Chapter 05: That Car in Your Driveway Knows More About You Than Your Spouse Does.
Here is something most people never think about. The car sitting in your driveway right now knows where you slept last night. It knows what time you left this morning, how fast you drove, how hard you hit the brakes, and whether you were wearing your seatbelt. It knows the phone numbers in your contacts, the last address you plugged into navigation, and possibly the words you spoke out loud inside the cabin. And it has been sending that information, over a hidden cellular connection you never asked for, to servers controlled by your automaker, who then sells it to insurance companies, data brokers, and sometimes law enforcement agencies that never obtained a warrant.
If that sounds extreme, stay with me. Because what has unfolded over the past two years around connected vehicle surveillance is one of the most disturbing privacy stories in American life. It involves secret data sharing, rigged consent forms, insurance premiums spiking because of driving data you never agreed to hand over, domestic violence survivors being tracked through their own cars, and a massive federal enforcement action that confirmed what privacy advocates had been warning about for years. Your car is no longer just a car. It is a data collection machine, and the people profiting from it are counting on you never finding out.
Your Car Knows More About You Than Your Phone Does
A modern connected vehicle generates an estimated 25 gigabytes of data every single hour. Let that sink in for a moment. That is more data than most people use on their phones in an entire month, and it is streaming off your car in real time. Much of it stays onboard in the vehicle's computer systems. A growing portion of it gets transmitted through a factory-installed cellular modem to cloud servers run by your automaker, sometimes as often as every three seconds, according to the Federal Trade Commission's case against General Motors.
The categories of data are staggering. Your car records your precise GPS location, your speed, your acceleration patterns, every hard braking event, your seatbelt status, your steering behavior, and complete trip logs with start and end points. Some vehicles now include driver monitoring cameras that use facial recognition and eye tracking, voice command systems that process your words through cloud servers, and always-on microphones that capture audio inside the cabin. When you pair your phone over Bluetooth, many vehicles pull in your contacts, call logs, and text messages. Your navigation history, what stations you listen to, what apps you use on the infotainment screen, all of it gets logged.
And the privacy policies that automakers bury in their paperwork go further than any reasonable person would expect. Nissan's privacy policy admits to collecting data about sexual activity, health diagnoses, genetic information, and what it calls psychological trends. Nissan also claims the right to develop inferences about a driver's intelligence, abilities, and aptitudes, and to sell those assessments to third parties. Kia's policy similarly allows the collection of information about sex life. Tesla received every possible privacy warning from the Mozilla Foundation, and its cabin camera can record and transmit video. Toyota maintains twelve separate privacy policy documents that researchers described as near incomprehensible. Subaru's policy states that if you are simply a passenger in the vehicle, you are considered a user who has consented to data collection.
In September 2023, the Mozilla Foundation published the results of 600 hours of research across all 25 major car brands sold in America. The report was called Privacy Not Included, and its conclusion was devastating. Every single brand received a failing grade. Mozilla called cars the worst product category they had ever reviewed for privacy. Eighty-four percent of the brands share or sell your data. Ninety-two percent give drivers little to no control over their personal information. Fifty-six percent will hand your data to law enforcement based on nothing more than an informal request, no court order required. Not one single brand could confirm that it encrypts all of the personal data stored on its vehicles. Senator Edward Markey sent letters to fourteen automakers demanding answers. Their responses, published in early 2024, were described as vague, incomplete, and evasive.
Why do automakers collect all this information? Because selling it is enormously profitable. The car data market is projected to reach somewhere between 450 billion and 750 billion dollars by 2030. When that kind of money is on the table, protecting your privacy is not the priority. Monetizing your life is.
The Pipeline From Your Dashboard to Your Insurance Premium
The most important privacy revelation of 2024 was that automakers had been quietly funneling detailed driving data to insurance companies through data brokers, and that drivers' premiums were going up as a direct result. The story broke in March 2024 when a reporter at the New York Times published an investigation showing that GM's OnStar Smart Driver program had shared data from as many as eight million vehicles with LexisNexis Risk Solutions and Verisk Analytics, two massive consumer reporting agencies that serve the insurance industry.
