Vehicle Data Platforms and Data Monetisation

Executive Summary

Vehicle Data Platforms are becoming strategically relevant for OEMs — but not as simple "data monetisation engines." Sustainable value lies in validated use cases: fleet efficiency, predictive maintenance, insurance models, mobility services, road safety and smart city applications. Data protection, consent, cybersecurity, data quality, semantics and fair access models are hard prerequisites for success.

The EU Data Act has been applicable since 12 September 2025 and strengthens user and third-party access to data from connected products and related services.¹ The European Commission published specific guidance on vehicle data on the same day.²

The central thesis: OEMs can create value from vehicle data when they treat data platforms not primarily as a sales channel for raw data, but as controlled, trustworthy, legally compliant and semantically standardised infrastructure for concrete services.

1. Connected Vehicle Data Landscape

Connected vehicles generate heterogeneous data classes with different sensitivity and purpose limitations:

• Vehicle status (mileage, battery, tyre pressure, fault codes) — sensitivity: medium — maintenance, diagnostics, fleet operations
• Usage data (driving profiles, acceleration, braking, charging behaviour) — sensitivity: high — insurance, fleet optimisation
• Location and movement data (GPS, routes, parking position) — sensitivity: very high — navigation, road safety, smart city
• Environmental data (temperature, wiper status, road condition) — sensitivity: medium to high — weather, infrastructure, hazard warning
• Infotainment and user interaction (app usage, preferences) — sensitivity: high — personalisation, digital services
• Safety and ADAS data (camera, radar, LiDAR events) — sensitivity: very high — safety, ADAS development, accident analysis
• Service and contract data (vehicle ID, user account, consent, tariffs) — sensitivity: high — billing, access control, partner integration

The European Data Protection Board (EDPB) clarified in Guidelines 01/2020 (final version 2.0 adopted 9 March 2021) that many technical vehicle data points can be personal data when they can be linked directly or indirectly to a person. The EDPB considers connected vehicles as "terminal equipment" under the ePrivacy Directive.³

2. Technical Architecture of Vehicle Data Platforms

A robust Vehicle Data Platform should not be understood as a monolithic data lake but as a layered architecture:

1. In-Vehicle Data Layer — ECUs, sensors, gateway, TCU, edge filtering, data minimisation
2. Connectivity Layer — cellular, eSIM, VPN/APN, TLS, device identity, messaging, store-and-forward
3. Ingestion Layer — streaming, batch upload, MQTT/HTTP, event broker, schema validation
4. Data Processing Layer — normalisation, plausibility checking, aggregation, pseudonymisation, anonymisation, quality scoring
5. Semantic Layer — signal catalogues, data models, ontologies, mapping between OEM signals and standards
6. Governance & Consent Layer — legal grounds, consent management, purpose limitation, Data Act access workflows
7. API & Partner Layer — developer portal, API gateway, access control, audit logs, billing, SLA monitoring
8. Use-Case Layer — fleet portals, insurance services, maintenance platforms, smart city data products

For semantic standardisation, COVESA is relevant: the Vehicle Signal Specification (VSS) defines an open catalogue and syntax for vehicle signals; VISS describes an API for accessing VSS data.⁴ Catena-X addresses standardised, interoperable data exchange along the automotive value chain; Gaia-X focuses on federated, secure data infrastructures and data sovereignty.

3. Use Case Analysis

• Fleet management — needs location, mileage, energy consumption, fault codes; delivers cost reduction, utilisation and compliance; requires a role model, aggregation and driver separation.
• Usage-based insurance — needs driving behaviour, mileage, time, region; enables more individualised tariffs; requires explicit consent, transparency and purpose limitation.
• Predictive maintenance — needs DTCs, sensor values, mileage, temperature; reduces failures and improves service planning; requires data quality, diagnostic models and OEM/workshop integration.
• Mobility services — need availability, location, charge level, booking status; improve user experience and enable new services; require an API gateway, consent and real-time capability.
• Road safety — needs brake events, ESP, wipers, slipperiness, airbag events; supports hazard warning and accident prevention; requires event filtering, anonymisation and latency management.
• Smart city — needs traffic flow, parking data, road condition; supports traffic planning and infrastructure maintenance; requires aggregation, geofencing and data-sharing contracts.
• EV charging optimisation — needs SOC, charging history, location, tariffs; supports charging planning, grid relief and comfort; requires user authorisation and energy/roaming integration.
• Residual value & remarketing — needs maintenance, usage and battery health data; enables transparent vehicle valuation; requires data history, tamper protection and rights clarification.

