What Data Does My Car Collect About Me and Where Does It Go?

By Mozilla Foundation, Sept. 6, 2023

What did I learn in researching the privacy and security of 25 of the top car brands in the world? Modern cars are a privacy nightmare and it seems that the Fords, Audis, and Toyotas of the world have shifted their focus from selling cars to selling data.

When all of the 25 car brands we reviewed earn our *Privacy Not Included warning label for failing to respect and protect their customers’ privacy, something is seriously wrong. Car companies, are you hard up on cash? Your swan dive into the data biz is worrying us. It’s just that… Drivers are already paying you for their cars so why are you taking their privacy too? Ugh.

When we first started looking into cars and privacy, only one thing was clear: It’s complicated. Even to the car-markers! In response to a standard set of privacy and security questions we ask companies by email, Mercedes-Benz told us that it wasn’t possible to give us “universal answers.” And they’re kinda right. It is so difficult to get a clear picture of the data comings and goings between vehicles, their apps, their connected services, and more. But did your privacy-researching team take “it’s too complicated” for an answer? Heck no! Determined to help consumers get to the bottom of the privacy and security of cars, here’s what we learned after combing through 25 of the most popular car brands’ (many) privacy policies.

How does my car collect data about me?

Cars have had some kind of computer in them since the 1970’s. What’s new is the number of them and the amount of things they control. If you had the pleasure of driving during the El Camino era before the mid-eighties, you might remember literally rolling down a car window — by turning a crank. (A clunky move that makes it even harder to look cool hanging out the passenger side of your best friend’s ride.)

Nowadays, it takes just a press of a button to “roll down” your car’s windows as more and more of cars’ features are powered by computer systems that also connect to the internet. And we’re not just talking about state-of-the-art future-cars. Consulting firm McKinsey predicts that 95% of new vehicles sold globally will be connected ones by 2030. “Basic vehicles,” the report says, will bring the most value from data because of their popularity. So if it doesn’t yet, calling a car “smart” will soon feel as retro as saying “smart phone.”

Cars with more advanced features and commands barely even need buttons. There’s touch-sensors and screens that work with barely a boop of the finger, a wave of the foot, or even by asking nicely. The future is now! But having all those microphones, cameras, and sensors sending signals through your car’s computers also means that whenever you interact with your car you create a tiny record of what you just did. Like when you turn the steering wheel or unlock the doors. And usually all that information is collected and stored by the car company.

Other bits of information about you and your passengers can be collected automatically, when you’re just sitting there. Because while your car is waiting to respond to your command, its sensors are, uh, “sensing”. That’s probably why vehicle data hubs, the data brokers of the car industry, can brag about having so many data points like driver fatigue — which monitors head and eye position — and heart rate.

Cars’ new bells and whistles mean the potential for more data-collecting sensors, cameras, and microphones. But unlike with apps or smart home devices, most drivers aren’t even aware this data is being collected — let alone have the power to turn it off.

Another way your car collects data is from the connected services you use from your car’s dashboard, like satellite radio or a GPS route planner. Then there’s the devices you connect to it, like a telematics device: a plug-in that sends information about your driving behavior to your insurance company, or your phone. Car companies can also get data about you from your phone when you download the car’s app.

Finally, there’s the old-fashioned way. Just like (way too many) other products that connect to the internet do, car companies often collect extra information about you on their own from data brokers, car dealers (yes, they know all about you from those test drives), social media, the government, and more places we’ll talk about below.

What data does my car collect about me?

There’s probably no other product that can collect as much information about what you do, where you go, what you say, and even how you move your body (“gestures”) than your car. And that’s an opportunity that ever-industrious car-makers aren’t letting go to waste. Buckle up. From your philosophical beliefs to recordings of your voice, your car can collect a whole lotta information about you.

What you do in your car is more than enough information to paint a detailed picture of you. But your car-maker wants more. They can collect information about how much money you make, your immigration status, race, genetic information, and sexual activity (it’s in there!). Heck, they’ll even help themselves to your photos, your calendar, and your to-do list if you’ll let them.

… But wait, there’s more data car companies collect about you

Thirteen (52%) of the cars we looked at also collect information about the world around your car. Apparently, sensors can record information about the weather, the road surface conditions, traffic signs, and “other surroundings,” whatever that means.

Ugh, that pesky “other” category. As creepy and detailed as these data points are, we’re more worried about what’s not in the fine print. As usual, a lot of the privacy policies use vague language. Six companies mention “demographic data” which is about as descriptive as saying “characteristics” — another word that popped up a few times. We have similar worries about “sensor data,” because, like we talked about before, sensors can be high tech enough to measure private stuff, like stress level. Also, “images.” Please, car brands, tell us more.

Using broad language is a classic tool that companies use to leave the door open for collecting more data than they’re spelling out in their policies. It makes it pretty much impossible to know all of the information that’s being gathered about you.

“Practically all of the privacy policies we looked at used qualifying language when listing the data points they collect. Words like ‘such as,’ ‘including,’ or ‘etc.’ tell us we are only getting a sample of what is collected and not the full picture.”

