How to stop your car spying on you

  • Smart cars pose significant privacy concerns due to their extensive data collection practices.
  • A recent study indicates that nearly every car manufacturer gathers information about its drivers, with a staggering 84% of them proceeding to share or sell this data.
  • This information spans sensitive categories, including biometric information, location data, personal details, and even sexual orientation.
  • Privacy4Cars, a U.S.-based automotive company, introduced the Vehicle Privacy Report tool earlier this year to inform drivers of the extent of data collection by vehicles.
  • ExpressVPN used this tool to analyze the most popular cars in the U.S., revealing how much information they collect.
  • Until there are clearer regulations on car data privacy, there are steps you can take to safeguard your personal information from being collected and shared by your smart car.
  • For example, you can opt out of data selling and behavioral advertising and use a privacy-focused VPN when connecting to your car’s Wi-Fi hotspot.

 

Modern cars have become more than just vehicles; they’re rolling data centers, akin to smartphones on wheels, silently gathering a wealth of information about us as we drive. From tracking our routes to monitoring driving habits and even delving into biometric details, our vehicles are quietly accumulating a hoard of data, often without us even realizing it.

As cars become more automated and connected, the companies behind them are gaining more control over their functionality and data collection. This transition raises a pressing concern over privacy, as our locations and personal information are funneled back to manufacturers and, in some cases, traded by questionable third parties.

In fact, a recent study by the Mozilla Foundation labeled cars as the worst product category they’ve ever evaluated for privacy. Alarming findings include excessive collection of personal data, widespread data sharing, and a notable lack of user control over their information. This situation highlights the urgent need for clearer regulations on car data privacy. 

However, until these measures are in place, drivers can take a proactive step by staying informed. Join us as we guide you on what you need to know about how your smart car tracks you, the data it shares, and what you can do about it.


Whose car is this? What your vehicle knows about you

Every time you use your turn signal, you’re not just activating a light; you’re sending a digital message through your car’s intricate internal network. This seemingly small action speaks volumes about the incredible advancement of automobiles.

Since the 1970s, cars have housed computers, but today’s smart cars are in a league of their own. McKinsey predicts that by 2030, up to 95% of new vehicles sold worldwide will be connected. 

These modern vehicles feature an array of advanced features, relying on touch-sensitive panels and screens that respond to the slightest touch, a wave, or even a voice command. However, this progress comes with a notable consequence: Every interaction with your car generates a record, from turning the wheel to unlocking the doors. This information is typically collected and stored by the car company.

Are smart cars safe? How your car collects your data 

Telematics 

Braking intensity, acceleration, headlight usage, windshield wiper activation, and even opening your driver’s side door all contribute to a detailed profile of you as a driver. This wealth of data has given rise to an entire industry centered around telematics, the art and science of monitoring, logging, and analyzing driving behavior. It underpins incentives like good-driver discounts offered by insurance companies and ushers in a new era of personalized driving experiences.

Connected services and devices

But your car’s capabilities extend beyond the physical actions you perform while driving. Services accessible through your car’s dashboard, like radio stations, the channels you watch on your car’s infotainment system, or a GPS route planner also contribute to the data it collects. Car companies can also access data from your phone when you download your car’s app.

External data sources

Car companies can also gather additional information about you from data brokers, car dealers (who have information from test drives), your social media profiles, and government sources.

The true cost of owning a smart car: 20 ways it tracks you 

Let’s delve into the specifics. Here’s how a smart car can track its driver:

1. Location tracking

GPS technology allows smart cars to pinpoint their exact location, enabling features like navigation and providing data on travel patterns.

2. Traffic patterns and congestion

Smart cars can collect data on traffic patterns and congestion, which can be used to improve navigation and routing algorithms. However, this data can also be used to track individual vehicles and their movements.

3. Driving behavior

Smart cars monitor factors like acceleration, braking, speed, and steering patterns to analyze how a driver operates the vehicle.

4. In-vehicle preferences

These include settings like seat position, climate control, and entertainment choices, which are recorded to provide a personalized driving experience.

5. Biometric data

Some smart cars can collect biometric data, such as fingerprints and facial scans. This data can be used for security purposes, such as unlocking the car or starting the engine.

