Data Privacy Risks For Automotive, EV And Connected Mobility Businesses Under India’s DPDP Regime: Telematics, Location Data And Accountability

Posted On - 2 February, 2026 • By - Aniket Ghosh

Introduction: When Vehicles Become Data Platforms

The modern automobile is no longer a purely mechanical product. Cars, two-wheelers, electric vehicles (EVs), fleet vehicles and mobility platforms now function as rolling data ecosystems. Telematics units, sensors, cameras, infotainment systems, mobile apps and cloud dashboards continuously collect, transmit and analyse personal data.

Automotive OEMs, EV manufacturers, fleet operators, ride-hailing platforms and mobility-as-a-service providers today process:

  • Real-time location and movement data
  • Driving behaviour and usage patterns
  • Biometric and in-cabin data
  • Vehicle diagnostics linked to individuals
  • Payment and subscription information

This convergence of physical mobility and digital surveillance places the automotive sector squarely within the focus of India’s data protection framework and makes it more prone to data privacy risks.

With the enactment of the Digital Personal Data Protection Act, 2023 (“DPDP Act”) and the Digital Personal Data Protection Rules, 2025 (“DPDP Rules”), connected mobility businesses must now confront privacy as a core product-design and governance issue, not merely a backend compliance obligation.

Applicability of the DPDP Act to Automotive and Mobility Businesses

A. Entities Covered

The DPDP Act applies to any entity processing digital personal data, including:

  • Automotive OEMs and EV manufacturers
  • Connected vehicle and telematics providers
  • Ride-hailing and mobility platforms
  • Fleet operators and logistics companies
  • Vehicle subscription and leasing services
  • Automotive dealers and authorised service centres

Both consumer and enterprise mobility models fall within the scope of the Act.

B. Automotive Companies as Data Fiduciaries

Automotive OEMs and mobility platforms typically qualify as data fiduciaries, as they determine:

  • What vehicle and driver data is collected
  • How data is processed and analysed
  • Whether data is shared with insurers, partners or regulators
  • Retention and monetisation strategies

Third-party vendors, namely cloud providers, telematics vendors and analytics firms, usually act as data processors, though primary accountability remains with the fiduciary. Large OEMs, EV platforms and ride-hailing companies may be notified as Significant Data Fiduciaries (SDFs) due to:

  • Continuous tracking at scale
  • High-risk location and behavioural data
  • Use of AI-driven analytics

Telematics and Location Data: The Core Privacy Risk

A. What Data Is Collected?

Connected vehicles routinely collect:

  • GPS location and travel routes
  • Speed, braking and acceleration patterns
  • Time, frequency and duration of journeys
  • Charging behaviour (for EVs)
  • In-vehicle infotainment usage

When linked to an identifiable individual, such data constitutes personal data under the DPDP Act.

B. Why Location Data Is High-Risk

Location data can reveal an individual’s home and workplace, daily routines and even personal relationships, and can support religious, medical or political inferences. Continuous tracking significantly heightens the risk of harm, making regulators particularly sensitive to misuse or over-collection.

Under the DPDP Act, consent must be:

  • Free
  • Informed
  • Specific
  • Unambiguous
  • Capable of withdrawal

In automotive contexts, consent is often obtained through:

  • In-vehicle screens
  • Mobile companion apps
  • Purchase or onboarding documentation

Generic disclosures buried in manuals or apps are unlikely to meet statutory standards.

B. DPDP Rules: Notice Requirements

The DPDP Rules require clear notice specifying:

  • Categories of data collected (including telematics)
  • Purpose of processing (safety, diagnostics, analytics, marketing)
  • Data sharing with third parties
  • Retention periods
  • Rights of drivers and users

Failure to clearly disclose continuous tracking poses a serious compliance risk.

Purpose Limitation and Function Creep

A. Safety vs Monetisation

Vehicle data is often collected for safety and diagnostics, preventive maintenance or theft detection. However, many OEMs and platforms repurpose this data for:

  • Insurance scoring
  • Targeted advertising
  • Cross-selling services

Under the DPDP Act, such secondary use requires fresh, explicit consent.

B. Insurance and Partner Sharing

Sharing driver behaviour data with insurers, financiers or advertisers without clear consent exposes companies to enforcement risk, even where such practices are commercially attractive.

In-Cabin Data, Cameras and Biometrics

A. Driver Monitoring Systems

Advanced vehicles increasingly deploy:

  • Driver-facing cameras
  • Facial recognition
  • Drowsiness and attention tracking

Such systems significantly raise privacy stakes, particularly where data is stored or analysed off-vehicle.

B. Biometric and Voice Data

Use of voice assistants and biometric authentication requires a strong necessity justification, enhanced security safeguards and strict retention limits. Biometric misuse can lead to irreversible harm, attracting heightened scrutiny.

Dealerships, Service Centres and Ecosystem Risk

A. Dealer Access to Customer Data

Authorised dealers and service centres often access:

  • Owner identity data
  • Vehicle usage history
  • Location and diagnostic data

Uncontrolled access and informal sharing practices expose OEMs to downstream liability.

B. Fleet and Corporate Mobility Models

Fleet operators process data of multiple drivers across vehicles. Ambiguity around:

  • Who is the data fiduciary
  • Who provides notice and consent
  • Who bears breach liability

must be addressed through contractual clarity.

Cross-Border Data Transfers in Automotive Ecosystems

Global OEMs frequently transfer vehicle data to overseas servers for analytics, software updates, or AI training. Under the DPDP Act, cross-border transfers are permitted only to government-notified jurisdictions, requiring companies to:

  • Map global data flows
  • Monitor regulatory notifications
  • Prepare for localisation or segmentation if required

Data Breaches and Safety Implications

A. Mandatory Breach Notification

Under the DPDP Act and Rules, automotive and mobility companies must notify both the Data Protection Board of India and affected individuals. This obligation applies even where no immediate financial loss occurs.

B. Physical Safety and Security Risks

Breaches involving vehicle data can even compromise personal safety, enable stalking or tracking, or expose critical infrastructure vulnerabilities. The physical-digital overlap amplifies regulatory concern.

Penalties and Enforcement Exposure

A. Monetary Penalties

The DPDP Act permits penalties up to INR 250 crore per contravention, assessed based on:

  • Nature and sensitivity of data
  • Scale and duration of processing
  • Mitigation measures taken

Continuous, large-scale tracking increases systemic exposure.

B. Business and Reputational Impact

Beyond penalties, companies may face:

  • Product redesign mandates
  • Loss of consumer trust
  • Regulatory scrutiny across jurisdictions
  • Partner and investor concerns

Compliance Roadmap for Automotive and Mobility Businesses

1. Data Mapping and Classification: Identify all telematics, location and behavioural data flows.

2. Consent and UX Design: Design clear, granular consent mechanisms across vehicle and app interfaces.

3. Purpose Limitation Controls: Separate safety-critical processing from commercial analytics.

4. Dealer and Vendor Governance: Limit access and impose DPDP-compliant contractual safeguards.

5. Breach Preparedness: Develop incident response plans considering physical safety risks.

Conclusion: Privacy as the Foundation of Trust in Connected Mobility

As vehicles evolve into connected platforms, privacy will define consumer trust and regulatory acceptance. The DPDP Act and Rules make it clear that constant surveillance cannot be the default price of mobility.

Automotive and mobility businesses that embed privacy-by-design, limit data excesses and respect user autonomy will be best positioned to lead India’s connected mobility future.