Vehicle Data Platforms and Data Monetisation

Executive Summary

Vehicle Data Platforms are becoming strategically relevant for OEMs — but not as simple “data monetisation engines.” Sustainable value lies in validated use cases: fleet efficiency, predictive maintenance, insurance models, mobility services, road safety and smart city applications. Data protection, consent, cybersecurity, data quality, semantics and fair access models are hard prerequisites for success.

The EU Data Act has been applicable since 12 September 2025 and strengthens user and third-party access to data from connected products and related services.¹ The European Commission published specific guidance on vehicle data on the same day.²

The central thesis: OEMs can create value from vehicle data when they treat data platforms not primarily as a sales channel for raw data, but as controlled, trustworthy, legally compliant and semantically standardised infrastructure for concrete services.

1. Connected Vehicle Data Landscape

Connected vehicles generate heterogeneous data classes with different sensitivity and purpose limitations:

• Vehicle status (mileage, battery, tyre pressure, fault codes) — Sensitivity: Medium — Maintenance, diagnostics, fleet operations
• Usage data (driving profiles, acceleration, braking, charging behaviour) — Sensitivity: High — Insurance, fleet optimisation
• Location and movement data (GPS, routes, parking position) — Sensitivity: Very high — Navigation, road safety, smart city
• Environmental data (temperature, wiper status, road condition) — Sensitivity: Medium to high — Weather, infrastructure, hazard warning
• Infotainment and user interaction (app usage, preferences) — Sensitivity: High — Personalisation, digital services
• Safety and ADAS data (camera, radar, LiDAR events) — Sensitivity: Very high — Safety, ADAS development, accident analysis
• Service and contract data (vehicle ID, user account, consent, tariffs) — Sensitivity: High — Billing, access control, partner integration

The European Data Protection Board (EDPB) clarified in Guidelines 01/2020 (final version 2.0 adopted 9 March 2021) that many technical vehicle data points can be personal data when they can be linked directly or indirectly to a person. The EDPB considers connected vehicles as “terminal equipment” under the ePrivacy Directive.³

2. Technical Architecture of Vehicle Data Platforms

A robust Vehicle Data Platform should not be understood as a monolithic data lake but as a layered architecture:

• 1. In-Vehicle Data Layer — ECUs, sensors, gateway, TCU, edge filtering, data minimisation
• 2. Connectivity Layer — Cellular, eSIM, VPN/APN, TLS, device identity, messaging, store-and-forward
• 3. Ingestion Layer — Streaming, batch upload, MQTT/HTTP, event broker, schema validation
• 4. Data Processing Layer — Normalisation, plausibility checking, aggregation, pseudonymisation, anonymisation, quality scoring
• 5. Semantic Layer — Signal catalogues, data models, ontologies, mapping between OEM signals and standards
• 6. Governance & Consent Layer — Legal grounds, consent management, purpose limitation, Data Act access workflows
• 7. API & Partner Layer — Developer portal, API gateway, access control, audit logs, billing, SLA monitoring
• 8. Use-Case Layer — Fleet portals, insurance services, maintenance platforms, smart city data products

For semantic standardisation, COVESA is relevant: the Vehicle Signal Specification (VSS) defines an open catalogue and syntax for vehicle signals; VISS describes an API for accessing VSS data.⁴ Catena-X addresses standardised, interoperable data exchange along the automotive value chain; Gaia-X focuses on federated, secure data infrastructures and data sovereignty.