6. Data from synced devices 

Depending on the manufacturer, your smart car may have the ability to access and collect data from your synchronized mobile devices. This includes call logs, messages, and app usage. 

7. External cameras and sensors

Smart cars use a variety of sensors and cameras to monitor their surroundings, enabling features like parking assistance, lane-keeping, and collision avoidance.

8. Environmental data

Smart cars can also collect data on the environment around them, such as air quality, temperature, and road conditions. This data can be used to improve navigation, safety systems, and environmental monitoring.

9. Voice recognition

Smart cars with voice recognition systems can track what the driver and passengers say. This data can be used to control the car’s features, such as the climate control, navigation system, and infotainment system.

10. Trip log information

This includes information about when you start and end a journey, as well as details of the trip (e.g., route taken).

11. Airbag system data

Some cars collect data related to the airbag system, including weight and body position information, which is stored onboard. This data can be used to diagnose vehicle problems and investigate accidents.

12. On-board data

This refers to data generated by the car, but not necessarily sent to the manufacturer, unless accessed using external data extraction tools. It covers a wide range of information, including engine performance, tire pressure, and fluid levels, helping with maintenance and diagnostics.

13. Media analytics

Information about what you listen to in your car, such as radio stations and media sources, may be tracked. This includes which shows and channels are watched on the rear seat infotainment system, logins to various streaming sites, and data on which features of the infotainment system are used, such as navigation, music, and settings adjustments.

14. Battery, ignition, and window data

Information about the vehicle’s state, including battery status, ignition status, and window positions, can be collected.

15. Diagnostic information

Smart cars can track a variety of diagnostic information, such as fault codes and system performance data. This data can be used to diagnose vehicle problems and improve vehicle reliability.

16. Stability control and anti-lock events

Recording instances where these safety features are activated provides insights into driving conditions and potential hazards.

17. Security/theft alerts

Smart cars can generate security and theft alerts. These alerts can be sent to the vehicle owner’s smartphone or to a monitoring service.

18. Wi-Fi data usage

Smart cars can track Wi-Fi data usage, such as what websites the driver and passengers visit. This data can be used to personalize the driving experience and target advertising.

19. Home energy usage 

Electric vehicles can track home energy usage. This includes data on charging habits and energy consumption patterns.

20. Vehicle maintenance

Smart cars can collect data on their own performance and maintenance needs. This data can be used to improve vehicle reliability and safety, but it can also be used to track individual usage.


Is your smart car spying on you? Understanding the privacy risks

Smart cars have revolutionized our driving experience, offering unprecedented connectivity and convenience. However, they come with a significant drawback—a serious invasion of privacy and security. In fact, few products collect as much information about an individual’s actions, whereabouts, and conversations as a smart car.

The extent of data collection

Smart vehicles are continuously gathering data, transmitting it wirelessly to manufacturers, and often sharing it with third-party service providers. The range of information collected is staggering:

  • Personal details: Name, age, address, Social Security number, driver’s license number.
  • Location specifics: Precise GPS data, route history, and driving schedule.
  • Digital footprint: IP address, mobile device location, search content.
  • Demographic insights: Gender, ethnicity, and other personal details.
  • Financial information: Payment details, acquisition, and financing of the vehicle.
  • Biometric data: Facial, voice, and fingerprint recognition.
  • Behavioral patterns: Driving habits, style, and even 3D images around your vehicle.

And smart car makers don’t stop there. Through external data sources, they go a step further, delving into aspects like income, immigration status, race, and even intimate details like sexual activity (we kid you not) and genetic information. They can even access your photos, calendars, and to-do lists if your privacy settings allow them.

In its privacy policy, Nissan U.S. explicitly states that it collects and shares sensitive data such as sexual activity, health diagnosis, and genetic information for targeted marketing purposes. However, the policy doesn’t clarify how this information is obtained in the first place.

Where does your personal data go?

