
CNIL concludes public consultation on draft recommendation for location data from connected vehicles


CNIL concludes public consultation regarding a proposed recommendation to provide guidance on GDPR compliance for the processing of location data from connected vehicles.

The French data protection authority, CNIL, recently closed its public consultation on a draft recommendation addressing the use of location data generated by connected vehicles. Launched on March 25, 2025, the consultation concluded on May 20, 2025, and aimed to assist stakeholders in navigating GDPR compliance in a domain where privacy and innovation intersect.

 

Location data offers substantial benefits but presents heightened privacy risks.

Location data is essential to a range of services provided by connected vehicles, including navigation support, fleet optimisation, predictive maintenance, and emergency response. These services can significantly enhance user experience, increase safety, and improve vehicle performance.

However, location data is also one of the most sensitive forms of personal data. It can reveal extensive details about an individual’s daily movements, frequent destinations, and personal interests. The CNIL characterises it as “particularly intrusive for people’s privacy,” highlighting the importance of implementing safeguards. This concern is not merely theoretical, as demonstrated by a major data leak in December 2024 affecting over 800,000 electric vehicle owners, which reinforces the importance of proper data handling practices.

 

The draft recommendation is aimed at stakeholders involved in the private use of connected vehicles.

The CNIL’s draft guidance focuses on connected vehicles used by individuals, whether as owners or lessees. It excludes company vehicles made available to employees, which are already covered under earlier CNIL recommendations.

Targeted stakeholders include:

  • Vehicle manufacturers;

  • Fleet managers, including rental providers (cars, bikes, scooters);

  • Telematics solution providers (e.g., black boxes or tracking modules);

  • Data aggregators and integrators facilitating the transmission of vehicle-related data.

 

The recommendation seeks to support compliance with core GDPR principles.

Building on its 2017 “Connected Vehicles” compliance pack and the broader guidance of the European Data Protection Board (EDPB), the CNIL’s draft guidance focuses on practical use cases involving geolocation data. These include vehicle recovery and assistance, accident response, theft prevention, rental fleet management, and service optimisation.

Throughout the draft, the CNIL emphasises the importance of respecting GDPR principles such as data minimisation, purpose limitation, transparency, and security. The recommendation aims to help stakeholders implement these principles in a way that is specific to the operational realities of connected mobility services.

 

The CNIL reiterates that location data requires specific legal bases and careful safeguards.

The draft confirms that processing location data generally requires a legal basis, as well as freely given, specific, informed, and unambiguous consent. The CNIL stresses that, in some cases, French ePrivacy rules (transposing the ePrivacy Directive) will also apply, particularly when location data is accessed via telematics tools or software embedded in the vehicle. The CNIL highlights that the French cookie rules will apply in case of access to location data from a connected vehicle. Moreover, the authority warns that certain secondary uses, such as using location history to develop profiles for advertising or behavioural analysis, may go beyond what is compatible with the original purposes for which the data was collected.

 

A Data Protection Impact Assessment may be required depending on the nature and scale of the processing.

Due to the sensitivity of geolocation data and the potential for large-scale processing, some of the activities described in the CNIL’s draft recommendation may require a Data Protection Impact Assessment (DPIA) under Article 35 of the GDPR. While not every use case will trigger this requirement, the need for a DPIA should be considered.

The EDPB outlines several criteria for determining whether processing is “likely to result in a high risk.” In these cases a DPIA would be required. Relevant examples include:

  • Systematic monitoring of individuals in a public space;

  • Processing of sensitive data (or data of a highly personal nature, such as location data);

  • Large-scale processing;

  • Use of new technologies or innovative solutions.

In the context of connected vehicles, scenarios such as real-time location tracking of multiple users, or cross-referencing geolocation with behavioural data, could meet this threshold. A DPIA can serve as a valuable tool to help organisations assess and mitigate privacy risks and ensure transparency and accountability under the GDPR.

Where DPIAs are required, they must document the necessity and proportionality of the processing, assess associated risks, and implement appropriate technical and organisational measures to mitigate them. Failing to conduct a DPIA where required may expose organisations to regulatory scrutiny or sanctions.

 

The public consultation closed on May 20, 2025, and a final version is expected soon.

The consultation invited feedback from manufacturers, rental companies, software and telematics providers, data intermediaries, as well as civil society and end-users. Stakeholders were encouraged to consolidate feedback through federations or representative organisations.

With the public consultation now closed, the CNIL will analyse submissions and is expected to publish a final version of the recommendation in the coming months. The final text will likely reflect sector-specific insights while reinforcing existing GDPR obligations in the context of connected mobility.

 

The final CNIL recommendation will play a key role in shaping compliance practices in the connected vehicle ecosystem.

As the automotive sector continues its transformation through data-driven services, regulators must ensure that innovation does not come at the expense of individuals’ fundamental rights. The CNIL’s forthcoming recommendation will serve as a critical compliance resource for stakeholders managing the delicate balance between technical advancement and personal data protection. Those involved in connected mobility should begin assessing their current practices in light of the draft, in anticipation of binding guidance.

Discover how Aphaia can help ensure compliance of your data protection and AI strategy. We offer full GDPR and UK GDPR compliance, as well as outsourced DPO services. We specialise in empowering organisations like yours with cutting-edge solutions designed to not only meet but exceed the demands of today’s data landscape. Contact Aphaia today.
