It used to be that your car provided something of a retreat from the world. Not anymore. Some modern cars collect more information about you than any other connected device you might own. This includes everything from records of your speed and use of the brake pedal to details of your philosophical beliefs and sexual identity.
It seems unbelievable, but data is a precious commodity and car-makers are doing all they can to collect yours. But just how much data does your car log? We cover that and more in this guide.
The problem: connected cars collecting data
Cars have had computers in them for decades. The first production automotive microcomputer ECU was used way back in 1977, in the General Motors Oldsmobile Toronado. Nowadays, even budget cars have between 30 to 50 ECUs embedded everywhere from the doors, to the roof, to the seats. Top of the range cars – like the Mercedes-Benz S-class – contain almost as many ECUs as an Airbus A380 (the world’s largest passenger aircraft).
Newly built cars are increasingly internet-enabled, allowing them to send between 50% and 70% of the data generated by on-board ECUs and sensors to the cloud. 2022 was notable as being the first year that connected car sales overtook non-connected cars. By 2027, the number of connected vehicles in service is projected to reach 367 million globally.
This reliance on advanced electrical components in car manufacture has spawned a plethora of sub-industries. An original equipment manufacturer (OEM) is a company whose products are used as components in the products of another company. The Pioneer company, for example, acts as an OEM for producing amplifiers and speakers used in some Toyota and Chevrolet cars. A 2013 Mercedes-Benz B Class has parts from 34 different companies.
While this sounds like a sensible division of labor, it creates a complex web of companies that have a claim to your data.
Andrea Amico, the founder of auto-data-removal company, Privacy4Cars, gives the example of a car’s GPS system. The data from this will primarily be available to the manufacturer of the component. However, the company that provided the map used in navigation might also have access to it, as might the company that provides the infotainment system, the company that provides parking data, and the company that provides the traffic data.
Obviously, a GPS system is just one component. There are many others, each armed with one or more sensors to enable them to function. This process generates data that can sometimes be fed back through embedded communications systems to the manufacturers – who can then choose to share and/or sell the data to yet more companies. This data is great for generating a constant stream of income, so it’s not surprising that car makers design their vehicles to collect more and more of it.
The amount of data generated varies. Some estimates suggest a connected car produces in excess of 25 gigabytes of data per hour. Others claim it’s more like 383 gigabytes an hour. While either of these figures is mind-boggling enough, yet more data will be produced if and when autonomous vehicles become commonplace.
Siemens suggests that vehicles at the lower end of the autonomous spectrum will produce about 1.4 terabytes every hour. At higher levels of autonomy, this will be approximately 19 terabytes per hour.
What data is collected?
Researchers from ‘*Privacy Not Included’ looked at the data collection policies of the 25 largest car manufacturers, and compiled a list of all the information they can gather. Here’s a sample:
- Data about you: Address, date of birth, bank account details, sexual orientation, medical information, genetic data, facial features, sleep data, marital status, employment history, and ancestry.
- Data about what you do in your car: Route history, voice recordings, gestures, vehicle speed, driving habit and style, seatbelt use, swerving events, and crash or near-crash information.
- Data about the world around your car: Road surface conditions, traffic signs, weather, temperature, and 3-D images around your vehicle.
The amount of data logged by any one particular car will vary between manufacturers. For example, according to auto-data-aggregation company, Otonomo, vehicles made by Stellantis collect 50+ parameters. Mercedes-Benz vehicles collect more than 80 data points.
Created data
All this data can be combined to create yet more data. According to *Privacy Not Included, 88% of the car companies they looked at “mentioned creating inferences – assumptions about you based on other data”. A further 39% of them said “that they might sell them to third parties”. These inferences allow seemingly meaningless data points to be combined in ways that make them infinitely more saleable.
Check what data your car is collecting
The Vehicle Privacy Report allows you to see what personal data your car has in it and what the manufacturer’s privacy policies are. The tool is provided by Privacy4Cars, a company that provides automotive data-deletion services to car dealerships and consumers.
To use it, all you need to do is enter your vehicle’s VIN number. The vehicle identification number (VIN) is usually stamped into the chassis of the vehicle.
