Trillions of miles of data: Your car is spying on you, and it's only just the beginning

From your weight and facial expressions to your destination, cars collect a startling amount of data about you. Some of it may even raise your insurance costs. But you can take some simple steps to limit what they know about you.

Cars used to mean freedom. When I first got the keys to the old family Toyota it was a rite of passage, a sign I was old enough to step away from the watchful eyes of my parents and enter a world where time and decisions were mine alone. Things change.

Modern cars are computers on wheels, and giant corporations are using them to suck up intimate details about your life and make more money. If you think driving today is a chance for solitude and independence, think again. And it looks like it's about to get a lot worse.

Car companies will tell you themselves if you wade through their privacy policies. The information they harvest can include precise location data about everywhere you go, who's in the car with you, what's on the radio and whether you buckle your seatbelt, drive too fast or brake too hard. Some can gather details you might not expect like your weight, age, race and facial expressions. Do you pick your nose? Some cars have cameras on the inside pointed at the driver's seat. And most come with internet connections that can ship off that data as you drive in blissful ignorance.

This is a privacy problem that can cost you money. Among the biggest customers for car data are insurance companies, and they're using it to charge some people higher prices. But there's no telling where your information is going. Some car companies admit they sell your data, but they don't have to say who's buying. That's to say nothing of the fact that you might find it a little creepy. Most consumers, experts say, have no idea it's even happening. 

"People would be shocked at the number of data points that their car collects and transmits to other people, either the manufacturer or third-party applications," says Darrell West, a senior fellow in the Center for Technology Innovation at the Brookings Institute in Washington DC. "It basically means your life can be recreated almost on a second-by-second basis." 

Feeling uncomfortable yet? A federal law is about to increase the amount of data your car can gather about you. It will soon require American car companies to install infrared biometric cameras and other systems to scan your body language, track your eyes or other aspects of your behavoiur to detect whether you're too drunk or tired to drive. But it will also open up a whole new trove of data about your health and your habits. There are no rules limiting what the car companies can do with that information. 

Of course, there are benefits too. Internet-connected cars can be more convenient. The sensors they bristle with can make driving safer and more comfortable. Insurance companies could decide to charge you less because you're such a good driver.

But with automakers set to expand their data empires, this is a critical moment to understand what's happening under the hood and how it affects you.

If your car is even relatively new, it's probably involved. The consulting firm McKinsey found 50% of cars on the road in 2021 had internet connections and predicted the number will rise to 95% by 2030. If your car is hooked up to the internet, privacy is almost certainly an issue you need to care about.

Car companies can also snoop when you hook your phone up to the infotainment system, or if you use certain apps made for driving. Some drivers also use insurance companies' telemetrics system, which monitor you in exchange for potential discounts.

A 2023 analysis by Mozilla, the maker of the Firefox browser, examined the privacy policies of 25 car brands. Every one failed to meet the privacy and security standards that Mozilla uses to compare brands. Mozilla said cars were "the worst product category we have ever reviewed for privacy".

According to the report, car companies reserve the right to collect details including your name, age, race, weight, financial details, facial expressions, psychological trends and more. Kia's privacy policy, for example, suggests the company may even collect details about your "sex life" and general health.

Kia spokesperson James Bell says the company has never actually collected data on drivers' sex lives or health. These details only appear in Kia's privacy policy because the company is listing California's definition of "sensitive data", he says. Bell says Kia's privacy practices are transparent and the company only shares data with insurance companies if drivers opt in. The company did not explain what kinds of "sensitive data" it does collect, however.

Some of that might be hard to picture, but cars are littered with sensors: in the seats, the dashboard, the engine, the steering wheel, you name it. Many cars, for example, have cameras inside and out. If you're doing something in a modern car, chances are there's a way for companies to learn about it.

Mozilla found 19 of the car companies said they might sell your data, and that's exactly what's happening. For example, both state and federal agencies in the US took action against General Motors (GM) for allegedly selling car location data without consent. US Senators have accused Honda and Hyundai of similar practices – and these are just the examples the public knows about.

"They're taking all the information they collect on you, which is a lot, and using it to make inferences about who you are, how intelligent you are, what your psychological profile is, what your political beliefs are," says Jen Caltrider, a privacy analyst who led Mozilla's car research. "That's the stuff people don't necessarily think about." 

There are basically no rules about who can buy this data or what its used for, Caltrider says. It can be used to market things to you. Companies could used it in hiring decisions. Law enforcement can buy car data when they can't get a search warrant. Once it leaves your dashboard, you have no control over where it ends up. 

