Compliance

Compliant connected-vehicle data access, by architecture

Regulators on three continents now require consent-first, revocable, auditable access to vehicle data. DIMO was built that way from the start — compliance is a byproduct of the architecture, not a retrofit.

Connected vehicle data compliance means giving drivers and owners consent-first, revocable control over what is shared, with whom, and for how long, and producing a verifiable record of every access. As of 2026, that is no longer a best practice. It is the law in the United States and the European Union: consent-first vehicle data access is now legally required, not ethically preferred.

This page maps the regulations reshaping the connected-vehicle market and how a session-based access model satisfies all of them at once, without a multi-year in-house build.

The regulatory wave

Four moving pieces are converging on the same requirement: that access to vehicle data be explicitly consented, scoped, revocable, and auditable.

  • The EU Data Act requires OEMs to expose vehicle data to authorized third parties. It took effect in September 2025, with OEM enforcement following in September 2026.
  • The FTC GM/OnStar consent order bans non-consented sharing of driver-behavior data, and effectively ends bulk telematics brokerage as a business model.
  • GDPR and session-scoped consent make consent structurally part of the access event, not a separate policy bolted on afterward.
  • California SB-1394 and UNECE R155 require vehicle access to be revocable by the owner and auditable by design.

Why a session model satisfies all of them at once

Each of these rules asks for the same four things: explicit authorization, scoped access, atomic revocation, and a verifiable trail. A vehicle session bundles exactly those properties. A session is created with a driver's identity, a specific data scope, a spend limit, and a time limit; when the use case ends, everything revokes at once and a cryptographically signed, independently verifiable record is sealed.

Because consent is part of the session-creation primitive rather than a downstream policy, the same architecture answers GDPR, the EU Data Act, the FTC standard, and SB-1394. See session-scoped consent for how that works, and vehicle session infrastructure for the broader model. Operators can read how this applies to fleets in rental operations, and developers can start in the consent product docs.

Note: formal certification review should be completed before using compliance language in European OEM procurement; this page is educational, not legal advice.