Steering through Data: Telematics Insurance and India’s Privacy Landscape

By Vikrant Rana, Anuradha Gandhi and Rishabh Gupta

Introduction

As Tesla prepares to expand its presence in India, one of the lesser-discussed aspects of its business model i.e. in-house Telematics Insurance service may face significant regulatory challenges. Unlike conventional motor insurance, Tesla’s Telematics Insurance model relies heavily on real-time telematics data such as speed, breaking patterns, acceleration, miles driven etc. to personalize premiums. As the model relies on continuous behavioral tracking and profiling of individuals, it is subjected to the requirements of Digital Personal Data Protection Act, 2023 (hereinafter referred to as” DPDP Act”) which imposes strict conditions on the collection and use of personal data.

What is Telematics Insurance?

Generally, while most car insurers rely on data such as credit ratings, age, gender and type of vehicle to evaluate risks, they cannot accurately determine the driving behavior, check vehicle dynamics, or prevent mishaps. Technologies such as telematics, on-board diagnostic (OBD) devices, and adaptive cruise control (ACC) monitors vehicles in real-time through the use of sensors. These sensors send signals about drivers and their surroundings, which can help car insurance companies assess risks better. For example, insurers can analyse real-time driving data to determine fair insurance rates, develop tailored products, personalize road safety programs, and even provide driving assistance to prevent accidents.

Scope of Telematics Devices

The scope of telematics devices relates with personal data processed inside the vehicle; exchanged between the vehicle and personal devices connected to it (for instance, mobile phones containing telematics applications like Tesla App); and collected within the vehicle and exported to external entities (for instance, insurance companies, vehicle manufacturers/repairers) for further processing.

How does it work?

Telematics insurance uses a small device known as a ‘black box’ which records distance travelled, speed of the drive, braking and accelerating habits, the date and time when the vehicle was driven, the number of stops during a long journey, the number of miles driven per journey, geolocation etc. The insurance is calculated by charging an upfront fee, which covers the cost of the device and its installation. An annual premium is then quoted, which may increase or decrease based on driving performance and other relevant factors[1].

Impact on EV Market

The electric vehicle telematics market size has grown exponentially in recent years from $10.39 billion in 2024 to $12.66 billion in 2025 at a compound annual growth rate (CAGR) of 21.9%.[2] In fact, 14.4% of all car-insurance policies now include telematics insurance.[3]

In India, Insurance companies, typically offers three types of insurances which are based on real-time data:

1. PAYD (Pay as you drive) – In this particular variation, the insurance coverage provided to the driver fully depends on the actual distance that is travelled by the vehicle. The data is gathered from the reading of the odometer of the vehicle.
2. PHYD (Pay how you drive) – In this type of scheme, the insurance coverage is decided on the basis of the mileage that is collected from the Global Navigation Satellite System (GNSS) or the overall time that the car has taken to travel the particular distance. Using a vehicle-independent module transmitting data via RF technology or cell phone the total number of minutes is calculated.
3. PAYG (Pay as you go) – This variation offers an insurance coverage after considering several data points like the time of the day, driving actions, the time taken to cover the distance, and the historic risk factor of the road etc.[4]

At present, Tesla inter alia collects the following real-time data[5]:

1. Vehicle data – this includes performance, usage, operation, and health
2. Charging information – Charging station used, utilization, charge rate, battery analytics and performance
3. Tesla service and repair history – Service facility, date, mileage, repairs conducted, estimate and cost, parts details
4. Service history and maintenance summary data – Service or maintenance action conducted, correction code, mileage, date performed, entry date, next interval maintenance, firmware, pseudonymous ID
5. Energy installation data – Home details, such as dimensions of roof, electric system configuration, existing solar capacity, installation date, and energy serial number

Issues

With the enactment of DPDP Act, the usage of telematics insurance poses significant issues with respect to data privacy.

