-provided app to a third-party app for vehicle diagnostics, OEMs must not create technical, contractual, or organizational barriers that would make this switch difficult.

Prepare the data

Choose a data format that fulfills the EU Data Act’s requirement for data to be shared in a “commonly used and machine-readable format.” This approach supports data accessibility and usability across different platforms and services.

Moving forward with confidence

The EU Data Act is bringing new obligations but also offering valuable opportunities. Navigating these changes may seem challenging, but with the right approach, they can become a catalyst for growth.

‍

Consumer Privacy Protection Act: What Canada’s privacy overhaul means for the auto industry

Cars used to just get us from point A to point B. Today, they function more like high-tech hubs that track GPS locations, store phone contacts, and gather details about our driving habits. This shift hasn’t escaped the attention of lawmakers and regulators. In Canada, conversations about data privacy have become louder and more urgent , especially with the Consumer Privacy Protection Act (CPPA) on the way.

Even though the CPPA is designed to handle personal data in general, it still lays down important rules for handling personal information. In other words, if you’re in the automotive business, you’ll want to pay close attention. Understanding how this new legislation applies to the data you collect and protect is critical for maintaining trust with customers and staying on the right side of the law.

The CPPA at a glance

Think of the Consumer Privacy Protection Act as the next chapter in Canada’s privacy story. Currently, the Personal Information Protection and Electronic Documents Act (PIPEDA) guides how companies handle personal data. But as online services grow more complex, the government wants to give Canadians stronger rights and clearer protections.

CPPA aims to refine or replace key parts of PIPEDA, focusing on three main things: giving people more control over their data, making sure businesses are upfront about what they do with it, and creating tougher consequences for those who violate the rules.

Key provisions

Consent

Under the CPPA, organizations must get informed, meaningful permission before collecting or using someone’s personal data.

Data portability and erasure

The CPPA allows individuals to direct the secure transfer of their data, which simplifies switching providers. Plus, you can request that a company delete your information if it’s no longer needed or you no longer agree to its use.

Algorithmic transparency

Companies using AI and machine learning must be prepared to explain how they arrive at certain conclusions if they rely on personal information. No more mystery algorithms making big calls without any explanation.

Penalties and enforcement

In the past, fines for privacy violations could be sizable, but the CPPA raises the stakes. Businesses that break the rules could face penalties of up to 5% of their global revenue or CAD 25 million, whichever is greater.

CPPA implications for the automotive sector

Modern vehicles collect a surprising amount of personal information, from real-time locations to driver preferences. Although the CPPA doesn’t single out car manufacturers or dealers, it covers any organization that handles personal data. That puts the automotive industry on notice for meeting these new standards, and here’s what that might look like:

1. Consent and transparency

Drivers should know exactly what data their vehicle is collecting, how it’s being used, and who sees it. Clearer privacy notices are needed to avoid complex legal language whenever possible.
While the CPPA emphasizes explicit consent, it doesn’t require opt-in or opt-out choices for every single scenario. Still, offering these options shows respect for drivers’ control over their own data and helps build trust.

2. Data minimization and retention

If certain information isn’t essential for safety alerts, maintenance reminders, or other valid functions, OEMs shouldn’t gather it.
Rather than holding onto everything, develop guidelines that clearly define how long data is stored and destroy it once it’s no longer needed.

3. Data security measures

Connected cars face cyber threats just like computers and smartphones. Strong safeguards (encryption, firewalls, regular audits) help prevent breaches.
Be prepared to show regulators you have solid security strategies in place, such as incident response plans and routine vulnerability checks.

4. Rights to erasure and portability

When a driver requests that you remove their personal data, it shouldn’t be a struggle. Have a clear process for swift and permanent deletion.
Whether it’s transferring service history to another dealership or updating digital profiles, make sure customers can take their data elsewhere with minimal friction.

5. Enforcement and fines

The CPPA ties potential fines to a company’s global revenue, which means large automotive players could face steep financial hits if they fall short.
Privacy regulators will have more power to investigate, so expect them to keep a closer eye on your data practices.

Privacy compliance isn’t the only area automakers need to watch.

Bill C-27 introduced the CPPA, but it also includes the Artificial Intelligence and Data Act (AIDA), which sets rules for AI-powered systems. While the CPPA focuses on protecting personal data, AIDA applies to high-impact AI applications like those used in autonomous driving, predictive maintenance, and driver behavior analysis.

If AI plays a role in setting insurance rates, making in-car recommendations, or adjusting vehicle safety settings, companies may need to document AI training methods, track potential biases, and provide explanations for automated decisions that affect individuals.

The CPPA already requires transparency when personal data feeds into AI-driven outcomes, but AIDA adds another layer of oversight.

6 practical steps to keep automotive data privacy on track

The future of vehicle information exchange

The Consumer Privacy Protection Act already affects modern vehicles, which capture everything from location data to driver habits and phone contacts.

However, because the CPPA is designed for all businesses, many people anticipate future rules specifically tailored to connected cars. Such regulations would go beyond the CPPA’s general standards, addressing the unique ways automotive data flows through telematics, in-car apps, and onboard sensors.

On the international front, the EU Data Act sets out rules for cross-border data handling, which matters if your cars or data move beyond Canada’s borders. The US Right to Repair Act also gives drivers and independent repair shops greater access to diagnostic information, raising new questions about how personal data is managed.

With these overlapping developments, it’s wise for automotive companies to adopt a comprehensive approach to privacy and data sharing. One that covers both home-grown regulations and global shifts.

Need help adapting to new rules?

As an OEM, you need to balance international obligations, regional privacy laws, and the technical demands of connected vehicles.

We’re here to assist. Our team not only provides IT consulting but also develops custom software solutions to help you meet complex regulatory requirements.