How your smart car tracks you (and what you can do about it)

• Smart cars pose significant privacy concerns due to their extensive data collection practices.

• A recent study indicates that nearly every car manufacturer gathers information about its drivers, with a staggering 84% of them proceeding to share or sell this data.

• This information includes sensitive categories including biometric information, location data, personal details, and even sexual orientation.

• Privacy4Cars, a U.S.-based automotive company, introduced the Vehicle Privacy Report tool earlier this year to inform drivers of the extent of data collection by vehicles.

• ExpressVPN used this tool to analyze the most popular cars in the U.S., revealing how much information they collect.

• Until there are clearer regulations on car data privacy, there are steps you can take to safeguard your personal information from being collected and shared by your smart car.

• For example, opting out of data selling and behavioral advertising and using a privacy-focused VPN when connecting to your car’s Wi-Fi hotspot. 

Modern cars have become more than just vehicles; they’re rolling data centers, akin to smartphones on wheels, silently gathering a wealth of information about us as we drive. From tracking our routes to monitoring driving habits and even delving into biometric details, our vehicles are quietly accumulating a hoard of data, often without us even realizing it.

As cars become more automated and connected, the companies behind them are gaining more control over their functionality and data collection. This transition raises a pressing concern over privacy, as our locations and personal information are funneled back to manufacturers and, in some cases, traded by questionable third parties.

In fact, a recent study by the Mozilla Foundation labeled cars as the worst product category they’ve ever evaluated for privacy. Alarming findings include excessive collection of personal data, widespread data sharing, and a notable lack of user control over their information. This situation highlights the urgent need for clearer regulations on car data privacy. 

However, until these measures are in place, drivers can take a proactive step by staying informed. Join us as we guide you on what you need to know about how your smart car tracks you, the data it shares, and what you can do about it.

Jump to…
What your car knows
How your car collects data
How your new car tracks you
Why smart cars are a privacy nightmare
The extent of data collection
Where does your personal data go?
Analyzing top car models in the U.S.
The road ahead: smart car data regulation
How to stop your car spying on you

What your car knows 

Every time you use your turn signal, you’re not just activating a light; you’re sending a digital message through your car’s intricate internal network. This seemingly small action speaks volumes about the incredible advancement of automobiles.

Since the 1970s, cars have housed computers, but today’s smart cars are in a league of their own. McKinsey predicts that by 2030, up to 95% of new vehicles sold worldwide will be connected. 

These modern vehicles feature an array of advanced features, relying on touch-sensitive panels and screens that respond to the slightest touch, a wave, or even a voice command. However, this progress comes with a notable consequence: Every interaction with your car generates a record, from turning the wheel to unlocking the doors. This information is typically collected and stored by the car company.

How your car collects your data 

Telematics 

Braking intensity, acceleration, headlight usage, windshield wiper activation, and even opening your driver’s side door all contribute to a detailed profile of you as a driver. This wealth of data has given rise to an entire industry centered around telematics, the art and science of monitoring, logging, and analyzing driving behavior. It underpins incentives like good-driver discounts offered by insurance companies and ushers in a new era of personalized driving experiences.

Connected services and devices

But your car’s capabilities extend beyond the physical actions you perform while driving. Services accessible through your car’s dashboard, like radio stations, the channels you watch on your car’s infotainment system, or a GPS route planner also contribute to the data it collects. Car companies can also access data from your phone when you download your car’s app.

External data sources

Car companies can also gather additional information about you from data brokers, car dealers (who have information from test drives), your social media profiles, and government sources.

20 ways your smart car tracks you 

Let’s delve into the specifics. Here’s how a smart car can track its driver:

1. Location tracking

GPS technology allows smart cars to pinpoint their exact location, enabling features like navigation and providing data on travel patterns.

2. Traffic patterns and congestion

Smart cars can collect data on traffic patterns and congestion, which can be used to improve navigation and routing algorithms. However, this data can also be used to track individual vehicles and their movements.

3. Driving behavior

Smart cars monitor factors like acceleration, braking, speed, and steering patterns to analyze how a driver operates the vehicle.

4. In-vehicle preferences

These include settings like seat position, climate control, and entertainment choices, which are recorded to provide a personalized driving experience.

5. Biometric data

Some smart cars can collect biometric data, such as fingerprints and facial scans. This data can be used for security purposes, such as unlocking the car or starting the engine.