They use other cheeky little tactics to gloss over the amount of data they collect, like this Easter egg we found in Honda’s privacy policy. At the end of a long list of categories of personal information they collect, they put “Personal information as described in Cal. Civ. Code § 1798.80(e).” Huh? It turns out that that’s short for just about anything that “identifies, relates to, describes, or is capable of being associated with a particular individual.” Yowza!

(e) “Personal information” means any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. “Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

CALIFORNIA CIVIL CODE 1798.80 (E)
https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?sectionNum=1798.80.&lawCode=CIV

Through inferences, car companies also create new data about you

Twenty two of the car brands (88% of the ones we looked at) mentioned creating inferences — assumptions about you based on other data. And nine of those companies (39%) said specifically that they might sell them to third parties. Hmm. Car companies’ love for inferences might explain why they seem to want to collect as much information about you as possible, even when those data points seem meaningless on their own. Like what “title,” “artist,” and “genre” you listen to in your car. Whether you listen to christian rock, show tunes, or The Joe Rogan Experience podcast on your way to work might not say that much about you… Or maybe it does? Either way, when you combine it with where you work (“employment information”) and all the places you go (“route history”), your track list can probably help fill in some blanks about your “preferences.”

Where does all the data go?

Welp, there’s more not-so-great news, folks. Most of the car companies we looked at commit many of the biggest data privacy no-nos in our books. We already talked about how, according to our standards, they collect too much data about you and how they sell inferences. There’s more. Car brands might combine information collected about you from your car with personal information they get from third parties. Then, they often share (and sometimes sell) that information (plus the “inferences” they created based on it) to all kinds of businesses. Over-collecting, combining, sharing, and selling are all things we do not like to see in privacy policies.

According to their own privacy policies, here are the comings and goings of the data created, collected, shared, and sold by car companies.
When it comes to disclosing who your car shares and sells your data to, vague language strikes again! The privacy policies we read usually only listed the categories of businesses they share with, like “service providers.” When they did name companies, the privacy policies often used more qualifying language like “such as,” “etc.” “and others,” “or similar” to make it clear that they’re only sharing a sample. Other times, the privacy policies only said that data would be shared or sold without saying to who.

After over 600 hours of research, we’re still confused about who car companies are sharing your data with and selling it to. But we do have a pretty good guess about why they’re doing it. Your data is a valuable business asset to these companies. And cars, like we mentioned earlier, can collect more and more detailed personal data than almost any other device or company can. So of course car companies are keen to cash in on that. Nineteen (76%) of the car companies we looked at say they can sell your personal data.

We know this about personal data because of data privacy laws like the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) in the United States. Both laws say that if a company plans to sell or share your personal data, they have to let you know. So even though the information isn’t as detailed as we’d like it to be, it is listed in the privacy policy.

On the other hand, even the strongest privacy laws don’t apply to so-called “aggregated and anonymized” data. So we can’t know how that information is handled. What we do know is that there’s a booming industry based on selling data from cars. On their website, automotive data broker (or “vehicle data hub”) High Mobility advertises their wide range of data products that include precise location, those two we mentioned earlier (“heart rate” and “driver fatigue”) and 57 other categories. Oh, and! They have a partnership with nine (36%) of the car brands we researched.

“The detailed data collected by car companies is a data broker’s dream. Indeed, Vehicle Data Hubs are rich with that information. Yet we still know so little about how they obtain, process, and sell it. That is the sad irony about the data broker business: they make billions off of our essentially stolen private information while revealing next to nothing about how they operate.”

The more we try to learn about cars and privacy, the more questions we have. Like, what happens to your personal data after it’s shared? And how can time-stamped, precise location data ever be anonymous?

… And where does the data end up?

Even though it might not sound like it, our research at *Privacy Not Included is based on the best case scenario. We can only really report on what companies say they’ll do with your data in their privacy policies. That’s why we take security standards and track record into account when handing out warning labels. And on that point, it’s a “yikes” across the board for car brands. Seventeen (68%) of the car companies earned our “bad track record” ding for failing to protect and respect their users’ privacy with a leak, breach, or hack recently. Among the greatest hits to their customers’ privacy:

– Volkswagen and its daughter company Audi suffered a data breach affecting 3.3 million users.

– Toyota leaked data of 2.15M users over 10 years between 2013 and 2023.

– In June 2022 Mercedes-Benz disclosed a data leak on the part of a third-party vendor that exposed the personal information of up to 1.6 million prospective and actual customers, including names, street addresses, email addresses and phone numbers.

With all the mysterious sharing and selling on top of these epic-level oopsie daisies, we’re worried about all that super personal and detailed information getting into even wrong-er hands than your car’s parent company. Like law enforcement, hackers, or just about anyone who can purchase from a data broker.

Want to learn more about what could happen if something goes wrong? We’re not done talking about cars and privacy. Sign up for our newsletter to get our latest delivered to your inbox.