This is about more than companies snooping on your private life. For example, General Motors sold driver information to a company called LexisNexis, a data broker that buys and sells details about consumers. A driver who got a copy of that data reportedly found LexisNexis had 130 pages of information, detailing every trip he and his wife took over six months. He told the New York Times that after his insurance costs jumped 21%, an insurance agent told him the data was a factor. LexisNexis did not respond to a request for comment.

The US Federal Trade Commission took action, and GM is now barred from selling vehicle data for five years – but it's free to resume the practice afterwards so long as it obtains express consent from drivers and follows other conditions. Meanwhile, LexisNexis and other companies are still selling vehicle data they get from other car manufactures and apps the people use while driving. GM and LexisNexis did not respond to requests for comment.

Deals between insurance companies, car makers and data brokers are widespread, and as long as the practices are spelled out in privacy policies you agree to, it's all perfectly legal.

"Insurance companies have been collecting vast amounts of consumer data, especially on consumer driving data, and using it to try and charge people higher premiums, deny coverage or slice and dice consumers into various categories," says Michael DeLong, a research and advocacy advocate who covers auto insurance for the Consumer Federation of America, a US-based non-profit.

Car companies say they get their permission before tracking you. In practice, that usually means agreeing to forms and privacy policies when you set up the infotainment system or apps connected to your car. In some vehicles they pop up every time you start the engine. Did you read them? Of course not.

In the US, there is no privacy law at the national level. Protections in individual states are piecemeal, and according to some privacy experts, they don't go far enough. The picture is a little better in Europe, including the UK, where there are special protections for certain sensitive categories of information and consumers have some rights that let them access their data and tell companies to delete it. But it's not a solved problem in Europe either. 

"Europeans are still beholden to privacy policies," Caltrider says. "And you have to count on the regulations to be followed and enforced, and that's something that's not always happening, with cars especially."

The problem isn't new, but there are reasons to think it's accelerating. US law mandates that car manufactures will soon need to install "advanced impaired-driving prevention technology" in new passenger vehicles within the next few years. The technology is meant to stop people from driving if they're drunk, tired or unfit to drive using infrared cameras or other systems.

The problem, Caltrider and others say, is the law includes zero provisions that address what happens to the data these systems create.

A spokesperson for the US National Highway Traffic Safety Administration (NHTSA) – which is charged with enforcing the rule – says "NHTSA is committed to reducing impaired driving fatalities using every tool at our disposal", and it "continues to address critical and complex topics" such as privacy concerns. It's likely the implantation of this law will be delayed because the technology isn't ready, but privacy advocates are sounding the alarm.

"We need to keep drunk drivers off the road, and it would be great if there was a guarantee that the data won't be used for other purposes, but that's not what's happening," says Caltrider. "So many of the data collecting advances we see in cars are done under the guise of safety." It could hand the auto industry a trove of what amounts to medical information with no safeguards in place.

More like this:

• TikTok is tracking you, even if you don't use TikTok

• People are selling your home address online. This privacy tool will help

• Your phone's blue light isn't ruining your sleep

Like so many privacy problems, the car data problem isn't one you can solve entirely, but there are steps you can take.

For one, "do not enrol in the insurance telematics programme if you've got any concerns about privacy", DeLong says. The privacy risks are significant and the payoff isn't a guarantee. An analysis from the state of Maryland found 31% of drivers saw their insurance rates drop, but prices went up for 24% of drivers and 45% found no change. 

In the UK, the EU and some US states, you can request a copy of the data companies collect on you and can opt out of having that data sold or shared. You can also demand that companies delete it. You can find links to the big car manufacturers' privacy tools here.

Some car manufactures offer privacy settings you can adjust that may limit the sharing and collection of data. Look for options in the settings of your car's infotainment system and any accompanying app that works with your car. Consumer Reports (where I used to work) has a detailed guide you can use with more information.

Steps like these can help, Caltrider says, but it shouldn't be your responsibility to do a bunch of work to stop companies from violating your privacy. "Until the whole game changes, until we own our data and we control our data, and companies have to ask us for permission to use it, I think this issue is just going to keep getting worse and worse."

--

For timely, trusted tech news from global correspondents to your inbox, sign up to the Tech Decoded newsletter, while The Essential List delivers a handpicked selection of features and insights twice a week.

For more science, technology, environment and health stories from the BBC, follow us on Facebook and Instagram.