Manufacturers are legally bound to outline these practices in their privacy policies; however, the complexity of these documents often confuses consumers. And while these policies vary by car maker, the primary recipients of this data include:

  • Service providers (although it’s not specified which ones)
  • Government agencies
  • Law enforcement
  • Advertising and research companies
  • Other drivers (usually to improve traffic flow or report accidents) 
  • Dealers
  • Social media platforms
  • Data brokers
  • Tech giants like Apple CarPlay, Android Auto, and Amazon Alexa
  • Affiliates
  • SiriusXM, OnStar, and other connected services

The murky world of data brokers 

One of the most troubling aspects of smart car tracking lies in the involvement of data brokers. These entities operate in a shadowy realm, trading car-generated data without obtaining the explicit consent of vehicle owners. This practice raises significant concerns, including: 

  1. Personal data misuse: When companies fail to be transparent about how they handle personal data, it erodes the principle of informed consent. This puts individuals at risk of having their personal information exploited.
  2. Targeted advertising: Data brokers can use driver information to bombard individuals with customized advertising. This often happens without people knowing how their data was obtained in the first place. 
  3. Invasive surveillance: This data can be abused for more sinister purposes, enabling unwelcome surveillance that intrudes on personal privacy.
  4. Discrimination and profiling: Data brokers can compile detailed sets of information to create highly specific profiles of individuals. This can lead to potential discrimination based on factors like race, income, or lifestyle. It can also result in profiles that don’t accurately reflect an individual’s true characteristics.

The unregulated nature of data brokerage raises questions about accountability. With no clear oversight or standardized industry practices, it’s challenging to hold these entities responsible for any misuse or mishandling of the data they acquire.

Hackers can get access to your data 

The trade of sensitive information by data brokers also introduces potential security vulnerabilities. In the event of a data breach or cyberattack, this valuable information could fall into the wrong hands, exposing individuals to a range of risks, from identity theft to stalking.

Sixty-eight percent of car brands have a bad track record, indicating recent lapses in protecting their users’ privacy through leaks, breaches, or hacks. Some of the most notable incidents include:

  • Volkswagen and Audi: In 2021, a data breach between the sister companies impacted 3.3 million users.
  • Toyota: Over the course of ten years, from 2013 to 2023, Toyota exposed data from 2.15 million users, highlighting a prolonged lapse in data security.
  • Mercedes-Benz: In June 2022, Mercedes-Benz disclosed a data leak stemming from a third-party vendor, compromising the personal information of potentially 1.6 million prospective and existing customers. This included sensitive details such as names, street addresses, email addresses, and phone numbers.

These breaches can have far-reaching consequences for individuals, from identity theft to targeted cyberattacks.

Your smart car data can be used against you 

Another concerning aspect of smart car data collection is that it can be used against you in a court case. Law enforcement agencies globally are increasingly accessing personal car data for investigative purposes. This not only includes location history but also personal communications. 

Vehicle manufacturers are known for sharing voice recordings and location history, often without the knowledge or consent of the occupants. In some instances, individuals haven’t even signed up for the service, yet their movements are being recorded.

According to the Mozilla Foundation, 56% of car manufacturers said that they share their drivers’ information with the government or law enforcement in response to a “request,” be it formal or informal. 

15+ car brands under the spotlight 

So which car companies stand out for their concerning privacy practices? While Tesla is known for its revolutionary electric vehicles, its data collection practices are questionable. Kia’s privacy policy is also problematic, and Nissan’s is probably the worst. 

Here’s what you need to know about a few of the top car brands, ranked from bad to worse in terms of user privacy:

[Table: car brands assessed on data use, data control, track record, security, and AI, listed in this order: Renault, BMW, Jeep, Chrysler (Dodge), Volkswagen, Toyota (Lexus), Ford, Audi, Mercedes-Benz, Honda, Kia, Chevrolet (GMC & Cadillac), GMC, Hyundai, Tesla, Nissan]

Source: Mozilla Foundation 

1. Renault 

Renault, a prominent French car company, boasts a long history in Europe and Latin America, though it withdrew from the U.S. market in 1992. While it complies with European privacy laws, there’s some uncertainty about its data collection practices, including personal and driving information. The company seeks consent for geolocation data, as per GDPR guidelines, and refrains from selling personal data, but invests in data ventures, raising some privacy queries. Its association with Nissan, known for privacy issues, adds to these concerns.

