
Your Car Is a Data Privacy Nightmare. Here's How to Protect Yourself

Automakers collect a stunning amount of information about you. Here's how you can stop it.

  • Automakers have access to everything from your driving habits to your taste in music due to rampant data collection.
  • Often, this data is used against you in the form of targeted ads or sold to third-party brokers.
  • Consumers have options, but without strong legal protections for their data, it's an uphill battle.

Your car knows you far, far better than you think — where you work, your Instagram handle, what kind of music you like, the sound of your voice singing backup to “Under Pressure” and more. But the worst part? You handed all that data over willingly, and you probably didn't even know it.

What data does my car collect?

As is the case with tech companies that collect and sell your data to the highest bidder, the scale of the information collected by automakers only comes into view when their privacy policies are read in full — which is what you should do, but we all know that's not what happens. Companies bury exactly what is collected behind hundreds of pages of intentionally wordy legalese that is designed to bore and mislead. Automakers generally notify you that terms and conditions exist by displaying a brief note on your car's screen, accompanied by a nice large “OK” button. Most people tap that button without thinking about it — I need to get on the road and this silly screen is standing between me and the nav system! — but in many cases, that’s all it takes for your data to be collected and used in whatever way these companies see fit.

Mozilla’s *Privacy Not Included, an organization focused on educating consumers about the way companies use their data, points out that cars are, generally, a privacy nightmare. The organization went so far as to call them “the worst product category we have ever reviewed for privacy” in a review it published last year. We spoke with Jen Caltrider, program director at *Privacy Not Included, to find out more. Caltrider told us, “There really isn’t much of a middle ground where consumers can access connected features and be certain their privacy is also being respected.” Moreover, some automakers make opting out sound scarier than having your data taken and sold off. Caltrider and *Privacy Not Included cataloged warnings in Teslas in this piece telling consumers that if they opt out of data sharing, their car may become inoperable. Moreover, Tesla states certain features like the car’s over-the-air update functionality — which Tesla often uses to push recall fixes — “rely on such connectivity.” Right now, protections for consumers and their data are scarce, and where the data automakers collect goes can be pretty scary. 

Where does all your data go illustration

Photo courtesy of *Privacy Not Included

Who do manufacturers sell data to?

Sometimes, automakers sell data to outside firms — the New York Times reported that General Motors was selling customer driving data to insurance companies via third-party brokers like LexisNexis and Verisk. In other cases, the data stays “in network.” *Privacy Not Included states in its review that Toyota collects information like social media IDs, car driving inputs, location data and much more. The company profits from collecting all this data about you: it can use it to sell you on the brand through targeted ads and dealers, or pass the data it collects from its customers to a vast network of dealers. This exchange is also a two-way street; Toyota Financial Services, where some consumers may make their lease or loan payments, will also share sensitive private data with Toyota, advertisers and more.

How do you know where your information is going? To their credit, some manufacturers that collect sensitive data communicate how they handle it. Toyota and Lexus offer a privacy center where you can see what happens to various pieces of data. If you want to terminate data sharing entirely, you can do so by logging in to the Toyota app, clicking the top right “profile” icon, selecting “Account,” then “Data Privacy Portal.” 

Nissan told us, "When we do collect or share personal data, we comply with all applicable laws, and provide as much transparency as possible to allow our customers to make informed decisions about their data." Prior to an update in December 2023, an older version of Nissan's privacy notice said it could obtain data on health diagnosis, sexual orientation, geolocation and genetic information, which sounds like really scary information for a company to have. But Nissan says that this isn’t the case anymore, and that “due to the broad disclosure obligations present in certain privacy laws, we chose to list those data elements in the previous notice, as those types of information could conceivably come to us from employees that participate in our benefit programs.”

Nissan’s privacy notice used to cover both customers and employees alike in the same statement. In other words, Nissan was never collecting that data from its customers, only from its employees, and even then only voluntarily. The agreements have since been split. Now, Nissan's customer notice no longer states that it could get access to health data. While Nissan could conceivably be given these types of data, the company asserts it would have to be told the information expressly by a person.


