
Your Car Knows More About You Than You Think. Insurance Companies Are Using That Data

According to BBC reporting, there’s a man who got a copy of his driving data from a company called LexisNexis. It was 130 pages long. Six months of every trip he and his wife took, logged, packaged, and sold without them knowing. Shortly after, his insurance costs jumped 21%. An insurance agent confirmed the data was a factor.

He hadn’t signed anything that felt like permission. He’d just set up his car’s infotainment system.

That’s where we are with car privacy in 2026. Modern vehicles are collecting your location, your speed, how hard you brake, who’s sitting next to you, and in some cases your weight, age, facial expressions, and driving patterns. Mozilla examined 25 car brands and found every single one failed its privacy and security standards. Cars, Mozilla concluded, were the worst product category it had ever reviewed for privacy. And most people have no idea any of this is happening.

What your car already knows about you

Location data is the obvious one. Your car knows everywhere you go, how often, and at what time. But modern vehicles go further. Sensors in the seats, dashboard, steering wheel, and cabin cameras can capture your weight, your age, your facial expressions, whether you’re wearing a seatbelt, and how you react behind the wheel. Kia’s privacy policy at one point listed “sex life” among the categories of data the company may collect, something a spokesperson later attributed to California’s legal definition of sensitive data rather than actual collection, though the company declined to specify what it does collect.

General Motors sold driver location data to LexisNexis, a data broker that packages and resells consumer information. Both federal and state agencies took action. GM is now barred from selling vehicle data for five years but faces no permanent prohibition and can resume the practice afterward with consent requirements attached. LexisNexis is still buying data from other manufacturers and apps.

Mozilla found 19 of the 25 car brands it studied said they might sell your data. That’s not a loophole. That’s the business model.

The permission structure that enables all of this is the privacy policy you clicked through when you set up your infotainment system. Or the terms you agreed to when you downloaded the companion app. Or the insurance telematics program you enrolled in hoping for a discount. A Maryland analysis found 31% of drivers who enrolled in telematics saw their rates drop. Prices went up for 24% and 45% saw no change. The data collection happened for everyone regardless of outcome.

The law

A federal mandate is coming that will require car manufacturers to install advanced impaired driving prevention technology in new passenger vehicles. The intent is legitimate: keeping drunk and drowsy drivers off the road using infrared cameras and biometric sensors that monitor eye movement, body language, and other behavioral signals.

The problem is the law includes zero provisions addressing what happens to the data these systems create.

Privacy advocates are not arguing against keeping impaired drivers off the road. The argument is harder to dismiss. You are about to have biometric health data, infrared scans of your body and behavior, collected every time you sit behind the wheel, with no rules limiting what automakers can do with it, who they can sell it to, or how long they can keep it.

The National Highway Traffic Safety Administration said it is committed to reducing impaired driving fatalities and continues to address privacy concerns. That’s not a framework. That’s a statement of intent with no enforcement mechanism attached.

Jen Caltrider, who led Mozilla’s car research, put it directly: “So many of the data collecting advances we see in cars are done under the guise of safety.” The impaired driving mandate is the clearest example of that pattern yet. A legitimate safety goal becomes the mechanism for expanding the data collection empire with legal cover and no corresponding protections.

Implementation will likely be delayed because the technology isn’t fully ready. That delay is not a solution. It’s a countdown.

Where your data ends up and why that should bother you

Jen Caltrider, who led Mozilla’s car research, describes it this way. Companies take everything they collect and use it to build a picture of who you are, how intelligent you are, what your psychological profile looks like, what your political beliefs might be. That’s what data brokers do with behavioral data at scale.

And once it leaves your dashboard there’s essentially no trail you can follow. There’s no national privacy law in the US that covers this. Individual state protections exist but they’re inconsistent and enforcement is spotty even where rules do exist. Car companies are legally required to disclose their practices in privacy policies but not required to make those policies readable or prominently placed. The consent you gave when you tapped through the setup screen on your infotainment system covered all of it.

Law enforcement can buy this data when they can’t get a search warrant. Employers could factor it into hiring decisions. Advertisers are already using it. The GM and LexisNexis situation became public because a driver got curious and requested his data. Most people never do that. Most people don’t know they can.

Europe is marginally better. GDPR gives drivers some rights to access and delete their data and creates real penalties for violations. But Caltrider is clear that even European drivers are still largely at the mercy of privacy policies and enforcement that doesn’t always happen. The gap between the rule existing and the rule being followed is wide enough to drive a data-loaded truck through.

What you can actually do about it

The clearest win is the insurance telematics program. Don’t enroll unless you’ve done the math and accepted the risk. The discount isn’t guaranteed. The data collection is. A significant chunk of drivers who enroll see no rate change or actually pay more. The program exists because it makes insurance companies money, not because it saves drivers money.

If you’re in the UK, EU, or certain US states you can request a copy of the data your car manufacturer holds on you and demand they delete it. You can opt out of having it sold. Most people don’t know this is an option and car companies aren’t exactly advertising it. Links to manufacturer privacy tools exist and are worth finding for your specific brand.

Some cars offer privacy settings buried in the infotainment system or companion app that limit certain types of data sharing. They’re worth checking. They won’t solve the problem but they narrow it.

Beyond that the options thin out quickly. You can avoid connecting your phone to the infotainment system. You can read the privacy policy before agreeing to it, though that’s an unfair ask given how deliberately unreadable most of them are. You can buy an older car without an internet connection, which is increasingly difficult as connected vehicles become the default.

The uncomfortable truth is that individual action only goes so far when the entire system is designed around extraction. Caltrider said it plainly. Until people own their data and companies have to ask permission to use it rather than bury consent in forty pages of legal text, this problem gets worse, not better. The federal mandate on impaired driving technology is arriving soon. The data protections that should come with it are not.

Your car knows a lot about you. Right now the only people who seem to care about that are the ones buying the data.
