CNIL: vehicle location data — new recommendation
On 30 June 2026, the CNIL issued a recommendation on the use of vehicle location data. It clarifies ePrivacy consent, multi-user rights, security, data minimisation and the need for DPIAs.
On 30 June 2026, the CNIL released a 60‑page recommendation governing the use of location data generated by connected vehicles (cars, bikes, scooters, etc.). It targets OEMs, fleet managers, telematics device providers and data aggregators, and complements the 2017 compliance pack on connected vehicles and EDPB Guidelines 01/2020.
Key takeaways
- Clear guidance on when prior consent is required under ePrivacy, in addition to a GDPR legal basis.
- Managing data subject rights in multi‑user contexts via authenticated profiles and adapted in‑vehicle UX.
- Reinforced security, minimisation and anonymisation requirements, with DPIAs where risk is high.
Legal framework
The recommendation relies on the GDPR (minimisation, legal basis, transparency, privacy by design, security, DPIA) and on the ePrivacy directive, transposed in France as article 82 of the Loi Informatique et Libertés (LIL), which governs storing information on, or reading information from, a user's terminal equipment, including an in-vehicle telematics unit or companion app. It also references EDPB Guidelines 01/2020 for the EU-level interpretation.
For a structured refresher, see our overview of the GDPR and its key articles (including 30 and 35).
Impact for Luxembourg companies
Operators running fleets in France, selling or leasing to French residents, or providing OBD devices or data platforms should align their practices now. A CNIL recommendation is not itself binding, but the GDPR and ePrivacy obligations it interprets apply to any operator targeting users in France, regardless of where the operator is established, and the CNIL will assess compliance against it.
- ePrivacy consent and GDPR: where location is not strictly necessary to the requested service (e.g., certain infotainment or product optimisation features), prior consent is required in addition to an appropriate GDPR legal basis. Devices and apps must include consent capture and logging.
- Rights and profiles: the CNIL expects authenticated profiles to separate users, enable contextual information and facilitate rights (access, erasure, objection, portability).
- Security and minimisation: document the technical and organisational measures (encryption in transit and at rest, separation of data flows, short retention) and anonymise only with techniques robust against trajectory re‑identification, since a handful of timestamped positions is usually enough to single out a driver. A DPIA is recommended and often required where monitoring is systematic.
If you operate from Luxembourg with activities in France, align your practices with this benchmark. See our resources on GDPR compliance in Luxembourg.
Immediate actions
- Map location data processing by use case (assistance, theft/abuse, optimisation, fleet), including legal basis and ePrivacy status (necessary vs consent).
- Implement authenticated profiles, access controls and logging of privacy choices; validate UX with legal.
- Launch/update the DPIA: risk scenarios, reduced precision/frequency, short retention, encryption and hardening of devices/APIs, anonymisation protocol and re‑identification testing, plus supplier audits.
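The three minimisation levers named above (reduced precision, reduced frequency, short retention) and the re‑identification test can be made concrete. The following is an added illustration written for this page; it is not code from the CNIL, from the recommendation or from Luxgap. It assumes a hypothetical record format of (user, timestamp, latitude, longitude) fixes, rounds coordinates to two decimals (about 1 km), keeps one fix per user per 15‑minute window, drops fixes older than the retention period, and then measures "unicity": the share of users whose first few coarse points are unique in the dataset, which is the classic sign that a trajectory is still re‑identifiable. The sample fixes are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Fix:
    """One GPS fix from a vehicle (hypothetical record format)."""
    user_id: str
    ts: datetime
    lat: float
    lon: float


def floor_time(ts: datetime, window: timedelta) -> datetime:
    """Truncate a timestamp to the start of its window (frequency reduction)."""
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    secs = int((ts - epoch).total_seconds())
    w = int(window.total_seconds())
    return epoch + timedelta(seconds=secs - secs % w)


def coarsen(fix: Fix, decimals: int = 2,
            window: timedelta = timedelta(minutes=15)) -> Fix:
    """Precision reduction: 2 decimals is roughly 1.1 km in latitude."""
    return Fix(fix.user_id, floor_time(fix.ts, window),
               round(fix.lat, decimals), round(fix.lon, decimals))


def minimise(fixes, now: datetime, retention: timedelta = timedelta(days=30),
             decimals: int = 2, window: timedelta = timedelta(minutes=15)):
    """Apply retention, precision and frequency limits.

    Keeps at most one coarse fix per user per window and drops anything
    older than `retention` relative to `now`.
    """
    kept, seen = [], set()
    for f in sorted(fixes, key=lambda f: (f.user_id, f.ts)):
        if now - f.ts > retention:
            continue  # beyond retention: delete
        c = coarsen(f, decimals, window)
        key = (c.user_id, c.ts)
        if key not in seen:  # one fix per window
            seen.add(key)
            kept.append(c)
    return kept


def unicity(fixes, points: int = 3) -> float:
    """Re-identification check: fraction of users whose first `points`
    (time, lat, lon) values are unique in the dataset (k = 1).

    A value near 1.0 means coarsening alone has not removed the ability to
    single out individuals; further aggregation or suppression is needed.
    """
    traj = {}
    for f in fixes:
        traj.setdefault(f.user_id, []).append((f.ts, f.lat, f.lon))
    sigs = [tuple(sorted(t)[:points]) for t in traj.values()]
    counts = Counter(sigs)
    return sum(1 for s in sigs if counts[s] == 1) / len(sigs) if sigs else 0.0


# Constructed sample: users "a" and "b" follow the same route at nearly the
# same times, "c" drives elsewhere and also has one stale fix (45 days old).
NOW = datetime(2026, 7, 1, 8, 0, tzinfo=timezone.utc)


def _t(h: int, m: int) -> datetime:
    return NOW.replace(hour=h, minute=m)


SAMPLE = [
    Fix("a", _t(7, 0), 49.6117, 6.1300), Fix("a", _t(7, 5), 49.6120, 6.1310),
    Fix("a", _t(7, 30), 49.6000, 6.1500), Fix("a", _t(7, 45), 49.5800, 6.1200),
    Fix("b", _t(7, 2), 49.6110, 6.1303), Fix("b", _t(7, 31), 49.6004, 6.1498),
    Fix("b", _t(7, 46), 49.5803, 6.1204),
    Fix("c", _t(7, 0), 49.4900, 6.0700), Fix("c", _t(7, 30), 49.5000, 6.0800),
    Fix("c", NOW - timedelta(days=45), 49.4000, 6.0000),
]

if __name__ == "__main__":
    reduced = minimise(SAMPLE, NOW)
    print(f"raw fixes: {len(SAMPLE)}, after minimisation: {len(reduced)}")
    print(f"unicity raw: {unicity(SAMPLE):.2f}, coarse: {unicity(reduced):.2f}")
```

On the constructed sample the ten raw fixes shrink to eight, and unicity falls from 1.0 (every user singled out) to one third, because "a" and "b" become indistinguishable while "c" still is; in a real fleet dataset the check should be run on the actual export with the precision, window and retention values the DPIA proposes, and a high residual unicity is a signal that the data is pseudonymised, not anonymised.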
Need operational support and compliant governance? Our team can deliver a certified DPO mandate and coordinate ePrivacy/GDPR alignment with your product engineering.
Article generated by Luxgap regulatory watch. For tailored guidance on this topic, contact us.