6. Data from synced devices 

Depending on the manufacturer, your smart car may have the ability to access and collect data from your synchronized mobile devices. This includes call logs, messages, and app usage. 

7. External cameras and sensors

Smart cars use a variety of sensors and cameras to monitor their surroundings, enabling features like parking assistance, lane-keeping, and collision avoidance.

8. Environmental data

Smart cars can also collect data on the environment around them, such as air quality, temperature, and road conditions. This data can be used to improve navigation, safety systems, and environmental monitoring.

9. Voice recognition

Smart cars with voice recognition systems can track what the driver and passengers say. This data can be used to control the car’s features, such as the climate control, navigation system, and infotainment system.

10. Trip log information

This includes information about when you start and end a journey, as well as details of the trip (e.g., route taken).

11. Airbag system data

Some cars collect data related to the airbag system, including weight and body position information, which is stored onboard. This data can be used to diagnose vehicle problems and investigate accidents.

12. On-board data

This refers to data generated by the car, but not necessarily sent to the manufacturer, unless accessed using external data extraction tools. It covers a wide range of information, including engine performance, tire pressure, and fluid levels, helping with maintenance and diagnostics.

13. Media analytics

Information about what you listen to in your car, such as radio stations and media sources, may be tracked. This includes which shows and channels are watched on the rear seat infotainment system, logins to various streaming sites, and data on which features of the infotainment system are used, such as navigation, music, and settings adjustments.

14. Battery, ignition, and window data

Information about the vehicle’s state, including battery status, ignition status, and window positions, can be collected.

15. Diagnostic information

Smart cars can track a variety of diagnostic information, such as fault codes and system performance data. This data can be used to diagnose vehicle problems and improve vehicle reliability.

16. Stability control and anti-lock events

Recording instances where these safety features are activated provides insights into driving conditions and potential hazards.

17. Security/theft alerts

Smart cars can generate security and theft alerts. These alerts can be sent to the vehicle owner’s smartphone or to a monitoring service.

18. Wi-Fi data usage

Smart cars can track Wi-Fi data usage, such as what websites the driver and passengers visit. This data can be used to personalize the driving experience and target advertising.

19. Home energy usage 

Electric vehicles can track home energy usage. This includes data on charging habits and energy consumption patterns.

20. Vehicle maintenance

Smart cars can collect data on their own performance and maintenance needs. This data can be used to improve vehicle reliability and safety, but it can also be used to track individual usage.

Why smart car tracking is a privacy nightmare 

Smart cars have revolutionized our driving experience, offering unprecedented connectivity and convenience. However, they come with a significant drawback—a serious invasion of privacy and security. In fact, few products collect as much information about an individual’s actions, whereabouts, and conversations as a smart car.

The extent of data collection

Smart vehicles are continuously gathering data, transmitting it wirelessly to manufacturers, and often sharing it with third-party service providers. The range of information collected is staggering:

Personal details: Name, age, address, Social Security number, driver’s license number.
Location specifics: Precise GPS data, route history, and driving schedule.
Digital footprint: IP address, mobile device location, search content.
Demographic insights: Gender, ethnicity, and other personal details.
Financial information: Payment details, acquisition, and financing of the vehicle.
Biometric data: Facial, voice, and fingerprint recognition.
Behavioral patterns: Driving habits, style, and even 3D images around your vehicle.

And smart car makers don’t stop there. Through external data sources, they go a step further, delving into aspects like income, immigration status, race, and even intimate details like sexual activity (we kid you not) and genetic information. They can even access your photos, calendars, and to-do lists if your privacy settings allow them.

Where does your personal data go?

Manufacturers are legally bound to outline these practices in their privacy policies, however, the complexity of these documents often confuses consumers. And while these policies vary by car maker, the primary recipients of this data include:

• Service providers (although, not specified which ones)
• Government agencies
• Law enforcement
• Advertising and research companies
• Other drivers (usually to improve traffic flow or report accidents) 
• Dealers
• Social media platforms
• Data brokers
• Tech giants like Apple CarPlay, Android Auto, and Amazon Alexa
• Affiliates
• SiriusXM, OnStar, and other connected services

The murky world of data brokers 

One of the most troubling aspects of smart car tracking lies in the involvement of data brokers. These entities operate in a shadowy realm, trading car-generated data without obtaining the explicit consent of vehicle owners. This practice raises significant concerns, including: 

1. Personal data misuse: When companies fail to be transparent about how they handle personal data, it erodes the principle of informed consent. This puts individuals at risk of having their personal information exploited.
2. Targeted advertising: Data brokers can use driver information to bombard individuals with customized advertising. This often happens without people knowing how their data was obtained in the first place. 
3. Invasive surveillance: This data can be abused for more sinister purposes, enabling unwelcome surveillance that intrudes on personal privacy.
4. Discrimination and profiling: Data brokers can compile detailed sets of information to create highly specific profiles of individuals. This can lead to potential discrimination based on factors like race, income, or lifestyle. It can also result in profiles that don’t accurately reflect an individual’s true characteristics.

