Privacy in connected cars: what your vehicle knows about you

Getting into a modern car today is, in practice, like stepping into a rolling computer full of sensors, cameras and permanent connectionAs you start the engine and begin your journey to work, school, or the supermarket, the vehicle starts recording almost everything you do: how you drive, where you go, how long you are stopped, and even how often you brake suddenly.

What's disturbing is that a huge portion of that information doesn't stay in the car. It's sent to manufacturers' and third-party servers, combined with other personal data, and used for business, advertising, insurance, behavioral analysis and, in some cases, to share it with governments and security forcesThe feeling that the car is an intimate refuge clashes head-on with what recent studies reveal: in terms of privacy, connected vehicles are among the worst technological products in existence.

What exactly is a connected car and why does it affect your privacy?

When we talk about a connected car, we're not just referring to having a nice navigation system or being able to plug in your phone. A vehicle falls into this category when It has internet access, communicates with other systems, and generates a constant flow of digital data. about how it works and about you.

Connectivity includes several layers: communication with your smartphone (Bluetooth, Android AutoCarPlay), with the manufacturer's cloud for updates and services, and with the environment. Thus, many current models incorporate features of V2V (vehicle-to-vehicle), V2I (vehicle-to-infrastructure) and V2P (vehicle-to-pedestrian) to exchange real-time information on traffic, safety, or road conditions.

In practice, every time you activate the turn signals, turn on the lights, press the brake pedal, or consult the GPS, the car generates a small digital message. This sequence of signals creates a comprehensive record that, when properly analyzed, allows us to deduce driving patterns, daily habits, places you frequent, and times you move around.

This tracking capability will become widespread: several consulting firms predict that, by 2030, The vast majority of new vehicles will be connectedAnd in Europe, double-digit growth is expected in this market in the coming years. The transition from the "analog" car to the connected car is already underway and there's no going back.

In addition to traditional sensors, many recent models incorporate interior and exterior cameras, systems that monitor whether you take your eyes off the road or show signs of drowsiness, and Microphones that capture your voice for assistants and hands-free useAll of this adds up to a much larger ecosystem of personal data than we usually imagine.

What data do connected cars collect (and why is it so serious)

Various independent reports, including an exhaustive study by the Mozilla Foundation and analyses by privacy specialists, all point to one devastating idea: Car manufacturers collect far more data than necessary and manage it with very little respect for privacy. of the driver.

The figures are compelling. In Mozilla's study, after reviewing the privacy policies of 25 major manufacturers, all the brands failed. 100% obtain more personal data than they need to provide the service, and 84% shares or sells that information to third parties and 92% provide the user with little or no control over the subsequent use of their data.

What's worrying is not just the quantity, but the type of information. We're not just talking about mileage or fuel consumption: many policies open the door to processing Extremely sensitive data, such as health or genetic information, ethnic origin, sexual orientation or life, biometric traits or facial expressionsIn some cases, this level of detail is mentioned in a surprisingly explicit way.

Much of this data is generated inside the car, through GPS, cameras, sensors, or the infotainment system. Other data comes from official mobile applications, the sales network (dealerships, workshops), or from external sources such as social media, public records, and government data that intersect to refine the profiles.

The result is a very precise map of who you are and how you behave on and off the road: where you live, where you work, who you hang out with, what places you frequent, what time you leave and return home, what music you listen to, who you talk to on the phone, and what radio station you tune into daily. All of this has a extremely high commercial value and fuels a new business model in the automotive industry focused on data exploitation.

Types of data your car records, step by step

To understand the scope of this intrusion, it's helpful to separate the categories of information handled by connected vehicles. Each one opens up a different avenue of risk to your privacy and security.

First, there's location and route data. The car usually has GPS that's always active, so The departure time, the complete journey, and the arrival time are recorded. of every movement. Some brands keep these records for years, creating veritable movement diaries that can reveal very intimate personal routines.

Next, we find everything related to driving behavior: hard acceleration, braking, speed on different sections, seatbelt use, engine revolutions, fuel consumption, hours you drive, and even tire wear level or lane change patternsTogether, these parameters build a detailed profile of your driving style.

Another key source of data is the entertainment and connectivity systems themselves. pair the phone Whether via Bluetooth or through Android Auto and CarPlay, the car often requests permission to access the contact list, call history, SMS messages, or certain photo foldersIn some cases, some of that information is copied to the car's equipment and can later be transmitted to the manufacturer.

Built-in voice assistants—whether from the brand itself or based on Alexa, Google Assistant, or Siri—capture audio snippets that are processed in the cloud. These platforms then carry over The same privacy issues as with smart speakers or mobile phones: accidental activations, long-term storage of recordings, and human review. to improve the algorithms.

Finally, vehicle diagnostic data, which years ago was used almost exclusively in workshops, now also serves commercial purposes. Telematics records faults, component behavior, and "unusual" usage patterns, something that of interest to both insurance companies and fleet management companies and they want to monitor what each driver does.