2. BMW

BMW, while not the worst in privacy among car brands, aligns with a low industry standard. It amasses a wide range of personal and driving data, including contact details, driving habits, and multimedia usage. BMW extends data collection to third-party sources, like data brokers and social media networks. There’s also uncertainty about the extent of data sharing for advertising, as its privacy policy doesn’t explicitly clarify this.

3. Jeep

Jeep, an iconic American brand known for rugged vehicles, has faced criticism for its user-unfriendly privacy policy. Navigating its website for privacy information is challenging. Jeep, along with parent company Fiat Chrysler Automobiles (FCA), collects a broad range of data, from personal details to vehicle information. Third-party data sources are also tapped for targeted marketing, resulting in extensive data sharing and privacy concerns.

4. Chrysler (Dodge)

Chrysler and Dodge, which fall under the same parent company, FCA, share a complex and challenging-to-navigate privacy policy with Jeep. They gather extensive personal and vehicle information, creating detailed user profiles for targeted marketing and ad personalization. While security has improved since a 2015 hacking incident that saw 1.4 million vehicles being recalled, concerns remain about potential identification risks with de-identified data (data that has had all of the personally identifiable information removed), especially if it includes location information.

5. Volkswagen 

Volkswagen’s privacy practices regarding data usage, control, and security are also problematic. The company engages in extensive data collection across cars and connected services, encompassing a wealth of personal and vehicle data. VW’s disclosure policy indicates broad sharing, often for targeted advertising. Even de-identified data is not immune to usage, with potential re-identification risks. Security concerns, data breaches, and privacy violations further mar VW’s privacy track record, posing considerable risks to personal and location data.

6. Toyota (Lexus)

Toyota, a Japanese brand and global leader in car sales, also owns Lexus—which shares the same privacy policy. Despite the company’s stature, Toyota’s privacy practices raise concerns. It collects an extensive amount of data, often more than necessary, and shares or sells it to third parties for marketing purposes. 

Its privacy landscape is complex, with numerous policies covering different aspects, making it challenging for users to navigate and comprehend. Data collection encompasses personal, demographic, driving behavior, vehicle, and sensitive information. Toyota claims to process facial geometric features exclusively within the car but concedes that this sensitive information may be shared under legal requirements. On the plus side, Toyota does grant individuals in the U.S. certain rights to control their data.

7. Ford

Ford, arguably the best-known American car brand, has a long history in the automotive industry. However, its privacy track record raises concerns. It amasses substantial personal and vehicle data, ranging from names and emails to location data and driving behavior. This information is used to create detailed user profiles for marketing purposes. Ford also shares or potentially sells this data to various third parties, including dealers, social media platforms, advertising companies, and law enforcement. Its privacy policies are complex, making it hard for users to understand the extent of data collection. In terms of security, Ford has had some publicized incidents, which raises doubts about its ability to protect the personal information it collects.

8. Audi

Audi, the renowned German car manufacturer, known for its luxury vehicles, presents a challenge in understanding its privacy policies, particularly for U.S. consumers. Policies vary based on the car’s model year and selected services, with an additional privacy page for Volkswagen Group of America, Audi’s parent company, accessible only in select U.S. states with stringent privacy laws.

In terms of data collection, Audi accumulates a wide range of personal, car-related, and other information, which includes names, contact details, GPS-derived location data, in-car voice commands, and extensive vehicle usage data. It also extracts information from connected services like navigation and streaming. Audi is capable of creating detailed user profiles based on this data, reflecting individual preferences and traits. This information not only remains within Audi but is also shared, and potentially sold, to third parties for advertising purposes.

This is coupled with a track record of data protection issues, as seen in the 2021 incident mentioned above, and not all consumers have equal rights to request data deletion or to opt out of data sharing for marketing.

9. Mercedes-Benz

Mercedes-Benz cars are known for luxury, but the company’s privacy practices raise serious concerns. It collects a lot of personal data, including sensitive info like location and biometrics. It also admits to sharing or selling some of this data for targeted ads. The company’s track record isn’t perfect either, with the significant data leak in 2022. Integrating the privacy-sensitive TikTok app into its cars in 2023 doesn’t inspire confidence either. The company’s privacy notice even acknowledges that no information system is completely secure. The German manufacturer admits to sharing sensory data with law enforcement, posing a potential threat to individual privacy.