4. Regulatory Framework

EU Data Act

The EU Data Act (Regulation (EU) 2023/2854) has been applicable since 12 September 2025.¹ Users of connected products can request access to data generated through use of the product or related services, and can have this data made available to third parties. Additional design obligations apply from 12 September 2026; certain contract obligations from 12 September 2027.⁵

The European Commission published specific Guidance on vehicle data on 12 September 2025 ("Guidance on vehicle data, accompanying the Data Act").² The Commission distinguishes:

• Raw data and pre-processed data — fall within scope (e.g. sensor signals, vehicle speed, battery level, mileage)
• Inferred or derived data — fall outside scope (e.g. ADAS data, driver scoring, complex algorithm outputs)

Article 9 of the Data Act regulates B2B access with reasonable compensation; further Commission guidelines on Article 9(5) (compensation calculation) have not yet been finalised.⁶

GDPR and EDPB Guidelines

The GDPR (Regulation (EU) 2016/679) remains applicable in parallel whenever personal data are concerned. Particularly relevant are lawfulness, transparency, purpose limitation, data minimisation, privacy by design, security of processing and data protection impact assessment (DPIA).

The EDPB Guidelines 01/2020 on processing personal data in the context of connected vehicles and mobility-related applications (version 2.0, adopted 9 March 2021) classify connected vehicles as "terminal equipment" under the ePrivacy Directive and emphasise the necessity of consent for many processing scenarios.³

Industry Positions

ACEA calls for effective Data Act implementation, simplification of the regulatory framework and a unified European data space. CLEPA and aftermarket actors emphasise practical issues such as inconsistent data availability, lack of standardisation, real-time capability and fair pricing.

5. Market Forecasts — with Critical Distance

Market forecasts for vehicle data monetisation vary considerably and often reflect expectations rather than validated value creation. A critical assessment:

• McKinsey (2016): Connected-car data could reach a global value pool of $450–750 billion by 2030 — an early, optimistic forecast, later revised downwards by McKinsey itself⁷
• McKinsey (2021, update): 9 use-case clusters with 38 use cases could deliver $250–400 billion in annual incremental value by 2030 — reduced due to slow adoption⁸
• BCG/WEF (2023): OEM revenues from automotive software/electronics from $87B (2023) to $248B (2030); SDV value potential of $650 billion — refers to software/digital services, not vehicle data alone⁹
• S&P Global Mobility (2023): An important reality check — two major SPAC-financed market players (Otonomo, Wejo) exited or went bankrupt despite valuations of $1.4B and $657M respectively in 2021¹⁰

Conclusion: Market forecasts show potential, but no guarantees. A robust business case does not arise from "data sales" but from concrete, demonstrable efficiency, safety, service or customer value. The Otonomo/Wejo cases show that pure data marketplaces without clear use cases and willingness to pay carry high risk.

6. Business Models and Limits

Realistic Models

• Data-enabled services — maintenance, fleet optimisation, EV charging, safety alerts — high suitability
• API access for partners — access to defined data products — medium to high
• B2B2C services — insurance, leasing, workshops, mobility — high with consent
• Internal value capture — quality improvement, warranty analytics, product development — very high suitability (often underestimated)
• Data spaces — federated exchange under governance rules (Catena-X, Gaia-X) — medium to high
• Subscription add-ons — digital vehicle functions — high, but customer-acceptance dependent

Limits

• Raw data alone usually has little value without context, quality and semantics
• Personal data cannot be "monetised" arbitrarily
• Consent must be specific, informed and revocable (GDPR Art. 4(11), 7)
• Location and driving behaviour data create high trust risk
• Aftermarket, insurers and mobility providers expect fair, standardised and non-discriminatory access
• Cybersecurity and safety can justify legitimate access restrictions, but must not be used as a blanket blockade

