What will you leave behind when you sell your car, hand it to a dealer or give it back to a leasing or rental company? As well as that pound coin which fell into the seat, it could be a nice amount of personal data.
Some people compare the modern car to a laptop on wheels. The data gathering centre is the infotainment screen which you will be tapping and swiping or talking to. Here’s a list of the potential harvest:
- location data – where you are
- navigation history – where you’ve been and frequently visit
- synced phone contacts
- call logs, and sometimes text messages
- paired device IDs, user profiles, e-mail addresses, usernames, subscription identifiers
- payment information
Under new safety rules for new cars, systems must track the driver’s head and eyes to monitor for micro-sleep, sleep, and unresponsiveness, and then warn the driver. These can capture biometric data.
Several years ago, car manufacturers looked at the lucrative use companies such as Facebook were making of the data generated by our interactions and decided that they too could capitalise on the data that we were donating to their cars.
Every year the not-for-profit Mozilla Foundation, parent of the Mozilla Corporation (web browsing and safeguards), produces Privacy Not Included (PNI) reports that analyse how much data is extracted from consumers who buy different kinds of products, including cars, and rate them. It’s perhaps better known in the USA than here in the UK.
All 25 major car brands reviewed in Mozilla’s 2023 edition of PNI received fail marks for consumer privacy. According to Mozilla’s researchers (who combed through the privacy agreements and apps and asked questions), global brands, including BMW, Ford, Toyota, Tesla, Kia and Subaru, could collect deeply personal data such as sexual activity, immigration status, race, facial expressions, weight, health and genetic information, and where you drive.
Data is being gathered by sensors, microphones, cameras, and the phones and devices drivers connect to their cars, as well as by car apps, company websites, dealerships, and vehicle telematics. Researchers couldn’t confirm whether any of the brands encrypted all the personal information they stored on vehicles.
What do the carmakers do with all this information?
Brands can then share or sell this data to third parties. Mozilla said that they can also take much of this data and use it to develop inferences about a driver’s intelligence, abilities, characteristics, preferences and more.
There aren’t many public examples of this happening, although data security is a worry. In 2024, Volkswagen inadvertently exposed the personal information of 800,000 electric vehicle owners, including their location data and contact details.
Last month, General Motors (GM) agreed to pay $12.75m to resolve claims that it illegally sold hundreds of thousands of Californians’ locations and driving data to two data brokers. It included precise and personal location data. While state laws prevented insurers using that data to set premiums, the Californian Attorney General said that GM misled consumers by saying in its privacy policy that it would not sell driving or location data and then doing it anyway.
Hang on – isn’t most of this personal data just on my mobile phone?
Of course, some drivers don’t load any favourite phone numbers, destinations or music directly into their car. They do all the interaction via their mobile phones, using Apple CarPlay or Android Auto.
You might think that when you unplug your mobile phone from your car, you walk away with all the data in the phone.
“The reality is, data is being pulled and stored by the car,” says Martin Wilson, vice president of partnerships at Privacy4Cars, which calls itself the world’s leading authority on vehicle privacy and data security. “Even if it’s Apple CarPlay, the information will be cached in that car by the entertainment system. It depends on what settings you’ve put on your devices. Quite often, they’ll ask you, ‘Do you want to sync your phone to the car?’ Well, if that is the case, that will typically take a copy of your contacts out of your phone and store it in the dashboard. All that data is stored unencrypted, everywhere you have driven is recorded and all this can be potentially viewed by anyone getting into the car.
“Would you give me your mobile phone – unlocked, for me to do whatever I want with it? Probably the answer is no. So why would you do the same in a car?”
Well established in America, Privacy4Cars holds details on which data is stored on over 140,000 makes and models and how to remove it, which, like Mozilla, it has gleaned from the very long and complicated documents few of us would ever have the time or will to read. It sells a data deletion platform to dealers which enables them to clear data from cars and prove it to buyers. Now the company is also working with UK and European car dealers, fleet and leasing suppliers on ‘data cleansing’ used cars to meet our legal requirements. It’s the sole approved supplier for the Data Deletion and Privacy Protection Certificate launched this year by the National Association of Motor Auctions (NAMA).
An increasing number of cars now have an infotainment system with an operating system from Google. It was sold to some carmakers under the names Android Automotive and then Google Built-In. They then put their own wrapping around it.
To take one example, the Renault 5 E-Tech Google system is called openR link. This brings real-time navigation routes indicating charging points and estimated stopping times according to your preferences, the car’s consumption and the state of the traffic. Say “Hey Google” and it will play music, make calls, turn the heat up or down and take you to the nearest pizza restaurant if you desire. Google Play gives you sports news, entertainment, music and podcasts.
