‘Your weight, your speed, where you work’: How your connected car is tracking your every move

Connected cars equipped with internet capabilities are becoming the new normal, but the rise of this technology has raised questions about carmakers' ability to potentially collect and monetise private driver data.

RELATED: Experts issue keyless car theft warning

A March 2024 report by The New York Times identified various car manufacturers in the US that have allegedly collected personal information from drivers and passed it onto external data brokers who, in turn, sold it to insurance companies.

The harvesting of private driver data has reportedly led to higher insurance premiums for some car owners – bringing into question the legality of carmakers monetising private information without explicit driver consent.

An Insurance Council Australia (ICA) spokesperson told Drive it is “not aware of this practice occurring in Australia" as the insurance industry must adhere to "significant regulations" regarding personal data collection and sharing.

However, the terms and conditions for some connected cars sold in Australia provide a grey area that could potentially enable other forms of data harvesting. Here's what you need to know.

While selling personal information to external third parties is a predominantly US issue – the ambiguity surrounding private driver data collection laws in Australia has recently been scrutinised by experts and regulators.

Privacy Commissioner Carly Kind from the Office of the Australian Information Commissioner (OAIC) – the national regulator for privacy information – told Drive a lot of Australians are unaware of what type of data is collected and how it is used once they have purchased a brand-new car.

“Data increasingly collected by cameras, microphones, sensors and connected phones and apps can include personal and sensitive data such as visits to medical providers or adherence to road rules,” Commissioner Kind told Drive.

“Many Australians may not expect that data is even being collected, let alone used and potentially even shared with insurers for the purposes of assessing their premiums,” she added.

Chandni Gupta, the Deputy CEO and Digital Policy Director of the consumer advocacy group CHOICE told Drive Australia’s privacy laws are outdated and most consumers don’t feel in control of their private information.

“Australia’s privacy laws are stuck in the 80s … they are no longer fit for purpose in an economy where we interact daily with devices and businesses that collect and use more of our data in more ways than ever before,” Ms Gupta told Drive.

“Our research confirms that over 70 per cent of Australians feel that they have little to no control of what information is collected from businesses they have no direct contact with, such as data brokers,” she added.

Alex Hoffmann, the Industry Lead for Logistics and Transport of CyberCX – one of Australia's largest cyber security firms – said modern vehicles have evolved beyond a conventional mode of transport.

“Your standard new car in Australia now has more lines of code than a Boeing 747,” Mr Hoffmann told Drive.

“Wherever we are using internet-connected devices, we’re creating data about ourselves that the manufacturer of that device can potentially access and share,” Mr Hoffmann explained.

Bill Hanvey, the CEO of Auto Care Association – a US-based automotive aftermarket organisation – told Drive: “The car transmits about 20 gigabytes an hour of data back to the automaker while the vehicle is in use … that’s about 20,000 songs on Spotify when you think about it."

“Anything that the vehicle does transmits data, it’s an incredible amount of data and the automakers are monetising [it],” he added.

Mr Hanvey told Drive modern cars with connective capabilities harvest every “type of data you can imagine".

“The [collected] data includes everything from your geolocation, your rate of acceleration, hard braking, and how much you weigh,” he added.

“Modern cars track and store a lot of information about drivers and car owners, including where they live, where they work, where and when they travel and how long for ... this information can paint a pretty intimate picture of someone’s life,” Mr Hoffmann told Drive.

"There's more concern around the transparency of data collection practices by car brands in Australia, as well as what data is being captured, what happens to it, and whether drivers have sufficient opportunities to opt-out," he added.

All manufacturers in Australia collect personal information normally associated with car ownership such as a driver’s name, gender, address, age, date of birth, telephone number, email address, driver’s licence, employment and bank details.

However, according to the terms and conditions listed on the websites of some carmakers in Australia, they are also technically able to collect ‘sensitive’ information such as a customer’s racial background, political opinions, religious beliefs, and sexual orientation – with a driver's consent.

In more extreme circumstances, manufacturers can view and access personal information such as videos recorded by on-board cameras.

In 2023, Tesla faced a lawsuit in the US due to its employees internally sharing “highly invasive videos and images recorded” by its vehicles from 2019 to 2022, according to Reuters.

Reuters spoke to several anonymous former Tesla employees who claimed workers could previously gain access to video recordings even after customers had turned the cameras off.

“I’m bothered by it because the people who buy the car, I don’t think they know that their privacy is not respected,” an unnamed person told Reuters.

“We could see them doing laundry and really intimate things. We could see their kids,” they added.

When looking at the privacy policies of all manufacturers in Australia, most carmakers state private customer data could be shared internally within various sections of the brand including marketing and dealership networks.

The data could also be disclosed to external third parties such as financial and insurance services, consumer research, marketing agencies as well as government and law enforcement.

However, some carmakers state they do not sell and/or share customer data with external companies without their customers' implied, written or verbal consent.

“The automakers are very ambiguous in terms of where that data goes,” Mr Hanvey told Drive. “Their argument will be it’s anonymised, but yet people are getting higher insurance rates."

