Your Car is Spying on You: The Auto Data Privacy and Autonomy Act Explained


December 17, 2025 | Compliance & Privacy Analysis

Modern vehicles have transformed into sophisticated data collection machines, quietly harvesting information about your daily movements, driving habits, and personal routines. Senator Mike Lee (R-UT) and Congressman Eric Burlison (R-MO) have introduced the Auto Data Privacy and Autonomy Act to combat what privacy advocates describe as one of the most egregious privacy violations affecting American consumers today.

The Scale of Automotive Surveillance

If you've purchased a vehicle in the past five years, it's collecting far more data than you realize. Connected vehicles now represent a $750 billion market opportunity for data brokers, insurance companies, and manufacturers. By 2030, over 95% of passenger cars sold will have embedded internet connectivity, creating an unprecedented surveillance infrastructure on American roads.

The data harvesting is extensive and invasive:

  • Geolocation tracking: Your exact location, sometimes collected every three seconds
  • Driving behavior: Every instance of hard braking, acceleration, sharp turns, and speeding
  • Temporal patterns: Late-night driving, rush hour commutes, and trip frequencies
  • Personal habits: Radio stations, climate control preferences, and voice recordings
  • Biometric data: In some vehicles, driver attention monitoring and facial recognition

According to Mozilla Foundation's analysis of major automakers, modern cars rank as "the worst product category" they've ever reviewed for privacy protection. Their research found that 84% of automakers share or sell personal data, and 56% share data with government agencies or law enforcement upon request. The vulnerability of this data extends beyond privacy violations—automotive manufacturers have suffered devastating cybersecurity breaches that exposed millions of customer records, demonstrating that vehicle data isn't just being sold, it's also being stolen by ransomware groups.

The GM OnStar Scandal: A Wake-Up Call

The issue exploded into public consciousness in March 2024 when a New York Times investigation revealed that General Motors had been secretly collecting and selling driving data from millions of customers through its OnStar Smart Driver program. The Federal Trade Commission's subsequent investigation found that GM collected precise geolocation and driving behavior data from customers and sold it to data brokers LexisNexis and Verisk, who compiled "driver risk scores" for insurance companies.

The consequences were severe. Insurance companies used these scores to deny coverage, cancel policies, and raise premiums—often without drivers understanding why their rates had increased. One customer told GM: "When I signed up for this, it was so OnStar could track me. They said nothing about reporting it to a third party. You guys are affecting our bottom line."

In January 2025, the FTC reached a settlement with GM and OnStar, banning them from selling driver data to consumer reporting agencies for five years and requiring them to delete previously collected information. However, this settlement only addresses one manufacturer and doesn't prevent future violations once the ban expires.

The Texas Attorney General also filed suit against GM in August 2024, alleging the company unlawfully collected and sold private driving data from 1.8 million Texas residents. According to the complaint, GM allegedly pressured drivers into enrolling by threatening to disable safety features if they didn't sign up for data collection programs.

What Carmakers Know About You

Data collection by automotive manufacturers extends far beyond simple GPS tracking:

Location and Movement Data

Manufacturers can track every trip you take, creating detailed profiles of your daily routines. This includes visits to medical facilities, religious institutions, political events, and other sensitive locations. One investigation found that nearly 400 Oregon residents who requested lists of companies receiving their data received zero responses from automakers—despite state privacy laws requiring disclosure.

Behavioral Profiling

Automakers compile comprehensive behavioral profiles including:

  • Acceleration and braking patterns that indicate "aggressive" driving
  • Speed violations and traffic law compliance
  • Seat belt usage and safety compliance
  • Night driving frequency
  • Vehicle loading patterns that suggest family size

Financial and Insurance Implications

Consumer reporting agencies use this data to create "driver risk scores" that directly impact insurance rates. Some drivers have seen premium increases of 20-30% based solely on driving behavior data they didn't know was being collected.

National Security Concerns

The data collection infrastructure also poses national security risks. Foreign adversaries can potentially access granular location data about millions of Americans, including military personnel, government officials, and critical infrastructure workers. The Department of Defense recently banned the use of Chinese-made vehicles due to these exact concerns.

The automotive industry has faced unprecedented cyberattacks in 2024-2025, with major manufacturers including Volvo, Stellantis, Hyundai, and Jaguar Land Rover suffering devastating breaches. These incidents exposed not just customer data, but critical vulnerabilities in connected vehicle infrastructure that could be exploited by nation-state actors.

