
Navigating the Road of Data Privacy: What Your Car Knows About You

Arthur
17.10.2023

What is this all about?

  • Modern vehicles serve as data hubs, gathering a vast array of personal information such as location, driving behaviors, voice commands, and synchronized phone data.
  • Data is collected via onboard systems, connectivity features, telematics devices, and manufacturer applications, frequently without the explicit consent of users.
  • Automakers may share or sell this information to third parties, including advertisers, insurance firms, and data brokers, occasionally merging it with external personal data for comprehensive profiling.
  • Grasping and managing car data privacy is crucial as vehicles become more interconnected and integrated with digital services.

In an era of digital transformation, our cars have become more than just modes of transportation. They have evolved into rolling data hubs with sensors, computer systems, and connectivity features. While this technological advancement has undoubtedly enhanced our driving experience, it has also raised significant concerns about data privacy. In this blog, we'll delve into the data privacy concerns surrounding cars and educate you on the types of information your vehicle may be collecting.

What Your Car Knows About You

Cars can collect a vast amount of data about us, including our whereabouts, driving behaviors, voice interactions, and even biometric details, essentially evolving into powerful snooping machines that we engage with on a daily basis. This data is valuable to car manufacturers, who can use it to improve their products and services, but it also raises major data privacy concerns.

By the year 2025, over 80% of newly manufactured cars will be categorized as "connected vehicles", featuring constant connectivity capabilities. These systems frequently work in conjunction with mobile devices and cloud services that monitor driver habits, preferences, and even emotional states via cabin-facing cameras and AI designed for emotion detection.

  • Location Data: Your car can track your location, which can include information about where you go, how often you go there, and how long you stay.
  • Voice Recordings: Some cars have voice recognition systems that can record your voice when you use voice commands or interact with in-car systems.
  • Financial Data: Your car may collect information related to your financial status, such as your income and spending habits.
  • Personal Data: Car manufacturers may collect personal information about you, including your immigration status, race, genetic information, and even information about your sexual activity.
  • Personal Photos & Images: If you use in-car infotainment systems or connect your phone, your car may have access to your personal photos. Your car may also capture images, although the specific details about what images are captured are often not clear.
  • Calendar and Activities: Some cars can access and store your calendar events and to-do lists.
  • Route History: Your car may record information about the routes you take, helping to build a picture of your travel habits.
  • Employment Information: Information about your workplace and commuting habits may be gathered.



How Your Car Collects Your Information

At the heart of this relentless data collection process are the onboard computer systems of modern cars. A recent report from the Mozilla Foundation for 2025 has confirmed that no major automobile manufacturer complies with contemporary privacy standards. Car manufacturers like Kia, Nissan, and Tesla persist in gathering extremely sensitive information, such as data related to sexual activity and genetic information, frequently without explicit consent or user oversight. 

According to the original 2023 McKinsey forecast, 95% of new vehicles would be connected by 2030. 

Recent data indicates that the industry is progressing effectively, with more than 80% of new vehicles worldwide expected to possess connected features by 2025. The highest rates of adoption are observed in North America, the European Union, and certain regions of Asia.

Connectivity is another key factor of this data gathering. Internet-connected cars have the ability to compile real-time data about your location, traffic conditions, and even how you interact with the infotainment system. For some, the ordeal doesn't end there as telematics devices come into play. These plug-in devices are employed to transmit data on driving behavior, often to insurance companies. They keep a vigilant eye on your speed, braking habits, and acceleration patterns.

Furthermore, should you opt to synchronize your car with a manufacturer's app, be prepared for another violation of privacy. These seemingly harmless applications quietly collect data about your every move – your usage patterns, your exact whereabouts, and your unique preferences – all neatly packaged and handed over to the car manufacturer. Car companies often seek additional insights about you from data brokers, who specialize in collecting and selling data from diverse sources, ranging from your social media profiles to government records.

Unfortunately, even the simple act of taking a test drive is not immune to data collection. Dealerships have the capability to discreetly gather information during these test drives, including your contact details and your driving preferences. Government records also play a role, occasionally providing data such as vehicle registration and licensing information.

Alongside manufacturer applications, emerging automotive operating systems such as Android Automotive OS and Apple CarPlay 2.0 have enhanced the flow of third-party data. Applications integrated directly into infotainment systems are now capable of accessing location data, vehicle diagnostics, and even inputs from the microphone.

Data Destination: Where Does Your Information Go

Car companies often share and sometimes sell the data they collect to third-party businesses. These third parties can include a wide range of entities, such as service providers, data brokers, and other companies. Privacy policies tend to use vague language when describing the recipients of the data, making it unclear who exactly is receiving it. Car manufacturers may combine the data they collect from your car with personal information obtained from third parties, leading to a more comprehensive profile of you, which is often used for marketing and other purposes.

By the year 2025, automotive manufacturers are progressively collaborating with telecommunications companies, cloud service providers, and application developers to capitalize on user data. This collaboration encompasses data enrichment platforms that integrate vehicle information with social media activities and public records to formulate marketing profiles.

Many car companies explicitly state in their privacy policies that they have the right to sell your personal data. This data may include a wide range of information, from driving behavior to personal preferences. Some data collected from your car may be aggregated and anonymized before it is shared or sold. In many jurisdictions, privacy laws do not apply to such data, making it difficult to determine how this information is handled and who has access to it. According to Mozilla’s report on car rankings, Subaru's policy dictates that by being a passenger, you are considered a user – and by being a user, you have consented to their privacy policy.

