Category: Cyber-physical risk · Reviewed by Matt Bartlett, Director · Founder · Last reviewed 2026-06-10
Connected car insurance is motor insurance that uses telemetry collected by an OEM-installed connectivity platform — rather than a separately installed black box or app — for underwriting, pricing, mid-term monitoring and claims handling.
Connected car insurance is distinct from after-market telematics. The data source is the manufacturer’s embedded platform: Tesla, BMW ConnectedDrive, Ford SYNC, Volvo On Call, JLR InControl and equivalents. The regulatory considerations are correspondingly different and turn on the joint controllership of OEM and insurer.
Definition
A connected car insurance proposition typically uses one or more of:
Embedded SIM (eSIM) telematics — the OEM’s own cellular module reports trip, location and event data;
Crash detection and eCall — eCall is mandatory in EU vehicles type-approved from 31 March 2018 under Regulation (EU) 2015/758 (retained for UK approval purposes for vehicles type-approved before IP completion day);
Driver behaviour scoring — acceleration, braking, cornering and (in EV products) regenerative braking patterns;
Battery health and state-of-charge (EVs);
Over-the-air (OTA) software updates that change vehicle behaviour and cyber risk profile; and
OEM-managed event notification — e.g., Tesla’s automatic crash detection and submission to its own claims arm or partner insurers.
The OEM and the insurer are typically joint or independent controllers of personal data under UK GDPR, with specific roles defined contractually.
Legal / Regulatory basis
The legal framework comprises:
Road Traffic Act 1988, Part VI — compulsory third party motor insurance.
Automated and Electric Vehicles Act 2018 — establishing the single-policy insurance model for automated vehicles, with the insurer bearing first-party liability and having a right of subrogation against the manufacturer where the vehicle was operating in automated mode.
Automated Vehicles Act 2024 — the broader UK regulatory framework for automated driving, including authorisation of self-driving features.
UK GDPR and Data Protection Act 2018, in particular Articles 5, 6, 9, 22, 25, 32, 35.
EDPB Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility-related applications (adopted 9 March 2021) — the principal European guidance on connected vehicle data; remains influential for UK practice.
ICO, Connected and Autonomous Vehicles guidance.
FCA Handbook ICOBS, PROD 4, SYSC and the Consumer Duty (PS22/9).
Product Security and Telecommunications Infrastructure Act 2022 and SI 2023/1007 — although vehicles are largely excluded from the relevant connectable products regime; vehicle cybersecurity is regulated separately under UNECE Regulations 155 and 156 transposed for UK type approval.
EU Type Approval — UN Regulation No. 155 on cybersecurity and cybersecurity management systems for motor vehicles; UN Regulation No. 156 on software updates and software update management systems.
IAIS Application Paper on Cyber Risk Underwriting (2020).
How it works in practice
A typical connected car insurance journey:
Eligibility — the vehicle must be a model with the relevant embedded connectivity; the customer authorises sharing of data with the insurer (typically via the OEM app and an insurer data-share consent flow).
Underwriting — the initial premium is based on conventional rating factors plus a connected-driver score where available.
Mid-term monitoring — the driver behaviour score updates each policy period; some products allow premium adjustments.
Claims — crash detection events flow to the insurer for first notice of loss; OEM-side telematics provides corroborating data.
Renewal — the renewal premium reflects the score, subject to PS21/5-equivalent renewal price rules.
The joint or independent controllership arrangement between OEM and insurer is documented under UK GDPR Article 26 (where joint) and supported by data sharing agreements.
Common variations / Subsequent developments
OEM in-house insurers — Tesla Insurance in the US (state-by-state model); BMW with affiliated insurers; Ford and Stellantis pilots.
Insurer-OEM partnerships — Aviva, Direct Line and others have run propositions with multiple OEMs.
Automated vehicle products — under the AEV Act 2018 and the Automated Vehicles Act 2024, with novel exposures for OEMs and insurers.
eCall data use — EU and retained UK type approval rules strictly limit non-consensual use of eCall data for non-emergency purposes.
Cybersecurity — UN Regulations 155 and 156 are the principal vehicle-cyber regulatory framework, distinct from PSTI.
EDPB Guidelines 1/2020 emphasise data minimisation, in-vehicle local processing where possible, and the importance of distinguishing eCall data, telematics data and infotainment data.
Example
A UK driver insures a 2025-model EV with a London-headquartered insurer. The car’s embedded telematics provides the insurer (with the driver’s consent) with weekly driving score data. After three months of safe driving, the score improves and a 4% mid-term premium credit is applied at next renewal. When the driver is involved in a minor rear-end collision, automatic crash detection notifies the insurer; the OEM telematics records confirm the speed and impact direction; the third party’s at-fault claim is settled quickly. The data sharing arrangement is documented as joint controllership under UK GDPR Article 26.
Regulation (EU) 2015/758 on eCall; UN Regulations 155 and 156 (UNECE).
IAIS, Application Paper on Cyber Risk Underwriting (2020), iaisweb.org.
This entry is part of the Apex Insurance Wiki. Last reviewed by Matt Bartlett on 2026-06-10. Next review: 2026-12-10.
Apex Insurance Brokers Limited. Authorised and regulated by the Financial Conduct Authority, FRN 724952. Registered in England and Wales, Companies House 07014570. This entry provides general information about UK insurance concepts and is not regulated advice. Consult your insurance broker on your specific position.