chevron-down Created with Sketch Beta.

GPSolo Magazine

GPSolo November/December 2023: Transportation Law

Is Your Car Storing and Selling Your Private Data?

James Ellis Arden


  • Cars have been deemed a “privacy nightmare on wheels,” as car brands have turned their vehicles into powerful data-gobbling machines.
  • Once people get into their cars and sync their phones, all their data can be sucked up and sold. Businesses of various sorts will get to know them very well.
  • Lawyers should consider the possibility that client confidences could be revealed by the cars they drive.
Is Your Car Storing and Selling Your Private Data?

Jump to:

A feature article in this issue of GPSolo magazine discusses how the privacy of commercial drivers is invaded by electronic logging devices (ELDs) recording engine hours, power levels, and Global Positioning System (GPS) motion data to determine how much time a driver has been on or off duty. Not to minimize commercial drivers’ concerns, but new passenger cars—all of them—are “privacy nightmares on wheels” (“Privacy Nightmare on Wheels”: Every Car Brand Reviewed by Mozilla—Including Ford, Volkswagen and Toyota—Flunks Privacy Test, Mozilla (Sept. 6, 2023)).

Mozilla, maker of the Firefox browser and Thunderbird email app, is a community that promotes exclusively free software and open standards. Mozilla’s judgment about the state of privacy in passenger cars can be summed up by the title of a recent article on its website: “It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy.” In the article, the authors note:

While we worried that our doorbells and watches that connect to the Internet might be spying on us, car brands quietly entered the data business by turning their vehicles into powerful data-gobbling machines. Machines that, because of all those brag-worthy bells and whistles, have an unmatched power to watch, listen, and collect information about what you do and where you go in your car.

Jen Caltrider et al., It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy, Mozilla (Sept. 6, 2023).

Car Makers Know You Better Than Your Own Mother

Privacy and convenience exist at opposite ends of a spectrum. People readily reveal personal data and allow themselves to be tracked just so they can use Google while away from home or work. Well, once those people get in their cars and sync their phones, all their data will be sucked up and sold. Businesses of various sorts will get to know them very well.

“Data” is an innocuous-sounding term for all the very personal information that gets vacuumed from a phone once it is plugged into a car. It also gets taken by sensors in cars, microphones, cameras, and other plugged-in devices. It includes not just driver names and addresses (email and physical) but also contact lists, call records, and text messages; driver’s license numbers; location data showing where people are and have been; voice recordings collected by car voice assistants; biometrics collected by car microphones and cameras; and information about “sexual activity, immigration status, race, facial expressions, weight, health and genetic information” (“Privacy Nightmare on Wheels,” Mozilla, supra). Car makers share such data with business partners, and they use it to develop inferences about drivers’ intelligence, abilities, characteristics, preferences, and more.

This is called car data monetization. Mozilla says estimates are that, by 2030, it could be an industry worth $750 billion (id.).

Ever rent a car? According to Ben LeMere, the founder of a company that manufactures vehicle forensics kits used by U.S. Customs and Border Protection (CBP), when CBP pulled data from a Ford Explorer that had been rented at an airport outside Washington D.C.,

[w]e recovered 70 phones that had been connected to it. All of their call logs, their contacts and their SMS history, as well as their music preferences, songs that were on their device, and some of their Facebook and Twitter things as well. . . . And it’s quite comical when you sit back and read some of the text messages.

Sam Biddle, Your Car Is Spying on You, and a CBP Contract Shows the Risks, Intercept (May 3, 2021) (quoting a podcast posted on the Cellebrite website, since removed).

Lawyers Need to Make Sure Their Cars Aren’t Revealing Client Confidences

Everyone should be concerned about privacy whether or not they believe it still exists. But lawyers should consider the possibility that client confidences could be revealed by the cars they drive.