10. Honda

Honda’s privacy policy raises concerns. While the company claims to prioritize privacy, its policy allows for extensive data collection, potential sharing, and even selling, of personal information. Its interpretation of “data minimization” is broad, enabling substantial collection for “legitimate business purposes.” It also lists a wide range of potentially gathered information, including sensitive data. 

While Honda states it won’t share geolocation info without consent, the terms of this consent are unclear, leaving customers potentially exposed. Additionally, it mentions acquiring data from various sources and using a wide array of personal information for targeted marketing. While Honda’s privacy and security record isn’t the worst, reported vulnerabilities, like a keyless entry system flaw, raise concerns about its reporting mechanisms.

11. Kia 

Kia’s approach to privacy is bizarre. Like Nissan, it claims the right to collect sensitive data like genetic information and details about one’s sex life without providing clear justification. It also has a broad definition of personal information, which means private and sensitive data could fall under this category. 

Kia also collects a wealth of information about driving habits, geolocation, and movements, and may share or sell this information. Past security incidents and vulnerabilities also raise doubts about the company’s commitment to user safety. 

Additionally, its connected services likely involve third-party providers, possibly exposing user information. Concerningly, Kia also has a “My Car Zone” feature that lets you set alerts to monitor how others drive your car, like curfew violations and speed limits. While it’s designed for parents to keep an eye on their kids, it could also be abused by controlling family members or partners.

12. Chevrolet (GMC & Cadillac)

Chevrolet, GMC, and Cadillac share a privacy policy as they’re all owned by General Motors. They have a complicated privacy setup with at least six separate privacy policies in the U.S. The car manufacturer is really keen on connecting drivers’ phones to their cars, even adding a mandatory 1,500 USD fee for its OnStar and Connected Services Premium Plan. This doesn’t leave much choice for buyers.

OnStar’s policy reveals that the company gathers a lot of personal and car data, and it’s closely linked with law enforcement and government agencies. The service can collect a vast range of information about you and your car, and even draw conclusions about your traits and habits for marketing. It’s not clear when you actually give consent for all this data collection. GM’s track record on data protection isn’t perfect either, with a major data breach in 2022. 

13. Hyundai 

Hyundai, a well-known South Korean car maker, has significantly improved its global reputation since its early days. However, its privacy policy raises particular concerns. It states the company’s readiness to comply with “lawful requests, whether formal or informal,” a statement that goes beyond the language of many other car brands. This gives rise to serious questions about the potential extent of data sharing with government or law enforcement agencies.

What’s particularly worrisome is Hyundai’s extensive data collection practices. The company collects a host of detailed and sensitive information about users’ activities, both within their vehicles and through connected services. This includes geolocation, driving habits, and even sensor data generated by the vehicle. Moreover, Hyundai’s definition of personal information is exceptionally broad, potentially encompassing a wide range of sensitive data.

Hyundai’s privacy policies also show a lack of clarity and transparency. The language is often vague, leaving room for broad interpretation. For example, the policy references collecting “physiological, biological or behavioral characteristics” under biometric information, a term open to wide-ranging interpretation.

Additionally, Hyundai’s data handling practices raise questions about security. Recent incidents, including a data breach affecting car owners in France and Italy, and a vulnerability that could potentially allow unauthorized access and control of vehicles, underscore concerns about data safety and user privacy.

In terms of user control, options to opt out of certain data collection practices are limited, and some functionalities may be restricted as a result. Only residents of select U.S. states and those under GDPR protection in Europe have the option to request certain data-related actions.

14. Tesla

Tesla, led by Elon Musk, is known for its high-tech electric cars. As of 2023, it stands as the world’s most valuable car manufacturer. However, its AI-powered autopilot has raised serious concerns due to its association with a troubling number of accidents and fatalities. This has prompted heightened government scrutiny.

