Skip to main content
Open this photo in gallery:

A car camera for Affectiva, a company that is developing technology for measuring driver emotions, in Boston, on Oct. 6, 2018. As more technology creeps into the front seat to help drivers, so too will systems that eavesdrop on and monitor them.TONY LUONG/The New York Times News Service

Your car knows all about you – your habits, where you like to go and when, and maybe even what sort of temperament you have. Cameras inside cars even track your eyes to see whether you’re watching the road.

If you spent as much time one-on-one with a friend as you do with your car, your friend would know an awful lot about you, too. The difference is that car companies, unlike friends, have a financial incentive for knowing things about you.

“Cars already collect a significant and growing amount of data,” says Teresa Scassa, Canada Research Chair in information law and policy at the University of Ottawa. The car itself is collecting driving data such as speed and braking patterns, but the built-in navigation and entertainment services are also collecting information of a more personal nature, she says. That could include location information, taste in music, voice commands, search history and so forth. Apps such as Waze, Apple CarPlay or Android Auto connected to the vehicle will also be collecting similar data.

New cars have more radar sensors and cameras than a typical smartphone, and the number and quality of those sensors will only increase as cars eventually become capable of driving themselves.

As cars become like two-tonne rolling smartphones – always online, anticipating your needs, listening to your voice, tracking your movements and loaded with apps that have access to your credit card information – what your car knows about you and who has access to that data for what purpose could become an increasingly contentious issue.

“People should be aware that any connected devices – appliances, vehicles – come with massive collection of data, much of which will be personal data,” Scassa advises. “Now, this data also has an enormous commercial value, not just directly in relation to the services being provided, but in all kinds of other applications.”

For example, if you often drive to Second Cup, a Starbucks coupon could pop up on the car’s dashboard as you head to work. Or, if you’re searching for an independent garage to take your car in for maintenance, your dealer could catch on and give you a call.

This kind of behaviour wouldn’t be unique to the automotive realm. Smart-home devices from Amazon and others are spying on us, collecting enormous amounts of data from which these companies make tremendous profits, Scassa says. "So, there’s an interest in collecting as much as possible and seeing all the different things you can do with it. It’s a bit of a wild west in that sense.” Cars are just the latest frontier in the data gold rush.

What your car knows

Right now, vehicles are collecting a lot of whatʼs known as “telematics” data, says J.D. Ney, director of J.D. Powerʼs automotive practice in Canada. “Black box” recorders log vital information such as speed, sudden braking and the position of a car. “That kind of information is being stored and, increasingly, being exported from the vehicle to the manufacturer as well,” he adds. This data could let the dealer know when your car’s due for an oil change, or give you an opportunity to lower your insurance rates.

In the event of a crash, police might also be interested in such data to determine who is at fault. But whether they are entitled to it is still being hashed out.

“There have already been legal skirmishes,” Scassa says, over whether the police need a warrant to acquire that data. The cases often turn on whether an individual has a “reasonable expectation to privacy in this vehicle data,” she says, which drivers often donʼt realize is even being collected. The results of those court cases have been mixed, Scassa says.

For most drivers, it will come as a surprise to learn that cars come with extensive privacy policies – just like Google or Facebook – which outline all the data about you and your car that manufacturers collect, how they collect it, who they share it with and how it is used.

In-car services – for example, General Motors’ OnStar or Mercedes Me Connect – can collect information to varying degrees. Though it can differ from manufacturer to manufacturer, services may collect data such as your credit card information, voice-command information, WiFi data usage and images from the car’s cameras. That information may be used to collect outstanding debts, to target ads, to provide customer support, and to develop new products and services, among other things.

That data can also be shared with third-party businesses, content providers, dealers, researchers, as well as law-enforcement agencies and the government, where required or permitted by law.

As for who owns the data generated when you drive your car, there isn’t an easy answer. “Everybody’s talking about ownership of data, but that’s a really complicated concept,” Scassa says. “We really have nothing but a kind of a complex mess of laws.”

The privacy policies of all major automakers seem very similar. By way of example, we asked Scassa to give us her opinion on the policies of a couple of Canadaʼs most popular automakers, General Motors and Toyota. The huge volume of data being collected didn’t surprise her, but two things stood out: the open-ended nature of the collection and need for customers to opt out (rather than opt in) to parts of these agreements.

With opt-out data collection, you’re enrolled automatically unless you take action. With opt-in collection, companies have to ask for permission, which you must actively grant.

“Iʼm certainly surprised by this: ‘The types of information may include but are not limited to,’ ” Scassa says, quoting from GM’s privacy policy. In other words, GM could collect any and all information it wants. “It seems to me that if youʼre going to give notice of collection, you have to actually say what youʼre collecting. … What exactly are you consenting to?”

Toyota’s privacy policy was similar, but slightly less open-ended, Scassa found. The Toyota policy allows customers to request to have their data deleted, but warns that after doing so, Toyota may not be able to supply a particular product or service.

The privacy policies of several automakers stated that these companies could keep your data as long as they deem necessary, which Scassa says is not a best practice. “Companies want to keep information for as long as possible because information has value for purposes that have yet to be discovered,” she explains.

Having all this personal, potentially sensitive and valuable data in cars and stored in the cloud opens up a Pandora’s Box of security concerns. Automakers have nearly 100 years of experience making cars physically safer, in the event of a crash, but relatively little experience making cars digitally secure, in the event of a hack. It’s an entirely new frontier.

We asked both GM and Toyota to comment about their data collection and usage policies. Both declined to comment.

Like it or not, cars are now part of a bigger discussion about data privacy, control and ownership.

“There’s just massive amounts of data being collected, and if you want the service, you have to agree to it. And people do agree to it, and they have relatively little control over things,” Scassa says.

Shopping for a new car? Check out the new Globe Drive Build and Price Tool to see the latest discounts, rebates and rates on new cars, trucks and SUVs. Click here to get your price.

Stay on top of all our Drive stories. We have a Drive newsletter covering car reviews, innovative new cars and the ups and downs of everyday driving. Sign up for the weekly Drive newsletter, delivered to your inbox for free. Follow us on Instagram, @globedrive.

Follow related authors and topics

Authors and topics you follow will be added to your personal news feed in Following.

Interact with The Globe