But Nissan does, like all automakers, collect data to some degree. The company tells us it obtains “inferences” from “outside entities” and might use “certain data points to make educated guesses for, as an example, direct marketing campaigns.” However, per Nissan, it does not create nor sell these inferences itself. 

While Nissan’s data collection policies seemed like they were on the personal side, Ford's came with real-world consequences. We asked Ford about its data collection policies and its relationship with law enforcement. Regarding the former, the automaker acknowledged in a 2023 letter to Sen. Edward Markey that it “may share connected vehicle data with 1) dealers or independent repair companies for repair purposes; 2) service providers; or 3) third parties when it is at the direction of our customers.” Further, “some customers authorize Ford to share connected vehicle data with their insurance company so that they can enjoy discounted insurance premiums.” 

Ford shares data with insurance companies, so long as you opt in. However, it says it “does not sell any connected vehicle data to brokers, period.” In an email to Edmunds, Ford explained that it proposed partnerships with LexisNexis and Verisk that did not ultimately move out of the exploratory phase (Ford also noted it did not share connected vehicle data with these companies). These were the firms that used General Motors-supplied data to help insurance companies raise rates.

Ford also provided examples in which its sharing of data under exigent circumstances saved lives. Exigent circumstances is a hotly debated legal premise that, in very brief terms, allows law enforcement to circumvent some Fourth Amendment search and seizure laws if officers believe someone is in danger. In the letter to Sen. Markey, Ford gave two examples in which it shared data via “valid legal process or in the case of exigent circumstances." The first resulted in “[locating] a suspect in the kidnapping of a 9-year-old girl who was abducted,” and in the other, Ford’s vehicle location data helped find “a missing person who was believed to be at risk of self-harm.”

But as *Privacy Not Included points out in its report, government agencies have a demonstrated history of using exigent circumstances improperly. Until constitutional protections can play nicely with this legal premise, any automaker giving over data via the process should look twice at the reasoning — and consumers should look twice at their privacy agreements and rights to ensure their data is being handled properly.


What you can do to protect your data

Consumers do have steps they can take to limit or outright stop the sharing and collection of their data. Caltrider cites a shift in legal protections for data owned by private citizens as one potential avenue for improvement: “Part of the reason cars are so bad at privacy is that car companies don’t need to do much to protect their users' privacy. The U.S. doesn’t have a strong, consumer-focused federal privacy law, so there are no laws against these companies collecting way more personal information than they need to get us from point A to point B safely.”

Caltrider says it's possible that dealers incentivize salespeople to "get buyers to download and install apps and accept terms of service and privacy policies before they drive off the lot." To safeguard against any potential conflicts of interest, she recommends "not letting the salesperson in your car to help set up connected features before you leave the lot. Take the car home and review all the information as you set up the connected features yourself to make sure you don’t opt into data sharing from your car you don’t want."

Automakers don’t need to guarantee they will delete the data collected, though some say they do so voluntarily. “The best — and perhaps the only — thing that will truly protect consumers' privacy in cars now is a federal privacy law. Everyone should be calling their representatives and demanding that right now,” says Caltrider.

Caltrider says that privacy is an urgent issue, and the time to act is now. “I’ve seen technology touting the ability to use in-car cameras to monitor drivers' emotions. I don’t know about you, but I really don’t need my car to know my emotions. And cars are adding apps like TikTok and ChatGPT and more. We’re on a slippery slope with car privacy right now, so the more consumers can be aware of the problems, the better.” Of course, as an individual, you can also ensure you disable any forms of data sharing mentioned here. We’ve found some helpful videos online, and some OEMs, like Toyota, also provide step-by-step instructions, which you can find with a few minutes on Google.

Edmunds says

Data privacy is a thorny issue, but for now, in order to get some of the features people love in new cars, they'll have to be OK with their personal information being collected by companies in and outside the auto industry. The best thing consumers can do is raise their voices to local legislators and work to educate themselves on when and how their data is collected.