There have also been incidents, like the internal sharing of videos from Tesla’s cameras that included highly sensitive content, raising serious questions about user privacy. Moreover, a whistleblower leaked multiple confidential files, which contained extensive personal data, alleging a cover-up of Autopilot system issues. This event is currently under investigation for potential GDPR privacy law violations.

Tesla’s privacy policy also outlines extensive data collection, covering details from personal information to various aspects of vehicle use. While some data processing is done locally on the car, certain elements, like cabin camera footage, are shared with Tesla if data sharing is enabled. Additionally, the opt-out process for data sharing may have unintended consequences, potentially impacting the functionality of the Tesla vehicle.

15. Nissan

Nissan’s approach to privacy is deeply unsettling as it openly admits to collecting and sharing highly sensitive personal information, including details about sexual activity, health conditions, and genetic data—all for targeted marketing purposes. While the company’s transparency is notable, it underscores a troubling approach to handling user data.

The company’s MyNissan app also raises red flags. The Data Safety Information on the app’s Google Play Store page contradicts its privacy policy. Nissan asserts that no data is shared with third parties, directly conflicting with its policy, which clearly states that personal information is shared with various partners. The issue of data collection also extends to passengers who use Nissan’s connective services while in one of its smart cars. Additionally, the app’s inability to delete collected data leaves users potentially exposed to data mishandling.

Nissan’s data protection track record, while not the worst among car companies, falls short. A 2022 data breach involving a third-party service provider raises serious questions about the overall security of its data-sharing practices. A security vulnerability in January 2023 also exposed a potential loophole for unauthorized remote access to vehicles, emphasizing the urgent need for improved security measures.

Smart car privacy report: What are popular cars tracking?

To create more awareness about data collection practices, Privacy4Cars, a U.S. automotive firm, unveiled its Vehicle Privacy Report earlier this year. 

The online tool works by utilizing the Vehicle Identification Number (VIN) of a car, a unique identifier much like a fingerprint for vehicles. It then cross-references this with each manufacturer’s public policy documents, giving a comprehensive picture of the data landscape. Through this, the report reveals the huge amount of information that our smart cars are capable of collecting and transmitting to manufacturers.

The tool categorizes vehicles as either a “smartphone on wheels” or a “hard drive on wheels”. The latter designation is used for vehicles that have telematics, but the cellular connection is no longer functional (due to it being 3G or older technology). 

To gain further insights, we used publicly available VINs to run the five most popular cars in America (according to research by automotive platform Edmunds Inc.) through the Privacy4Cars tool. Here’s what we found:

2023 Chevrolet Silverado

The Chevy Silverado holds its crown as the top-selling vehicle in the U.S. in 2023. However, due to its advanced telematics capabilities, it actively gathers a wealth of data on both the driver and the vehicle’s operations.

This data collection covers personal details like names, addresses, and email addresses. It also extends to biometric markers such as fingerprints or facial features, all while keeping tabs on the driver’s whereabouts. Though the policy’s wording regarding synchronized phone data can be convoluted, the vehicle crafts user profiles based on individual driver habits and preferences.

The scope of data collection is broad, spanning from camera imagery and sensor metrics to voice commands, stability control, and anti-lock events. It leaves no stone unturned, even logging infotainment system use, from radio to rear-seat entertainment.

In addition to these details, the Silverado logs specific information like battery status, ignition details, window operation, gear status, and diagnostic information. It tracks the driver’s journey, recording location, route history, speed, and noteworthy driving events like braking, swerving, and cornering.

Regarding data sharing, the Silverado divulges information to affiliates within the General Motors network, third-party service providers, insurers, and government agencies. However, the policy leaves a question mark on whether data is shared with data brokers, as the manufacturer neither explicitly affirms nor denies this in its policy.

2023 Ford F-150

Like its contemporaries, the light-duty pickup doesn’t have information about data deletion, despite collecting a wealth of information about its owners. This includes names, locations, and driving license details. The manufacturer is also keen on identifiers and user profiles, and keeps track of location details. However, the car’s stance on synchronized phones and biometric data is a bit hazy.

A driver’s habits aren’t off the radar either. Ford keeps tabs on speed, pedal usage, and even seatbelt engagement. The vehicle acts as a silent recorder, documenting routes, speed, and even local weather conditions.

