Our cars are no longer simply vehicles that get us, and our loved ones, from A to B. We live in a digital age – they are now just as much tech devices as they are transport.
They help us navigate, warn about speed cameras, and stream playlists straight from our phones. They ferry our loved ones to and from school and work, and they also witness some of our most personal conversations (anyone with a teenager can attest to this). They literally know when and where we are going. Powerful stuff.
And as the saying goes, “With great power comes great responsibility.”
Personal data collection goes hand-in-hand with all digital services these days, and in Australia this is (legally) collected as a matter of course. But when we hop in behind the wheel, we may be underestimating how much of our personal information is collected, and with whom and where it is shared.
So, should we be thinking harder about our data when we get in our ‘smart cars’?
First: what is a smart car? Typically, this means a car with “connected services” that has an embedded SIM and modem that enables data to be shared beyond the car itself: such as to your smartphone, to the maker of your car and to other third-party service providers.
Gaurav Vikash of security and defence firm Axon, an expert in information security and cyber governance, is outspoken when it comes to car data collection. He tells The NRMA that the list of personal data collected by smart cars is longer than most people realise.
“There's a very large and diverse range of personal data that cars collect,” says Vikash, from basics like your name, phone number and email, to your driving history, location data, synced contacts, voice transcriptions and smartphone app usage.
One car often comes with multiple privacy policies linked to the manufacturer, software and hardware providers. Add a smartphone app connected to your car, and things get murkier. These apps often request a wide range of permissions, from access to contacts and calendars to location tracking and call logs.
A recent research paper titled ‘Driving Blind: The Unexamined Privacy Risks of Connected Cars’ published in November 2024 by Katharine Kemp of UNSW Law & Justice department goes so far as to call connected cars ‘highly sophisticated surveillance devices’.
The paper looks at whether carmakers and importers fully appreciate how smart cars present serious security and privacy threats, and at how consumers can compare the privacy policies of carmakers before buying a car. It also compiles a full list of the types of data being collected by carmakers and importers, and the risks associated with each type of data.
Its findings are concerning. In summary, the paper found that many carmakers and importers:
In the paper, Kemp notes that one brand even indicated in the fine print “that data would be used for surveillance of ‘suspected improper activities’”.
Privacy laws in places like Europe and California are much stricter than Australia’s Privacy Act 1988.
Under the European Union’s GDPR (General Data Protection Regulation) and California’s CCPA (California Consumer Privacy Act), users must be given the option to refuse non-essential collection of their personal data upfront, and consent cannot be made a condition of using the service: refusing still leaves users with access to the product.
“For example, if you jump on a website in the European Union, you can reject your cookies, your personal data being collected while you're browsing, and you will still be able to use the website,” says Vikash.
“Whereas in Australia, there is no such requirement."
Bundling means that using a feature can require agreeing to data collection by the carmaker and by third parties. In practice, carmakers and importers in Australia can require you to accept all terms – including data collection – before you get full vehicle functionality.
Even if you have your car manufacturer’s privacy policy in front of you, it can be difficult to work out where your data will end up. Vikash says many policies include vague terms like “and more” when describing who the data is shared with.
In Europe companies must be specific about this. But in Australia, carmakers are not required to list in detail which companies they are sharing your data with, nor an exhaustive list of the countries your data is being sent to.
If the data is stored overseas, local privacy protections may not apply. Other countries are not obligated to uphold Australia’s privacy standards, and enforcing your rights against an overseas recipient is difficult in practice. Once your data is offshore, your rights largely go with it.
The lack of clear definitions makes it difficult to know which third parties have access, or where they’re located.
Some companies that carmakers share data with openly monetise your data. One such company is Luxoft, which makes money from car data via platforms that aggregate and profile users. It works with MOTER Technologies, which offers insurance data services.
A 2024 analysis by consumer protection body Choice found that numerous car companies in Australia are collecting and sharing swathes of personal data.
It analysed the privacy policies of big names including Toyota, Subaru, Mazda, Mitsubishi, MG, Isuzu, Ford, Tesla, Hyundai and Kia.
"We discovered that Kia, Hyundai and Tesla were the worst offenders when it came to protecting the privacy of their customers. Kia and Hyundai both collect and share voice recognition data with third parties, along with other information," said Rafi Alam, Senior Campaigns and Policy Advisor at CHOICE.