3. Use Case Analysis

4. Regulatory Framework

EU Data Act

The EU Data Act (Regulation (EU) 2023/2854) has been applicable since 12 September 2025.¹ Users of connected products can request access to data generated through use of the product or related services, and can have this data made available to third parties. Additional design obligations apply from 12 September 2026; certain contract obligations from 12 September 2027.⁵

The European Commission published specific Guidance on vehicle data on 12 September 2025 (“Guidance on vehicle data, accompanying the Data Act”).² The Commission distinguishes:

• Raw data and pre-processed data — fall within scope (e.g. sensor signals, vehicle speed, battery level, mileage)
• Inferred or derived data — fall outside scope (e.g. ADAS data, driver scoring, complex algorithm outputs)

Article 9 of the Data Act regulates B2B access with reasonable compensation; further Commission guidelines on Article 9(5) (compensation calculation) have not yet been finalised.⁶

GDPR and EDPB Guidelines

The GDPR (Regulation (EU) 2016/679) remains applicable in parallel whenever personal data are concerned. Particularly relevant are lawfulness, transparency, purpose limitation, data minimisation, privacy by design, security of processing and data protection impact assessment (DPIA).

The EDPB Guidelines 01/2020 on processing personal data in the context of connected vehicles and mobility-related applications (version 2.0, adopted 9 March 2021) classify connected vehicles as “terminal equipment” under the ePrivacy Directive and emphasise the necessity of consent for many processing scenarios.³

Industry Positions

ACEA calls for effective Data Act implementation, simplification of the regulatory framework and a unified European data space. CLEPA and aftermarket actors emphasise practical issues such as inconsistent data availability, lack of standardisation, real-time capability and fair pricing.

5. Market Forecasts — with Critical Distance

Market forecasts for vehicle data monetisation vary considerably and often reflect expectations rather than validated value creation. A critical assessment:

• McKinsey (2016): Connected-car data could reach a global value pool of $450–750 billion by 2030 — early, optimistic forecast, later revised downwards by McKinsey itself⁷
• McKinsey (2021, update): 9 use-case clusters with 38 use cases could deliver $250–400 billion in annual incremental value by 2030 — reduced due to slow adoption⁸
• BCG/WEF (2023): OEM revenues from automotive software/electronics from $87B (2023) to $248B (2030); SDV value potential of $650 billion — refers to software/digital services, not vehicle data alone⁹
• S&P Global Mobility (2023): Important reality check — two major SPAC-financed market players (Otonomo, Wejo) exited or went bankrupt despite valuations of $1.4B and $657M respectively in 2021¹⁰

Conclusion: Market forecasts show potential, but no guarantees. A robust business case does not arise from “data sales” but from concrete, demonstrable efficiency, safety, service or customer value. The Otonomo/Wejo cases show: pure data marketplaces without clear use cases and willingness to pay carry high risk.

6. Business Models and Limits

Realistic Models

• Data-enabled services — Maintenance, fleet optimisation, EV charging, safety alerts — high suitability
• API access for partners — Access to defined data products — medium to high
• B2B2C services — Insurance, leasing, workshops, mobility — high with consent
• Internal value capture — Quality improvement, warranty analytics, product development — very high suitability (often underestimated)
• Data spaces — Federated exchange under governance rules (Catena-X, Gaia-X) — medium to high
• Subscription add-ons — Digital vehicle functions — high, but customer-acceptance dependent

Limits

• Raw data alone usually has little value without context, quality and semantics
• Personal data cannot be “monetised” arbitrarily
• Consent must be specific, informed and revocable (GDPR Art. 4(11), 7)
• Location and driving behaviour data create high trust risk
• Aftermarket, insurers and mobility providers expect fair, standardised and non-discriminatory access
• Cybersecurity and safety can justify legitimate access restrictions, but must not be used as a blanket blockade

7. Risks and Mitigation

• Loss of trust — Users perceive data usage as opaque → Privacy UX, clear purposes, simple controls
• GDPR violation — Unclear legal basis or excessive data use → DPIA, legal basis mapping, data minimisation
• Data Act non-compliance — Missing processes for user and third-party access → Access portal, contract and API processes
• Poor data quality — Incomplete, inconsistent data → Data quality KPIs, schema governance
• Vendor lock-in — Proprietary data models complicate partner integration → COVESA/VSS, open APIs, mapping layer
• Security exposure — APIs increase attack surface → Zero trust, OAuth2/OIDC, mTLS, audit logging
• Missing business case — Data products without paying customers → Use-case validation, piloting, ROI model
• Discrimination / profiling — Insurance or scoring disadvantages users → Fairness checks, transparency, human oversight

