CNIL connected-vehicle location rules: what fleet managers and telematics providers should check

Scott Dooley
9 min read · Jul 13, 2026

A connected car, van, or scooter generates location data every time it moves. Fleet dashboards, rental recovery tools, and telematics boxes make that data easy to collect, and easy to over-collect. In June 2026, France’s CNIL published updated recommendations on how professionals may use connected-vehicle location data, following a public consultation and recent press coverage of location-data leaks affecting electric-vehicle owners. The document is not a fine headline, but it is a board-level signal that regulators expect authenticated user profiles, purpose-specific consent, and multi-user rights handling before location feeds product analytics or fleet control rooms. The full CNIL recommendation PDF is the anchor source for every operational claim below.

What the CNIL published in June 2026

Deliberation n° 2026-063, adopted on 16 April 2026, led to a final recommendation published on 30 June 2026 after a public consultation that ran in March 2025. The scope covers professionals using location data from connected vehicles owned or rented by individuals: cars, cycles, and scooters. Company cars and employee geolocation sit outside this document; the CNIL has separate guidance on employee vehicle tracking.

The audience is practical: vehicle manufacturers, fleet and rental managers, telematics box providers, and data aggregators or integrators who sit between OEMs and downstream services. The recommendation updates the CNIL’s 2017 connected-vehicle compliance pack and sits alongside the EDPB connected-vehicles guidelines 01/2020, which cover a wider set of vehicle data types. The June 2026 document narrows to location use by professionals.

Why location data from connected vehicles is a higher-risk category

Location reveals habits as well as coordinates

The CNIL treats vehicle location as highly personal and intrusive. Coordinates can expose movements, frequented places, and interests over time. That sensitivity matters for retention limits, access controls, and vendor contracts. Regulators and courts increasingly treat coarse location as a proxy for lifestyle data, not a neutral technical feed.

Multi-user vehicles blur controller responsibilities

Rental cars, shared vans, and family vehicles pass between drivers who may never see the same privacy notice. A manufacturer, a rental firm, and a telematics integrator can each process the same location stream for different purposes. Without profile-aware controls, transparency statements and consent records attach to the wrong person.

Recent EV location-data leak coverage raised regulator attention

The CNIL references press coverage of significant location-data leaks affecting electric-vehicle owners as context for heightened vigilance. The recommendation does not restate specific breach facts, but the signal is clear: location pipelines that leak or over-retain data will attract scrutiny. Security failures in telematics backends are enforcement bait, as the General Motors CCPA settlement showed for vehicle-derived personal data in another jurisdiction.

When consent is required, and when it is not

French Article 82 of the loi Informatique et Libertés transposes the ePrivacy directive. For vehicle location, consent is generally required unless the data is strictly necessary for a service expressly requested by the user. That gate sits alongside GDPR Article 6 lawful-basis choices. A fleet team can have a valid GDPR basis and still need ePrivacy consent for a location purpose, or fall within an Article 82 exemption. Readers confuse the two constantly; keep them separate in policy documents and product flows.

The CNIL maps common purposes in the recommendation: navigation assistance, breakdown and accident support, fleet management by rental firms, theft prevention, and product or service improvement. Each purpose needs its own legal analysis. Product analytics that reuse location for a purpose the driver did not request is the sort of secondary use that triggers both consent questions and compatibility checks. The parallel with Amadeus booking-data reuse is instructive: operational data collected for one stated purpose does not automatically become fair game for analytics pilots.

Two Article 82 carve-outs matter for rental and mobility operators. The CNIL states that consent is not required to prevent abuse of trust when non-return of the vehicle would affect rental availability. If a third party steals the vehicle, the same location mechanism may continue to support recovery. Those exemptions are narrow. They do not licence open-ended fleet surveillance of each driver’s trips.

Multi-user vehicles: profiles, rights, and dashboard residue

The final recommendation now advises authenticated profile systems so different drivers can manage choices and exercise rights on their own account. That shift followed the March 2025 consultation. Profiles should support transparency about connected services, consent choices where required, and GDPR rights including access.

The CNIL adds detail on access requests where several people use one vehicle, with or without named profiles. Rental and fleet teams should document how they identify which driver’s data sits in a given export. Where a personal account can link to the vehicle remotely, users should be able to disconnect that account remotely. Good practices should stop rental staff or the next renter seeing dashboard data left by a prior user. Wipe flows, staff training, and handover checklists belong in the operational response, not only in the privacy policy.

Five checks fleet and telematics teams should run now

Map every location purpose to a lawful basis and any ePrivacy consent requirement

List each location feed: live tracking, trip history, geofencing, theft recovery, breakdown routing, product telemetry. For each row, record the GDPR Article 6 basis, whether French Article 82 consent applies, who the controller is, and what the driver sees before collection starts. If the answer is “marketing analytics”, expect consent.

Minimise precision, retention, and onward sharing to what each purpose needs

Full-precision GPS stored indefinitely is hard to defend for fleet optimisation alone. Set retention by purpose, downgrade precision where possible, and restrict onward sharing in vendor contracts. Document deletion when a rental ends or a profile is removed.

