- Car data privacy is a growing crisis — modern vehicles collect location, biometrics, and even facial expressions without drivers realising.
- Car data privacy failures affect your wallet too: insurers are already using vehicle data to raise premiums for some drivers.
- Mozilla reviewed 25 car brands and found every single one failed its basic privacy and security standards.
- A new federal law will soon require biometric cameras in US cars, creating even more data with zero rules on its use.
Car Data Privacy Is Already Out of Control
Car data privacy should be the biggest consumer tech scandal nobody is talking about. Your car — the thing you probably think of as a personal space, a place to sing badly and argue with GPS — is one of the most sophisticated surveillance devices you own. It knows where you’ve been, how fast you drove, whether you buckled your seatbelt, and in some cases, what your face looked like while you were doing all of it. And chances are, you agreed to all of this without ever reading the small print.
This isn’t speculation or fearmongering. It’s written plainly in the privacy policies of major automakers — if you’re willing to wade through them. The data harvested can include precise GPS location, passenger count, radio listening habits, braking patterns, and physical details like your weight and age. Some manufacturers go further still, with interior-facing cameras capable of capturing facial expressions in real time.
“People would be shocked at the number of data points that their car collects and transmits to other people, either the manufacturer or third-party applications,” says Darrell West, a senior fellow in the Center for Technology Innovation at the Brookings Institute in Washington DC. “It basically means your life can be recreated almost on a second-by-second basis.”
That’s not hyperbole. McKinsey found that 50% of cars on the road in 2021 already had internet connections, and the consulting firm expects that number to hit 95% by 2030. The connected car isn’t coming — it’s already here, and it’s talking about you behind your back. Car data privacy concerns are only going to intensify as that number climbs.
What the Privacy Policies Actually Say
In 2023, Mozilla — the organisation behind the Firefox browser — published what remains the most thorough independent audit of automotive data privacy practices. Its researchers examined the privacy policies of 25 car brands. Every single one failed to meet Mozilla’s baseline privacy and security standards. Not most of them. All of them. Mozilla’s verdict was blunt: cars were “the worst product category we have ever reviewed for privacy.”
That’s a striking claim from an organisation that has reviewed smart TVs, fitness apps, and home assistants. Cars beat them all for invasiveness.
The data these companies reserve the right to collect is genuinely startling. Mozilla’s report found automakers claiming the ability to gather names, ages, race, weight, financial details, facial expressions, and — this one’s hard to type without double-checking — “psychological trends.” Kia’s privacy policy went as far as mentioning “sex life” and general health data among the categories of sensitive information it might collect. Understanding car data privacy means grappling with exactly these kinds of disclosures buried deep in legal documents most people never open.
Kia spokesperson James Bell was quick to clarify that the company has never actually collected data on drivers’ sex lives or health. He said those terms appear in Kia’s policy because California law requires companies to enumerate its definition of “sensitive data” — essentially a legal boilerplate exercise. Bell also said Kia only shares data with insurers when drivers explicitly opt in. Fair enough. But notably, the company declined to specify which sensitive data categories it does actually collect. That gap between what’s technically permitted and what’s actually happening is exactly the problem.
Car Data Privacy and the Insurance Industry
The financial stakes are real and immediate. Insurance companies are among the most active buyers of vehicle data, and they’re using it to set premiums. If you drive aggressively — hard braking, sharp cornering, late-night miles — that information can find its way to an insurer and push your costs up. If you drive conservatively, theoretically it could lower them. But the system only works in your favour if you know it’s running, understand the terms, and trust that the data is being interpreted fairly. Most drivers don’t know any of this is happening.
Some automakers are more brazen about it than others. Mozilla found 19 of the 25 car companies it reviewed said they might sell user data. And the industry has already faced serious regulatory scrutiny. US federal and state agencies took action against General Motors for allegedly selling car location data without customer consent. US Senators have accused Honda and Hyundai of similar practices. These are just the cases that became public — there’s no reason to assume they’re the full picture.
“They’re taking all the information they collect on you, which is a lot, and using it to make inferences about who you are, how intelligent you are, what your psychological profile is, what your political beliefs are,” says Jen Caltrider, the privacy analyst who led Mozilla’s automotive research. “That’s the stuff people don’t necessarily think about.”
There are currently no federal rules in the US restricting who can buy this data or what it can be used for. It can be sold to marketers, shared with data brokers, or passed to insurers — and the automaker isn’t required to tell you who’s on the receiving end. This is the car data privacy gap that regulators have so far failed to close.
It’s About to Get Worse — By Law
Here’s where the car data privacy situation moves from uncomfortable to genuinely alarming. A federal law is set to require American automakers to install infrared biometric cameras and behavioural monitoring systems in new vehicles. The stated purpose is road safety — specifically detecting whether a driver is impaired by alcohol or fatigue. The intent is reasonable. The side effects are not.
These systems will capture biometric data — eye movement, body language, physical state — continuously, every time someone drives. And right now, there are no regulations governing what automakers can do with that information once it’s collected. The safety case for the technology is real. The data governance framework to protect drivers? Essentially nonexistent.
It’s a pattern the tech industry knows well. Collect first, regulate later — if ever. We’ve seen it with smartphones, social media, and smart home devices. Cars are simply the latest and, given how physically intimate the space is, perhaps the most intrusive frontier yet. Car data privacy advocates warn this mandatory expansion of biometric collection could dwarf everything that has come before it.
The Phone Connection Makes It Worse
The car itself isn’t even the only entry point. When you plug your phone into a car’s infotainment system — through Apple CarPlay, Android Auto, or a direct USB connection — you may be handing the vehicle’s systems access to your contacts, messages, app usage, and location history. Driving apps and insurance telematics programmes add another layer, often monitoring speed, acceleration, and route data in exchange for potential discounts that may or may not materialise.
The data collection ecosystem around modern driving is sprawling and interconnected. Your car, your phone, your insurer, and third-party app developers can all be pulling data simultaneously — often with overlapping permissions you granted at different times, under different terms, without a clear picture of how they interact. Each connection point is a fresh car data privacy exposure most drivers have never considered.
What You Can Actually Do About Car Data Privacy
The options are limited, but they’re not zero. Reading your car manufacturer’s privacy policy — actually reading it — is the starting point. Some automakers offer opt-out mechanisms for certain types of data sharing, particularly with insurers. It’s worth finding out whether yours does and using them.
Being deliberate about phone connections matters too. If you don’t need CarPlay or Android Auto for a given journey, don’t connect. Treating in-car apps with the same scepticism you’d apply to any other app asking for location and usage permissions is a reasonable habit to develop. And if you’re considering an insurance telematics programme, understand exactly what data you’re trading before you sign up — the discount may not be worth it.
Mozilla’s Privacy Not Included guide for cars remains one of the most accessible resources for comparing how different manufacturers approach your data. It’s updated regularly and written for a general audience.
None of this is a complete solution. The structural problem — manufacturers collecting vast amounts of intimate data with minimal transparency and no meaningful federal oversight — isn’t something individual consumers can opt their way out of. That requires regulation. And while the EU’s GDPR has given European drivers somewhat more leverage, US consumers are still largely waiting for Washington to catch up with the industry it’s supposed to be watching.
Given that automakers are about to expand their biometric data collection by legal mandate, that wait is starting to look very expensive indeed. Car data privacy isn’t a niche concern for the technically minded — it’s a mainstream consumer rights issue that affects every driver on the road.
Source: https://www.bbc.com/future/article/20260513-your-car-is-spying-on-you-its-about-to-get-worse