The Auto Data Privacy and Autonomy Act: Key Provisions

The legislation introduced by Senator Lee and Representative Burlison establishes comprehensive protections for vehicle owners:

Manufacturers must obtain affirmative, written consent before accessing covered data. This consent must be:

  • Freely given without coercion
  • Informed, specific, and unambiguous
  • Documented in writing
  • Easily withdrawable at any time

The law explicitly prohibits the enrollment tactics GM used, where sales representatives signed customers up for data collection programs without clear disclosure.

Data Sharing Restrictions

Automakers are prohibited from selling, leasing, or sharing covered data except in three narrow circumstances:

  1. When required by a lawfully executed warrant
  2. Pursuant to a court order, with 48-hour notice to the vehicle owner
  3. To facilitate emergency response

Protection from Foreign Adversaries

The Act specifically bars manufacturers from sharing personally identifiable information with five adversarial nations:

  • Democratic People's Republic of Korea
  • People's Republic of China
  • Russian Federation
  • Islamic Republic of Iran
  • Bolivarian Republic of Venezuela

This provision addresses growing concerns about foreign access to American transportation infrastructure data.

Owner Data Access and Control

The legislation grants vehicle owners unprecedented control over their data:

No-Cost Access: Owners receive access to all vehicle-generated data at no additional charge beyond the purchase price

Real-Time Access: Data must be available in real time, not delayed or batched

No Restrictions on Use: Owners can use their data without limitations or requirements to purchase licenses

Multiple Access Methods: Data must be accessible both through physical vehicle ports and wireless transmission

Open API Requirements: Manufacturers must provide open application programming interfaces that facilitate:

  • Complete deletion of all stored user data
  • Configuration of any user preferences by the owner or authorized users

Enforcement Through the FTC

Violations constitute unfair or deceptive acts under the Federal Trade Commission Act, carrying significant penalties—up to $51,744 per violation. This means manufacturers could face massive fines for systematic data collection violations affecting millions of vehicles.

Mandatory Transparency Report

Within 180 days of enactment, the FTC must submit a comprehensive report to Congress detailing:

  • Types of data manufacturers currently access
  • Third parties who receive vehicle data
  • Government entities accessing the data and their usage
  • Foreign governments receiving data
  • Cybersecurity risks associated with connected vehicles
  • Data breaches and foreign government involvement
  • Feasibility of technology-neutral data access standards

The Current Privacy Nightmare

Consumer Reports' investigation into automotive data practices revealed disturbing findings:

Opacity and Complexity: Privacy policies run hundreds of pages with technical legal jargon. Even privacy experts find it nearly impossible to understand what data is being collected and shared.

Deceptive Enrollment: Dealership sales representatives routinely enroll customers in data collection programs to earn enrollment bonuses, often without clearly explaining the implications.

Impossible Opt-Outs: While manufacturers claim to offer opt-out options, these settings are buried in complex menu systems. Some automakers make it functionally impossible to disable data collection without losing essential vehicle features.

Lack of Accountability: Despite Oregon's privacy law requiring companies to disclose data recipients, not a single automaker complied with nearly 400 information requests filed in 2024.

Industry Resistance and Lobbying

The Alliance for Automotive Innovation, representing major automakers, has defended current practices, arguing that:

  • Vehicle telematics data supports proper vehicle functioning
  • Information improves safety and enables compliance with government rules
  • Data collection facilitates emergency response

However, privacy advocates point out that none of these justifications require selling data to insurance companies, data brokers, or foreign entities. Essential safety features can function without creating comprehensive surveillance dossiers on American drivers.

The vulnerability of centralized automotive data infrastructure was dramatically demonstrated when CDK Global suffered a ransomware attack that paralyzed 15,000 dealerships across North America for nearly two weeks, costing the industry over $1 billion. This incident revealed how interconnected vehicle data systems create single points of catastrophic failure.

The auto industry has also expressed concern about a "patchwork of state laws" creating conflicting requirements. The federal Auto Data Privacy and Autonomy Act would establish uniform national standards—but would also impose stronger protections than most states currently require.

Why This Matters for Compliance Officers

Organizations with vehicle fleets face several immediate compliance considerations:

Fiduciary Responsibility

Companies have obligations to protect employee privacy. Using vehicles that harvest employee location and behavioral data without clear disclosure may violate employment contracts and privacy expectations.

