All About Cookies is an independent, advertising-supported website. Some of the offers that appear on this site are from third-party advertisers from which All About Cookies receives compensation. This compensation may impact how and where products appear on this site (including, for example, the order in which they appear).
All About Cookies does not include all financial or credit offers that might be available to consumers nor do we include all companies or all available products. Information is accurate as of the publishing date and has not been provided or endorsed by the advertiser.
The All About Cookies editorial team strives to provide accurate, in-depth information and reviews to help you, our reader, make online privacy decisions with confidence. Here's what you can expect from us:
- All About Cookies makes money when you click the links on our site to some of the products and offers that we mention. These partnerships do not influence our opinions or recommendations. Read more about how we make money.
- Partners are not able to review or request changes to our content except for compliance reasons.
- We aim to make sure everything on our site is up-to-date and accurate as of the publishing date, but we cannot guarantee we haven't missed something. It's your responsibility to double-check all information before making any decision. If you spot something that looks wrong, please let us know.
The auto industry is at a critical juncture from a privacy standpoint, with the EU first in the firing line. Every new car sold in the region from July 7, 2026 must include an infrared camera pointed at the driver to alert them when they’re distracted.[1]
Known as the Advanced Driver Distraction Warning (ADDW) system, it flashes a warning light and sounds an alert if you look away from the road for more than six seconds at lower speeds or 3.5 seconds at highway speeds.
While the technology could help reduce crashes, it has also raised serious privacy concerns. What happens to the data collected by these cameras? How long is it stored? Is it shared or sold to third parties? While the data will be kept on a closed-loop system for now, the privacy creep has advocates nervous about potential implications.
More importantly, the debate over ADDW highlights a much bigger issue: How much personal data is your car already collecting?
What car companies do with your data
Real-world examples of car data misuse
What can you do to protect yourself
Bottom line
What data does your car collect
The Mozilla Foundation recently released a report covering 25 car brands, each of which earned its "Privacy Not Included" warning label, making cars the worst product category for privacy that the foundation has ever reviewed.
None of the car brands were able to meet Mozilla's minimum security standards, which include basic measures such as encrypting the personal information stored in the car.
Out of all the brands reviewed, Tesla was the worst-performing, with Mozilla calling its AI technology "untrustworthy." The company's Autopilot system has reportedly been involved in 17 deaths and 736 crashes so far, which remain the subject of ongoing government investigations.
Brands like Nissan and Kia are no better, as they can collect highly sensitive data, including information about your sexual activity. As many as six car companies say they can gather information about your genetic characteristics.
The report also highlighted the different types of personal data that car manufacturers may collect:
- Name, address, phone number, and email address
- Age and demographic information
- Device location and driving route history
- Financial account details
- Driver's license number
- IP address
- Health insurance information
- Facial geometric features and biometric information
- Behavioral and biological characteristics
- Sleep data, health data, and other physical characteristics
- Language preferences
- Calendar entries
- Employment history
- Multimedia service credentials
- Vehicle speed, driving habits, and driving style
The scary part is that this is not even an exhaustive list. Car companies are capable of collecting far more data about you.
Another report from the Mozilla Foundation found that around 52% of car manufacturers can collect information about the world around your car, such as the weather, road surface, traffic signs, and other surroundings.
Most of these manufacturers also use broad language in their privacy policies, including qualifying terms such as “including,” “such as,” “or,” etc. This means the list provided is only a sample of the data they may collect, and drivers are never given the full picture.
Honda goes a step further and states in its privacy policy that it can collect personal information as described in Cal. Civ. Code § 1798.80(e). This essentially means it can collect just about any information that "identifies, relates to, describes, or is reasonably capable of being associated with a particular individual."
What car companies do with your data
Around 84% of the car brands simply said they can share your personal data, while around 56% of manufacturers said they can share information with the government or law enforcement based on something as trivial as an "informal request."
This means that car manufacturers do not necessarily need to be subpoenaed or served with a court order before sharing your information; they may do so even in response to an informal request from government agencies.
