Every Way Your Car Is Already Spying on You

Powered by privacy-invasive tech, modern cars can collect everything from your location to biometrics. Here's what they track, who they share it with, and how to stay safe.
We receive compensation from the products and services mentioned in this story, but the opinions are the author's own. Compensation may impact where offers appear. We have not included all available products or offers. Learn more about how we make money and our editorial policies.

The auto industry is at a critical juncture from a privacy standpoint, with the EU first in the firing line. Every new car sold in the region from July 7, 2026 must include an infrared camera pointed at the driver to alert them when they’re distracted.[1]

Known as the Advanced Driver Distraction Warning (ADDW) system, it flashes a warning light and sounds an alert if you look away from the road for more than six seconds at lower speeds or 3.5 seconds at highway speeds.

While the technology could help reduce crashes, it has also raised serious privacy concerns. What happens to the data collected by these cameras? How long is it stored? Is it shared or sold to third parties? While the data will be kept on a closed-loop system for now, the privacy creep has advocates nervous about potential implications.

More importantly, the debate over ADDW highlights a much bigger issue: How much personal data is your car already collecting?

In this article
What data does your car collect
What car companies do with your data
Real-world examples of car data misuse
What can you do to protect yourself
Bottom line

What data does your car collect

The Mozilla Foundation recently released a report covering 25 car brands, each of which earned its "Privacy Not Included" warning label, making cars the worst product category for privacy that the foundation has ever reviewed.

None of the car brands were able to meet Mozilla's minimum security standards, which include basic measures such as encrypting the personal information stored in the car.

Out of all the brands reviewed, Tesla was the worst-performing, with Mozilla calling its AI technology "untrustworthy." The company's Autopilot system has reportedly been involved in 17 deaths and 736 crashes so far, which remain the subject of ongoing government investigations.

Brands like Nissan and Kia are no better, as they can collect highly sensitive data, including information about your sexual activity. As many as six car companies say they can gather information about your genetic characteristics.

The report also highlighted the different types of personal data that car manufacturers may collect:

  • Name, address, phone number, and email address
  • Age and demographic information
  • Device location and driving route history
  • Financial account details
  • Driver's license number
  • IP address
  • Health insurance information
  • Facial geometric features and biometric information
  • Behavioral and biological characteristics
  • Sleep data, health data, and other physical characteristics
  • Language preferences
  • Calendar entries
  • Employment history
  • Multimedia service credentials
  • Vehicle speed, driving habits, and driving style

The scary part is that this is not even an exhaustive list. Car companies are capable of collecting far more data about you.

Another report from the Mozilla Foundation found that around 52% of car manufacturers can collect information about the world around your car, such as the weather, road surface, traffic signs, and other surroundings.

Most of these manufacturers also use broad language in their privacy policies, including qualifying terms such as “including,” “such as,” “or,” etc. This means the list provided is only a sample of the data they may collect, and drivers are never given the full picture.

Honda goes a step further and states in its privacy policy that it can collect personal information as described in Cal. Civ. Code § 1798.80(e). This essentially means it can collect just about any information that "identifies, relates to, describes, or is reasonably capable of being associated with a particular individual."

What car companies do with your data

Around 84% of the car brands simply said they can share your personal data, while around 56% of manufacturers said they can share information with the government or law enforcement based on something as trivial as an "informal request."

This means that car manufacturers do not necessarily need to be subpoenaed or served with a court order before sharing your information; they may do so even in response to an informal request from government agencies.

And yet, there's more. A staggering 88% of car manufacturers also said they can draw inferences about you based on the data they collect and may sell those inferences to third parties. This means they could combine the information they collect to build a detailed profile of your preferences and behavior.

The dangers of this kind of profiling extend far beyond personalized ads. Detailed profiles can be used to influence your behavior, target you with highly personalized marketing, or even determine the prices and offers you receive.

In the worst-case scenario, if this information is shared, sold, or exposed in a data breach, it could also end up in the hands of cybercriminals, who may use it to commit identity theft, financial fraud, or highly convincing phishing attacks.

Real-world examples of car data misuse

We only have to look at the case of General Motors (GM) and OnStar to understand the extent of the damage that personal data collection by car manufacturers can cause.

First reported by The New York Times, GM and OnStar were accused in March 2024 of collecting, using, and selling drivers' precise geolocation data (collected every three seconds), along with driving behavior data, to data brokers LexisNexis and Verisk.