The unregulated nature of data brokerage raises questions about accountability. With no clear oversight or standardized industry practices, it’s challenging to hold these entities responsible for any misuse or mishandling of the data they acquire.

Hackers can get access to your data 

The trade of sensitive information by data brokers also introduces potential security vulnerabilities. In the event of a data breach or cyberattack, this valuable information could fall into the wrong hands, exposing individuals to a range of risks, from identity theft to stalking.

Sixty-eight percent of car brands have a bad track record, indicating recent lapses in protecting their users’ privacy through leaks, breaches, or hacks. Some of the most notable incidents include:

• Volkswagen and Audi: In 2021, a data breach between the sister companies impacted 3.3 million users.
• Toyota: Over the course of ten years, from 2013 to 2023, Toyota exposed data from 2.15 million users, highlighting a prolonged lapse in data security.
• Mercedes-Benz: In June 2022, Mercedes-Benz disclosed a data leak stemming from a third-party vendor, compromising the personal information of potentially 1.6 million prospective and existing customers. This included sensitive details such as names, street addresses, email addresses, and phone numbers.

These breaches can have far-reaching consequences for individuals, from identity theft to targeted cyberattacks.

Your smart car data can be used against you 

Another concerning aspect of smart car data collection is that it can be used against you in a court case. Law enforcement agencies globally are increasingly accessing personal car data for investigative purposes. This not only includes location history but also personal communications. 

Vehicle manufacturers are known for sharing voice recordings and location history, often without the knowledge or consent of the occupants. In some instances, individuals haven’t even signed up for the service, yet their movements are being recorded.

According to the Mozilla Foundation, 56% of car manufacturers said that they share their drivers’ information with the government or law enforcement in response to a “request,” be it formal or informal. 

Analyzing the top car models in the U.S.

To create more awareness about data collection practices, Privacy4Cars, a U.S. automotive firm, unveiled its Vehicle Privacy Report earlier this year. 

The online tool works by utilizing the Vehicle Identification Number (VIN) of a car, a unique identifier much like a fingerprint for vehicles. It then cross-references this with each manufacturer’s public policy documents, giving a comprehensive picture of the data landscape. Through this, the report reveals the huge amount of information that our smart cars are capable of collecting and transmitting to manufacturers.

The tool categorizes vehicles as either a “smartphone on wheels” or a “hard drive on wheels”. The latter designation is used for vehicles that have telematics, but the cellular connection is no longer functional (due to it being 3G or older technology). 

To gain further insights, using publicly available VIN numbers, we ran the five most popular cars in America (according to research by automotive platform Edmunds Inc.) through the Privacy4Cars tool. Here’s what we found: 

2023 Chevrolet Silverado

The Chevy Silverado holds its crown as the top-selling vehicle in the U.S. in 2023. However, due to its advanced telematics capabilities, it actively gathers a wealth of data on both the driver and the vehicle’s operations.

This data collection covers personal details like names, addresses, and email addresses. It also extends to biometric markers such as fingerprints or facial features, all while keeping tabs on the driver’s whereabouts. Though the policy’s wording regarding synchronized phone data can be convoluted, the vehicle crafts user profiles based on individual driver habits and preferences.

The scope of data collection is broad, spanning from camera imagery and sensor metrics to voice commands, stability control, and anti-lock events. It leaves no stone unturned, even logging infotainment system use, from radio to rear-seat entertainment.

In addition to these details, the Silverado logs specific information like battery status, ignition details, window operation, gear status, and diagnostic information. It tracks the driver’s journey, recording location, route history, speed, and noteworthy driving events like braking, swerving, and cornering.

Regarding data sharing, the Silverado divulges information to affiliates within the General Motors network, third-party service providers, insurers, and government agencies. However, the policy leaves a question mark on whether data is shared with data brokers, as the manufacturer neither explicitly affirms nor denies this in its policy.

