Overview
In an effort to protect victims of domestic violence, California and New York have enacted new laws requiring motor vehicle manufacturers (OEMs) and their service providers to promptly terminate remote access to connected vehicle features when requested by a qualifying individual.
- California Laws: Cal. Veh. Code §§ 28220 and 28222
- New York Law: General Business Law § 399-ccccc
- Effective Dates:
  - New York: May 15, 2025
  - California: July 1, 2025
These laws apply to “covered providers,” which include vehicle manufacturers or entities acting on their behalf that provide connected vehicle services (e.g., remote unlocking, GPS tracking, app-based controls). While dealers are not expressly mentioned, there is some risk that “covered providers” could be interpreted to include dealers. Regardless, dealers could be a helpful resource for victims of domestic violence seeking guidance on how to terminate access to connected services.
Compliance Responsibilities for OEMs & Other Covered Providers
1. Driver Request Processing: Termination of Connected Services
Under these statutes:
- OEMs and other covered providers must terminate access to connected services within two business days of receiving a valid request.
- A valid request must include:
  - Vehicle Identification Number (VIN)
  - Proof of ownership
  - In New York only: An attestation stating the requester is a victim of domestic violence.
If it is technologically infeasible for the OEM or covered provider to terminate access, then they must:
- Notify the requester promptly (this may be a significant obligation for OEMs).
- Offer alternative solutions such as instructions for disabling or modifying service settings manually.
Fees for this service are prohibited.
2. Website & App Accessibility Requirements
To ensure victims can easily request disconnection of remote vehicle access, covered providers must:
In California:
- Add a clearly visible link titled “HOW TO DISCONNECT REMOTE VEHICLE ACCESS” on the manufacturer's website.
- The page must allow users to:
  - Submit a request to terminate access
  - Create a new connected vehicle service account
Upon request submission:
- Providers must email a confirmation with a reference number and next steps.
- After review, they must notify the driver of the outcome, any missing documents, and guidance for setting up a new account if applicable.
In New York (by July 1, 2026):
- Covered providers must include clear instructions on the website for requesting that connected services and vehicle apps be disabled, detailing:
  - Required documentation (VIN, proof of ownership, attestation)
  - Step-by-step termination procedures
- The language must be plain, accessible, and victim-centered.
3. In-Vehicle Disabling Mechanism
Both states require that, by July 1, 2028, all connected vehicles offer a built-in method to immediately disable location tracking from inside the vehicle. OEMs should include this in product development plans for model year 2028 and beyond. The mechanism must:
- Be clearly visible and easy to use
- Not require:
  - Internet access or mobile app
  - Account login or passwords
  - Two-factor authentication
Permissible Verification: The driver may be asked to input a mobile phone number associated with the service, but no additional verification steps are allowed.
- Once disabled, location access can only be re-enabled by a driver who is physically inside the vehicle.
4. Penalties for Noncompliance
In New York, violations may result in civil penalties up to $500 per violation.
- Covered providers and their staff (employees, officers, vendors, etc.) are not liable for civil claims related to actions taken in good faith to comply with these laws, except for the specified penalty in New York.
- A violation in New York is any of the following:
  - Failing to disable tracking access within 2 business days of receiving a valid request
  - Charging a fee or penalty for disabling tracking access
  - Disclosing or misusing a survivor’s documentation or information
  - Refusing to process a valid request based on survivor status
  - Failing to offer a method for survivors to submit requests
OEMs should be aware that, while these statutes do not create a private right of action, the obligations set forth in these statutes may nonetheless be relied upon in pursuing other claims, potentially increasing the legal risks for both OEMs and service providers.
Summary for Motor Vehicle Compliance Teams
Vehicle manufacturers must:
- Make sure that processes are in place to field and respond to customer requests for services to be disconnected;
- Make sure that websites in California comply with requirements as soon as possible and in New York by the July 1, 2026 deadline; and
- Implement the required in-vehicle location disabling systems by 2028.
In addition, OEMs should consider informing New York and California dealers of these laws and require them to train personnel on responding to customer inquiries about disabling connected services. Customers seeking to disable connected services may reach out to dealers with questions, and if dealers can assist customers, it may help the OEM avoid liability.
For more information on how these laws aim to close a critical safety gap as motor vehicles become more digitally connected, please see the articles below:
- https://cybernews.com/privacy/california-passes-anti-vehicle-tracking-law-domestic-abuse-protection/
- https://opdv.ny.gov/nys-connected-vehicle-service-laws
- https://iapp.org/news/a/new-state-laws-protect-abuse-survivors-from-misuse-of-vehicle-connectivity
- https://connectontech.bakermckenzie.com/california-moves-to-disable-vehicular-data-access-used-in-domestic-abuse/