Who has access to this data: manufacturers, insurers, governments, and data brokers

The flow of information leaving the car doesn't stop at a single recipient. It often passes through a chain of actors with different interests, which aren't always clearly explained in the fine print of contracts and privacy policies.

The first link in the chain is the car manufacturers themselves. They are the ones who They collect, store, and combine most of the data generated by the vehicleThey do this, in theory, to improve security, prevent breakdowns, develop new functions or personalize services, but also to explore lines of business based on the sale of information.

Insurance companies are another major player in this ecosystem. Many promote pay-as-you-drive policies, where the price adjusts based on your driving style: how many kilometers you drive, how often you brake hard, your typical speeds, and the times of day you use your car. if you tend to break certain rulesIn some countries, opaque agreements between manufacturers and insurers through data intermediaries have already been detected.

In addition, there are the major technology providers, which offer cloud infrastructure and analytics services. Platforms such as Amazon Web Services or Microsoft Azure end up processing some of the vehicle dataAnd it's not always easy to know the extent of the information exchange with their other businesses.

Data brokers, companies specializing in buying and selling personal data on a large scale, play an increasingly important role. In some cases, it has been documented how these intermediaries receive location and traffic behavior histories from vehicles and repackage them into products for marketing, risk analysis, or audience segmentation.

Finally, we must not forget the public authorities. Several studies indicate that more than half of the manufacturers are willing to providing driver information to law enforcement or government agencies when requested, sometimes even in response to informal requests and not just through court orders. This makes the connected car a potential surveillance tool.

The car as a private space: what the law says and its contradictions

There is a striking paradox: in the eyes of the regulations, the car is in many contexts a a privacy space similar—though not identical—to the homeBut at the same time, technologically, it has become an environment of intense surveillance.

Certain court rulings and guidelines from public authorities have recognized that the interior of a parked vehicle enjoys a significant level of privacy. In some cases, it has even been stated that It is not considered public space for the purposes of certain sanctionsequating it in part to private environments where state intervention must be more cautious.

This concept clashes head-on with how connected vehicles operate today. While you are granted the right to do certain things inside the car without being penalized as if you were on the street, the car itself generates a meticulous digital trail of what you do, what you hear, who you're going with and what routes you're takingFrom a data protection perspective, this asymmetry poses a serious problem.

In the European Union, the General Data Protection Regulation (GDPR) requires that any information that identifies or could identify a person be under the control of that person, with transparency, adequate legal basis and rights of access, rectification, objection and deletionIn theory, manufacturers should comply with these requirements just as large digital platforms do.

The practical reality is much more lukewarm. While internet giants have been fined millions for violating privacy regulations, the automotive sector... It has barely received any significant punishments in EuropeAnd that's despite massive data leaks, multiple cybersecurity incidents, and frankly aggressive information usage policies.

This regulatory mismatch means that privacy protection in cars currently depends more on the goodwill (or bad) of manufacturers than on a rigorously enforced legal framework. Several experts are calling for regulations to be enforced in the automotive sector with the same rigor as in the world of social media or online advertising.

Privacy by design and by default: the ideal that almost no one achieves

Among data protection specialists, there is a consensus on two principles that should guide the development of any technology that handles personal information: Privacy by design and privacy by defaultIn the case of connected cars, these principles are invoked a lot, but applied little.

Privacy by default means that, by default, The level of data protection should be the highest possible.In other words, all functionalities not strictly necessary for the safety or basic operation of the car should be deactivated until the user consciously enables them.

Privacy by design means that every technological advance—a new camera, a driver monitoring system, an app that connects to the car—must It should be planned from the outset taking into account data protection regulations, minimizing the information collected, and granular control by the user.It shouldn't be a patch that's added at the end.

In practice, most manufacturers do the opposite: cars leave the factory with Telemetry and data transmission are enabled by default.with confusing cookie policies and permissions in apps, and with privacy settings hidden in secondary menus or designed in a way that makes them inconvenient to disable.

Digital law and cybersecurity experts have long pointed out that the automotive sector is still “immature” in terms of privacy. The rise of in-car connectivity is relatively recent, and many brands have rushed to monetize data without fully understanding their legal obligations or the implications. ethical risks of profiling their own clients to such intimate levels.

A reasonable balance would require that improvements in road safety—driver assistance, drowsiness alerts, automatic emergency call—not be used as an excuse to implement a massive collection of information that has nothing to do with preventing accidents, but rather with sell highly segmented profiles to the highest bidder.

Cybersecurity risks and leaks: when the car opens the door to attackers

Excessive data collection isn't the only problem. The more vehicles are connected to the internet, the more vulnerable all that information becomes to external attacks. In recent years, a significant amount of data has accumulated. serious cybersecurity incidents in major automotive brands, with millions of users affected.

Data breaches have been reported involving customers of top-tier manufacturers, in some cases going undetected for very long periods. The exposed data included: contact information, vehicle history, connected services data, app identifiers, and sometimes location-related itemsEach escape of this kind opens up a very dangerous playing field for criminals.