Build profile-aware transparency and consent flows for shared vehicles

Shared vehicles need per-driver notices and controls, not a one-off factory screen. Authenticated profiles are now a CNIL recommendation, not a nice-to-have. If profiles are impossible on a legacy model, document the compensating controls for rights and access.

Test subject-access and erasure paths for each driver profile

Run a subject-access request test for a rental customer, a fleet sub-user, and a primary account holder. Check whether exports mix drivers, whether erasure removes telematics history, and whether backup systems respect the same timelines.

Secure telematics pipelines and vendor contracts

Location leaks draw regulators and plaintiffs. Audit API keys, integrator access, log retention, and breach notification clauses in telematics contracts. The CNIL will support sector associations through its club conformité on connected vehicles and mobility; use that as a prompt to align vendor SLAs with the June 2026 checklist.

What UK organisations should take from a French recommendation

CNIL guidance is not UK law. UK fleet operators with EU drivers, French rentals, or cross-border telematics still face GDPR and PECR questions on location and electronic communications. The operational checklist transfers even when the statute labels differ.

For a UK bridge, ICO guidance on consumer internet-of-things products and services, finalised on 11 June 2026, sets expectations on privacy by design, transparency, security, and DPIAs. That guidance covers smart speakers, doorbells, and domestic appliances. It explicitly excludes connected and autonomous vehicles. Do not cite it as the direct rulebook for fleet telematics. Do use its principles when designing consent, minimisation, and security for location-heavy products.

UK employee vehicle tracking remains under ICO employment guidance. That is a different risk profile from consumer rental location covered by the CNIL recommendation.

Which teams own the response

  • Privacy and DPO office: purpose register, DPIAs, regulator liaison
  • Fleet and mobility operations: handover processes, profile rollout, retention schedules
  • Rental and logistics commercial teams: contract terms, abuse-of-trust and recovery policies
  • Telematics vendors and procurement: data-processing agreements, security attestations, subprocessors
  • Product and connected-services engineering: consent UX, remote disconnect, dashboard wipe flows
  • Legal and insurer partners: location feeds used for risk scoring or claims

Fleet location compliance is a joint delivery problem. The CNIL document gives managers a concrete checklist; internal owners need named deadlines. Staff who handle vehicle handovers need the same training intensity you would apply to GDPR Essentials for customer data.

FAQ

What did the CNIL recommend on connected-vehicle location data?

On 30 June 2026 the CNIL published recommendations on how professionals may use location data from connected vehicles rented or owned by individuals. The document clarifies French Article 82 consent rules, advises authenticated profiles for multi-user vehicles, and sets good practices on rights, remote account disconnection, and dashboard data residue.

Do fleet managers need consent to track rental vehicles?

Often yes, under French Article 82, unless location is strictly necessary for a service the user expressly requested, or a narrow exemption applies such as abuse-of-trust prevention when non-return affects rental availability, or post-theft recovery. GDPR lawful basis alone does not remove the ePrivacy consent question.

Does GDPR treat vehicle location as special-category data?

Vehicle location is usually personal data under GDPR, not special-category data, unless it reveals health, trade-union membership, or other Article 9 categories. The risk is sensitivity and inference: location can expose habits and interests even when stored as coordinates.

How should rental firms handle multiple drivers on one connected vehicle?

The CNIL now recommends authenticated profile systems so each driver can manage service choices and rights. Firms should also prevent staff or the next renter accessing prior users’ dashboard data, support remote disconnection of linked personal accounts, and document access-request handling when several people share one vehicle.

When can telematics providers use location data without consent?

When Article 82 exempts the purpose, typically because location is strictly necessary for a service the user expressly requested, or for the narrow rental abuse-of-trust and theft-recovery cases described in the CNIL recommendation. Each purpose needs a documented analysis; exemptions do not cover general fleet analytics or open-ended product improvement.

What should UK businesses learn from the CNIL connected-vehicle guidance?

Treat location as high-risk personal data, separate ePrivacy-style consent from GDPR lawful basis, build multi-user rights handling, and tighten telematics security. UK PECR mechanics differ from French Article 82, but the manager checklist on purpose mapping, minimisation, profiles, and vendor control transfers to any fleet serving UK and EU customers.

Sources

Author

  • Scott Dooley is a seasoned entrepreneur and data protection expert with over 15 years of experience in the tech industry. As the founder of Measured Collective and Kahunam, Scott has dedicated his career to helping businesses navigate the complex landscape of data privacy and GDPR compliance.

    With a background in marketing and web development, Scott brings a unique perspective to data protection issues, understanding both the technical and business implications of privacy regulations. His expertise spans from cookie compliance to implementing privacy-by-design principles in software development.

    Scott is passionate about demystifying GDPR and making data protection accessible to businesses of all sizes. Through his blog, he shares practical insights, best practices, and the latest developments in data privacy law, helping readers stay informed and compliant in an ever-changing regulatory environment.

    View all posts