American Bar Association Model Rule of Professional Conduct 1.6 requires attorneys to keep confidential the information relating to the representation of a client. But here’s the thing: Whereas intent is needed to violate a criminal statute, attorneys can violate ethics rules without having any intent to violate (see, e.g., Phillips v. State Bar, 49 Cal.3d 944, 952 (1989) (a willful violation of a rule does not require that the lawyer intended to violate the rule)). An attorney who accidentally reveals confidential client information still commits an ethical violation.

Subsection (c), related to protection of privacy, was added to Model Rule 1.6. It reads, “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

Now, many lawyers (for the sake of convenience) use their phones for the same purposes as their office computers: to communicate with clients via voice, email, and text, to do research, and to draft documents. So, do you leave your phone with the valet when you park or with the attendant who takes your car when you wash it? Maybe you do. Still, you’re probably safe at most parking lots and car washes—unless someone steals your car and, with it, your phone. And note that modern keyless vehicles have become more vulnerable to theft thanks to cloning devices such as JBL Unlock + Start (see Joseph Cox, The Car Thieves Using Tech Disguised Inside Old Nokia Phones and Bluetooth Speakers, Motherboard (Apr. 18, 2023)).

Lawyers Having Sex with Clients Should Avoid Nissans and Kias, Particularly

Model Rule 1.8 forbids sexual relations with clients. Well, Nissan admits in its privacy policy to collecting information that includes sexual activity, health diagnosis data, and genetic data (“Privacy Nightmare on Wheels,” Mozilla, supra). Kia, according to its privacy policy, can collect information about a user’s “sex life.” Six car companies say they can collect “genetic information” or “genetic characteristics” (id.).

By far, the two most asked questions Mozilla received from their readers in response to its article “Privacy Nightmare on Wheels” (id.) were “How is Nissan collecting information about my sexual activity?” and “How is this even legal?” (Jen Caltrider et al., “Is This Even Legal?” Our Top Cars-and-Privacy Question, Answered (Sept. 25, 2023) (boldface in original)). Lawyers ought not have sex with clients, but those who do should not drive Kias or Nissans.

By the way, a growing number of jurisdictions now consider sexting with a client to be a violation of Rule 1.8, too. “Sext messages” get sucked from phones like everything else. Accordingly, Rule 1.8 violators should avoid U.S. Customs and Border Protection.

Sharing Isn’t Caring as to Law Enforcement

Car makers, beyond unnecessarily collecting too much personal data, share all that data with many others. Nissan (again!) says it can sell consumers’ “preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes” to data brokers, law enforcement, and other third parties (“Privacy Nightmare on Wheels,” Mozilla, supra).

Fifty-six percent of the car makers will share data with law enforcement upon request—no subpoena needed. Most (92 percent) give users little to no control over personal data; only Renault and Dacia (owned by the same parent company) allow personal data to be deleted (id.).

Commercial drivers, on the other hand, have the opportunity to review “all information generated by ELDs,” according to the U.S. Department of Transportation (Bill Mahorney & Karyn Gorman, U.S. Dep’t of Transp., Fed. Motor Carrier Safety Admin., Privacy Impact Assessment: Electronic Logging Device (ELD) System (Dec. 20, 2021)).

Volkswagen collects demographic data (e.g., age and gender) and driving behaviors (e.g., your seatbelt and braking habits) for targeted marketing purposes (“Privacy Nightmare on Wheels,” Mozilla, supra). Toyota has “a near-incomprehensible galaxy of 12 privacy policy documents” (id.). Mercedes-Benz manufactures certain models with TikTok, which has its own privacy issues, pre-installed (id.).

Maybe Siri, Alexa, and Ring users know they’ve relinquished some privacy in order to use those devices. But car drivers?

Prospective drivers are tested on the meanings of graphic road signs, awareness of intoxication levels, ability to discern appropriate driving speeds, and more, all for the sake of safety. Given the dangers Internet-connected automobiles present, shouldn’t transportation privacy laws be a subject added to driver examinations?

The actress and activist Alexandra Paul said, “The cars we drive say a lot about us.” Yes, they do, and far too much.