Data Privacy and Cybersecurity Risks in Connected Vehicles: Exposure, Access, and Protection Strategies

The 2024 Mozilla Privacy Not Included report recently labeled cars as the official “worst category of products” for privacy, noting that 84% of car brands surveyed admit to sharing or selling personal data. Most drivers realize their phone tracks them, but your car is essentially a two-ton smartphone with even more intrusive sensors.

By the end of this deep dive, you will understand exactly which data points your vehicle transmits, the specific entities that buy or access that information, and practical steps you can take to lock down your automotive digital footprint. We are moving past the “cool tech” phase of connected cars and into a period where your driving habits, location history, and even biometric data are becoming valuable commodities.

The Modern Car as a Data Vacuum

Your car knows when you’re tired, where you grab coffee, and how hard you hit the brakes at yellow lights. Modern vehicles are equipped with Telematics Control Units (TCUs) that maintain a constant cellular connection to the manufacturer’s servers. According to the McKinsey Center for Future Mobility, a single connected car can generate up to 25 gigabytes of data per hour.

This isn’t just mechanical “health” data about oil life or tire pressure. It includes “infotainment” metadata, such as the songs you stream, the contacts you sync from your phone, and the exact GPS coordinates of every trip you take. If you use the in-car voice assistant, snippets of your conversations may be recorded to “improve the service,” a practice that mirrors the privacy concerns found in smart home speakers.

New models from brands like Cadillac and Mercedes-Benz use interior cameras for driver-attention monitoring. While these are vital safety tools, they also create a digital record of your facial expressions and eye movements. This is a level of biological data collection that was unthinkable in the automotive space just a decade ago.

Who is Accessing Your Driving Profile?

The data collected by your car doesn’t just sit in a vacuum at the manufacturer’s headquarters. There is a thriving secondary market for automotive data, and data brokers, insurance companies, and even city planners are often the end-users of your driving habits.

| Data Type | Primary Collector | Common Third-Party Recipients | Opt-Out Difficulty |
| --- | --- | --- | --- |
| Location History | Vehicle Manufacturer | Advertisers, Map Services, Law Enforcement | Hard |
| Driving Behavior | Telematics Provider | Insurance Companies, Fleet Managers | Medium |
| Biometric Data | Interior Sensors | R&D Partners, AI Training Firms | Hard |
| Mobile Sync Data | Infotainment System | App Developers, Marketing Firms | Easy |

Insurance companies are perhaps the most controversial players in this ecosystem. Some manufacturers have been caught sharing “driving score” data—including hard braking and rapid acceleration events—with LexisNexis or Verisk.

These reports can directly impact your premiums, often without you explicitly realizing you “opted in” when you clicked “Accept” on a 40-page terms of service agreement while sitting in the dealership.

The Cybersecurity Frontier: Can Your Car Be Hacked?

Privacy is about who sees your data; cybersecurity is about who takes control of the machine. The “attack surface” of a 2025 model-year vehicle is massive. Between Bluetooth, Wi-Fi hotspots, keyless entry systems, and Over-the-Air (OTA) software updates, there are dozens of digital “doors” for a bad actor to knock on.

Research presented at the DEF CON hacking conference has repeatedly shown that vulnerabilities in a car’s infotainment system can, in some cases, provide a pathway to the Controller Area Network (CAN bus). The CAN bus is the nervous system of the car—it controls steering, braking, and acceleration. While there are no documented cases of mass “highway hacking” by rogue actors yet, the theoretical risk is high enough that the NHTSA has issued formal Cybersecurity Best Practices for the industry.

Relay attacks remain the most common real-world cybersecurity threat for the average owner. Thieves use a signal booster to “trick” your car into thinking your key fob is next to the door, allowing them to drive off in seconds. It is a low-tech “hack” that exploits a high-tech convenience.
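Why a relay succeeds, and what a car-side check would need to catch it, shown as an added example (not code from the original article or from any manufacturer): a relay forwards the real fob's cryptographically valid answer, so authentication alone passes, while bounding the round-trip time exposes the extra distance. This is a simplified model; the function names, the fixed fob processing time, the 2 m limit and the relay figures are constructed assumptions.

```python
import hashlib
import hmac
import os

C_M_PER_NS = 0.299792458    # speed of light, metres per nanosecond
FOB_PROCESSING_NS = 1000.0  # constructed: fixed time the fob takes to answer
MAX_DISTANCE_M = 2.0        # constructed: how close the fob must be to unlock


def fob_response(key: bytes, challenge: bytes) -> bytes:
    """The fob proves it holds the shared key by MACing the car's challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def round_trip_ns(path_m: float, relay_delay_ns: float = 0.0) -> float:
    """Time the car would measure between sending the challenge and the reply."""
    return 2 * path_m / C_M_PER_NS + FOB_PROCESSING_NS + relay_delay_ns


def car_decision(key, challenge, response, rtt_ns, check_rtt: bool) -> str:
    """Car-side check: valid MAC, and optionally a distance bound from the RTT."""
    if not hmac.compare_digest(fob_response(key, challenge), response):
        return "reject: bad response"
    if check_rtt:
        implied_m = (rtt_ns - FOB_PROCESSING_NS) * C_M_PER_NS / 2
        if implied_m > MAX_DISTANCE_M:
            return "reject: fob too far"
    return "unlock"


def simulate(path_m: float, relay_delay_ns: float, check_rtt: bool) -> str:
    """One unlock attempt; a relay forwards the genuine bytes, adding only delay."""
    key, challenge = os.urandom(32), os.urandom(16)
    response = fob_response(key, challenge)  # always produced by the real fob
    return car_decision(key, challenge, response,
                        round_trip_ns(path_m, relay_delay_ns), check_rtt)


if __name__ == "__main__":
    print("owner at 1 m, no RTT check:  ", simulate(1.0, 0.0, False))
    print("owner at 1 m, RTT check:     ", simulate(1.0, 0.0, True))
    print("relayed 30 m, no RTT check:  ", simulate(30.0, 200.0, False))
    print("relayed 30 m, RTT check:     ", simulate(30.0, 200.0, True))
```

The third case is the relay theft described above: the response is genuine, so a car that only verifies the key has no way to tell the fob is inside the house.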

Protecting Your Privacy: Practical Mitigation Strategies

You don’t have to go off the grid to protect yourself, but you do have to be intentional. The “default” settings on most new cars are designed to maximize data collection, not your privacy. Changing these settings is often buried three or four levels deep in the infotainment menu or within the manufacturer’s smartphone app.

Audit your smartphone connection. When you plug your phone in via USB to use Apple CarPlay or Android Auto, the car often asks for permission to sync your contacts and call history. Unless you specifically need to make calls via the car’s native interface, decline this. Your phone handles the interface; the car doesn’t need a permanent copy of your address book stored on its local hard drive.

Be ruthless with the manufacturer’s app. Apps like FordPass, MyChevrolet, or Tesla’s mobile app are significant data conduits. Check the “Data Sharing” or “Privacy” sections in these apps. You can often opt out of “Research and Development” sharing or “Marketing Partner” sharing while still keeping the remote start and locking features active.

Mind the hardware. The car’s built-in GPS is tied to the emergency roadside assistance system (like OnStar), so you can’t easily unplug it without losing safety features. For the physical security of your vehicle, however, using a Faraday pouch—a cheap, widely available signal-blocking sleeve—for your key fob at night can effectively kill the signal and prevent relay-style thefts.

Factory-reset before you sell or trade in. This one is overlooked constantly. Your infotainment system stores synced contacts, saved addresses, Wi-Fi passwords, and garage door codes. Before handing your keys to a dealer or a new buyer, perform a full factory reset from the settings menu and unpair the vehicle from your manufacturer app account.

Check your driving data reports annually. You can request a copy of your consumer disclosure report from LexisNexis and Verisk, the two major data aggregators that feed information to insurers. Reviewing these reports lets you see exactly what “driving score” data has been collected and dispute inaccuracies before they silently inflate your premiums.

The Regulation Gap in the USA

Unlike the European Union, which has the General Data Protection Regulation (GDPR), the United States lacks a singular, federal privacy law that covers automotive data. Your protections vary wildly depending on which state you live in.

California residents have the most leverage thanks to the California Consumer Privacy Act (CCPA), which allows them to request a copy of the data a manufacturer has collected and demand its deletion. For everyone else, the “Automotive Consumer Privacy Protection Principles” are a voluntary set of guidelines that most major OEMs have signed, but because they are voluntary, enforcement is thin.

In my assessment, we are approaching a tipping point where privacy will become a branded luxury feature. We may see a future where “Privacy Mode” is an optional subscription, or perhaps a selling point for brands that realize consumers are tired of being tracked. Until then, the burden of protection sits squarely on your shoulders.

The Future of Automotive Cybersecurity

As we move toward higher levels of autonomous driving, the stakes for cybersecurity shift from “privacy annoyance” to “life safety.” A self-driving car relies on a constant stream of external data to navigate, and if that data stream is spoofed or intercepted, the consequences are physical.

Automakers are currently hiring thousands of “white hat” hackers to find these holes before the bad guys do. According to J.D. Power’s latest Tech Experience Study, owners are becoming increasingly wary, with a growing segment of buyers stating they feel “overwhelmed” by the amount of tech in their cars. That “tech fatigue” might actually be a healthy instinct.

Final Thoughts for the Connected Driver

Privacy in a connected vehicle isn’t an all-or-nothing proposition. You can still enjoy the convenience of remote start and real-time navigation while limiting the amount of “lifestyle data” you leak to third parties. It simply requires a shift in how we view our vehicles.

Treat your car’s infotainment system with the same suspicion you would a new app on your phone. Be stingy with permissions, read the privacy settings during the initial setup, and stay informed about the data-sharing practices of the brand you drive. Your car might be watching the road, but someone else might be watching you.


Last Updated on March 18, 2026 by Kamakashi Singh