7. Risks and Mitigation

• Loss of trust — users perceive data usage as opaque → privacy UX, clear purposes, simple controls
• GDPR violation — unclear legal basis or excessive data use → DPIA, legal basis mapping, data minimisation
• Data Act non-compliance — missing processes for user and third-party access → access portal, contract and API processes
• Poor data quality — incomplete, inconsistent data → data quality KPIs, schema governance
• Vendor lock-in — proprietary data models complicate partner integration → COVESA/VSS, open APIs, mapping layer
• Security exposure — APIs increase attack surface → zero trust, OAuth2/OIDC, mTLS, audit logging
• Missing business case — data products without paying customers → use-case validation, piloting, ROI model
• Discrimination / profiling — insurance or scoring disadvantages users → fairness checks, transparency, human oversight

8. Recommendations for OEMs

1. Develop data strategy from the use case. Not "What data can we sell?" but: "Which service creates measurable value?"
2. Design Data Act and GDPR jointly. Vehicle data access, consent, data protection, cybersecurity and contract models must be unified in one architecture.
3. Standardise semantics. Evaluate COVESA VSS/VISS, Catena-X approaches and data-space principles early.
4. Treat consent as a product feature. Users must understand which data are used for what, who has access, and how they retain control.
5. Define data products. Data products need description, purpose, quality, latency, freshness, access classes, pricing logic, SLA and auditability.
6. Professionalise partner integration. Insurers, workshops, fleet operators, cities and mobility platforms need stable APIs, test environments and clear contracts.
7. Avoid hype. Market forecasts are scenarios. Investment decisions should be based on validated use cases, willingness to pay and operational scalability — the Otonomo/Wejo cases show the risks of one-sided hype strategies.

9. IoT42 Competence Contribution

IoT42 supports OEMs, mobile network operators and partners in building trustworthy Vehicle Data Platforms:

Data strategy & use case validation — assessment of value, feasibility, data needs, privacy risk and business case.

Technical interface architecture — API design, partner integration, mobile/IoT connectivity, eSIM/MNO integration, data flow modelling.

Privacy & trust by design — consent processes, GDPR/Data Act requirements analysis, pseudonymisation, purpose limitation, DPIA support.

Semantics & data quality — signal mapping, data catalogues, COVESA-oriented modelling, data quality KPIs.

Partner & ecosystem integration — fleet operators, insurers, workshops, smart city actors, Catena-X / Gaia-X-oriented architectures.

Implementation-oriented consulting — requirements engineering, solution design, technical specification, governance model, MVP and pilot planning.

IoT42 does not sell technology. IoT42 provides the clarity, structure and execution capability that enables organisations to navigate the complexity of vehicle data platforms.

Sources

1. European Commission, "Data Act — Shaping Europe's digital future," applicable since 12 September 2025. Available at digital-strategy.ec.europa.eu.
2. European Commission, "Guidance on vehicle data, accompanying the Data Act," published 12 September 2025 (CELEX:52025XC05026).
3. European Data Protection Board, "Guidelines 01/2020 on processing personal data in the context of connected vehicles and mobility related applications," Version 2.0, adopted 9 March 2021.
4. COVESA (Connected Vehicle Systems Alliance), Vehicle Signal Specification (VSS) and VISS. Available at covesa.global.
5. Bird & Bird, "Navigating the Data Act — EU Commission guidance for the automotive sector," November 2025; Mayer Brown, "The EU Data Act Has Taken Effect," November 2025.
6. Garrigues Digital, "New guidance on vehicle data and the Data Act," November 2025; StreamLex, "EU Data Act Vehicle Data Guidance Explained," September 2025.
7. McKinsey & Company, "Monetizing car data: New service business opportunities," 2016.
8. McKinsey & Company, "Unlocking the full life-cycle value from connected-car data," 2021.
9. Boston Consulting Group / World Economic Forum, "Rewriting the Rules of Software-Defined Vehicles," September 2023.
10. S&P Global Mobility, "Connected vehicle data market faces setbacks as two of its largest players exit," 2023.
11. ACEA — Position Paper on Connected Vehicle Data Sharing.
12. CLEPA — Statements on Data Act implementation.
13. Catena-X Automotive Network (catena-x.net); Gaia-X European Association for Data and Cloud (gaia-x.eu).
14. Regulation (EU) 2023/2854 (Data Act) and Regulation (EU) 2016/679 (GDPR). Available at eur-lex.europa.eu.

---

© 2026 IoT42 GmbH. All rights reserved. This whitepaper is for informational purposes only and does not constitute legal, regulatory or investment advice. Market forecasts are from third-party sources and reflect the assumptions and methodologies of their respective authors.