When it comes to sharing, Ford isn’t shy. They disseminate data to affiliates, service providers, insurers, and government bodies. The stance on data brokers, however, remains elusive.

2023 RAM 1500

RAM is owned by Stellantis, a firm that was created when Fiat Chrysler Automobiles and the Peugeot group merged in 2021. As a result, RAM uses the same connected services privacy policy and terms of service as Chrysler, Dodge, and Fiat.

When it comes to personal data, RAM opts for a “no-deletion” policy, including personal identifiers from names and addresses to Social Security numbers and driving license details, as well as biometrics. RAM also monitors driving habits, recording timestamps, speed, acceleration, and braking. The vehicle tracks journey details like location, weather, and routes taken. It even keeps an eye on its own status, monitoring refueling, battery levels, and camera imagery. 

In terms of synchronized phones, RAM’s policy is nuanced. While data isn’t directly taken from synced phones in the vehicles, an exception exists for RAM’s own branded mobile remote apps.

On the upside, RAM provides three avenues for individuals to manage their personal data in most of their new vehicles. This includes toggling geo-location data collection, opting in or out of specific data uses through digital channels, and requesting the “right to be forgotten.”

2023 Honda CR-V

Honda’s data collection practices involve gathering a wide range of information, which the company categorizes as “covered information.” This includes personally identifying details such as contact information, Social Security numbers, and driving license information. 

Unlike some of Honda’s other models, the CR-V specifically collects information about the vehicle’s status, including fuel levels, tire pressure, and battery charge. The car also records trip log data, such as the start and end times of journeys, and monitors the status of the airbag system. 

Additionally, the CR-V collects information on how the connected features of the vehicle are used, which can include search history, call logs, and voice commands (which potentially include audio recordings). Driver behavior information is also tracked, including details like pedal position, engine speed, and steering angle.

Regarding biometric data, it’s unclear how Honda utilizes this type of information as it’s not explicitly stated in the car’s privacy policy. However, it has said through a spokesperson that its cars in the U.S. have systems that transfer biometrics to the company. 

On top of that, the airbag system may collect weight and body position information, but this data is stored locally on the onboard computer and can only be accessed through a physical connection, with state and federal laws governing who can access it.

2023 Tesla Model Y

Tesla doesn’t have a straightforward policy for deleting user data, which suggests that information could potentially be held indefinitely. This raises concerns about how much control users actually have over their personal information.

What’s more, Tesla’s privacy policy gives the company a wide berth in terms of using and sharing user data for what the company deems “necessary or appropriate” purposes. While this provides Tesla with flexibility, it also means that users have limited influence over how their information gets put to use.

Tesla is open about collecting data about its drivers in the form of personal identifiers, and it also tracks location data. However, the company’s policies around synchronized phone information, user profiles, and biometrics are a bit of a mystery, leaving users uncertain about how these categories are managed.

As for data sharing, Tesla collaborates extensively with affiliates, service providers, insurance companies, and government bodies. However, it’s not entirely clear to what extent data is shared with data brokers. This omission in Tesla’s privacy policy, like the ones above, should be a significant concern for drivers. 

The future of smart car privacy: Are regulations enough?

Most smart car brands fall short in data use and security, demonstrating poor data control. The policies outlined by the majority of smart car manufacturers do not offer a comprehensive view of how driver data is utilized and shared.

The notion of “consent” in the world of smart cars is also often illusory. Unlike optional smart home devices, driving is a necessity for many. Companies frequently sidestep or presume consent, assuming you’ve read and agreed to their policies before you even get into their vehicle. Subaru, for example, states that passengers implicitly “consent” to the use, and potentially sale, of their personal information simply by being inside.

Tesla takes it a step further, allowing you to opt out of data collection, but with a veiled warning that it may impair your car’s functionality. Nissan goes so far as to burden you with the responsibility of informing others about your car’s privacy policies.

This stark disadvantage faced by consumers when it comes to smart cars has prompted Senator Elizabeth Warren to get involved. In November 2022, she addressed this escalating concern, highlighting the pressing need for action. 