Kemp’s report highlights a “wild goose chase” when tracking down complete privacy policies of various carmakers, singling out Audi, BMW, BYD, GWM, Kia, Mazda and Mercedes-Benz from a list of 15 carmakers it investigated. It congratulates Ford, Honda, Hyundai, Lexus, MG, Tesla, Toyota and Volvo in having privacy policies that are clear and easy to find.
However, it also questions how some carmakers define what personal data is, calling into question the policies of Ford, Hyundai, Kia, Tesla and BYD. It also calls out BYD, Ford, Honda, Hyundai, Lexus and Mazda for broad terms that allow data to be shared with other parties such as data sellers, marketers, advertisers and even AI developers.
BYD’s policy is also called into question for “surveillance of ... improper activities” that it defines in a separate agreement, including terms such as “insult other countries or regions” or “[s]pread rumors, disrupt social order, and undermine social stability”.
There are real benefits to connected cars: better navigation, smarter emergency response, repair alerts that save on expensive overhauls, and even crash detection.
But there are trade-offs: like overseas data storage where protections are weaker, or the risk of a hack.
The consent model in Australia means you’re likely already opted in – without fully realising it. That’s because buying the car, signing digital forms or downloading the app often implies consent. And even when the policy is presented at the time of purchase or access, most people don’t read the fine print.
And here’s a kicker: the consent and notice relationship under existing privacy law runs only to the car owner and driver. Passengers are given no notice and no way to opt out. If voice transcriptions are saved and later leaked – say, in a data breach – there is little practical redress for whoever else was in the car.
For example, Toyota’s Connected Services Privacy Policy and Tesla’s Vehicle Data Policy both put the onus on the vehicle owner to let passengers know that their personal information (such as transcripts of conversations) is being recorded by the car.
“To ensure the personal information we hold is accurate, complete, up-to-date, and relevant, we require that you …. inform passengers and drivers of your connected vehicle that vehicle data is collected and used by us to provide the Connected Services,” Toyota’s policy says.
“Note, it is your responsibility to confirm the consent of occupants in the vehicle,” says Tesla in regard to sharing sound inside the vehicle.
Tech-facilitated abuse is a serious concern, says Vikash. Data from the Women’s Services Network shows 99.3% of frontline domestic violence workers have clients facing tech-based coercion. Joint vehicle ownership can enable tracking through apps — one US case saw Tesla admit it lacked safeguards to stop a co-owner using its app to stalk an ex-partner.
Kemp’s paper raises concerns that personal data collected by smart cars could be commercially misused, or even accessed by law enforcement without a warrant.
Kemp also warns of the risks to national security if accessed by foreign governments, and personal risks if accessed by individuals or groups with nefarious motives – from domestic violence and stalking to kidnapping, robbery, and blackmail.
The risks that come with personal data collection by our cars need to be managed, but some data collection can be of benefit – especially if drivers can choose what is shared and with whom.
In the US, one driver accused General Motors of sharing driving data with a broker that used it to generate a risk score and raise his insurance premium. Be warned: while careful drivers could benefit from lower premiums, this practice — already in use in Australia — can pressure consumers to share data just to get a fair deal.
Always ask questions when buying a car. "What data is collected? Where is it stored? How is it protected? What happens if it’s breached?" Vikash says asking specific questions at the point of sale or during servicing is a good habit – and legally, companies must provide answers.
He also recommends reading the privacy policy for your car brand and its associated apps, although that’s easier said than done: Kemp’s analysis notes that the average car owner would have to read around three documents totalling almost 14,000 words to understand how their data will be used.
And even that is not always straightforward – some brands may change distribution models (such as BYD, which is changing from selling via an importer to direct from the manufacturer), resulting in different data policies. As a result, your policy may differ depending on when you bought your vehicle.
Vikash recommends single-name ownership to reduce risks in breakups or legal disputes. Also, don’t sync personal contacts, calendars or email accounts with your infotainment system. Pairing your phone over Bluetooth is a lower-risk option, given its short range (around 10 metres for typical devices) and transient connection – but decline the prompt to share your phonebook or messages when you pair, or the car will copy those too.
