AUTOMOTIVE
Data on Wheels
Today’s vehicles are rolling information collectors, but when it comes to personal privacy, owners are generally not in the driver’s seat.
By Matt Bubbers | Illustrations by Mike Ellis
THERE'S A CLICHÉ that says cars have become like rolling smartphones or computers on wheels, and — for better and worse — the cliché is true.
Modern “connected cars,” as they’re often called, are linked to the Internet and often to your phone. Just like any other high-tech digital device, like smart fridges and doorbells, new cars are constantly collecting personal information on their owners.
“Your vehicle is the [device] that knows the most about you other than your cellphone. It knows where you go, how fast you go, where you stay, where you sleep at night, where you work,” says Jason Kerr, managing director of government relations at CAA National.
This opens a Pandora’s box of security and privacy issues. While some of the data is used to make cars safer and more reliable, the average driver might not want to share personal information with the likes of advertisers, automakers or insurance providers.
Even though there are some steps you can take to protect yourself from this data mining, CAA and other advocates feel that drivers are currently not adequately protected.
As part of CAA’s advocacy work — a key part of its mandate since it was founded in 1913 — the association is talking with policy-makers to establish the following three key pillars of automotive data privacy.
1
TRANSPARENCY
Make it easy to understand what data is being collected and for what purposes, so consumers can provide consent or not.
2
CHOICE
Provide drivers with granular and easy-to-use privacy controls with options on the amount of personal data collected and with whom it is shared.
3
CONTROL
Offer a means to easily erase personal data when a vehicle is sold, rented or shared.
“We underscore to government that this isn’t a future tech issue,” says Kerr. “It’s an issue today and needs to be addressed.”
Indeed, some automakers in the U.S. have recently come under fire for sharing their customers’ driving habits with insurance companies without customers’ knowledge. It could happen here in Canada too, so you’ll want to check your car’s privacy policies to be sure you understand what you’re sharing.
In other cases, people have purchased a used car only to find the previous owner’s phone number still saved in the vehicle. It’s not unusual for the purchaser of a used car to find, for example, the previous owner’s contact information, including home and office addresses, and even pre-programmed access to a home garage or other secure location.
THE INFORMATION HIGHWAY
So, how do cars rake in all this data about you and your life? Onboard GPS and cellular connections track the car’s location. Microphones pick up conversations and voice instructions (such as, “Hey Alexa, turn up the volume.”). Some cars use voice recognition to identify who is speaking. Giant touchscreens (or three) connect to the Internet and your phone, providing access to your stored contacts. Vehicles can record when and how you interact with their touchscreens, while a black box (a.k.a. an event data recorder) tracks information, including vehicle speed, position, acceleration, braking and steering. Some new cars have a camera pointed at the driver — a safety feature of any good hands-free driving system. The camera can be used for facial recognition or to monitor if a driver is watching the road or not. Outside of the car, an array of radar sensors and video cameras monitor the surroundings. A typical connected vehicle can generate nearly 25 gigabytes of data per hour, according to automotive data provider S&P Global Mobility. Today, 43% of Canadian drivers have a vehicle that connects to the Internet, according to a survey conducted in 2024 by RatesDotCa, which tracks car insurance rates in the Canadian marketplace. That number will only increase — and quickly. Management consulting firm McKinsey predicts that, by 2030, more than 90% of vehicles will be connected.
WHAT’S YOUR DATA DOING?
For car companies, controlling all this data could be a big money-maker. McKinsey estimates the global market for car data monetization could be worth $750 billion by 2030. In a comprehensive study conducted in 2023 by U.S. non-profit Mozilla Foundation, experts spent 600 hours wading through privacy policies of 25 vehicle brands, including Tesla, Toyota, Honda and GMC. Their conclusion: “Modern cars are a privacy nightmare.” All 25 brands were bestowed with Mozilla’s “privacy not included” warning label. (No similar study has been conducted recently in Canada, where automaker privacy policies do differ slightly.) When you’re shopping for a new car, privacy is, quite understandably, not front of mind, says Vincent Gogolek, a retired lawyer and a former executive director of the non-profit BC Freedom of Information and Privacy Association (FIPA), which is based in Victoria, B.C. “The basis of privacy law, generally, is that whomever’s personal information is being collected, they agree to it. This is why you have ‘agree to our terms and conditions’ check boxes,” explains Gogolek, who was part of FIPA’s two Canadian studies — in 2015 and 2019 — on car data privacy. The fundamental problem, however, is that users have little choice but to agree to the privacy policy of whatever car they’re driving. Even if you’re fine with most of it, notes Gogolek, there’s often no way to partially opt out or to decline permission for, say, facial recognition or video recording. “It’s a problem. By putting your check mark in the box, you don’t know what you signed away.”
PRIVACY REGULATIONS
Experts say the relevant federal privacy law — the Personal Information Protection and Electronic Documents Act (PIPEDA) — is outdated. The proposed update — the Digital Charter Implementation Act, Bill C-27 — would give consumers more control and transparency on how their personal information is handled. But the bill died in the House of Commons.
Drivers must be given the choice of meaningful consent when it comes to their car’s data, says CAA’s Jason Kerr. “The thing that we’re advocating against is [automakers] simply hoovering it up, like a vacuum just sucking all of your data and putting it into the cloud and storing it there for who-knows-what purpose.”
Until firmer checks are in place, Kerr advises vehicle owners to get familiar with their car’s privacy settings, usually found deep in a submenu on the infotainment screen. Consider the privacy implications of putting an automaker’s app onto your phone or sharing your phone’s data with the car. Take advantage of optional “privacy mode” or “guest mode” features available on some newer cars, which should limit data collection. Finally, before you sell or trade your vehicle, remember to delete your data from the infotainment system. And, of course, take all personal documents out of the glovebox.
Just as with your smartphone, it’s up to you to make sure you understand what you are sharing each time you operate your vehicle — and to do what you can to keep your information private. Especially because, for now, nobody’s making this very easy. CAA
“Just as with your smartphone, it’s up to you to make sure you understand what you are sharing each time you operate your vehicle.”
Public Opinion
In October 2024, CAA conducted its most recent survey to gauge public opinions on car data privacy. Three-quarters of Canadians were not aware that, as part of their vehicle purchase/lease agreement, they granted the ownership of their vehicle data to the automaker. About the same number of respondents believe that whoever owns or leases the vehicle should control the data generated by it, not the automakers.
1
TRANSPARENCY
Make it easy to understand what data is being collected and for what purposes, so consumers can provide consent or not.
2
CHOICE
Provide drivers with granular and easy-to-use privacy controls with options on the amount of personal data collected and with whom it is shared.
3
CONTROL
Offer a means to easily erase personal data when a vehicle is sold, rented or shared.