Buying a car used to mean buying a machine. You paid for the engine, the frame, the seats, and maybe a warranty. What you did in the car, where you went, how hard you braked, and how long you sat in a parking lot outside your therapist's office was your business and nobody else's. That arrangement is largely over.
The modern connected vehicle is, functionally, a data collection platform that also happens to provide transportation. Automakers, insurance companies, data brokers, and law enforcement agencies have all quietly built ecosystems around the information your car generates, and most drivers have no clear picture of how deep that apparatus runs or who benefits from it.
What Your Car Already Knows About You
The average modern vehicle contains well over 100 sensors monitoring everything from engine performance and braking patterns to steering inputs and seatbelt usage. McKinsey has estimated that connected cars generate up to 25 gigabytes of data per hour. Not all of that is transmitted continuously, but a substantial portion of it is collected, stored onboard, and in many cases uploaded to manufacturer servers through built-in cellular connections without requiring any action from the driver.
Beyond raw driving data, newer vehicles track location history, the contacts synced from your phone, the apps you use through the infotainment system, and in some cases audio recorded by built-in voice assistants. In 2023, Mozilla Foundation reviewed 25 major car brands for its Privacy Not Included guide and concluded that every single one of them failed its minimum privacy standards, making cars what the researchers called the worst product category they had ever reviewed for privacy. Every brand collected more personal data than necessary, and most shared or sold that data to third parties.
The consent mechanisms burying all of this are almost comically inadequate. Somewhere in the documentation you sign when you buy or finance a vehicle, often within a broader terms of service agreement that runs dozens of pages, you technically authorize this collection. The FTC has flagged these practices in its ongoing work on commercial surveillance, noting that the gap between what consumers understand they're agreeing to and what they're actually agreeing to is substantial and growing.
The Insurance Industry Found the Data First
In 2023, the New York Times reported that General Motors had been sharing detailed driving data from millions of OnStar subscribers with two data brokers, LexisNexis and Verisk, without drivers realizing the implications. LexisNexis and Verisk both sell risk scores to insurance companies, meaning that driving behavior captured by a vehicle's own systems was flowing directly into the calculations that determined what drivers paid for coverage. Some drivers discovered their premiums had risen or their policies had been dropped based on data they had no idea was being transmitted.
GM was not an isolated case. The data broker pipeline connecting automaker telematics systems to the insurance industry runs through multiple manufacturers and has been operating for years. Verisk's driving data business, which it calls Telematics Exchange, aggregates information from a range of sources, and insurance underwriters use it to build behavioral profiles that go far beyond what drivers self-report. The practice is legal, largely unregulated at the federal level, and invisible to most of the people it affects.
What makes this particularly difficult to push back against is that automakers have framed telematics systems as safety features and driver conveniences since the beginning. OnStar started as an emergency response service. Usage-based insurance programs market themselves as ways for safe drivers to save money. The surveillance infrastructure was built into products people genuinely wanted, which made it much easier to normalize before anyone had a chance to object to it.
Law Enforcement Discovered It Was Useful Too
Vehicle data has become a meaningful tool in criminal investigations, and the legal framework governing how police access it has not kept pace with how much of it exists. Event data recorders, the black boxes that have been required in American vehicles by the NHTSA since 2014, capture speed, braking, and seatbelt status in the seconds before a crash. That data is regularly subpoenaed in accident cases, manslaughter prosecutions, and DUI investigations, often without the driver's knowledge until it's already been used against them.
Beyond crash data, location history stored by connected vehicle systems has become a target for law enforcement requests. In 2022, the Associated Press reported on Fog Reveal, a tool used by hundreds of law enforcement agencies to access large-scale commercial location data, including data derived from vehicles, without obtaining a warrant. The legal question of whether the Fourth Amendment protects your car's location history remains genuinely unsettled, with courts reaching different conclusions in different jurisdictions.
The regulatory response at the federal level has been slow. The American Data Privacy and Protection Act has stalled in Congress repeatedly. California has moved further than most states on data privacy, but vehicle-specific protections remain thin nationwide. Automakers have lobbied hard to keep this data categorized as proprietary business information rather than personal data subject to consumer protection law, and so far that framing has mostly held.