You can expect to find out whether your vehicle collects driver details, location data, biometric information, and data synced from connected devices like phones. The tool will also tell you what the car company is likely to do with your data. Furthermore, the tool will identify whether your vehicle has its own cellular data plan (telematics).
A journalist from USA Today used the tool to interrogate a Kia. The results showed that Kia collects data and uses it to predict the driver’s “preferences, characteristics, predispositions, behavior, attitudes, or similar behavioral information”. It also revealed that the data would be shared with and/ or sold to Kia’s parent company, Hyundai, as well as subsidiaries, sister companies and service providers.
Another journalist, this time from Motherboard, looked up information for a Mazda car. The tool said that the company collected “identifiers, location data, and user profiles”.
One of my own colleagues drives a Honda CR-V. His car – likened to a “hard-drive on wheels” due to its lack of telematics – collects “identifiers” as well as “location” data. This data is either shared or sold to Honda’s affiliates, together with service providers, and the government.
What happens to the data our cars collect?
Individual car companies are typically made up of several brands and a network of subsidiaries – all of which could receive data shared internally. Data may also be sold externally. Interested parties include insurance companies, data brokers, advertisers, financial institutions, law enforcement, and the military. Some companies may then sell the data again to other companies.
High Mobility, for example, offers its data to insurance companies, with the promise to “score driver risk based on car usage and driving style using acceleration, speed and ADAS information”. Otonomo is another auto-data aggregator. Its corporate investor presentation shows that it sells data to transportation clients such as EVgo and PARKD at a rate of up to $100 per million data points per year.
Can we trust car companies without data?
Car manufacturers don’t have an impressive record when it comes to protecting their customers’ data. According to research from Mozilla’s *Privacy Not Included team, 68% of the top 25 car companies they analyzed had a “bad track record” for “failing to protect and respect their users’ privacy with a leak, breach, or hack”. It’s not hard to see why, as the following examples illustrate.
In 2022, Mercedes-Benz USA disclosed that a third-party vendor had leaked the personal information of up to 1.6 million prospective and actual customers. Volkswagen of America also suffered a data breach in 2022, when the personal information of 3.3 million prospective and actual Audi customers was exposed on a third-party vendor’s database.
In 2021, a bug on Ford Motor Company’s website allowed third-party access to customer databases and other proprietary data. In 2023, Nissan North America warned approximately 18,000 customers of a data breach at a third-party service provider. That same year, Toyota disclosed that issues with cloud configuration had exposed customer data for several years. Approximately 260,000 customers in Japan were potentially exposed between February 2015 and May 2023.
Of course, it’s not just car companies that can leak your data. It’s the unnamed entities who buy or otherwise receive your data. As these are often bunched together under the catch-all “service provider” tag in car company privacy policies, it’s almost impossible to find out who they are – let alone evaluate their own data protection policies. That said, we do know of some high-profile companies milking consumer car data.
Otonomo, for example, claims to collect 4.3 billion data points a day and have a relationship with 16 car manufacturers. Its website offers data from “more than 18 million passenger and commercial vehicles”, with information gleaned from infotainment units, and “other systems that monitor vehicle operations”.
The company is able to provide granular location data of vehicles around the world – some of which is available as part of a free trial. Although this data is supposed to be pseudonymous, a Vice article described how it was possible to “find who a car potentially belongs to and follow their movements”.
Can you limit the amount of data your car collects?
In many instances you can, though it’s not a straightforward process. A good starting point is the owner’s manual. If you haven’t got one, the car manufacturer may have an online connected-car privacy policy with details of how you can change the connectivity settings. Here are the links for Ford, Honda, and Toyota.
It’s also wise to let your car manufacturer know your privacy preferences. You can make a “Do Not Sell My Personal Information” request, an “Opt-out of Targeted Advertising” (or “Do Not Share My Personal Information” for those in California) request, and an “Opt-out of Profiling” request. Find out where to submit the requests by calling the relevant manufacturer’s customer service team.
Some car manufacturers, such as Ford, have a Master Reset feature that removes imported personal data like “contact lists, names of paired devices and/or connected networks”. This is useful if you’re selling your vehicle. Alternatively, consumers can use the free Privacy4Cars app to delete data retroactively.