Over-the-Air Recalls Carry Legal Risks for Auto Manufacturers

June 9, 2025, 8:30 AM UTC

Many car owners have received a letter from a vehicle manufacturer informing them that their vehicle has been recalled and needs to be fixed. Recalls historically have required physical repairs.

But in recent years, a new kind of recall has emerged, reflecting the increasingly computerized and connected vehicles on our roads: the over-the-air, or OTA, recall. Instead of being repaired in a shop, vehicles are “recalled” through remote software fixes.

Owners don’t have to do anything to effectuate the recall, and they may not even know their vehicle has been recalled until the manufacturer notifies them—possibly well after the software fix is completed.

OTA recalls present key legal issues and risks. Manufacturers should carefully analyze whether software updates they make should be categorized as recalls, as failing to meet the obligations of recalls could result in investigations and penalties.

Rising OTA Recalls

The National Highway Traffic Safety Administration, or NHTSA, has issued regulations that require automotive manufacturers to recall vehicles or equipment that don’t comply with applicable Federal Motor Vehicle Safety Standards or that have safety-related defects. Manufacturers recalled more than 29 million vehicles in 2024.

The traditional recall remedy involves the owner bringing the affected vehicle into a dealership or repair shop for the required fix. This process is costly for manufacturers, inconvenient for owners, and normally leaves a large share of defects unremedied.

OTA recalls have created an alternative remedy for defective or noncompliant vehicles. As vehicles become “computers on wheels,” OTA modifications are possible for features as diverse as brakes, airbags, emissions controls, and autonomous driving functions.

These fixes can be performed remotely—and to vehicle owners, invisibly. OTA recalls are more convenient for owners, normally less costly for manufacturers, and likely have a much higher completion rate than traditional recalls.

Although still a minority of all recalls, the number of OTA recalls has exploded in recent years from five total OTA recalls in 2020 to 24 such recalls in 2024, covering 6,769,773 vehicles—nearly a quarter of all recalled vehicles.

Recalls Versus Updates

Recalls aren’t the only reason an original equipment manufacturer may make OTA changes to a vehicle’s software. A manufacturer may push an update to improve vehicle performance or add functionality, but not all of these updates are recalls.

The distinction between OTA recalls and other software updates matters because recalls trigger legal obligations that other updates don’t. Companies that fail to perform timely recalls covering all affected vehicles, or fail to make the required notifications, face investigations and substantial civil penalties.

First, the company must notify NHTSA of the defect or noncompliance. NHTSA then will make information about the recall public on its website. Manufacturers also must file detailed reports on the progress of recall remedies and keep a list of registered owners affected by the recall.

Second, the manufacturer must notify owners by first-class mail that their vehicles or equipment are being recalled. This mail notification is required regardless of the recall remedy method—even if the mailing goes out after an OTA fix is already completed.

Takeaways for Manufacturers

OTA modifications carry risk. Before pushing out an OTA software update, original equipment manufacturers should consider several questions when determining whether it qualifies as a recall:

  • Does the OTA update address a safety-related defect that poses an unreasonable risk to safety, or a noncompliance with a Federal Motor Vehicle Safety Standard?
  • Does the update fix a safety problem in the vehicle or a non-safety-related problem, such as with the vehicle’s infotainment or climate control system?
  • Does the update improve the vehicle’s performance in some way, even though its current performance isn’t defective and the vehicle fully complies with the Federal Motor Vehicle Safety Standard?

Any company planning an OTA software change should pay close attention to the legal standard for whether to treat it as a recall—namely, whether the fix addresses an unreasonable risk to safety or a noncompliance with safety standards.

In determining whether a safety-related defect exists, NHTSA will consider factors such as the nature of the allegedly defective component, its importance to the vehicle’s safe operation, the circumstances in which operational failures occurred, and the number of failures. And NHTSA has specifically cautioned that software updates to emerging technologies can affect the performance of “systems encompassing critical control functions such as braking, steering, or acceleration.”

Because the line between a recall mandated by law and an unobligated software update may not always be clear cut, original equipment manufacturers may consider erring on the side of over-inclusion by treating an OTA update as a recall. Regulators have been paying close attention to OTA recalls, and there are risks to characterizing an action as a mere update when it might be viewed otherwise in retrospect.

Original equipment manufacturers also may consider updating their safety and compliance programs to address the requirements of OTA recalls. This approach can include a systematic process for determining when an OTA update is advisable, including its potential consequences for all of a vehicle’s functions; determining whether the update should be characterized as a recall because it meets the requisite legal standard; and ensuring recalls encompass all affected vehicles and include the necessary agency and owner notifications.

Manufacturers should thoroughly document the decision whether to treat an OTA update as a recall, with a clear rationale for why the recall standard does or doesn’t apply. Also, engaging proactively with regulators regarding the company’s compliance program and recall decision-making process is advisable.

OTA recalls, like any other OTA software changes, also create cybersecurity risks. NHTSA discussed these risks in a 2020 report, and the Department of Commerce identified them in its recent rule restricting the import and sale of connected vehicles and related equipment linked to China and Russia. Original equipment manufacturers should be mindful of these vulnerabilities throughout the OTA process.

This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.

Author Information

Adam M. Raviv is global co-chair of Sidley Austin’s automotive and mobility practice and former chief counsel at the National Highway Traffic Safety Administration.

To contact the editors responsible for this story: Daniel Xu at dxu@bloombergindustry.com; Melanie Cohen at mcohen@bloombergindustry.com