In a six-page letter to the top antitrust enforcers in the U.S., Lina Khan, chair of the Federal Trade Commission, and Jonathan Kanter, head of the antitrust division of the Justice Department, she expressed profound unease over the rising competition and consumer protection issues linked to smart vehicles.

The Surveillance Technology Oversight Project (STOP) took it a step further with their report titled “Wiretap on Wheels,” where they emphasized: 

“Modern cars collect a huge amount of data, stored indefinitely onboard and in the cloud. The data tracks not just the car, but its occupants: it records our location history, phone contents (contacts, emails, texts, tweets, social media feeds), voice recordings, weight, and other biometric data. If this sounds creepily expansive, it is. Car data often is collected for the benefit of manufacturers, not drivers.

Our information fuels a billion-dollar industry centered on subscription services and on selling drivers’ data to third parties, including law enforcement. Many cars on the road feed this industry: 84 million connected cars beamed data to manufacturers and other companies in the U.S. in 2021. Drivers can refuse some data collection, but saying “no” often comes at the cost of passenger safety: no data, no emergency roadside service, or built-in navigation tools.”

The urgency for action is clear. There’s a critical need for more robust regulation and oversight in the smart car industry. Clearer, stricter guidelines governing data collection, sharing, and resale are vital to protect the privacy and security of vehicle owners. However, until these regulatory measures are firmly established, it’s important that consumers take proactive steps to safeguard their data. 

12 ways to stop your car spying on you

A vigilant awareness of privacy policies and the use of tools like Privacy4Cars are important steps in the effort to add an extra layer of defense against unwarranted data collection. Here are a few more tips on how to shield yourself against the relentless data collection and potential sale of your personal information by smart cars:

1. Consider older, non-connected models

One effective approach to safeguarding your privacy is to opt for an older, used car that lacks internet connectivity and cameras. By doing so, you can significantly reduce the potential points of data collection and minimize the risk of unwanted surveillance.

2. Be cautious of the information you share on social media 

It’s important to be mindful of the information you share, especially on social media platforms or when communicating with friends and family. Avoid disclosing sensitive details about your smart car, such as its location or your travel plans, on social media, and instead opt for messaging platforms that have end-to-end encryption, like WhatsApp or Telegram.

3. Embrace open-source solutions

An emerging trend in the automotive industry mirrors the competition between open-source Android and closed-source iOS in the smartphone realm. Look for car manufacturers that offer open-source options, enabling users to have greater control over their car’s operating system and, consequently, their data privacy.

4. Disable tailored advertisements

When purchasing a vehicle, refuse consent in your contract for personalized advertisements to prevent the sharing of your personal information for targeted marketing.

5. Opt out of data selling and behavioral advertising

Take advantage of opt-out options to limit the sharing of your personal data and cross-context behavioral advertising.

6. Perform a factory reset

Before selling or trading in your car, ensure you conduct a factory reset to erase all personal data and disconnect any associated apps. The same goes for purchasing a used car—confirm that the previous owner has removed their connected account.

7. Strengthen security measures

Implement robust passwords and enable two-factor authentication for apps and services linked to your car.

8. Exercise data caution

Grant access to your data only to trusted third parties and limit data collection through mobile apps using iOS or Android settings.

9. Disable location sharing

Opt out of location sharing on your mobile device to restrict access to your real-time whereabouts.

10. Evaluate voice assistants

If you’re concerned about data collection, reconsider using voice assistants like Amazon Alexa, which may gather voice requests, IP addresses, and geolocation information for advertising purposes.

11. Keep software updated for enhanced security

Regularly updating your smart car’s software is a critical measure in fortifying your privacy defenses. Manufacturers frequently release security patches that address vulnerabilities. By staying up-to-date, you ensure that your vehicle is equipped with the latest protections against potential intrusions.

12. Use a privacy-focused VPN for added security

When connecting to your car’s Wi-Fi hotspot, consider using a privacy-focused VPN like ExpressVPN. This technology creates a secure tunnel for your data, shielding it from prying eyes. It also adds an extra layer of protection, making it significantly more challenging for any potential eavesdroppers to intercept your online activities.

Cause for concern or a necessity? What are your thoughts on smart car data privacy practices?
