The case caused a stir: the location data of 800,000 vehicles from the Volkswagen group was exposed on the internet following a misconfiguration. This incident highlighted a reality that is often ignored: our modern cars are real collectors of information on our most intimate habits. In response to these abuses and to anticipate future risks, France's National Commission for Information Technology and Liberties (CNIL) has just published a highly anticipated recommendation to clarify the rules of the game for manufacturers, rental companies and other players in the sector.
Why did the CNIL have to intervene?
A modern connected car doesn’t just transport you. It constantly records your position, speed and times, drawing a precise map of your daily life. The CNIL considers this location data “highly personal”, because its analysis can reveal your home, your place of work, your interests, and even sensitive information such as your religious opinions or your state of health. The risk to privacy is therefore major, especially when this information interests a chain of actors, from manufacturers to data aggregators.
The trigger for this intervention was the massive data leak from Cariad, the software subsidiary of Volkswagen. The security breach exposed the journeys of 800,000 vehicles, including 460,000 with centimeter accuracy. To prove the danger, experts from the Chaos Computer Club reconstructed the movements of a German defense official, chillingly illustrating the potential for intrusion of such information once it is in the wrong hands.
What are the new rules imposed by the CNIL?
The French authority's recommendation is built around a central principle inherited from the GDPR: user consent. Concretely, a manufacturer or rental company will no longer be able to collect and use your location data without your explicit consent, unless it is essential for a service that you have expressly requested, such as breakdown assistance. In this specific case, the CNIL points out that the last known position is often sufficient, removing the need to keep a complete history of journeys.
Beyond consent, the authority pushes for concrete changes to give control back to drivers. It strongly recommends the establishment of authenticated profiles, allowing each user of the same vehicle to manage their own data. In addition, it emphasizes an essential reflex: the possibility of disconnecting an account remotely and the need to erase all personal information before selling or returning a rental vehicle. This simple measure aims to prevent your addresses or call logs from falling into the hands of the next user.

Concretely, what rights do motorists have?
This recommendation reinforces motorists' concrete rights. You have all the prerogatives provided for by the GDPR: right of access to your data, rectification, erasure, and portability. Above all, you have the right to withdraw your consent at any time, as simply as you gave it. To facilitate this, professionals are encouraged to make their privacy policies clearer, for example via pictograms or QR codes.
To regain control, the first instinct is to check your vehicle’s privacy settings and deactivate non-essential connected services. The CNIL recommends a single button to disable all optional sharing at once. Although a recommendation is not binding law, it serves as an official guide for GDPR compliance. The CNIL has also planned to support the sector in the coming months to ensure that these good practices do not remain a dead letter.