The way it worked was deceptively simple. Smart Driver was marketed as a free feature to help people become better drivers. It tracked habits through the MyChevrolet, MyBuick, MyGMC, and MyCadillac apps. What drivers did not realize was that every hard brake, every rapid acceleration, every instance of driving above 80 miles per hour, and every late night trip was being recorded and transmitted to LexisNexis and Verisk. Those companies converted the raw data into risk scores and something called Driving Behavior Data History Reports, which insurance companies purchased to set your rates. The FTC found that GM collected this data as often as every three seconds.
The consequences hit real people immediately. Kenn Dahl, a 65-year-old software company owner in Seattle with a perfectly clean driving record, watched his insurance spike 21 percent in 2022 after leasing a Chevrolet Bolt. He had no idea why. When he requested his LexisNexis report under the Fair Credit Reporting Act, he received a 258-page document that detailed 640 trips over six months. Every instance of hard braking and rapid acceleration had been logged. He told the Times it felt like a betrayal. A Cadillac driver in Palm Beach County, Florida, was denied insurance by seven separate companies after his LexisNexis report revealed months of driving behavior data he never knew was being collected. Another consumer, Temeika Clay, saw her premium jump 80 percent after GM shared 603 entries of driving data from her Chevy Camaro.
The reporter who broke the story later discovered that she and her husband had been enrolled in Smart Driver despite never opting in. GM called it a bug. Her deeper investigation revealed that dealership salespeople were auto filling consent forms with yes entries because their pay was docked if they failed to enroll buyers. GM graded its dealerships on enrollment percentages. So the system was designed from the ground up to ensure that as many people as possible were enrolled, whether they knew about it or not.
On January 14, 2026, the FTC finalized a 20-year consent order against GM and OnStar. This was the agency's first enforcement action targeting connected vehicle data. The order imposes a five-year ban on sharing geolocation and driver behavior data with consumer reporting agencies. It requires affirmative express consent before any data collection. It gives consumers the right to access, delete, and disable collection of their data. And it requires GM to destroy all previously retained information. No monetary fine was imposed, though GM's 2025 annual report disclosed 500 million dollars in accumulated litigation costs from the scandal. State attorneys general have piled on. Texas sued GM over data collected from 1.8 million Texas drivers, seeking up to 10,000 dollars per violation, which could mean as much as 18 billion dollars in penalties. Nebraska, Arkansas, Indiana, and Iowa have filed their own lawsuits. Arkansas alone is seeking up to one billion dollars in damages.
The Allstate Shadow Network That Tracked 45 Million Americans
At the same time GM was being exposed, a parallel surveillance operation came to light. In January 2025, Texas Attorney General Ken Paxton filed the first ever enforcement action under a comprehensive state data privacy law, targeting Allstate and its subsidiary Arity. The complaint tells a remarkable story. Arity developed a piece of tracking software and paid app developers millions of dollars to embed it in popular consumer apps including Life360, GasBuddy, and Fuel Rewards. That software operated silently in the background, capturing your location, accelerometer data, speed, and trip details every 15 seconds or less from 40 million active connections. Arity marketed what it built as the world's largest driving behavior database, covering over 45 million Americans.
The software could not even tell whether the phone user was actually driving. A passenger on a bus or a rider on a rollercoaster could have their data recorded as bad driving and used against them for insurance pricing. Arity also purchased driving data directly from automakers including Toyota, Lexus, Mazda, and the Stellantis family of brands. On March 3, 2026, a federal judge in Chicago allowed wiretapping, Fair Credit Reporting Act, and privacy tort claims against Allstate and Arity to go forward.