The European Union Cybersecurity Agency has already warned that connected cars can become veritable gateways to manufacturers' systems, dealer networks, and even other related services. If an attacker manages to breach the security of the servers that manage the car's connection, they could access daily routes, frequent addresses, usage patterns and data associated with user profiles.

Beyond data theft, there is a fear that an intrusion could allow remotely manipulate certain vehicle functionsThis could include disabling safety systems or interfering with communication between the car and its surroundings. Although the most extreme scenarios are still rare, the mere risk has already raised alarms among regulators and road safety experts.

The history of failures demonstrates that many brands were unprepared to adequately defend these new hyperconnected systems. Patches and security updates are arriving, but the reputational damage and the exposure of millions of people's information are a fait accompli. Once again, the driver becomes the weak link in a chain where they have virtually no say.

To make matters worse, data that ends up in the hands of attackers can be resold on underground forums, integrated into other sets of stolen information, and used for blackmail, identity theft, or attacks targeting high-profile individualsThe car, which for many was a symbol of freedom of movement, is thus transformed into yet another vector of digital risk.

What you can do as a driver: realistic steps to protect your privacy

In a context where the balance of power is clearly tilted towards manufacturers, it's easy to feel like there's little that can be done. However, there are some practices that, while not perfect, help to reduce exposure and regain some control over your data when you use a connected car.

The first step is to get informed. Although they may seem tedious, it's worth locating and reviewing the manufacturer's privacy policy and official car appIt details (at least in theory) what types of data are collected, for what purposes, for how long, and with whom they are shared. You don't need to memorize it, but you should be able to identify the most sensitive points.

Secondly, adjust the vehicle's privacy settings. Many models allow you to disable—fully or partially—the transmission of location data, limit connected services, or restrict certain uses of telemetryIt's usually found in sections like "Data and Connectivity" or "Privacy". Not all manufacturers offer the same options or make them equally accessible.

It's also advisable to be very selective about what you share when pairing your phone. When the car's system asks for permission to sync all your contacts, call history, or messages, consider whether you really need that convenience. Deny access to your contacts or SMS messages. It does not prevent the use of basic hands-free calling.and greatly reduces the amount of sensitive information that can end up being copied to the vehicle.

Another crucial step is to clear the data before selling, returning, or leasing the car. Before the vehicle changes hands, access the menus and reset the infotainment system to factory settings, unlink all associated phones, and Sign out of any connected services account. (manufacturer's app, Spotify, Google or Apple accounts, etc.).

In parallel, during the purchase of a new vehicle, it is worth taking a moment to look at the forms where consent is requested for personalized advertising, transfer of data to third parties, or loyalty programsIn many cases, this additional exploitation of information can be rejected without losing critical car functions; it simply means receiving fewer "tailor-made" promotions.

Why the fundamental solution lies in legal and industry changes

While all these recommendations help, the root of the problem won't be solved with individual decisions alone. The power imbalance between an isolated driver and a global automotive company is so evident that A structural response is needed at the regulatory and business model level.

Several consumer organizations and professional associations have raised the possibility of creating neutral platforms where vehicle data is hostedThe idea would be that the information is not exclusively in the hands of the manufacturer, but in repositories under independent supervision, from which the driver authorizes or rejects access by insurers, workshops, complementary services or authorities.

Meanwhile, the European Commission and other regulatory bodies are studying mechanisms to ensure that the information generated by the car can be transfer between suppliers only with clear, specific and informed consent from the user. This aligns with the philosophy of data portability and with the goal of preventing a single company from controlling the entire ecosystem of services surrounding the car.

The need to strengthen the transparency and simplicity of privacy policies in the automotive sector is also discussed. Today, most drivers accept terms and conditions with a click, in just a few seconds, largely because the documents are long, convoluted, and written in a language far removed from the average citizenIf the rules demanded real clarity, companies would have less room to hide intrusive practices under layers of legal jargon.

Regarding cybersecurity, authorities are beginning to demand stricter certifications and continuous auditing processes that require manufacturers to demonstrate they adequately protect connected vehicle systems. This includes regular software updates, independent penetration testing, and clear data breach notification protocols to the affected users.

Until these reforms are implemented and fully applied, drivers will have to live with a situation in which the car behaves like a black box of data that primarily benefits the manufacturer and its business partnersVoluntarily reducing connectivity, being more critical of permissions, and always cleaning up information before parting with the vehicle are, for now, the most realistic defenses available to everyone.

Ultimately, the evolution of the connected car has oscillated between two extremes: on the one hand, the promise of safer, more comfortable, and more efficient driving thanks to technology; on the other, a model of surveillance and exploitation of personal data that borders on abusive. The challenge in the coming years will be to shift the balance from almost always favoring the data business and move closer to a scenario in which Road safety and driver privacy can coexist without one being systematically sacrificed in favor of the other..