Envisioned vehicular ad-hoc networks (VANET) standards use pseudonym certificates to provide secure and privacy-friendly message authentication. Revocation of long-term credentials is required to remove participants from the system, e.g. in case of vehicle theft. However, the current approach to revocation puts the users' privacy at risk if the backend systems are not fully trusted. We propose PUCA - a scheme that provides full anonymity, even against colluding backend providers, until the owner of a vehicle triggers revocation himself. The scheme uses anonymous credentials for authentication with the backend while leaving the communication among vehicles and with road side units unchanged and in compliance with existing standards. With PUCA, we put drivers back in charge of their privacy while still allowing revocation of long-term credentials.