How to Check What Is in Your File
Two companies controlled the pipeline between your car and your insurer. LexisNexis Risk Solutions operates its Telematics Exchange, working with automakers that represent 46 percent of new car sales in America and 95 of the top 100 auto insurers. Under the Fair Credit Reporting Act, you have the right to request one free report each year. You can do this at consumer.risk.lexisnexis.com or by calling 1-888-497-0011. Verisk Analytics operated a parallel system containing over 260 billion miles of driving data from 8 million vehicles. After the GM scandal broke, Verisk shut down its automaker-sourced driver behavior data product entirely in mid-2024. You can still check your Verisk records at fcra.verisk.com or by calling 1-800-627-3487. I want to encourage you to request both reports. You may be shocked by what you find.
Police Are Trained to Get Your Car's Data
Here is something that may or may not surprise you. Law enforcement officers are being systematically trained to extract data from connected vehicles. A 2025 investigation based on California Highway Patrol training documents obtained through public records requests revealed that police receive detailed instruction on how to acquire telematics data based on a vehicle's year, make, and model. The training materials even note that GM's OnStar transmits location data twice as frequently as Ford's system.
A landmark congressional investigation in 2024 asked fourteen automakers about their law enforcement practices. The findings should concern every American. Only five automakers, GM, Ford, Honda, Stellantis, and Tesla, require a warrant before handing over your location data to police. Eight manufacturers, including Toyota, Nissan, BMW, Mercedes-Benz, and Volkswagen, admitted they would surrender your location data in response to a mere subpoena, meaning no judge ever has to sign off. Only Tesla notifies vehicle owners when the government requests their data. None of the automakers publish transparency reports comparable to what tech companies like Google and Apple release.
The physical extraction of data from vehicles has become routine. A company called Berla Corporation manufactures forensic tools that can pull call history, contacts, text messages, GPS history, and social media data from infotainment systems. In one documented case, a Berla analyst extracted data from 70 different phones that had been connected to a single Ford Explorer rental car over time. Michigan State Police reported extracting vehicle data for everyday felonies two to three times per week. Police in Oakland, California sought warrants in 2024 specifically to tow Tesla vehicles into evidence and access their Sentry Mode camera footage for homicide investigations.
There is another pathway that is even more troubling. After the Supreme Court's 2018 Carpenter v. United States decision required police to get a warrant before accessing historical cell site location data, federal agencies found a workaround. They started buying equivalent location data from commercial data brokers, no warrant needed. The FBI, IRS, DHS, ICE, and Secret Service have all purchased commercial location data without any court authorization. A company called Fog Data Science sells a subscription search engine covering 15 billion data points daily from 250 million devices to at least 18 law enforcement agencies, and none of those agencies need a warrant. The Fourth Amendment Is Not For Sale Act, which would have closed this loophole, passed the House in April 2024. It died in the Senate. As of March 2026, the loophole is still wide open.
The Supreme Court is now poised to address mass location surveillance more directly. On January 16, 2026, the Court agreed to hear Chatrie v. United States, the first geofence warrant case to reach the justices, with oral arguments scheduled for April 2026. In United States v. Smith in 2024, the Fifth Circuit Court of Appeals had already declared that geofence warrants are categorically prohibited by the Fourth Amendment. The resulting disagreement among federal courts demands resolution, and whatever the Supreme Court decides will shape the future of digital privacy for decades.
When You Try to Opt Out, They Take Away Your Safety Features
Here is where the story becomes especially cynical. When drivers try to reclaim their privacy by opting out of data collection, automakers strip away safety features that you have already paid for. The bundling of safety-critical functions with data-hungry services is deliberate.
If you cancel GM's OnStar, you lose automatic crash response. That is the system that contacts emergency services when your airbags deploy. If you press the red SOS button after cancellation, you hear nothing but an automated recording telling you the subscription is inactive. OnStar routes through private call centers, not directly to 911, so the FCC's E911 rules for cell phones do not apply. Stellantis, the company behind Jeep, Ram, Dodge, and Chrysler, explicitly warns customers that canceling connected services for privacy reasons eliminates SOS Call, Automatic SOS Call, and Roadside Assistance. Tesla's privacy notice warns that opting out of data collection may result in your vehicle suffering from reduced functionality, serious damage, or inoperability, partly because Tesla delivers recall fixes through over-the-air updates that require connectivity.