Privacy4Cars is a helpful resource that guides you through deleting your data from vehicles. Be aware, though, that companies may retain some data for fraud or compliance reasons, typically for seven years.
If you’re selling a used car, scrub your data using tools like Privacy4Cars, and contact the carmaker to request backend deletion.
If you’re buying a used car, review the OEM’s privacy policy, and don’t be afraid to ask the seller or dealer what data may still be stored in the car or its cloud systems.
In short, Australia’s privacy laws are outdated compared to Europe and California. With the increasing volume of personal data being collected by our vehicles, it's increasingly important we understand what personal and vehicle data is being collected and shared by our cars.
The Privacy Act is currently being overhauled but has left out a “fair and reasonable test” recommendation that would require more accountability from those collecting data. In simple terms, it would determine whether data being collected “passes the pub test.” It is expected this will be addressed in future reforms.
In the meantime, The NRMA believes it is important Australians have better control over what personal data is shared, and who it is shared with.
In collaboration with the Australian Automobile Association, The NRMA is currently working on a policy position that would lobby on three main points:
Open Road reached out to carmakers mentioned in this article regarding the claims made by cited reports. We have included selected comments from carmaker statements, in alphabetical order by brand.
Audi’s response to our questions said customers must agree to policies and terms and conditions via a “click wrap” in the myAudi app before being able to use the app, and that customers can opt out of certain types of data collection by enabling ‘Privacy Mode’. They can also opt out of multiple privacy settings, ‘none of which will compromise functionality of the vehicle.’ Navigation and emergency assistance continue to operate even when opting out of certain data collection.
It said there is some ‘baseline functionality of the vehicle which cannot be changed or opted out of by the customer. This is to ensure that Audi Australia can fulfil its contractual obligations to the customer that purchased the vehicle and comply with Australian Privacy Laws.’
Audi also confirmed that ‘driving behaviour including acceleration and deceleration statistics are not collected as a data point via Audi Connect,’ and that ‘the warranty policy attached to eligible vehicles is not voided if vehicle connectivity is deactivated,’ nor does this have a ‘bearing on insurance premiums, eligibility, or the provisioning of claims.’
Lastly, it said that ‘Audi Australia and Audi AG do not share personal and/or sensitive telematic information to jurisdictions that provide lesser data protection standards than Australia.’
Although EV importer BYD Automotive (EV Direct) did not respond to our initial questions due to the impending takeover by BYD, we note that the carmaker’s new Australian policies are now available online at https://www.byd.com/au/ and make no mention of surveillance of ‘improper activities’ or the like. The new policy does list the third-party services with which it shares data, why it is shared, and links to their privacy policies. It also adds that BYD ‘may also send your personal information overseas,’ including to third-party service providers and financial institutions, but does not provide a list of those jurisdictions. BYD’s Australian arm, which has taken over from EV Direct, confirmed that the new policies will apply to owners of BYD vehicles, and that the former EV Direct policies will continue to apply to customers who bought via the importer.
Ford in its statement said that it gives customers a choice on whether they share connected vehicle data with it. Customers can turn vehicle connectivity off entirely from within the vehicle and change granular settings “that control sharing vehicle data (e.g., odometer, oil level), driving data (e.g., braking), and/or location data with Ford.”
It added that services that rely on this connectivity – including the FordPass app and Connected Services – would not operate. “Otherwise, vehicle functionality is not affected,” Ford said.
“In the case of navigation, the system will revert to embedded navigation. Drivers are able to input a destination and receive routing guidance, but will not have access to live traffic updates, weather reports or updated map data.
“In the case of emergency assistance, the service relies on the customer’s mobile phone which is paired to the vehicle via Bluetooth. Therefore, disabling connectivity will not affect its operation.”
Ford also said that: “Voice data is not recorded, transcribed, stored, nor used to train AI,” and that “Data collected is not used to profile driver behaviour.”
Kia, in its response to Open Road’s queries, said that, “In order to use connected car services, the customer needs to accept the terms of use and privacy policy upon account creation. If the customer is connected, they’ve accepted these terms.”
Kia said its customers cannot opt out of specific data collection, and that if they decline to share data, “Connected Car services will not operate, including Over the Air Updates.”