Data your car-maker can collect from you… about 160 personal data items
1 – about you

1. name
2. address
3. phone number
4. email
5. age
6. date of birth
7. demographic data
8. protected classification information
9. your mobile device location
10. device identifier
11. payment information
12. financial account numbers
13. credit card number
14. debit card number
15. information about the acquisition and financing of your vehicle
16. the lease/financing term
17. billing information
18. your credit card number CVV code and expiration date
19. other financial information
20. records of products or services purchased or considered
21. other purchase or usage histories
22. device identifier
23. driver’s license number
24. national or state identification number
25. social security number
26. employee identification number
27. National or State Identification Numbers
28. IP address
29. Passport number
30. insurance policy number
31. signature
32. sex life or sexual orientation information
33. medical information
34. health insurance information
35. health diagnosis data
36. disability status
37. basic identifiers
38. genetic information
39. genetic data
40. facial templates
41. facial geometric features
42. physical or mental disability
43. Genetic characteristics
44. physiological characteristics
45. behavioral characteristics
46. biological characteristics
47. activity patterns used to extract a template or other identifier or identifying information
48. fingerprints
49. faceprints
50. voiceprints
51. iris or retina scans
52. keystroke
53. gait
54. or other physical patterns
55. sleep data
56. health data
57. exercise data
58. religion or creed
59. Philosophical beliefs
60. marital status
61. Notifications, including the recipient of the notification or their contact information;
62. calendar entries
63. contact numbers
64. characteristics
65. physical characteristics
66. language preference
67. inferences reflecting your preferences
68. demographics and vehicle usage patterns
69. nationality
70. citizenship status
71. education
72. current employment
73. employment history
74. union information
75. socio-professional category
76. veteran or military status
77. immigration status
78. ancestry
79. race
80. national origin
81. gender
82. sexual activity
83. your preferences
84. registration and account information
85. credentials for multimedia services
86. photographs, user-generated content and other materials that you may submit
87. your address book, calendar, tasks, and emails, to the extent you authorize such collection
88. other information linked or directly related to you

2 – about what you do in your car

1. geolocation
2. precise location
3. route history
4. driving schedule
5. audio information
6. audio recordings of vehicle occupants
7. voice recordings
8. call recordings for emergency and customer service purposes
9. calls and other communication recordings and associated logs with our customer service team or service providers, such as recordings and logs of telephone calls, or communications using Connected Vehicle Technologies and Services
10. information about anyone making a call using the Connected Vehicle Technologies and Services; Call history information, including the date, time, and duration of a call, and any response specialist’s notes written during a call;
11. visual information
12. gestures
13. biometric information
14. sensor-collected data from radar
15. sensor-collected data from ultrasonic devices
16. electronic information
17. other sensor-collected data
18. search content
19. vehicle speed
20. vehicle usage information
21. driving habit and style
22. pedal positions
23. use of accelerator
24. travel direction
25. trip start time and end time
26. trip start and end location
27. current location
28. points of interest
29. seat belt use
30. information about door locks
31. information about open doors
32. swerving/cornering events
33. use of steering functionality
34. use of braking functionality
35. information about braking habits
36. vehicle/technology usage data such as remote start technology

3 – information about your interactions with us, our affiliates, our service providers, Integrated Content Providers, and Optional Third Parties related to your vehicle usage

1. battery charging history (for electric vehicles)
2. charging locations used (if applicable)
3. Real Time Status of your vehicle (i.e., vehicle location, status of powered doors, windows, hood, trunk, sunroof, hazard lights, odometer reading, oil life, fuel economy, trip distance, distance to empty)
4. information about the usage of vehicle features, services, and technology
5. data from third-party account services that you link to your Connected Services account (e.g., Amazon Alexa)
6. use of multimedia screens
7. infotainment (including radio and rear-seat infotainment) system
8. records from usage of the Connected Services
9. information that you provide when using the connect services, including information you send and information you request
10. information about what is listened to in the vehicle (such as radio presets, volume, channels, media sources, title, artist, and genre)
11. crash or near-crash information about the vehicle or driver’s behavior will be recorded in the vehicle
12. air bag deployments
13. recent service requests
14. purchases
15. presets
16. other sensor data
17. images and event data generated in connection with certain features
18. a Vehicle Occupant’s search content
19. information collected from camera images
20. voice command information
21. stability control or anti-lock events
22. security/theft alerts
23. WiFi data usage

4 – about the world around your car

1. ambient data (such as outside temperature and brightness)
2. “Exterior Image Data”
3. 3-D images around your vehicle
4. weather
5. road segment data
6. road surface conditions
7. other driving conditions
8. traffic signs
9. other surroundings
10. traffic jams
11. obstacles
12. parking spaces

Source: *privacy not included | Shop smart and safe | Mozilla Foundation

---

All texts, images, logos and other information belong to their respective rightful owners and are only shown here as third-party information for the purpose of informing consumers. Via the links provided, the sources of this information can be viewed and the rightful owners can be contacted. Responsibility for the correctness of the information belongs to the sources mentioned. Prifora takes no position or responsibility for the information displayed.