In the scope of Australian law, manufacturers are allowed to monetise anonymised data as consumers have technically consented once they have signed the contract or ticked a box online.

“Under Australia’s Privacy Principles, a business can sell or trade information about its consumers that is anonymised and typically aggregated … consent is not required in this situation,” Melbourne University Law Professor Jeannie Paterson told Drive.

“This might sound fair and reasonable [as] aggregated information is less personally damaging than individual information although that is not always the case … sometimes consumers find they have ‘consented’ to uses of their data they are not comfortable with,” she added.

In a previous University of New South Wales article, Associate Professor of Law and Justice Dr Katherine Kemp said "Australia's privacy laws aren't up to the task of protecting the vast amount of personal information collected and shared by car companies".

"In Australia, we have little information about how our information can be used and by whom ... Australian privacy law doesn't require specific disclosures, this is one reason car brands often have separate privacy policies for Australia," she added.

While car brands always outline their privacy terms and conditions, the problem is that it is usually via a vague statement buried in the fine print which most people skim over when buying a new car.

However, as cars become more technologically advanced, various experts agree Australia's Privacy Act needs a major reform to better protect drivers and their personal information.

“In [Australian] law, consent can be found in conduct that indicates agreement – such as ticking a box or signing a name, consent might even be found in using a website,” Professor Paterson told Drive.

“Consent in law does not necessarily require the consumers to have understood what they were consenting to – or even that they knew they were consenting, how many times do you click I agree?” she added.

Commissioner Kind told Drive: "As new technologies create new opportunities for data to be created, used and shared, including to the disadvantage and harm of the Australian community, it is becoming clear that our current legal framework is not fit for the purpose."

"We are prioritising regulatory action that addresses activities that pose a significant potential for harm to individuals [which] includes practices that impact [an] individual's choice and control through opaque terms and conditions of service," she added.

According to the OAIC, the Federal Government has "considered a number of proposed reforms" to Australia's Privacy Act which includes amending the definition of consent which "must be voluntary, informed, current, specific and unambiguous".

"We need our laws to hold businesses accountable for how they collect and use our personal information," Ms Gupta told Drive.

"[Manufacturers] need to meet basic standards of safety and care when it comes to [driver] data," she added.

In response to the Privacy Act review, the Federal Chamber of Automotive Industries (FCAI) – a representative organisation in Australia with more than 68 brand members – argued more stringent data consent laws "would lead to consumers being swamped by an unmanageable deluge of consent requests."

Tony Weber, the FCAI CEO told Drive: "The FCAI stands ready to adapt to new requirements to maintain compliance and consumer interests.

"The FCAI'S guiding principle is to ensure transparency, security, consent, and respect for the privacy of individuals ... we continue to monitor the development of connected vehicle technologies as the regulatory environment evolves."

It's not all bad news. In fact, most car manufacturers in Australia state the private data they collect is used to enhance services such as navigation, in-car features like Apple Carplay and Android Auto, and smartphone app functions like vehicle location and security.

The FCAI previously said collecting personal information is a "fundamental requirement for many connected vehicles" as it can also be used for important safety features such as notifying emergency services of a driver's location in the event of an accident.

The organisation argues that connected cars contribute to "achieving societal goals" by improving road safety, reducing vehicle emissions and fuel consumption and facilitating traffic management and parking – which are gathered from driver data throughout their ownership of the vehicle.

Data sharing can also be used for predictive analysis of vehicle parts that are critical for safety and maintenance.

“Sharing data would help the [automotive] industry do more predictive analysis on parts failure when a part is beginning to break on a vehicle or beginning to wear out,” Mr Hanvey told Drive.

“The repair and maintenance data for our industry is critical for us to be able to inventory products better and for us to have the right part at the right place at the right time."

Mr Hoffman said connected cars can solve as many problems as they create.

"While [collecting private driver data] creates some obvious advantages for car manufacturers … and can improve safety, [but] more software creates more vulnerabilities,” Mr Hoffmann said to Drive.

“For drivers, the risk becomes that these vulnerabilities can be exploited by cybercriminals or used to harness unnecessary amounts that users lose sight of when [it] is sold or given to third parties like insurance companies."

Before you start to feel helpless, it's worth contacting your car's manufacturer or the dealership where you bought your vehicle and check if your data is being collected and what they are using it for.

When approached by Drive, several carmakers made it clear customer data protection is a priority and consumers always have the choice to opt-out.

"We attach great importance to the responsible and transparent data handling of vehicle data," a Mercedes-Benz spokesperson told Drive.

"Customers decide for themselves which services they want to use and what they want to pass on either by consent or by contract," they added.

Likewise, MG offers its customers the opportunity to opt out of any unwanted data collection through its connected services.

"Customers are asked to grant consent upon activation of connected services. The scope of the consent granted is disclosed to the customer and the customer is given the opportunity to grant or decline that consent," an MG spokesperson told Drive.