Insurance Implications

Fleet insurance rates may be influenced by driving behavior data collected without employee knowledge or consent. This creates potential liability for employers who fail to disclose monitoring practices.

Cybersecurity Risks

The automotive industry's vulnerability to cyberattacks extends beyond data theft. Jaguar Land Rover suffered a £200 million loss from a ransomware attack that shut down global production for five weeks. Connected vehicles represent a potential attack vector for industrial espionage and operational disruption.

Competitive Intelligence Risks

Vehicle location data can reveal sensitive business information including:

  • Customer visit patterns and sales territories
  • Supply chain relationships and vendor locations
  • Competitive intelligence about market expansion
  • Proprietary route optimization and logistics

Government Contractor Requirements

Organizations with government contracts may face restrictions on using vehicles with data collection capabilities that could expose classified locations or personnel movements.

What Organizations Should Do Now

While the Auto Data Privacy and Autonomy Act works through the legislative process, compliance officers should take immediate action:

Conduct Vehicle Data Audits: Inventory all company vehicles and document their data collection capabilities. Request copies of manufacturer privacy policies and data sharing agreements.

Review Fleet Contracts: Examine vehicle purchase and lease agreements for data collection provisions. Negotiate opt-out clauses for new acquisitions.

Implement Access Controls: Where possible, disable wireless data transmission features. Use physical vehicle ports to access diagnostic data while preventing external data sharing.

Update Employee Policies: Clearly disclose to employees what data company vehicles collect and who has access to it. Obtain explicit consent where required by employment law.

Evaluate Insurance Arrangements: Discuss with insurance providers whether rates are influenced by telematics data. Consider whether disclosed monitoring could reduce premiums while being transparent with employees.

Monitor Legislative Developments: The Auto Data Privacy and Autonomy Act has bipartisan support and strong backing from privacy advocates. Organizations should prepare for new compliance requirements.

The Broader Privacy Context

Automotive surveillance exists within a larger ecosystem of consumer privacy violations:

  • Smart Home Devices: IoT devices collect similar behavioral and location data
  • Mobile Applications: Apps harvest location, contact, and behavioral information
  • Wearable Technology: Fitness trackers and smartwatches monitor health and movement
  • Connected Appliances: Even refrigerators and thermostats now collect usage data

What makes automotive surveillance particularly concerning is its mandatory nature. While consumers can choose not to use smart home devices or fitness trackers, modern vehicles have become essential for most Americans. The lack of privacy-respecting alternatives effectively forces consumers to accept surveillance as a condition of transportation.

The vulnerability extends beyond manufacturer data collection. Third-party supply chain breaches have exposed millions of automotive records, with Volvo Group's vendor suffering a ransomware attack that compromised 870,000+ employee and customer accounts. These incidents demonstrate that vehicle data faces risks from multiple attack vectors.

Looking Forward

The Auto Data Privacy and Autonomy Act represents a significant step toward addressing automotive surveillance. If enacted, it would establish the United States as a global leader in vehicle data privacy protection—potentially influencing international standards.

The legislation has received endorsement from the American Vehicle Owners Alliance, which emphasized that "vehicle owners must have access to and control over their vehicle-generated data, which is critical for privacy, safety, innovation, and fair market competition."

However, the bill faces significant headwinds from the powerful automotive lobby. The industry argues that data monetization helps offset the cost of connected vehicle development. This argument essentially asks consumers to subsidize vehicle technology by sacrificing their privacy—a trade-off most Americans would reject if presented clearly.

Conclusion: The Road to Privacy

Your car knows where you go, how fast you drive, who you visit, and countless other details about your daily life. For years, manufacturers have exploited this information stream for profit while keeping consumers in the dark about data collection practices.

The General Motors scandal pulled back the curtain on an industry-wide practice of surveillance and monetization. The Auto Data Privacy and Autonomy Act offers a path forward that respects both innovation and privacy—establishing that Americans own the data generated by vehicles they purchase.

As compliance professionals, we must advocate for strong privacy protections while preparing organizations for the regulatory changes ahead. The current automotive surveillance infrastructure is unsustainable and incompatible with fundamental privacy rights.

The question isn't whether regulation will come—it's whether it will come soon enough to prevent further violations of consumer privacy and trust.