And yet, there's more. A staggering 88% of car manufacturers also said they can draw inferences about you based on the data they collect and may sell those inferences to third parties. This means they could combine the information they collect to build a detailed profile of your preferences and behavior.
The dangers of this kind of profiling extend far beyond personalized ads. Detailed profiles can be used to influence your behavior, target you with highly personalized marketing, or even determine the prices and offers you receive.
Real-world examples of car data misuse
We only have to look at the case of General Motors (GM) and OnStar to understand the extent of the damage that personal data collection by car manufacturers can cause.
First reported by The New York Times, GM and OnStar were accused in March 2024 of collecting, using, and selling drivers' precise geolocation data (collected every three seconds), along with driving behavior data, to data brokers LexisNexis and Verisk.
GM allegedly then sold the data to insurance providers, who could use it to influence insurance pricing. The FTC imposed a five-year ban on GM and OnStar from sharing consumers' connected vehicle data, finding that the companies had used a misleading enrollment process to sign users up for the OnStar Smart Driver feature.
They didn’t adequately disclose what kinds of data would be collected or that the information would be sold to third parties. The order required GM to obtain explicit consent from consumers before collecting, using, or sharing connected vehicle data.
In addition to collecting data through a vehicle's built-in telematics (as in the GM case), which logs information such as speed, location, and braking, manufacturers can also collect data through a second route — a hidden software development kit (SDK) embedded within a mobile app.
The Texas Attorney General, in January 2025, filed a lawsuit against Allstate and its subsidiary Arity, alleging that apps like GasBuddy, Routely, Life360, and Fuel Rewards contained an Allstate-developed SDK capable of tracking more than 45 million Americans.
This data was then used by Allstate and other insurers to increase car insurance premiums, all without the knowledge of the drivers.
What can you do to protect yourself
Unfortunately, there’s no single federal law in the U.S. protecting drivers from the unauthorized sale of their personal information. This makes it important to be aware of the privacy rights available in your state.
Additionally, here are some steps you can take to minimize the amount of personal information collected and shared by automobile manufacturers:
- Opt out when possible: The California Consumer Privacy Act (CCPA) allows residents to opt out of the sale or sharing of their personal information. California also offers the Delete Request and Opt-Out Platform (DROP), where residents can submit opt-out and deletion requests to registered data brokers. Similarly, Texans have comparable rights under the Texas Data Privacy and Security Act (TDPSA), including the right to access, correct, and delete personal information collected about them.
- Review your vehicle's privacy settings and connected services: Many modern automobile manufacturers allow you to manage your data-sharing preferences through either a companion app or directly from your car's infotainment system. Take the time to review your manufacturer's privacy policy to understand the kind of data it collects and whether it shares that information with third parties. For instance, you may not need features like real-time diagnostics or driver score tracking.
- Be cautious with connected third-party apps: As highlighted by the Texas case, even third-party applications can track your driving information. Make sure you only download trusted apps from verified sources. Even then, minimize the amount of data they collect by refusing to grant permissions that are unnecessary for using the app.
- Beware when buying second-hand cars: Always make sure the previous owner has performed a full factory reset and disconnected all devices and apps before you take possession of the car.
- Use an identity theft protection service: It can alert you if your information is exposed in the wild, helping you act before criminals can misuse it. Many services also offer data broker removal, submitting opt-out and deletion requests on your behalf to reduce the amount of personal information that's publicly available online.
Bottom line
With modern cars becoming closer to computers on wheels, the amount of personal data they collect without your meaningful consent is also at an all-time high.
By selling this data to brokers and insurers, car manufacturers may directly contribute to higher insurance premiums. Worse still, the sheer volume of data they collect puts drivers at an increased risk of cyberattacks.
Fortunately, there has been significant legal pushback against manipulative automobile data collection practices, particularly in U.S. states like California and Texas.
On a personal level, you should educate yourself about your state’s privacy laws, opt out of data collection programs wherever such options are available, limit the access you grant your vehicle's connected systems, and use third-party tools like an identity theft protection service to stay on top of any data leaks.
[1] Commission Delegated Regulation (EU) 2023/2590 – Advanced Driver Distraction Warning (EUR-Lex)