Navigation, remote start, and software updates all disappear when you disable data collection. GM vehicles without an OnStar subscription lose Google Maps, Google Assistant, and Google Play entirely. Multiple automakers withhold software updates from customers who opt out, meaning those vehicles may miss safety patches indefinitely. Think about what that means. You paid for a car. You own it. And the manufacturer is telling you that if you do not let them surveil you, they will take away features that protect your life on the road.
The Privacy4Cars organization published the first quantitative privacy scorecard for the auto industry in August 2025, evaluating 49 brands. The median score was just 1.7 out of 5.0. Only five brands scored above 3.0. Honda scored a dismal 0.8 before the California Privacy Protection Agency fined it 632,500 dollars in March 2025, the CPPA's first ever enforcement action against any company. After that fine, Honda overhauled its practices and now leads the industry with a score of 4.6. That tells you something important. Enforcement works. When regulators impose real consequences, companies change their behavior. Porsche offers a Private Mode that limits data transmission to only what the law requires while keeping navigation functional, one of the few genuinely respectful designs in the industry.
For those willing to go further, the only guaranteed way to stop data transmission is to physically disable the Telematics Control Unit by pulling the TCU fuse or removing the cellular modem. Online forum communities for GM, Ford, Subaru, and Toyota vehicles have documented the specific procedures. The consequences include dashboard warning lights, loss of the WiFi hotspot, and the elimination of all connected features. Under the Magnuson-Moss Warranty Act, a physical modification like this should not void your entire vehicle warranty, though a manufacturer could deny claims specifically related to the modification.
Domestic Violence Survivors Are Being Tracked Through Their Own Cars
This is the part of the story that keeps me up at night. Connected car technology has given abusers a new and terrifyingly effective way to track and control their victims. A joint investigation published in April 2024 documented case after case of internet connected cars being used to locate domestic violence survivors after they flee.
Yenni Rivera, who works with domestic violence survivors in Los Angeles, told reporters that she hears the story over and over from survivors about being located by their vehicle and having it taken. Stephanie Davidson, managing attorney at the Legal Aid Foundation of Los Angeles, reported that multiple domestic violence shelters now prohibit survivors from parking their connected cars on site because the vehicles could reveal the shelter's confidential address.
The cases are devastating. Christine Dowdall of Louisiana discovered her ex-husband was stalking her through the Mercedes-Benz Mbrace app, showing up beside her at locations she had never told anyone about. Because the vehicle title was in his name, Mercedes told her there was nothing they could do. She paid a mechanic 400 dollars to disable the software. In another case, a woman parked her Lexus at a confidential survivor shelter behind a gated garage, and her court advocate still spotted the abuser nearby. The car had given away her location.
An FCC report documented a man who used remote vehicle access to activate his wife's car lights and horn in the middle of the night and run the heat on hot days as a form of harassment. In the most dangerous case on record, a woman's vehicle was repeatedly started at night inside her closed garage, causing dangerous carbon monoxide to build up inside the home.
California responded with SB 1394 in 2024, requiring automakers to sever an abuser's remote vehicle access within two business days when a survivor requests it. At the federal level, the Safe Vehicle Access for Survivors Act was introduced in March 2025. These are steps in the right direction. They are nowhere near enough.
Consumers Are Fighting Back in Court
Americans are not taking this lying down. The first class action lawsuit was filed on March 13, 2024, when Romeo Chicco of Florida sued GM, OnStar, and LexisNexis, claiming his Cadillac's data was shared without his consent and that the resulting LexisNexis report caused seven insurance companies to deny him coverage. By November 2024, 32 separate lawsuits had been consolidated into a single multidistrict litigation called In re Consumer Vehicle Driving Data Tracking Litigation, assigned to Judge Thomas W. Thrash Jr. in the Northern District of Georgia. A Master Consolidated Class Action Complaint was filed in December 2024, with fact discovery expected to continue through late 2026. The legal claims span Fair Credit Reporting Act violations, state consumer protection statutes, invasion of privacy, and breach of contract.