1. Collection of Real-time dataMost of the data collected by telematics systems are personal data which can be linked to identifiable individuals. In cars, these systems collect real-time data using GPS and onboard diagnostics (OBD-II) ports which includes speed, engine health, fuel consumption, braking habits and seat belt usage. In some instances, biometric data may also be collected to enable access to a vehicle, to authenticate the driver or to enable access to a driver’s profile settings and preferences. Some vehicles also collects voice data to enable voice control and voice inputs which is transmitted as recordings to the service providers.[6]
2. Legal BasisUnder the DPDP Act, processing personal data requires a valid legal basis i.e. consent which shall be free, specific, informed and unambiguous[7]. Where the telematics system is pre-installed by the vehicle manufacturer (such as the case in Tesla), accessing data requires fresh, informed consent from the vehicle owner as it stores personal information.In some cases, users may not always be aware of the data being collected, making it hard to demonstrate informed consent. This becomes even more complicated in second-hand, leased or shared vehicles where obtaining proper consent from all users is impractical.In case, the customer wants to sell his vehicle, the manufacturers have shifted the responsibility on the customers to delete their personal information stored in the vehicles to prevent it from being used in future and the same may be retained for legitimate purpose for a specified period of time[8].
3. Continuous Behavioral TrackingTelematics insurance relies on continuous monitoring of driving behavior to build risk profiles and adjust premiums accordingly. This behavioral data is collected in real-time and used to make decisions that directly affects the individual. Under the DPDP Act, when personal data (such as speed, braking habits, driving patterns etc.) is used to make decisions impacting a Data Principal (driver, passenger or vehicle owner), the Data Fiduciary (insurance company) is required to ensure that the data is accurate, complete and consistent[9].Thus, insurers are obligated to ensure high standards of Data Quality while profiling individuals such as the right to obtain human intervention and not being subjected to automated decision or profiling as guaranteed by Article 22 of General Data Protection Regulation (GDPR)
4. Use of in-vehicle Wi-Fi TechnologiesTesla cars comes with built-in Wi-Fi capabilities which are often faster than cellular data networks. Once connected, vehicles can constantly share signals that allow users to be identified and tracked. To reduce this risk, car makers and equipment providers should offer easy opt-out options and ensure that the service set identifier (SSID) of the Wi-Fi network is not collected.[10]
5. Data MinimizationVehicle uses a combination of GPS, Bluetooth, IP address, and Wi-Fi and mobile towers to determine an individual’s location. This data is used to provide navigation services, real-time traffic, intelligent routing, and to aid response efforts in case of a safety event such as accidents. Although, opt-out options are provided, however, the collection of location may reveal sensitive information such as driver’s centre of interest, places of worship etc. [11]Given that data collected via telematics devices may be used for profiling, it is essential to follow the principle of data minimization by following three ways:
   1. First, the data can be processed directly inside the car via the telematics device or on the user’s phone. This way, only the final results i.e. a driving score is shared with the insurance company. The raw data such as location, biometrics, voice etc. stays private.
   2. Second, if a third-party telematics provider processes the data for the insurer (Data Fiduciary), it must be ensured that raw driving data is separated from data directly relating to driver’s identity. In this case, telematics provider sees the raw data but does not know the names, license plate etc. of the policyholder. The insurer, on the other hand, knows who the policyholder is but only receives the final score, not the detailed data used to calculate it.
   3. If only mileage is necessary for the performance of contract, location data should not be collected
6. Retention PeriodThe DPDP Act provides that the personal data shall be completely deleted when they are no longer needed for the desired purpose unless needed to comply with applicable laws[12]. Therefore, every car manufacturer and insurance provider must have a clear retention policy to indicate the retention periods.

How is Tesla Insurance being governed in other countries?

Tesla Insurance calculates premium based on real-time driving behavior. It considers factors like the vehicle model, garaging address, miles driven, coverage selection and the vehicle’s monthly safety score. The Safety Score reflects driving habits using several metrics called the Safety Factors such as hard braking, aggressive turning, unsafe following, late-night driving etc. Daily safety scores (for upto 30 days) are used to calculate an overall aggregated safety score. As this score improves, the insurance premium decreases[13].

United States

There is no comprehensive national privacy law in the United States. However, the US does have a number of largely sector-specific privacy and data security laws at the federal level. For instance, The California Consumer Privacy Act of 2018 (CCPA) gives consumers more control over the personal information that businesses collect about them and also provides them The right to opt-out of the sale or sharing of their personal information.