2023 Ford F-150

Like its contemporaries, the light-duty pickup doesn’t have information about data deletion, despite it collecting a wealth of information about its owners. This includes names, locations, and driving license details. The manufacturer is also keen on identifiers and user profiles and also keeps track of location details. However, the car’s stance on synchronized phones and biometric data is a bit hazy. 

A driver’s habits aren’t off the radar either. Ford keeps tabs on speed, pedal usage, and even seatbelt engagement. The vehicle acts as a silent recorder, documenting routes, speed, and even local weather conditions.

When it comes to sharing, Ford isn’t shy. They disseminate data to affiliates, service providers, insurers, and government bodies. The stance on data brokers, however, remains elusive.

2023 RAM 1500

RAM is owned by Stellantis, a firm that was created when Fiat Chrysler Automobiles and the Peugeot group merged in 2021. As a result, RAM uses the same connected services privacy policy and terms of service as Chrysler, Dodge, and Fiat.

When it comes to personal data, RAM opts for a “no-deletion” policy, including personal identifiers from names and addresses to Social Security numbers and driving license details, as well as biometrics. RAM also monitors driving habits, recording timestamps, speed, acceleration, and braking. The vehicle tracks journey details like location, weather, and routes taken. It even keeps an eye on its own status, monitoring refueling, battery levels, and camera imagery. 

In terms of synchronized phones, RAM’s policy is nuanced. While data isn’t directly taken from synced phones in the vehicles, an exception exists for RAM’s own branded mobile remote apps.

On the upside, RAM provides three avenues for individuals to manage their personal data in most of their new vehicles. This includes toggling geo-location data collection, opting in or out of specific data uses through digital channels, and requesting the “right to be forgotten.”

2023 Honda CR-V

Honda’s data collection practices involve gathering a wide range of information, which the company categorizes as “covered information.” This includes personally identifying details such as contact information, Social Security numbers, and driving license information. 

Unlike some of Honda’s other models, the CR-V specifically collects information about the vehicle’s status, including fuel levels, tire pressure, and battery charge. The car also records trip log data, such as the start and end times of journeys, and monitors the status of the airbag system. 

Additionally, the CR-V collects information on how the connected features of the vehicle are used, which can include search history, call logs, and voice commands (which potentially include audio recordings). Driver behavior information is also tracked, including details like pedal position, engine speed, and steering angle.

Regarding biometric data, it’s unclear how Honda utilizes this type of information as it’s not explicitly stated in the car’s privacy policy. However, it has said through a spokesperson that its cars in the U.S. have systems that transfer biometrics to the company. 

On top of that, the airbag system may collect weight and body position information, but this data is stored locally on the onboard computer and can only be accessed through a physical connection, with state and federal laws governing who can access it.

2023 Tesla Model Y

Tesla doesn’t have a straightforward policy for deleting user data, which suggests that information could potentially be held indefinitely. This raises concerns about how much control users actually have over their personal information.

What’s more, Tesla’s privacy policy gives the company a wide berth in terms of using and sharing user data for what the company deems “necessary or appropriate” purposes. While this provides Tesla with flexibility, it also means that users have limited influence over how their information gets put to use.

Tesla is open about collecting data about its drivers in the form of personal identifiers, it also tracks location data. However, the company’s policies around synchronized phone information user-profiles and biometrics are a bit of a mystery, leaving users uncertain about how this particular category is managed.

As for data sharing, Tesla collaborates extensively with affiliates, service providers, insurance companies, and government bodies. However, it’s not entirely clear to what extent data is shared with data brokers. This omission in Tesla’s privacy policy, like the ones above, should be a significant concern for drivers. 

The road ahead: calls for stronger smart car data regulations

Most smart car brands fall short in data use and security, demonstrating poor data control. None of the policies outlined by the majority of smart car manufacturers offers a comprehensive view of how driver data is utilized and shared.

The notion of “consent” in the world of smart cars is also often illusory. Unlike optional smart home devices, driving is a necessity for many. Companies frequently sidestep or presume consent, assuming you’ve read and agreed to their policies before you even get into their vehicle. Subaru, for example, states that passengers implicitly “consent” to the use, and potentially sale, of their personal information simply by being inside.

Tesla takes it a step further, allowing you to opt out of data collection, but with a veiled warning that it may impair your car’s functionality. Nissan goes so far as to burden you with the responsibility of informing others about your car’s privacy policies.