GM allegedly then sold the data to insurance providers, who could use it to influence insurance pricing. The FTC imposed a five-year ban on GM and OnStar from sharing consumers' connected vehicle data, finding that the companies had used a misleading enrollment process to sign users up for the OnStar Smart Driver feature.

They didn’t adequately disclose what kinds of data would be collected or that the information would be sold to third parties. The order required GM to obtain explicit consent from consumers before collecting, using, or sharing connected vehicle data.

In addition to collecting data through a vehicle's built-in telematics (as in the GM case), which logs information such as speed, location, and braking, manufacturers can also collect data through a second route — a hidden software development kit (SDK) embedded within a mobile app.

The Texas Attorney General, in January 2025, filed a lawsuit against Allstate and its subsidiary Arity, alleging that apps like GasBuddy, Routely, Life360, and Fuel Rewards contained an Allstate-developed SDK capable of tracking more than 45 million Americans.

This data was then used by Allstate and other insurers to increase car insurance premiums, all without the knowledge of the drivers.

What can you do to protect yourself

Unfortunately, there’s no single federal law in the U.S. protecting drivers from the unauthorized sale of their personal information. This makes it important to be aware of the privacy rights available in your state.

Additionally, here are some steps you can take to minimize the amount of personal information collected and shared by automobile manufacturers:

  • Opt out when possible: The California Consumer Privacy Act (CCPA) allows residents to opt out of the sale or sharing of their personal information. California also offers the Delete Request and Opt-Out Platform (DROP), where residents can submit opt-out and deletion requests to registered data brokers. Similarly, Texans have comparable rights under the Texas Data Privacy and Security Act (TDPSA), including the right to access, correct, and delete personal information collected about them.
  • Review your vehicle's privacy settings and connected services: Many modern automobile manufacturers allow you to manage your data-sharing preferences through either a companion app or directly from your car's infotainment system. Take the time to review your manufacturer's privacy policy to understand the kind of data it collects and whether it shares that information with third parties. For instance, you may not need features like real-time diagnostics or driver score tracking.
  • Be cautious with connected third-party apps: As highlighted by the Texas case, even third-party applications can track your driving information. Make sure you only download trusted apps from verified sources. Even then, minimize the amount of data they collect by refusing to grant permissions that are unnecessary for using the app.
  • Beware when buying second-hand cars: Always make sure the previous owner has performed a full factory reset and disconnected all devices and apps before you take possession of the car.
  • Use an identity theft protection service: It can alert you if your information is exposed in the wild, helping you act before criminals can misuse it. Many services also offer data broker removal, submitting opt-out and deletion requests on your behalf to reduce the amount of personal information that's publicly available online.

Bottom line

With modern cars becoming closer to computers on wheels, the amount of personal data they collect without your meaningful consent is also at an all-time high.

By selling this data to brokers and insurers, car manufacturers may directly contribute to higher insurance premiums. Worse still, the sheer volume of data they collect puts drivers at an increased risk of cyberattacks.

Fortunately, there has been significant legal pushback against manipulative automobile data collection practices, particularly in U.S. states like California and Texas.

On a personal level, you should educate yourself about your state’s privacy laws, opt out of data collection programs wherever such options are available, limit the access you grant your vehicle's connected systems, and use third-party tools like an identity theft protection service to stay on top of any data leaks.

4.8
Editorial Rating
Get Deal
On Aura Identity Theft's website
2026 Editors’ Choice
Best Overall Identity Theft Protection Service
Identity Protection
Aura Identity Theft
PROMOTION: Save Up to 68%
  • ID theft protection that monitors your SSN, bank accounts, credit cards, and brokerage and retirement accounts for suspicious activity
  • Every plan includes the full feature set, so no additional cost to unlock monitoring, insurance, or restoration
  • Bundles data removal with identity theft protection, antivirus, VPN, and a password manager in one subscription

Author Details
Krishi Chowdhary specializes in digital privacy, cybersecurity, and consumer technology. He has written extensively on online privacy tools and broader cybersecurity topics, including online scams, data breaches, age verification, and emerging digital threats. Krishi believes technology reporting should empower readers, not confuse them, and is committed to making even the most technical subjects easy to understand without compromising on accuracy or depth. His work has appeared in leading technology publications, including CNET, ExpressVPN, and TechRadar, where he has covered topics ranging from cybersecurity incidents and privacy product announcements to artificial intelligence and major technology news

Citations

[1] Commission Delegated Regulation (EU) 2023/2590 – Advanced Driver Distraction Warning (EUR-Lex)