HydraWatch All articles
Account Security & Privacy

Driven to Data: The Surveillance Economy Hidden Inside Your Connected Vehicle

HydraWatch
Driven to Data: The Surveillance Economy Hidden Inside Your Connected Vehicle

When most Americans think about the devices in their lives that collect personal data, they think about smartphones, smart speakers, and laptops. Few think about the vehicle parked in their driveway. That oversight is increasingly costly. The connected car — equipped with GPS, cellular modems, onboard cameras, microphones, and Bluetooth pairing — has evolved into a rolling data collection platform whose appetite for personal information rivals that of the most aggressive consumer technology products on the market.

A landmark 2023 investigation by Mozilla's Privacy Not Included project examined the privacy practices of 25 major automakers and concluded that cars represented the worst product category it had ever reviewed. Every brand studied failed its minimum privacy standards. Most collected far more data than necessary for vehicle operation, and the majority reserved the right to share or sell that information to third parties.

What Your Vehicle Is Actually Recording

The data a modern connected vehicle generates falls into several distinct categories, and understanding them separately helps clarify why the aggregate picture is so consequential.

Location and movement data is the most obvious. Any vehicle with a built-in navigation system or a connected telematics module logs GPS coordinates at regular intervals. Over weeks and months, that record becomes a precise map of a driver's life — where they live, where they work, which medical facilities they visit, which places of worship they attend, and with what frequency. Several automakers retain this data for extended periods, and their privacy policies permit its disclosure to law enforcement without requiring a warrant in some circumstances.

Driving behavior telemetry encompasses acceleration patterns, braking force, cornering speed, seatbelt usage, and time-of-day driving habits. This category is of particular interest to auto insurers. A growing number of carriers now offer usage-based insurance programs that draw on telematics data, and at least two major U.S. insurers have faced scrutiny for allegedly obtaining this data from automakers without drivers' explicit awareness — in one reported case, leading to premium increases that policyholders could not explain.

Smartphone integration data is less widely appreciated. When a driver pairs their phone via Bluetooth or Apple CarPlay and Android Auto, the vehicle's infotainment system may index contacts, call logs, text message previews, and app usage data. Several automaker privacy policies acknowledge retaining synced contact lists. The practical implication is that a vehicle's data store can contain personal information about individuals who have never sat in the car themselves — every person in a driver's contact list.

In-cabin sensing represents the frontier of automotive data collection. Voice-activated assistants require microphone access, and the conditions under which audio is processed — locally on the vehicle, transmitted to a cloud server, or retained — vary by manufacturer and are rarely communicated clearly to owners. Some vehicles now incorporate interior cameras for driver-monitoring systems, generating continuous video data about occupant behavior.

The Regulatory Vacuum

For American drivers, the uncomfortable reality is that the legal framework governing automotive data collection is fragmentary at best.

The federal landscape offers limited protection. The Driver's Privacy Protection Act, enacted in 1994, restricts the disclosure of information held by state motor vehicle departments — a narrow scope that does not reach data generated by the vehicle itself. The Federal Trade Commission has authority to pursue deceptive data practices under Section 5 of the FTC Act, but it lacks a comprehensive rulemaking framework specifically addressing vehicle telematics. The National Highway Traffic Safety Administration's mandate centers on safety, not privacy.

At the state level, California's Consumer Privacy Act and its successor, the California Privacy Rights Act, provide residents with meaningful rights — including the right to know what data is collected, to request deletion, and to opt out of its sale. A handful of other states have enacted broadly comparable legislation. But for drivers in the majority of U.S. states, no comparable statute exists. Automakers operating nationally are largely free to set their own data practices, constrained primarily by their own privacy policies — documents that are written by the companies' legal teams and interpreted by those same companies.

The result is a system in which the entity with the greatest incentive to collect data is also the primary author of the rules governing its use.

Law Enforcement Access: A Particular Concern

Automaker cooperation with law enforcement requests has drawn increasing attention from civil liberties organizations. Because vehicle location and movement data falls outside the traditional categories addressed by Fourth Amendment jurisprudence — courts have generally held that information voluntarily shared with third parties carries a reduced expectation of privacy — law enforcement agencies can in many cases obtain it through subpoenas or even informal requests, without the probable-cause showing required for a warrant.

Several documented cases have involved automakers providing detailed location histories to investigators, sometimes covering periods of months. In contexts involving lawful criminal investigations, this capability has clear utility. But the same infrastructure and legal framework that enables those disclosures also means that a vehicle's data record could be sought in connection with civil matters — including, in the post-Dobbs legal environment, reproductive health decisions made in states where certain procedures have been restricted.

The Electronic Frontier Foundation and other advocacy organizations have called for federal legislation establishing warrant requirements for vehicle location data. As of this writing, no such statute has been enacted.

What Drivers Can Do Today

The absence of comprehensive federal protection does not mean drivers are entirely without options. Several practical measures can meaningfully reduce a vehicle's data footprint.

Review and adjust connected services settings. Most modern vehicles provide an infotainment menu that controls data-sharing features. Disabling remote data transmission, limiting location-sharing to in-vehicle navigation only, and opting out of automaker telematics programs where the option exists are reasonable starting points. The specific menus vary by make and model; the owner's manual and the automaker's privacy portal (required under California law and often made available nationally) are the most reliable guides.

Be deliberate about smartphone pairing. Connecting a phone to a vehicle's infotainment system via Bluetooth or USB grants that system access to data beyond what is needed for music playback. If full contact and message integration is not necessary, limiting the connection to audio-only modes — or using a separate, minimally populated device for in-car use — reduces the scope of what the vehicle can index.

Understand your insurer's data sources. Before enrolling in any usage-based insurance program, ask explicitly whether the carrier obtains driving data from the automaker in addition to or instead of a dedicated app or plug-in device. Request a written explanation of what data is collected, how long it is retained, and under what circumstances it is shared.

Submit a data access or deletion request. Under California law — and increasingly under other state statutes — consumers have the right to request a copy of the personal data an automaker holds about them and to request its deletion. Even for residents of states without analogous legislation, many automakers have extended these rights nationally. Submitting such a request through the automaker's privacy portal is straightforward and costs nothing.

The Broader Picture

The connected vehicle represents a microcosm of a broader tension in American digital life: the gap between the data practices that technology companies adopt and the legal frameworks that exist to constrain them. Automakers have moved faster than regulators, and the resulting asymmetry leaves consumers in a position of structural disadvantage. Understanding what your vehicle collects — and exercising whatever control the current framework permits — is not a complete solution. But it is a more informed starting position than the one most American drivers occupy today.

All articles

Related Articles

The Invisible Signature: How Browser Fingerprinting Follows You Across the Web Without Touching Your Device

The Invisible Signature: How Browser Fingerprinting Follows You Across the Web Without Touching Your Device

The Shadow Profilers: Inside the Data Broker Industry Quietly Selling Your Life Story

The Shadow Profilers: Inside the Data Broker Industry Quietly Selling Your Life Story

The Privacy Patchwork: What Your State's Data Laws Actually Protect — and Where the Gaps Leave You Exposed

The Privacy Patchwork: What Your State's Data Laws Actually Protect — and Where the Gaps Leave You Exposed