This stark disadvantage faced by consumers when it comes to smart cars has prompted Senator Elizabeth Warren to get involved. In November 2022, she addressed this escalating concern, highlighting the pressing need for action. 

In a six-page letter to the top antitrust enforcers in the U.S., Lina Khan, chair of the Federal Trade Commission, and Jonathan Kanter, head of the antitrust division of the Justice Department, she expressed profound unease over the rising competition and consumer protection issues linked to smart vehicles.

The Surveillance Technology Oversight Project (STOP) took it a step further with their report titled “Wiretap on Wheels,” where they emphasized: 

“Modern cars collect a huge amount of data, stored indefinitely onboard and in the cloud. The data tracks not just the car, but its occupants: it records our location history, phone contents (contacts, emails, texts, tweets, social media feeds), voice recordings, weight, and other biometric data. If this sounds creepily expansive, it is. Car data often is collected for the benefit of manufacturers, not drivers.

Our information fuels a billion-dollar industry centered on subscription services and on selling drivers’ data to third parties, including law enforcement. Many cars on the road feed this industry: 84 million connected cars beamed data to manufacturers and other companies in the U.S. in 2021. Drivers can refuse some data collection, but saying “no” often comes at the cost of passenger safety: no data, no emergency roadside service, or built-in navigation tools.”

The urgency for action is clear. There’s a critical need for more robust regulation and oversight in the smart car industry. Clearer, stricter guidelines governing data collection, sharing, and resale are vital to protect the privacy and security of vehicle owners. However, until these regulatory measures are firmly established, it’s important that consumers take proactive steps to safeguard their data. 

12 ways to protect yourself from your car spying on you

A vigilant awareness of privacy policies and the use of tools like Privacy4Cars are important steps in the effort to add an extra layer of defense against unwarranted data collection. Here are a few more tips on how to shield yourself against the relentless data collection and potential sale of your personal information by smart cars:

1. Consider older, non-connected models

One effective approach to safeguarding your privacy is to opt for an older, used car that lacks internet connectivity and cameras. By doing so, you can significantly reduce the potential points of data collection and minimize the risk of unwanted surveillance.

2. Be cautious of the information you share on social media 

It’s important to be mindful of the information you share, especially on social media platforms or when communicating with friends and family. Avoid disclosing sensitive details about your smart car, such as its location or your travel plans on social media, and rather opt for messaging platforms that have end-to-end encryption like WhatsApp or Telegram. 

3. Embrace open-source solutions

An emerging trend in the automotive industry mirrors the competition between open-source Android and closed-source iOS in the smartphone realm. Look for car manufacturers that offer open-source options, enabling users to have greater control over their car’s operating system and, consequently, their data privacy.

4. Disable tailored advertisements

In your contract when purchasing a vehicle, refuse consent for personalized advertisements to prevent the sharing of your personal information for targeted marketing.

5. Opt-out of data selling and behavioral advertising

Take advantage of opt-out options to limit the sharing of your personal data and cross-context behavioral advertising.

6. Perform a factory reset

Before selling or trading in your car, ensure you conduct a factory reset to erase all personal data and disconnect any associated apps. The same goes for purchasing a used car—confirm that the previous owner has removed their connected account.

7. Strengthen security measures

Implement robust passwords and enable two-factor authentication for apps and services linked to your car.

8. Exercise data caution

Grant access to your data only to trusted third parties and limit data collection through mobile apps using iOS or Android settings.

9. Disable location sharing

Opt out of location sharing on your mobile device to restrict access to your real-time whereabouts.

10. Evaluate voice assistants

If you’re concerned about data collection, reconsider using voice assistants like Amazon Alexa, which may gather voice requests, IP addresses, and geolocation information for advertising purposes.

11. Keep software updated for enhanced security

Regularly updating your smart car’s software is a critical measure in fortifying your privacy defenses. Manufacturers frequently release security patches that address vulnerabilities. By staying up-to-date, you ensure that your vehicle is equipped with the latest protections against potential intrusions.

12. Use a privacy-focused VPN for added security

When connecting to your car’s Wi-Fi hotspot, consider using a privacy-focused VPN like ExpressVPN. This technology creates a secure tunnel for your data, shielding it from prying eyes. It also adds an extra layer of protection, making it significantly more challenging for any potential eavesdroppers to intercept your online activities.

Cause for concern or a necessity? What are your thoughts on smart car data privacy practices?