Modern Cars Are Surveillance Machines, and a New US Law Will Expand the Haul

Connected vehicles have quietly become one of the most invasive consumer data collection platforms in existence. Manufacturers harvest precise location traces, in-cabin camera footage, biometric details like weight and facial expressions, driving behavior, and infotainment activity, then ship it off over built-in cellular links. McKinsey projects 95% of cars on the road will be internet-connected by 2030, and a 2023 Mozilla review of 25 brands concluded cars were the worst product category it had ever assessed for privacy, with every manufacturer failing baseline standards.

The downstream market is largely unregulated. Nineteen of the brands Mozilla examined reserve the right to sell driver data, and brokers like LexisNexis repackage it for insurers who use it to raise premiums or deny coverage. The FTC has already barred GM from selling vehicle data for five years after it fed LexisNexis granular trip histories that pushed one driver’s insurance up 21%, but the restriction expires and rival brokers continue sourcing equivalent data from other automakers and driving apps. Law enforcement can also buy records that would otherwise require a warrant.

The surface is about to expand. A forthcoming US federal mandate will require automakers to install infrared biometric cameras and behavioral sensors to detect impaired or drowsy drivers, generating a new stream of health and attention data with no statutory limits on secondary use. Drivers retain little practical control once data leaves the dashboard, and most have no idea collection is happening at all.