Navigating the Road of Data Privacy: What Your Car Knows About You

Cars can collect a vast amount of data about us, including our whereabouts, driving behaviors, voice interactions, and even biometric details, essentially evolving into powerful snooping machines that we engage with on a daily basis. This data is valuable to car manufacturers, who can use it to improve their products and services, but it also raises major data privacy concerns.

By the year 2025, over 80% of newly manufactured cars will be categorized as "connected vehicles", featuring constant connectivity capabilities. These systems frequently work in conjunction with mobile devices and cloud services that monitor driver habits, preferences, and even emotional states via cabin-facing cameras and AI designed for emotion detection.

Related blog: Personal data and GDPR

At the heart of this relentless data collection process are the onboard computer systems of modern cars. A recent report from the Mozilla Foundation for 2025 has confirmed that no major automobile manufacturer complies with contemporary privacy standards. Car manufacturers like Kia, Nissan, and Tesla persist in gathering extremely sensitive information, such as data related to sexual activity and genetic information, frequently without explicit consent or user oversight. 

According to the original 2023 McKinsey forecast, 95% of new vehicles would be connected by 2030. 

Recent data indicates that the industry is progressing effectively, with more than 80% of new vehicles worldwide expected to possess connected features by 2025. The highest rates of adoption are observed in North America, the European Union, and certain regions of Asia.

Connectivity is another key factor of this data gathering. Internet-connected cars have the ability to compile real-time data about your location, traffic conditions, and even how you interact with the infotainment system. For some, the ordeal doesn't end there as telematics devices come into play. These plug-in devices are employed to transmit data on driving behavior, often to insurance companies. They keep a vigilant eye on your speed, braking habits, and acceleration patterns.

Furthermore, should you opt to synchronize your car with a manufacturer's app, be prepared for another violation of privacy. These seemingly harmless applications quietly collect data about your every move – your usage patterns, your exact whereabouts, and your unique preferences – all neatly packaged and handed over to the car manufacturer. Car companies often seek additional insights about you from car brokers, who specialize in collecting and selling data from diverse sources, ranging from your social media profiles to government records. 

Unfortunately, even the simple act of taking a test drive is not immune to data collection. Dealerships have the capability to discreetly gather information during these test drives, including your contact details and your driving preferences. Government records also play a role, occasionally providing data such as vehicle registration and licensing information.

Alongside manufacturer applications, emerging automotive operating systems such as Android Automotive OS and Apple CarPlay 2.0 have enhanced the flow of third-party data. Applications integrated directly into infotainment systems are now capable of accessing location data, vehicle diagnostics, and even inputs from the microphone.

Car companies often share and sometimes sell the data they collect to third-party businesses. These third parties can include a wide range of entities, such as service providers, data brokers, and other companies. The privacy policies tend to use vague language when describing the recipients of the data, making it unclear who exactly is receiving the data. Car manufacturers may combine the data they collect from your car with personal information obtained from third parties leading to a more comprehensive profile of you, which is often used for marketing and other purposes.

By the year 2025, automotive manufacturers are progressively collaborating with telecommunications companies, cloud service providers, and application developers to capitalize on user data. This collaboration encompasses data enrichment platforms that integrate vehicle information with social media activities and public records to formulate marketing profiles.

Many car companies explicitly state in their privacy policies that they have the right to sell your personal data. This data may include a wide range of information, from driving behavior to personal preferences. Some data collected from your car may be aggregated and anonymized before it is shared or sold. In many jurisdictions, privacy laws do not apply to such data, making it difficult to determine how this information is handled and who has access to it. According to Mozilla’s report on car rankings, Subaru's policy dictates that by being a passenger, you are considered a user – and by being a user, you have consented to their privacy policy.

Volkswagen, Ford, and Stellantis have implemented privacy policies that categorize even passengers as users, thereby broadening the scope of consent to include more than just the driver. This emerging trend, frequently referred to as "passenger profiling", prompts significant legal concerns in light of the changing privacy regulations such as the California Privacy Rights Act (CPRA) and Canada’s Consumer Privacy Protection Act (CPPA).

Car companies may also partner with data brokers or automotive data hubs, which act as intermediaries that collect, aggregate, and distribute vehicle data. These data brokers may sell the data to various businesses, including insurance companies, advertisers, and researchers.

Toyota has revealed a significant data breach exposing the data of more than 2.15 million customers from November 2013 to April 2023 due to a misconfigured cloud bucket. The breach affected sensitive information from Toyota's cloud-based Connected services, which were accessible without authorization from November 2013 to April 2023. While the breach only impacted customers in Japan, Toyota emphasized that individual customers' identities were not compromised, and there have been no reports of third-party misuse of the exposed data. This incident surprisingly comes after a separate security incident earlier in the year involving a hacker exploiting a flaw in Toyota's customer relationship management software.