Google is in the business of providing clever navigation, entertainment and better searches, and also of targeting advertising at you based on your inputs. You don’t have to have a Google account or sign in to use a car with Google Built-in, but you might find you have to if you want to use some of the apps. “As soon as you use any Google service, you’ve given them an incentive for them to collect data,” says Martin.
These connections we make to our cars are very convenient, but they are often left behind. You may have climbed into a rental car to find the phone numbers of the previous renters. “We did a fun audit recently,” Martin continues. “We took 30 ex-lease cars in a compound and looked at them. Out of those 30, 27 still had personal data in them. There were 121 phones connected to them.”
He uses the example of the car of a military contractor, which contained the locations of where the vehicle had been driven, most of which were classified MoD sites, plus his home address, with email address and phone number.
There’s a very specific worry for American drivers. Many of them have electric garage doors which receive a code from the car when it approaches and then open. Leaving that data when the car is moved on could put them at risk of burglary, as a future owner of the car could then enter their house through a door inside the garage.
Did I hear that Chinese cars could be spying on me?
In April 2025, The i paper reported that the Ministry of Defence had banned EVs with Chinese components from sensitive sites and military training bases.
It followed up with a report that MoD officials were being warned against having sensitive conversations or connecting work phones inside their government-provided EVs, some of which were Chinese-built, due to espionage fears.
While it’s logical that security-sensitive workers and organisations are alert to any potential threats, if you have a Chinese car or are thinking of buying one, your phone calls are unlikely to be hacked by a foreign power. However, data-gathering infotainment and camera systems are fitted across global brands, so the same privacy issues apply.
The UK consumer does have protection
Good news. Ever heard of GDPR? In the UK, data protection is governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, and it’s much stricter than privacy laws in the USA.
Under GDPR, once a car or van leaves your hands as a private individual, manufacturers, dealerships, leasing, motor finance, motor insurance and car rental/car sharing companies must delete personal data collected and stored in vehicles (e.g., navigation and smartphone data).
Under the legislation, you have rights in relation to your personal data, with some exceptions. These include the right to have data erased. You could, in theory, demand that a dealer shows you they have done so when you complete the deal.
Jonathan Butler is legal counsel to the Vehicle Remarketing Association (VRA) and Partner and Head of Automotive at Geldards law firm. “Consumers may choose to delete their data before disposal, but they are not the party carrying the legal obligation once control of the vehicle has transferred. GDPR places that duty on the organisation determining the continued use and handling of the data.
“It is not uncommon for dealers to include terms suggesting that customers should wipe data before returning a vehicle. While that may be sensible as a matter of good practice, it does not displace the dealer’s obligations under GDPR. Data protection duties cannot be contracted away. If a business is the controller, it must have its own processes to identify and securely delete personal data: it cannot rely on the customer to have done so.”
Deleting data is now a massive topic in the motor trade and its associations. The Information Commissioner’s Office hasn’t yet taken anybody to court, but should that happen the fine is likely to be immense.
You yourself could take action at the County Court if you believed that your car-stored data could be out in the world, says Butler. “The evidence of misuse is not the point, because the law is that it must not be retained without a lawful basis. Where a vehicle changes hands, the original purpose for holding your data will almost always have fallen away. At that point, the law requires deletion – without any need to show that harm has already occurred. The obligation to delete personal data is fundamentally preventative.”
Incidentally, there is a household exemption in GDPR. A private individual selling their own car is not generally considered a data controller where a sale is genuinely private and not commercial. You won’t be in trouble.
The Data Deletion Certificate may have its day
It is possible for somebody to use the owner’s manual and other instructions to go through a car and delete the data, but it’s likely to take a very long time and, because it’s down to one person’s judgment, it is not provable and is prone to error.
Under GDPR, the dealer/data controller must have a data wiping process which is repeatable, objective and certifiable for an audit trail.
Privacy4Cars has an app designed for the motor trade, which works with a tablet and mobile phone. The registration plate or Vehicle Identification Number (VIN) in the corner of the windscreen is scanned by phone, and the user is presented with a step-by-step guide to clear all the data on that individual vehicle. This is claimed to typically take less than 90 seconds. The user can then capture an image to demonstrate they’ve been in the vehicle and at the end of the process, a time- and date-stamped, location-based certificate is generated to say that vehicle has been cleaned, when it was cleaned and who’s done it.
For buyers of used cars who want to know that it’s a blank slate, Privacy4Cars is working with organisations like CAP HPI and MotorCheck to have the info presented on vehicle history checks as well as manufacturer ‘approved used’ schemes, being able to produce a certificate showing it’s been done.
The expectation is that ‘data cleansed’ will become one of the standard things in a used car ad along with ‘Not recorded stolen’, ‘never written off’ and battery health certificates.