8. Recommendations for OEMs

1. Develop data strategy from the use case. Not “What data can we sell?” but: “Which service creates measurable value?”
2. Design Data Act and GDPR jointly. Vehicle data access, consent, data protection, cybersecurity and contract models must be unified in one architecture.
3. Standardise semantics. Evaluate COVESA VSS/VISS, Catena-X approaches and data-space principles early.
4. Treat consent as a product feature. Users must understand which data are used for what, who has access, and how they retain control.
5. Define data products. Data products need description, purpose, quality, latency, freshness, access classes, pricing logic, SLA and auditability.
6. Professionalise partner integration. Insurers, workshops, fleet operators, cities and mobility platforms need stable APIs, test environments and clear contracts.
7. Avoid hype. Market forecasts are scenarios. Investment decisions should be based on validated use cases, willingness to pay and operational scalability — the Otonomo/Wejo cases show the risks of one-sided hype strategies.

9. IoT42 Competence Contribution

IoT42 supports OEMs, mobile network operators and partners in building trustworthy Vehicle Data Platforms:

IoT42 does not sell technology. IoT42 provides the clarity, structure and execution capability that enables organisations to navigate the complexity of vehicle data platforms.

Sources

1. European Commission, “Data Act — Shaping Europe’s digital future,” applicable since 12 September 2025. Available at digital-strategy.ec.europa.eu/en/policies/data-act.
2. European Commission, “Guidance on vehicle data, accompanying the Data Act,” published 12 September 2025. Available at digital-strategy.ec.europa.eu (CELEX:52025XC05026).
3. European Data Protection Board, “Guidelines 01/2020 on processing personal data in the context of connected vehicles and mobility related applications,” Version 2.0, adopted 9 March 2021.
4. COVESA (Connected Vehicle Systems Alliance), Vehicle Signal Specification (VSS) and VISS. Available at covesa.global.
5. Bird & Bird, “Navigating the Data Act — EU Commission guidance for the automotive sector,” November 2025; Mayer Brown, “The EU Data Act Has Taken Effect,” November 2025.
6. Garrigues Digital, “New guidance on vehicle data and the Data Act: challenges and opportunities,” November 2025; StreamLex, “EU Data Act Vehicle Data Guidance Explained,” September 2025.
7. McKinsey & Company, “Monetizing car data: New service business opportunities,” 2016. Original forecast: $450–750 billion value pool by 2030.
8. McKinsey & Company, “Unlocking the full life-cycle value from connected-car data,” 2021. Reduced forecast: $250–400 billion incremental value by 2030.
9. Boston Consulting Group / World Economic Forum, “Rewriting the Rules of Software-Defined Vehicles,” September 2023. OEM software revenue from $87B (2023) to $248B (2030).
10. S&P Global Mobility, “Connected vehicle data market faces setbacks as two of its largest players exit,” 2023.
11. ACEA (European Automobile Manufacturers’ Association), Position Paper on Connected Vehicle Data Sharing.
12. CLEPA (European Association of Automotive Suppliers), Statements on Data Act implementation.
13. Catena-X Automotive Network. Available at catena-x.net. Gaia-X European Association for Data and Cloud. Available at gaia-x.eu.
14. Regulation (EU) 2023/2854 (Data Act) and Regulation (EU) 2016/679 (GDPR). Available at eur-lex.europa.eu.

© 2026 IoT42 GmbH. All rights reserved. This whitepaper is for informational purposes only and does not constitute legal, regulatory or investment advice. Market forecasts are from third-party sources and reflect the assumptions and methodologies of their respective authors.