Volkswagen and its subsidiary Audi suffered a data breach affecting 3.3 million customers, primarily in the United States and Canada. The breach, which occurred between August 2019 and May 2021, exposed customer data used for sales and marketing purposes, including names, addresses, email addresses, and phone numbers, as well as details about vehicles purchased or inquired about. While most records contained basic contact information, approximately 90,000 Audi customers in the US had more sensitive data compromised, including driving license numbers and Social Security numbers. The breach was traced back to an unnamed associate vendor. 

In addition to the aforementioned breaches:

BYD (2024) revealed the vehicle location and profile information of 1.3 million users as a result of a cloud misconfiguration.

Rivian (2025) acknowledged unauthorized access to in-car camera feeds and voice recordings while conducting software testing.

Hyundai-Kia (2024) encountered public outrage for sharing behavioral data with third-party advertisers, which resulted in class action lawsuits in the United States.

These occurrences highlight the extent to which vehicle data systems are integrated and susceptible to vulnerabilities.

Related blog: Understanding and Implementing Data Protection Basics – Get Informed with heyData

It’s important to be aware of the risks associated with data collection and to take steps to protect your privacy. Always review your car's privacy policy to learn more about the data that is being collected and how it is being used. You may also be able to opt out of certain data collection practices. Recent research by Mozilla Foundation has exposed concerning practices within the automotive industry as some car manufacturers shockingly fail to obtain explicit consent before gathering data. Opting out of specific data collection practices also may not be a viable option, resulting in limited control over your personal data. 

Mozilla’s findings from 2025 indicated that none of the 25 prominent car manufacturers assessed fulfill fundamental criteria for data transparency, user control, or security. Some even claim the right to sell sensitive data without anonymization.

As an honorable data protection company, we strongly urge consumers to examine their vehicle's privacy policies. Here are some tips for protecting your privacy when using a connected car:

Know your car's privacy policy

• The privacy policy outlines what data your car collects and how it is used. It's essential to understand this information thoroughly before using any connected features.
• Pay attention to details about data retention, sharing with third parties, and the purpose of data collection.

Limit Data Collection

• A number of automakers, such as BMW, GM, and Tesla, now associate essential features, like remote locking, navigation, and software updates with data collection. Choosing to opt out may result in the disabling of these services, thereby effectively discouraging user autonomy. It is crucial to always consider the potential loss of functionality in relation to privacy risks.

It's worth noting that in some cases, certain car companies may put the burden on consumers to make “better choices”, as seen with Tesla, where opting out of data collection could potentially impact certain vehicle functionalities. For instance, Tesla's privacy notice outlines that while you can choose to opt out of vehicle data collection, it may affect features like over-the-air updates, remote services, and in-car capabilities. Therefore, it's crucial to carefully assess the trade-offs involved in limiting data collection and make informed decisions about your data. The option to opt-out should be transparent and should never be used as a tool to manipulate consumers.

Be Cautious with Third-Party Apps

Exercise particular caution when connecting applications through Android Automotive or CarPlay 2.0, as these platforms have broadened permissions beyond conventional smartphone synchronization. Even applications for weather or calendars may, by default, request access to vehicle motion, speed, and location data.

Secure Your Personal Information

Be mindful of the personal information you share through your car's communication systems, such as phone calls or text messages.

As our vehicles become increasingly connected and smarter, understanding the data they collect and how it's used is paramount. The automotive sector is advancing at a pace that outstrips the development of privacy laws. Nevertheless, emerging frameworks such as the EU Digital Services Act, California's CPRA, and Canada's CPPA are beginning to restore consumer power. It is essential to remain updated, regularly assess privacy settings, and advocate for regulations that enhance data transparency.

Don’t forget to subscribe to our email newsletter to get more data protection and compliance updates and latest blogs delivered right to your inbox

Q: What types of personal information does my vehicle gather?
A: Your vehicle may gather data such as location, driving habits, voice recordings, and personal information synchronized from your mobile device or applications.

Q: Is it possible to prevent my vehicle from collecting or sharing my information?
A: You can restrict certain data collection through your vehicle’s settings or application, although complete opt-outs are seldom achievable.

Q: Who is permitted to access the information collected from my vehicle?
A: Manufacturers, third-party service providers, insurance companies, and occasionally data brokers or governmental authorities may have access to the data from your vehicle.