The average modern vehicle has dozens of connected systems constantly collecting data. Most of this data collection happens without any visible sign. There’s no blinking red light when a smart car logs your GPS coordinates every few seconds. No audible alert when it analyses your driving behaviour to make predictions about the type of driver you are.
Unlike phones or laptops, which we all know collect data as we use them, vehicles fly under the radar when they collect our data. You don’t need to download an app or visit a website. Simply getting into your car and starting the ignition is enough to activate a sprawling data pipeline that feeds manufacturers, insurers, analytics platforms, and third-party vendors.
And there is almost no public understanding of where that data goes, how long it is stored, or who has the authority to use it. To propel smart vehicles into the future, we must first contend with the privacy issues they pose.
What automotive learned from big tech
Over the past decade, automakers have embraced the logic of Silicon Valley. The goal is no longer just to manufacture cars. It is to create platforms that extract data and monetise it. This shift has allowed companies to introduce subscription features, build advertising models around in-vehicle media use, and offer insurers real-time tools for risk profiling based on driving habits.
But the tech industry playbook comes with ethical baggage. It depends on surveillance as a baseline and treats privacy as something users must actively seek out – if it’s available at all. In this model, privacy isn’t built into the system; it’s tucked away in settings menus, gated behind subscriptions, or entirely absent unless regulators force the issue. Automakers are adopting that mindset in full, but applying it to a domain with even fewer consumer protections and virtually no transparency.
Most people don’t realise their vehicle continuously records where they drive, how they drive, and when they drive – including patterns like hard braking, late-night trips, or frequent stops at certain locations. Even fewer understand that this data is treated as a proprietary asset, often shared with insurers, advertisers, or analytics firms without clear disclosure.
Data sovereignty should extend to the road
We need to start treating vehicle data as a privacy issue. Just as frameworks like the EU’s GDPR or California’s CCPA have helped define digital data rights, similar protections should extend to the data generated by vehicles. Just as citizens have begun to demand more control over how their digital data is collected and used online, they should have the same authority over the information generated by their physical movements.
That includes the right to say “no.” Today’s vehicles can log everything from biometric data captured by seat sensors and facial recognition systems to audio recordings from voice assistants and footage from onboard cameras. If someone does not want their smart cars to perform this level of monitoring, they should be able to opt-out without disabling safety features or forfeiting warranty coverage.
Ownership also needs to be redefined. In most cases, drivers do not truly own the data their cars produce, even though it is generated by their behaviour, on their property, during private use. Instead, the manufacturer reserves rights to that data in vague terms of service. That imbalance must be corrected.
Regulators can’t keep playing catch-up
Legislation in this space is patchy at best. The U.S. lacks a comprehensive federal privacy law, and most existing regulations were not written with vehicles in mind. As a result, automakers are left to set their own standards or avoid the question entirely. And given the deregulatory posture of the current administration, there’s little reason to expect meaningful federal oversight anytime soon.
This has created an environment where aggressive data collection is the default, and restraint is rare. While states like California and Colorado are beginning to enforce consumer data rights more broadly, the automotive space is often treated as an exception rather than a priority.
That needs to change. Just as regulators begin to focus on algorithmic transparency in hiring and content moderation, they now need to investigate the algorithmic systems inside vehicles. This includes evaluating how driving data influences insurance pricing, how predictive maintenance logs are shared across platforms, and how law enforcement agencies may access this information without proper oversight.
The road forward must include boundaries
A smart car must not only know things but also be cognizant of what it shouldn’t know – what data not to collect. Privacy is not a hurdle to innovation, it is the foundation of long-term progress. Proactive design choices, such as data minimisation and clear opt-out options, are key to establishing these boundaries early.