The litigation goes well beyond GM. A Toyota class action was filed in Texas in April 2025 after a plaintiff discovered that Progressive Insurance already had his driving data from a 2021 RAV4, even though he had never enrolled in any monitoring program. Toyota's affiliate had partnered with Arity to share the information. Mass arbitrations are being pursued against Hyundai, Kia, and Mitsubishi for similar practices.
Security researchers have exposed how fragile these systems are. In November 2024, a researcher named Sam Curry discovered that Subaru's STARLINK admin portal could be accessed using nothing more than a person's last name and ZIP code. That access allowed anyone to remotely start, stop, lock, or unlock any Subaru, pull up a full year of location history accurate to five meters, and add themselves as an authorized user without the owner ever receiving a notification. He demonstrated the vulnerability by tracking his own mother's 2023 Impreza to the doctor's office, friends' homes, and church. In September 2024, Curry found that Kia's dealer portal allowed remote control of over 600 Kia models manufactured after 2013 using nothing more than a license plate number.
76,000 License Plate Cameras Are Watching Every Road
Everything discussed so far involves data flowing through automaker systems. A separate surveillance network runs in parallel, and most people do not know it exists. Automated License Plate Readers, known as ALPRs, are high speed cameras mounted on poles, overpasses, police cruisers, and even private vehicles. They capture plate images at rates of up to 1,800 per minute, recording the plate number, date, time, GPS coordinates, a photograph of the vehicle, and in newer systems, distinguishing features like bumper stickers, dents, and roof racks. Over 76,000 of these cameras have been mapped across the United States.
The dominant player is Flock Safety, founded in 2017 and now operating in over 5,000 communities across 49 states with contracts covering more than 4,800 law enforcement agencies. Flock performs over 20 billion vehicle scans each month and crossed 300 million dollars in annual revenue in 2025, earning a 7.5 billion dollar valuation. Its competitor, Vigilant Solutions, was acquired by Motorola Solutions for 445 million dollars and maintains a database of over 5 billion license plate detections with 150 million new ones added every month.
The private sector operates its own ALPR network with almost no oversight. Digital Recognition Network, a Motorola affiliated company, maintains over 20 billion confirmed vehicle sightings collected by a network of more than 600 repossession agents who mount cameras on their vehicles and scan plates all day long. Anyone, not just law enforcement, can search that database for about 20 dollars per query. No warrant is required because the Fourth Amendment does not apply to private companies.
An analysis of 63 California law enforcement agencies found that only 0.05 percent of license plate reader data was connected to any public safety interest at the time it was captured. That means 99.95 percent of scanned plates belonged to people who were not suspected of any crime. The California State Auditor found that Los Angeles alone had stored 320 million images, of which 99.9 percent were not matches to any wanted list.
Immigration and Customs Enforcement holds a 6.1 million dollar contract giving over 9,000 officers access to Vigilant's plate reader database. In 2025, journalists discovered that local police departments were conducting over 4,000 immigration related searches through Flock's system on ICE's behalf, despite Flock's stated policy banning immigration enforcement use. San Francisco police allowed 1.6 million unauthorized out of state searches of its Flock database, including at least 19 ICE related queries, in violation of California's sanctuary laws. In response, at least 30 cities have deactivated cameras or canceled Flock contracts since early 2025, including Santa Cruz, Cambridge, Eugene, Austin, and Mountain View.
California's SB 34, which took effect in 2016, requires ALPR operators to maintain public usage policies, put reasonable security measures in place, and keep access logs. It prohibits public agencies from sharing plate reader data with entities outside the state, a provision that 71 agencies were found to have violated. Civil remedies include minimum 2,500 dollar liquidated damages per violation plus potential punitive damages.