As such, Tesla does not provide Real-Time Insurance in the State of California and offers an alternative insurance product via Tesla app which does not use the above-mentioned Safety Score to calculate monthly premium. However, policyholders may opt-in to receive a Safety Score for educational purposes only. In other 11 states, the company provides real-time insurance.

China

Tesla stores its car-related data in local data centers situated in Shanghai, with any overseas transfer requiring official approval. Its Model 3 and Model Y have passed the CAAM data security assessment, which enforces anonymization of facial/external identifiers, prohibits default cockpit audio or video collection, mandates in vehicle processing of any such data and requires clear on screen notifications when personal data is recorded[14].

How can Data Principal exercise his rights?

The Data Principal has been granted following rights with respect to personal data processing which he can exercise by making a request to the Data Fiduciary:

1. Right to Withdraw Consent: A Data Principal can withdraw his consent to the processing of personal data at any time and such withdrawal shall be as easy as giving of consent without affecting the legality of personal data processed before such withdrawal. [15] In such cases, car manufacturers which provide built-in telematics system must give alternatives to provide insurance as being done by Tesla in the state of California.
2. Right to Access Information: The Data Principal has the right to access personal data along with associated processing activities and identities of other Data Fiduciaries or Data Processors processing such personal data from the Data Fiduciary.[16]
3. Right to Correction/Erasure of Personal Data: A Data Principal has a right to request correction, completion or erasure of personal data at any point of processing.[17]

Conclusion

The usage of internet and other communication interfaces offered by electric vehicles has increased the risk of personal data being compromised. Furthermore, usage of cloud services for storing of personal data may not be adequately secured against unauthorized access. In such instances, it becomes important that the Data Fiduciaries must adopt reasonable security practices to prevent any cyber-attack. Techniques such as anonymization of data must be used before the data is transferred and Data Principals must get an exclusive right to delete their personal data permanently before the vehicles are put for sale.

[1] IRDAI Discussion Paper on ‘Telematics and Motor Insurance’, available at: https://irdai.gov.in/documents/37343/365848/Discussion+Paper+on+%E2%80%98Telematics%E2%80%99.pdf/09ceb38b-ea79-9bd0-25f6-6921470925eb?version=1.0&t=1631530685485&download=true

[2] https://www.thebusinessresearchcompany.com/report/electric-vehicle-telematics-global-market-report#:~:text=The%20electric%20vehicle%20telematics%20market%20size%20has%20grown%20exponentially%20in,(CAGR)%20of%2021.9%25.

[3] https://www.globenewswire.com/news-release/2025/06/13/3099019/0/en/Usage-Based-and-Telematics-Motor-Insurance-Report-2025-Telematics-Becomes-a-Consumer-Favorite-as-14-4-of-Policies-Now-Include-It.html

[4] https://www.acma.in/uploads/publication/research-studies/3_ACMA_Grant_Thornton_Bharat_White_Paper_on_Telematics_Ecosystem_in_India.pdf

[5] https://www.tesla.com/legal/privacy

[6] https://owners.kia.com/us/en/privacy-policy.html#two

[7] Section 6 of Digital Personal Data Protection Act, 2023

[8] https://owners.kia.com/us/en/privacy-policy.html#twelve

[9] Section 8(3) of Digital Personal Data Protection Act, 2023

[10]Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications, available at: https://www.edpb.europa.eu/sites/default/files/consultation/edpb_guidelines_202001_connectedvehicles.pdf

[11] https://www.tesla.com/legal/privacy#location-data ; https://owners.kia.com/us/en/privacy-policy.html#two

[12] Section 8(7) of Digital Personal Data Protection Act, 2023

[13] https://www.tesla.com/support/insurance/what-is-tesla-insurance

[14] https://economictimes.indiatimes.com/industry/renewables/musks-big-win-in-china-tesla-clears-data-security-full-self-driving-hurdles-for-locally-made-cars/articleshow/109678866.cms?from=mdr

[15] Section 6(4), (5) of Digital Personal Data Protection Act, 2023

[16] Section 11 of Digital Personal Data Protection Act, 2023

[17] Section 12 of Digital Personal Data Protection Act, 2023