Volkswagen, Ford, and Stellantis have implemented privacy policies that categorize even passengers as users, thereby broadening the scope of consent to include more than just the driver. This emerging trend, frequently referred to as "passenger profiling", prompts significant legal concerns in light of the changing privacy regulations such as the California Privacy Rights Act (CPRA) and Canada’s Consumer Privacy Protection Act (CPPA).

Car companies may also partner with data brokers or automotive data hubs, which act as intermediaries that collect, aggregate, and distribute vehicle data. These data brokers may sell the data to various businesses, including insurance companies, advertisers, and researchers.

Automotive Companies with Data Privacy Breaches

Toyota has revealed a significant data breach that exposed the data of more than 2.15 million customers due to a misconfigured cloud bucket. The breach affected sensitive information from Toyota's cloud-based Connected services, which were accessible without authorization from November 2013 to April 2023. While the breach only impacted customers in Japan, Toyota emphasized that individual customers' identities were not compromised, and there have been no reports of third-party misuse of the exposed data. This incident surprisingly comes after a separate security incident earlier in the year involving a hacker exploiting a flaw in Toyota's customer relationship management software.

Volkswagen and its subsidiary Audi suffered a data breach affecting 3.3 million customers, primarily in the United States and Canada. The breach, which occurred between August 2019 and May 2021, exposed customer data used for sales and marketing purposes, including names, addresses, email addresses, and phone numbers, as well as details about vehicles purchased or inquired about. While most records contained basic contact information, approximately 90,000 Audi customers in the US had more sensitive data compromised, including driving license numbers and Social Security numbers. The breach was traced back to an unnamed associate vendor. 

In addition to the aforementioned breaches:

  • BYD (2024) exposed the vehicle location and profile information of 1.3 million users as a result of a cloud misconfiguration.
  • Rivian (2025) acknowledged unauthorized access to in-car camera feeds and voice recordings while conducting software testing.
  • Hyundai-Kia (2024) encountered public outrage for sharing behavioral data with third-party advertisers, which resulted in class action lawsuits in the United States.

These occurrences highlight the extent to which vehicle data systems are integrated and susceptible to vulnerabilities.




Car Privacy Best Practices

It’s important to be aware of the risks associated with data collection and to take steps to protect your privacy. Always review your car's privacy policy to learn more about the data that is being collected and how it is being used. You may also be able to opt out of certain data collection practices. Recent research by Mozilla Foundation has exposed concerning practices within the automotive industry as some car manufacturers shockingly fail to obtain explicit consent before gathering data. Opting out of specific data collection practices also may not be a viable option, resulting in limited control over your personal data. 

Mozilla’s findings from 2025 indicated that none of the 25 prominent car manufacturers assessed fulfill fundamental criteria for data transparency, user control, or security. Some even claim the right to sell sensitive data without anonymization.

As an honorable data protection company, we strongly urge consumers to examine their vehicle's privacy policies. Here are some tips for protecting your privacy when using a connected car:

Know Your Car's Privacy Policy

  • The privacy policy outlines what data your car collects and how it is used. It's essential to understand this information thoroughly before using any connected features.
  • Pay attention to details about data retention, sharing with third parties, and the purpose of data collection.

Limit Data Collection

  • A number of automakers, such as BMW, GM, and Tesla, now associate essential features, like remote locking, navigation, and software updates with data collection. Choosing to opt out may result in the disabling of these services, thereby effectively discouraging user autonomy. It is crucial to always consider the potential loss of functionality in relation to privacy risks.

It's worth noting that in some cases, certain car companies may put the burden on consumers to make “better choices”, as seen with Tesla, where opting out of data collection could potentially impact certain vehicle functionalities. For instance, Tesla's privacy notice outlines that while you can choose to opt out of vehicle data collection, it may affect features like over-the-air updates, remote services, and in-car capabilities. Therefore, it's crucial to carefully assess the trade-offs involved in limiting data collection and make informed decisions about your data. The option to opt out should be transparent and should never be used as a tool to manipulate consumers.

Be Cautious with Third-Party Apps

Exercise particular caution when connecting applications through Android Automotive or CarPlay 2.0, as these platforms have broadened permissions beyond conventional smartphone synchronization. Even applications for weather or calendars may, by default, request access to vehicle motion, speed, and location data.

Secure Your Personal Information

Be mindful of the personal information you share through your car's communication systems, such as phone calls or text messages.

Final Notes

As our vehicles become increasingly connected and smarter, understanding the data they collect and how it's used is paramount. The automotive sector is advancing at a pace that outstrips the development of privacy laws. Nevertheless, emerging frameworks such as the EU Digital Services Act, California's CPRA, and Canada's CPPA are beginning to restore consumer power. It is essential to remain updated, regularly assess privacy settings, and advocate for regulations that enhance data transparency.


Frequently asked questions (FAQs)

Q: What types of personal information does my vehicle gather?
A: Your vehicle may gather data such as location, driving habits, voice recordings, and personal information synchronized from your mobile device or applications.

Q: Is it possible to prevent my vehicle from collecting or sharing my information?
A: You can restrict certain data collection through your vehicle’s settings or application, although complete opt-outs are seldom achievable.

Q: Who is permitted to access the information collected from my vehicle?
A: Manufacturers, third-party service providers, insurance companies, and occasionally data brokers or governmental authorities may have access to the data from your vehicle.

Important: The content of this article is for informational purposes only and does not constitute legal advice. The information provided here is no substitute for personalized legal advice from a data protection officer or an attorney. We do not guarantee that the information provided is up to date, complete, or accurate. Any actions taken on the basis of the information contained in this article are at your own risk. We recommend that you always consult a data protection officer or an attorney with any legal questions or problems.