Kia added that if Connected Car services were not opted into, “Roadside Assist/SOS call function would need to be done via a phone call as opposed to pressing the button in the vehicle.”
In regard to a question about voice data, it said that, “Voice data is only used when activating the AI feature in the vehicle and making a command to a vehicle. General conversation is not listened to or stored.”
It added that regarding sharing data to third parties, “We prohibit any third-party contractor from using personal information about customers except for the specific purpose for which we supply it.”
“Enrolling in Mazda Connected Services is optional,” said Mazda in a statement. “However, if the customer wishes to experience the Safety and Security features of Mazda Connected Services, they must enrol via the MyMazda App.”
Mazda added that the only data that is transmitted for a vehicle that is not enrolled is ignition on and off times.
In regards to recording of customer conversations, Mazda said: “Mazda does not record any audio of customer conversations unless the customer or vehicle initiates an emergency call with an enrolled Connected Vehicle (SOS eCall or Automatic Crash Notification).” It added, “De-identified vehicle information may be used for product quality, data analysis, research, and product development” and that “Mazda Australia does not sell your Connected Services data to any third parties.”
Lastly, Mazda noted that, “Warranty is not void if the TCU (Telematics Control Unit) in a Connected Vehicle is deactivated.”
Mercedes-Benz in its response said “At Mercedes-Benz, data protection and security are of great importance. We recognise that responsible data handling is essential to building trust in automated and connected driving technologies, fostering acceptance and enabling innovative services that enhance safety and deliver value to our customers.”
It said its car owners have access to their privacy settings through the “Mercedes-Benz Privacy Center”, which according to a Mercedes-Benz press release is available through a customer’s “Mercedes Me” account. “Our Digital Extras terms of use and privacy statement provide detailed information on how Mercedes-Benz uses and processes customer and vehicle data.”
In regards to its connected services, Mercedes-Benz said: “Digital Extras are additional services that do not affect the core functionality of the vehicle. If customers choose not to activate the Digital Extras, they will not be able to access any application based functions such as remote door lock/unlock or certain entertainment products.”
“Our customers decide which services they want to use and which data they want to share,” the company’s statement said.
MG said that it “collects anonymised data about an MG vehicle (which may not be personal information, ie information about an identified or identifiable individual) in order to provide in-car services and functionality to customers who have opted-in to using these services and the requisite collection of data.”
“Customers may elect to opt-out of the collection of this data, in which case the functionality or service that depends on that data will not be provided,” it said, adding that opting in or out can be done via the vehicle’s in-car settings.
In regards to voice data, it said: “Voice transcription is visible on screen in the vehicle and is not captured beyond the immediate use of the voice command function. It is not currently used in training of AI or recorded.”
MG added that, “Opting out of connected services via the in-car menus does not void the warranty of the vehicle. The user may choose to delete all data collected by MG Motor by following the “account deletion” steps shown in the app. For the in-vehicle unit, the user may log out, in which case data transmission will cease to occur.”
Tesla’s response to Open Road’s questions pointed simply to its Privacy Statement. Amongst other things, this policy says that, “By default, Tesla provides this seamless experience while protecting your privacy. However, if you no longer wish for us to collect vehicle data or any other data from your Tesla vehicle, please contact us to deactivate connectivity.”
It adds that, “certain advanced features such as over-the-air updates, remote services, and interactivity with mobile applications and in-car features such as location search, Internet radio, voice commands, and web browser functionality rely on such connectivity.” If a driver opts out, Tesla says it will “not be able to know or notify you of issues applicable to your vehicle in real time. This may result in your vehicle suffering from reduced functionality, serious damage, or inoperability.”
In regard to voice data, Tesla’s policy says, “To support ongoing quality improvements, Tesla captures and processes the transcription of the command,” and that “audio voice recordings are not captured, and the transcription of the command is not associated with your account or VIN.”
“In addition, Tesla does not collect any information when using voice-to-text, as such your text messages are never sent to Tesla.”
It adds that, “Before features can use the microphone for sound detection, the vehicle will request your permission,” and that this sound is processed in-vehicle, and cannot be transmitted unless data sharing is enabled. “Tesla does not capture continuous recordings and does not have live-listening functionality,” it says.