Who Owns the Data Your Car Creates? Nobody Knows
Despite everything you have just read, the fundamental question of who owns the data your car generates has no answer in American law. Three federal bills sit pending. The Auto Data Privacy and Autonomy Act would prohibit automakers from accessing or selling vehicle data without your explicit written consent. The REPAIR Act would require manufacturers to give owners and independent repair shops standardized access to vehicle data. The DRIVER Act would establish that vehicle data belongs to you and must be available in real time at no additional cost. None of these bills have advanced to a floor vote.
The right to repair movement has become the most visible battleground. Massachusetts voters approved a right to repair ballot measure in November 2020 by a 75 percent margin, requiring automakers to provide standardized telematics data access to vehicle owners and independent repair shops. The automaker alliance spent 26 million dollars trying to defeat it. When voters passed it anyway, the Alliance for Automotive Innovation immediately sued, claiming compliance was technically impossible and would create cybersecurity risks. A federal judge dismissed the industry's lawsuit in February 2025. The appeal was argued before the First Circuit in February 2026. In the meantime, Subaru responded by simply turning off its Starlink telematics system for all Massachusetts customers rather than share the data. Maine voters passed a similar measure in 2023 and automakers sued there too.
The automotive industry has spent heavily to resist data transparency. Federal lobbying by the automotive industry reached 109 million dollars in 2025. GM alone spent 14.17 million dollars in a single year. The industry's position is that giving consumers access to their own vehicle data creates cybersecurity risks and conflicts with federal safety law. It is worth pausing to absorb the full picture here. These companies argue that sharing data with vehicle owners is too dangerous, while they sell that same data to insurance companies and data brokers for profit.
Europe has taken a different path. The EU Data Act, which became applicable on September 12, 2025, requires automakers to give vehicle owners control over the data their cars generate and to share that data with third parties under fair conditions, in a readable format, free of charge. The United States remains the only G20 nation without a comprehensive federal data privacy law.
For those of us in California, the CCPA and CPRA apply fully to connected vehicle data, giving us the right to know what is collected, to delete it, and to opt out of its sale. The CPPA's 632,500 dollar Honda fine proved that enforcement has real teeth. California is the only state that prohibits telematics data from being used for insurance rating. The CPPA launched its connected vehicle investigation in July 2023 and has signaled that more automakers remain under scrutiny.
What You Can Do Right Now
I wrote this chapter because I believe that once you understand what is happening, you will want to take action. So here is what you can do today.
Request your LexisNexis report at consumer.risk.lexisnexis.com or by calling 1-888-497-0011. Request your Verisk report at fcra.verisk.com or by calling 1-800-627-3487. You are entitled to one free copy per year from each company under federal law. If you find errors, dispute them in writing.
Review your vehicle's connected services settings. Look for data sharing or driving behavior features that may have been activated without your knowledge, especially if your car is a GM, Toyota, Honda, Hyundai, Kia, or Stellantis brand. Read the privacy settings in your vehicle's companion app, and disable everything you can.
Think twice before pairing your phone to a rental car or a vehicle you do not own. The infotainment system will store your contacts, call logs, and text messages, and that data can persist long after you return the keys.
If you live in California, exercise your CCPA rights. Submit a data access request to your automaker to find out exactly what they have collected. Then submit a deletion request. Then opt out of the sale of your personal information. You can do all of this through the automaker's privacy portal or by contacting their privacy office directly.
Talk to your elected representatives. Tell them you want a federal law that establishes vehicle data as belonging to the person who owns the vehicle, not the company that manufactured it. Three bills are sitting in Congress right now. They need public pressure to move forward.
And share this information with the people you care about. Because most Americans have no idea that the car in their driveway is collecting this kind of data. They do not know that their insurance rates may already be affected. They do not know that their location history is being sold. The single most effective thing any of us can do right now is make sure more people know the truth.
Your car should take you where you want to go. It should not tell the world where you have been.