EV Data Privacy 2026 Guide
Last Updated: May 2026
Your electric vehicle is collecting data about you right now — not just location and speed, but driving behavior sampled as frequently as every three seconds, charging patterns that map your daily schedule, voice recordings from in-car microphones, and in some cases sensitive personal attributes that have no plausible connection to vehicle operation. Most EV owners have no idea this is happening. The manufacturers would prefer it stays that way.
This guide maps exactly what your EV collects, where it goes, which brands are worst, what enforcement has revealed, and what you can actually do about it — including brand-specific opt-out steps that most privacy guides never bother to document.
The EV Data Exposure Matrix 2026
According to Axis Intelligence’s analysis of manufacturer privacy policies, FTC enforcement records, Mozilla Foundation research, and California Privacy Protection Agency (CPPA) actions, these are the five dimensions that determine how exposed your data is as an EV owner:
| Brand | Data Minimization | Third-Party Sales Disclosed | Gov. Sharing Threshold | User Deletion Rights | Meaningful Opt-Out | Overall Risk |
|---|---|---|---|---|---|---|
| Tesla | Partial | Does not sell personal data (policy) | “Legal obligations” | Yes (data request portal) | Partial (loses OTA + remote features) | 🟡 Medium |
| GM / OnStar | Poor | Confirmed (sold to Verisk + LexisNexis; FTC action) | “Informal request” | Yes (post-FTC order) | Improved (post-FTC order) | 🔴 High |
| Ford | Poor | Shares with insurers and fleet managers | “Informal request” | Partial (CCPA states) | Partial | 🔴 High |
| Hyundai / Kia | Poor | Yes (policy discloses sharing with partners) | “Lawful requests, whether formal or informal” | Partial | Limited | 🔴 High |
| BMW | Moderate | Does not sell in-vehicle personal data (US policy) | Standard | Yes (granular control) | Better than average | 🟡 Medium |
| Rivian | Moderate | Shares with service providers | Standard | Yes | Moderate | 🟡 Medium |
| Lucid | Moderate | Shares with affiliates/partners | Standard | Yes | Moderate | 🟡 Medium |
| Nissan | Very Poor | Yes — including sensitive personal data | “Formal or informal” | Limited | None meaningful | 🔴 Critical |
| Mercedes-Benz | Moderate | Shares with partners | Standard + encryption noted | Yes | Moderate | 🟡 Medium |
| Volkswagen Group | Poor | Shares with affiliates | Standard | Partial | Limited | 🔴 High |
Source: Axis Intelligence analysis of manufacturer privacy policies (May 2026), Mozilla Foundation Privacy Not Included research, FTC complaint and consent order (GM, January–January 2026), CPPA enforcement actions. Risk levels are editorial assessments, not legal conclusions.
The Three Layers of EV Data Collection
Understanding what gets collected requires separating three distinct collection systems that most privacy articles collapse into one. Each has different data types, different technical mechanisms, and different legal exposure.
Layer 1: Vehicle Telemetry (What the Car Generates)
The vehicle itself is the primary collection node. Modern EVs contain dozens of sensors feeding data into an onboard telematics control unit (TCU) that maintains a persistent connection to the manufacturer’s cloud infrastructure over cellular networks. This connection is always-on when the vehicle is on, and in many cases remains active when parked.
Data continuously transmitted by the vehicle includes:
Location and movement data. GPS position, speed, heading, and acceleration sampled at high frequency — in GM’s case, confirmed at intervals as short as every three seconds. Over a month of daily commuting, this produces a comprehensive map of your home address (where the car sits overnight), workplace (where it sits during the day), medical facilities, religious institutions, and anywhere else you drive.
Driving behavior metrics. Braking patterns (how hard, how often, at what GPS coordinates), acceleration profiles, lane change patterns, cornering behavior, and turn signal usage. These are the specific metrics GM sold to LexisNexis and Verisk for insurance underwriting — data that raised premiums for drivers who had no idea it was being collected.
Battery and charging data. State of charge, charge rate, charge location (GPS coordinates of every charging event), duration of each charge session, battery temperature, degradation metrics, and energy consumption patterns. Charging location data reveals home address with high confidence when repeated overnight charging is present.
Cabin data. Voice commands and recordings from microphones used for infotainment control and driver assistance. Camera feeds in vehicles with interior monitoring systems (used for drowsiness detection in some ADAS systems). Mobile devices paired via Bluetooth — contacts, call logs, and text message previews in many infotainment systems.
OTA update interactions. When firmware is pushed to the vehicle, transmission logs capture connectivity data. Opting out of data collection often means opting out of OTA updates — a trade-off manufacturers structure deliberately.
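An owner can check the charging-location inference described above against their own records. The following is an added example, not code from Axis Intelligence or any manufacturer: it assumes a hypothetical CSV export layout (session_start, lat, lon, kwh) with constructed sample rows, and compares how identifying the most frequent overnight charging location is at full GPS precision versus coordinates coarsened to one decimal place. The overnight window and the two thresholds are illustrative assumptions.

```python
import csv
import io
from datetime import datetime

# Constructed sample rows in a hypothetical export layout; real manufacturer
# or charging-network exports will use different column names.
SAMPLE_EXPORT = """session_start,lat,lon,kwh
2026-04-06T22:41:00,45.12341,-93.56781,38.2
2026-04-07T09:02:00,45.20050,-93.60050,11.0
2026-04-08T23:15:00,45.12342,-93.56779,41.7
2026-04-10T21:58:00,45.12339,-93.56780,29.4
2026-04-11T23:10:00,44.80010,-93.20020,52.3
2026-04-13T13:30:00,45.20050,-93.60050,9.8
2026-04-14T22:05:00,45.12340,-93.56782,35.1
2026-04-16T00:47:00,45.12338,-93.56778,44.0
"""

METRES_PER_DEGREE_LAT = 111_320  # approximate length of one degree of latitude


def parse_export(text):
    """Parse the CSV text into a list of session dicts."""
    sessions = []
    for row in csv.DictReader(io.StringIO(text)):
        sessions.append({
            "start": datetime.fromisoformat(row["session_start"]),
            "lat": float(row["lat"]),
            "lon": float(row["lon"]),
        })
    return sessions


def is_overnight(ts, evening=20, morning=6):
    """Assumed overnight window: sessions starting 20:00-05:59 local time."""
    return ts.hour >= evening or ts.hour < morning


def exposure_report(sessions, precision, min_nights=3, address_cell_m=50):
    """Summarise what overnight charging reveals at a given coordinate precision.

    precision is the number of decimal places kept on lat/lon. A location is
    flagged address-level when one grid cell recurs on at least min_nights
    distinct dates and the cell is no wider than address_cell_m metres.
    """
    overnight = [s for s in sessions if is_overnight(s["start"])]
    nights = {}  # grid cell -> set of calendar dates with an overnight session
    for s in overnight:
        cell = (round(s["lat"], precision), round(s["lon"], precision))
        # Simplification: the session's start date stands in for "the night".
        nights.setdefault(cell, set()).add(s["start"].date())

    cell_width_m = round(METRES_PER_DEGREE_LAT * 10 ** -precision)
    if not nights:
        return {"overnight_sessions": 0, "top_cell": None, "repeat_nights": 0,
                "cell_width_m": cell_width_m, "address_level": False}

    top_cell, dates = max(nights.items(), key=lambda kv: len(kv[1]))
    return {
        "overnight_sessions": len(overnight),
        "top_cell": top_cell,
        "repeat_nights": len(dates),
        "cell_width_m": cell_width_m,
        "address_level": len(dates) >= min_nights and cell_width_m <= address_cell_m,
    }


if __name__ == "__main__":
    records = parse_export(SAMPLE_EXPORT)
    # Full-precision records as collected vs. a data-minimised form.
    for precision in (4, 1):
        print(precision, exposure_report(records, precision))
```

In the constructed sample, the same location recurs on five nights in both runs; what changes is that the coarsened records place it within a cell of roughly 11 km rather than roughly 11 m, which is the difference data minimization makes to a retained charging log.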
Layer 2: Charging Network Data (What Chargers Collect)
The charging network is a separate data collection system that most privacy guides ignore entirely. Every public DC fast charging session generates a distinct data record held not by your vehicle manufacturer, but by the charging network operator.
A single Supercharger session generates: your account identifier, vehicle identification number (VIN), session start and end times, energy delivered (kWh), session cost, GPS coordinates of the charger, and payment information. The charging network’s payment processor generates an additional record. If you use a third-party app (PlugShare, ChargePoint app, ABRP) to locate or navigate to the charger, that app generates its own location and routing record.
Tesla’s privacy policy states it does not sell personal data to third parties and does not associate fleet-level data with individual accounts by default. However, VIN-associated data is collected during charging sessions for diagnostic and safety purposes. The data request portal at tesla.com allows owners to download a copy of held data.
Electrify America, EVgo, ChargePoint, and Blink each have separate privacy policies with distinct data retention and sharing practices. None of them are subject to the same competitive scrutiny as OEM policies, and none have faced equivalent regulatory enforcement action as of May 2026.
According to Axis Intelligence, the charging network layer is the least scrutinized segment of EV data privacy and the most likely to see regulatory action in the next 24 months as connected vehicle enforcement expands beyond OEM telemetry. For a technical breakdown of how each charging network’s authentication protocol works at the session level, see our NACS adapter technical guide and EV Research Hub.
Layer 3: Manufacturer App Data (What the App Collects)
The manufacturer’s mobile app — FordPass, myChevrolet, MyHyundai, Tesla app, Rivian app — is a third collection layer that operates independently of the vehicle itself.
When you install the app and create an account, you typically grant: location access (often “always on”), push notification permissions, Bluetooth access for phone-as-key functions, and in some cases, access to contacts or calendar for integration features. The app collects session metadata (when you open it, what you tap, how long you stay), payment data for remote charging authorization, and in some implementations, device identifiers that enable cross-app tracking.
The governance structure of these apps creates a particular risk: as Mozilla Foundation researchers noted, BMW USA manages an app for Toyota, meaning data governance and liability can differ from what the vehicle brand implies. App updates can silently add data collection categories, and privacy policies change without direct notification to users.
The Data Monetization Pipeline: How Your Driving Reaches Your Insurer
This is the mechanism that most EV owners find most alarming when they learn about it, and it is the mechanism that the GM/OnStar FTC enforcement action confirmed in explicit detail.
The pipeline has four nodes:
Node 1: OEM Collection. The vehicle manufacturer collects telemetry continuously. The legal basis for collection varies by state: in California, it requires disclosure under CCPA; in most other US states, it required only acceptance of terms buried in a multi-step enrollment flow. GM enrolled drivers in OnStar Smart Driver through an enrollment process the FTC characterized as “misleading” — drivers believed they were signing up for a personal driving feedback tool, not authorizing their data to be sold.
Node 2: Telematics Data Brokers. OEMs sell or share the data with specialized analytics companies — most prominently Verisk Analytics and LexisNexis Risk Solutions. These firms aggregate driving data across millions of vehicles, standardize it, and resell scored risk profiles. A 2024 investigation by Mashable confirmed that GM, Honda, and Hyundai shared driver data with both Verisk and LexisNexis.
Node 3: Insurance Underwriting. Insurance carriers purchase risk profiles from telematics data brokers to inform premium calculations. The profile contains driving behavior metrics — hard braking frequency, acceleration patterns, late-night driving — combined with location history. Some carriers apply these profiles at renewal without notifying the policyholder that third-party driving data was used in the calculation. California consumers can request their data file from LexisNexis and Verisk to determine if their driving data was collected and shared — a right that remains unavailable to most residents of other states.
Node 4: The Premium Impact. For affected drivers, the impact was concrete: insurance premiums increased based on driving behavior data they didn’t know was being collected, assessed by an algorithm they never saw, purchased from a company they never interacted with. Several consumers reported premium increases of 20–40% following the period when GM was transmitting driving data to brokers.
According to Axis Intelligence, this pipeline represents the most direct financial harm from EV data collection — not an abstract privacy risk, but a measurable premium increase with no transparency and no recourse outside of state-level enforcement.
Brand-by-Brand Privacy Analysis
Tesla
Tesla’s stated privacy position is one of the strongest among major EV manufacturers: the company states clearly that it does not sell or rent personal data to third parties. Mozilla Foundation research acknowledged this as a positive differentiator, noting that clearing this bar — while low relative to best privacy practices — is more than most automakers achieve.
The significant concerns with Tesla’s approach are structural. First, opting out of vehicle data collection disables OTA software updates, remote diagnostics, mobile app control, location search, voice commands, and in-car web browser functionality. This makes opt-out functionally unavailable for most owners. Second, Tesla’s privacy policy language is broad and imprecise — researchers noted the repeated use of “may,” “for example,” and “legitimate interests of Tesla” language that leaves meaningful ambiguity about what data is shared with “affiliates” and under what circumstances. Third, Tesla was the second product in Mozilla’s history to receive warnings in every privacy evaluation category, primarily due to the Autopilot and Full Self-Driving data collection systems.
Tesla owners can submit a Data Privacy Request at tesla.com/privacy to download or request deletion of held data. This portal exists independently of whether the state of residence has a statutory deletion right.
General Motors (Chevrolet, GMC, Cadillac)
GM represents the most consequential enforcement case in connected vehicle data privacy to date.
Between 2016 and 2024, GM’s OnStar platform collected precise geolocation and driving behavior data from vehicles enrolled in the OnStar Smart Driver feature — in some periods, sampled every three seconds — and sold it to Verisk Analytics and LexisNexis Risk Solutions. The FTC’s complaint, filed January 2025, alleged that GM used a misleading enrollment process that did not clearly disclose these sales. The FTC’s full complaint and consent order against GM and OnStar is publicly available and contains the most detailed government documentation of connected vehicle data monetization practices published to date. Millions of drivers had their insurance risk profiles altered by this data without their knowledge or consent.
The FTC finalized a consent order on January 14, 2026, imposing a 5-year ban on GM sharing geolocation and driving behavior data with consumer reporting agencies, requiring affirmative express consent before collecting connected vehicle data going forward, and mandating systems allowing all U.S. consumers to request their data and seek deletion.
Separately, on May 8, 2026, California Attorney General Rob Bonta announced a $12.75 million CCPA settlement — the largest CCPA penalty ever recorded — covering GM’s data sales to Verisk and LexisNexis from 2016 to 2024. The settlement requires GM to delete retained data within 180 days unless it obtains specific consumer consent to retain it, and bars GM from selling personal consumer data for five years.
Additional litigation is active in Arkansas and Texas.
What GM owners should do now: Submit a data access request through GM’s privacy portal to determine whether your data was shared with LexisNexis or Verisk. California residents can also request their data file directly from LexisNexis and Verisk. If your insurance premium increased during 2020–2024, your driving data may have contributed to the change.
Ford
Ford’s SYNC infotainment platform collects driving habits, location data, and interaction patterns. Ford’s connected vehicle platform enables data sharing with insurance carriers and fleet management services. The California Privacy Protection Agency fined Ford $375,703 in March 2026 for adding unnecessary friction to its opt-out process — the CPPA found that Ford’s opt-out mechanism was deliberately difficult to use, placing more roadblocks between users and their privacy rights than California law permits.
Ford’s privacy policy uses “informal request” language for government data sharing, placing it in the same category as Hyundai and below the court-order threshold that stronger policies require.
Hyundai and Kia
Hyundai’s Bluelink and Kia’s Connect systems collect location, driving behavior, and infotainment interaction data. Both brands’ privacy policies explicitly state compliance with “lawful requests, whether formal or informal” — the lowest government access threshold among the brands reviewed by Mozilla, and a formulation the Mozilla researchers specifically flagged as alarming.
The California Privacy Protection Agency also pursued parallel enforcement against Hyundai as part of its broader connected vehicle investigation. Hyundai’s 2025 IONIQ 5 ships with native NACS and a redesigned Bluelink implementation — the new app version’s data collection practices warrant independent review before connecting accounts.
Nissan
Mozilla Foundation researchers described Nissan’s privacy policy as “the most mind-boggling, creepy, scary, messed up privacy policy we have ever read.” The Nissan USA privacy notice claims the right to collect and share: sexual activity, immigration status, race, national origin, religious beliefs, health diagnosis data, and genetic information. The policy does not specify how this data is collected. It states the company may sell it to data brokers, share it with law enforcement on “formal or informal” request, and use it to develop inferences about psychological trends, predispositions, and abilities.
Mozilla concluded: “If you care even a little about privacy, please stay as far away from Nissan’s cars, apps, and connected services as you possibly can.”
The 2026 Nissan Leaf, with its redesigned NACS port, brings a new vehicle but the same corporate privacy posture. The policy should be reviewed independently before the new Leaf’s NissanConnect platform is activated.
BMW
BMW’s North America privacy policy includes language absent from most competitors’ policies: the company states it does not sell customers’ in-vehicle personal information, allows granular user control over data collection and processing, and voluntarily honors data access and deletion requests even in states where not legally required. Mozilla researchers noted BMW’s response as one of the more substantive among the 25 brands reviewed, though BMW still received the Privacy Not Included label.
BMW’s European operations fall under GDPR, which provides considerably stronger data minimization and purpose limitation requirements than US state laws. US-market BMW owners benefit from a policy shaped in part by GDPR compliance obligations even where CCPA does not apply.
The Enforcement Record: What Regulators Have Found
The past 18 months have produced the most significant regulatory action in connected vehicle data history. The FTC’s January 2025 complaint against GM — the agency’s first action targeting connected vehicle data — set the enforcement framework that shaped every subsequent regulatory action. This enforcement timeline is the clearest evidence of what was happening with your data:
| Date | Regulator | Target | Violation | Outcome |
|---|---|---|---|---|
| Jan 2025 | FTC | GM / OnStar | Collected + sold geolocation and driving behavior without consent | FTC complaint filed; 5-year ban on selling to consumer reporting agencies |
| Mar 2025 | CPPA (California) | Honda | Excessive data collection beyond what disclosed | $632,500 CCPA settlement |
| Jan 14, 2026 | FTC | GM / OnStar | Consent order finalized | 20-year FTC consent order; affirmative consent required for all future data collection |
| Mar 2026 | CPPA (California) | Ford | Unnecessary friction in opt-out process | $375,703 CCPA settlement |
| May 8, 2026 | California AG + CPPA | GM / OnStar | CCPA violations from 2016–2024 data sales | $12.75 million settlement — largest CCPA penalty ever recorded |
Source: FTC press releases (January 2025, January 2026); CPPA enforcement announcements; California AG Office announcement (May 8, 2026).
The GM/California settlement is the benchmark that every other OEM’s legal team is now using to evaluate their own exposure. The $12.75 million penalty, announced four days ago as of this article’s publication, covers data collected from 2016 to 2024 — an eight-year window during which millions of drivers had no idea their precise location and driving behavior were being sold. The settlement requires GM to delete all retained data within 180 days and prohibits personal data sales for five years. The California Privacy Protection Agency tracks all current enforcement actions against connected vehicle data practices. For broader context on data exposure trends, see our Data Breach Statistics hub.
According to Axis Intelligence, the enforcement pattern reveals a deliberate industry strategy, not a collection of isolated mistakes: enroll consumers in connected services through default-on flows, collect as much data as technically possible, sell it to brokers before regulatory enforcement catches up, and then comply after the fact at a penalty that represents a fraction of the data’s commercial value. The $12.75M California fine, while record-setting, is minimal compared to years of revenue from insurance industry data sales.
The FTC’s framing of the GM case as its “first targeting connected vehicle data” signals this is the beginning of enforcement, not its peak. Additional investigation of Honda, Hyundai, and other manufacturers by state regulators is ongoing.
What You Can Realistically Opt Out Of — And What You Can’t
The opt-out picture is more limited than most privacy guides represent. Here is the honest assessment by data category:
Location Data
What you can turn off: Most manufacturers allow you to disable active GPS sharing via the companion app. In-app location permissions can be set to “never” or “only while using” at the OS level on iOS and Android.
What you cannot turn off: The vehicle’s telematics control unit transmits location data over its own cellular connection, independent of your phone. Disabling the manufacturer app does not stop this. The only way to fully prevent vehicle-level location transmission is to disable the vehicle’s cellular modem — which on most EVs also disables OTA updates, remote diagnostics, the mobile app entirely, and in some cases navigation services.
Driving Behavior
What you can turn off post-GM enforcement: Following the FTC consent order, GM must now obtain affirmative express consent before collecting and using driving behavior data. For other brands, opt-out options vary:
- Tesla: Disable “Data Sharing” in the vehicle’s Privacy settings. This stops transmission of driving data to Tesla, but disables remote diagnostics.
- Ford: Under California CCPA and other state laws, submit an opt-out of sale request through Ford’s privacy portal. Ford’s opt-out process was specifically cited as friction-heavy by the CPPA.
- Hyundai: Opt-out via MyHyundai privacy settings. The CCPA opt-out applies only to residents of states with active privacy statutes.
Charging Session Data
What you can partially control: Creating a guest account or using RFID cards without account linkage at compatible charging stations reduces the personal identifiability of charging session records. This is not available at Tesla Superchargers, which require account authentication.
What you cannot avoid: The charging session record exists at the charger operator level regardless of your vehicle’s data settings. The VIN is transmitted as part of the ISO 15118 session initialization — this is a protocol-level requirement, not a manufacturer policy choice.
Voice and Microphone Data
What you can turn off: Disable the voice assistant/wake word detection in the vehicle’s settings. This stops the always-listening microphone monitoring for the wake phrase, though it does not disable microphones used for hands-free calling.
What you cannot easily verify: Whether voice data from activated sessions is stored on-vehicle only, transmitted to the manufacturer, or processed by third-party voice recognition providers (Google, Amazon, Nuance) varies by brand and feature and is rarely disclosed with technical specificity in consumer-facing privacy policies.
Your Legal Rights by State in 2026
Privacy rights for EV data vary significantly by state. According to Axis Intelligence’s review of active state privacy legislation:
| State | Law | Key Rights for EV Owners |
|---|---|---|
| California | CCPA / CPRA | Right to know, delete, opt-out of sale, correct; strongest enforcement in the US; DROP platform launching Aug 1, 2026 for data broker deletion requests |
| Colorado | CPA | Right to access, delete, opt-out of targeted advertising and profiling |
| Connecticut | CTDPA | Right to access, delete, opt-out of sale and profiling |
| Virginia | VCDPA | Right to access, delete, opt-out of sale and profiling |
| Texas | TDPSA | Right to access, delete, opt-out of sale — active in state litigation against GM |
| Washington | My Health My Data Act | Specific protection for health and location data in health-adjacent contexts |
| All other states | No comprehensive state privacy law | No statutory deletion or opt-out rights; limited to federal FTC Act remedies |
California’s DROP platform (Delete Request and Opt-out Platform), launching August 1, 2026, will allow state residents to submit deletion requests to any of the 500+ registered data brokers — including Verisk Analytics and LexisNexis Risk Solutions — through a single state-operated interface. This is the most consequential development in EV data privacy rights since CCPA’s passage and applies directly to the data broker node in the OEM-to-insurer pipeline.
Residents of states without comprehensive privacy laws have no statutory right to access or delete their vehicle data held by manufacturers or brokers. Their recourse is limited to contractual rights offered voluntarily by manufacturers (like Tesla’s deletion portal) and the remedies available through FTC enforcement of unfair and deceptive practices.
The Practical EV Privacy Playbook: 8 Steps You Can Take Now
According to Axis Intelligence, this is the ordered action plan that materially reduces your data exposure as an EV owner, starting with the highest-impact steps:
Step 1: Check whether your driving data was shared with LexisNexis or Verisk. If you owned a GM vehicle connected to OnStar between 2016 and 2024, your data was likely sold. California residents can request their LexisNexis Comprehensive Loss Underwriting Exchange (CLUE) report at no cost; the full consumer disclosure request includes driving data. Verisk offers a similar consumer data request. Both are accessible online. If your data is on file, document the record before GM’s 180-day deletion obligation under the California settlement expires (November 2026 approximately).
Step 2: Review and tighten app permissions at the OS level. On iOS: Settings → Privacy & Security → Location Services → [Manufacturer App] → set to “While Using.” Revoke microphone and contacts permissions unless actively required. On Android: Settings → Privacy → Permission Manager → audit by permission type. The manufacturer app does not need “always on” location access to unlock your car.
Step 3: Opt out of data collection via the vehicle’s privacy settings. Every major EV brand has a data sharing toggle in the vehicle’s settings menu, the companion app, or both. Tesla owners can also adjust settings directly via tesla.com/privacy. Locate the relevant setting and apply minimum sharing. Accept that this will likely disable some connected features — OTA updates (Tesla), remote diagnostics, or location-based services. This is the intended trade-off. Most owners who have not checked this setting are sharing data with the manufacturer’s default-maximum configuration.
Step 4: Submit formal opt-out requests via state-applicable mechanisms. If you are in a state with CCPA, CPA, CTDPA, VCDPA, or TDPSA coverage: submit a “do not sell or share my personal information” request through your manufacturer’s privacy portal. These requests must be honored within 15–45 days depending on state law. Keep a timestamped record of submission and confirmation.
Step 5: Use a VPN on your phone when using EV-related apps. The manufacturer app, charging network apps (EA, EVgo, ChargePoint), and route planning apps (ABRP, Waze) all transmit data over your mobile connection. A no-log VPN on your device encrypts this traffic from your mobile carrier and adds a transport-layer barrier against app-level data collection by ad networks embedded in these apps. This does not stop server-side collection by the app developer but eliminates carrier-level visibility and reduces cross-app tracking.
Step 6: Use a password manager for all EV-related accounts. Each charging network, each manufacturer app, and each third-party EV service requires a separate account. Using a password manager with unique strong credentials for each account prevents credential stuffing attacks — a growing vector given that phishing attacks targeting automotive accounts have increased alongside EV adoption. Unique credentials make it easier to close unused accounts rather than leaving dormant profiles with stored location history. See our best password managers guide for current options.
Step 7: Monitor your insurance rates for unexplained increases. If you own a GM, Ford, Honda, Hyundai, or Kia EV or connected vehicle from 2019 to 2024, request a copy of your consumer data file from LexisNexis Risk Solutions and Verisk Analytics. Both companies are required under FCRA to provide a consumer disclosure. If driving data appears in your file from a period when you did not consent to sharing, you have grounds for a dispute and potentially a legal claim depending on state of residence.
Step 8: At charging stations, prefer roaming authentication over account-linked payment where available. Some public chargers in Europe and increasingly in the US accept Plug and Charge (ISO 15118-based automatic authentication) or RFID cards without requiring app account linkage. Where this is available, it reduces the personally identifiable data attached to charging session records. At Tesla Superchargers, account authentication is required — there is no anonymous charging path.
Who Should Be Most Concerned
Not all EV owners face equivalent exposure. According to Axis Intelligence, the highest-risk profiles are:
GM vehicle owners from 2016–2024 enrolled in OnStar Smart Driver: your data was almost certainly sold to Verisk and LexisNexis. The California settlement is evidence. Check your data file from both brokers before the November 2026 deletion window closes.
EV owners in states without privacy laws who rely on the manufacturer’s voluntary privacy practices. Without statutory enforcement backing, voluntary commitments carry no reliable legal weight.
Owners of Nissan vehicles using NissanConnect, where the privacy policy’s claims over sensitive data collection are the most expansive of any major brand reviewed by Mozilla.
Anyone who connected a smartphone to their vehicle’s infotainment system and did not review the data sharing consent at first connection. The moment-of-connection consent is often presented as a single-tap acceptance covering extensive contact, call log, and message preview access.
Frequently Asked Questions
What data does an electric vehicle collect?
Modern EVs collect three categories of data: vehicle telemetry (location sampled at high frequency, speed, acceleration, braking, battery state, charging events), cabin data (voice commands, paired device information, in-car camera feeds in vehicles with driver monitoring systems), and app interaction data (how you use the companion app, what features you access, payment information for remote services). According to Axis Intelligence’s analysis, the combination of location history and charging behavior data alone is sufficient to reconstruct a detailed behavioral profile — home address, workplace, medical facility visits, religious attendance — without any additional data categories.
Do EV manufacturers sell your data?
Most of them reserve the right to. Mozilla Foundation research found that 19 of 25 major automakers state in their privacy policies that they may sell personal data. General Motors confirmed through FTC and California enforcement action that it did sell driving behavior and location data to Verisk Analytics and LexisNexis Risk Solutions. Tesla states it does not sell or rent personal data to third parties. BMW USA states it does not sell in-vehicle personal data. Most other brands either explicitly reserve the right to sell or use language that does not exclude it.
Can your EV manufacturer share your data with the government?
Most can, on a threshold lower than a court order. Mozilla Foundation found that 56% of the 25 automakers it reviewed say they will share data with government or law enforcement in response to a “request” — not specifically requiring a warrant or court order. Hyundai’s policy specifies compliance with “lawful requests, whether formal or informal.” Tesla’s policy covers sharing required by “legal obligations.” BMW’s US policy specifies compliance with lawful government requests under a standard process. No automaker reviewed by Mozilla met the standard of requiring a formal court order before disclosing location or behavioral data.
What is the biggest EV data privacy case so far?
The California settlement against GM and OnStar announced May 8, 2026 — $12.75 million, the largest CCPA penalty ever issued. It covers eight years (2016–2024) of location and driving behavior data sold to data brokers without consumer consent. The FTC had previously finalized a 20-year consent order against GM in January 2026. Combined, these actions represent the first systematic regulatory enforcement of connected vehicle data practices in the United States.
What happened with the GM OnStar data scandal?
GM’s OnStar Smart Driver program enrolled millions of drivers, often without their clear awareness, in a telematics program that collected precise geolocation and driving behavior, sampled as frequently as every three seconds in some reports. This data was sold to Verisk Analytics and LexisNexis Risk Solutions, which provided it to insurance carriers for premium calculation. Many drivers experienced insurance rate increases without knowing their vehicle data had contributed. The FTC filed a complaint in January 2025 characterizing GM’s enrollment process as misleading. The consent order was finalized January 14, 2026. California’s AG announced a $12.75M CCPA settlement on May 8, 2026.
Can you opt out of EV data collection?
Partially. You can disable app-level location permissions, submit statutory opt-out requests under applicable state privacy laws, and adjust vehicle data sharing settings. What you typically cannot opt out of without losing connected features: the vehicle’s own cellular telemetry transmission, OTA software updates (in Tesla’s implementation), remote diagnostics, and the VIN transmission that occurs during every DC fast charging session at the protocol level. The opt-out options that exist are often difficult to find; Ford was specifically penalized by California for making its opt-out process unnecessarily difficult.
Does a VPN help with EV privacy?
A VPN on your smartphone protects the traffic generated by EV companion apps and charging network apps from your mobile carrier and from ad network trackers embedded in those apps. It does not affect the vehicle’s own telemetry, which transmits over the vehicle’s dedicated cellular connection independently of your phone. A no-log VPN is most relevant for protecting charging app usage patterns, payment data transmission on less secure networks, and cross-app tracking. For current recommendations, see our best VPN for privacy guide.
What is the California DROP platform for EV data?
California’s DELETE Request and Opt-out Platform (DROP), launching August 1, 2026, allows California residents to submit data deletion and opt-out requests to all 500+ registered data brokers through a single state-operated interface. This directly applies to Verisk Analytics and LexisNexis Risk Solutions, the two primary buyers of automotive driving behavior data. Prior to DROP, affected drivers had to submit individual requests to each broker. DROP represents the most operationally significant development in consumer data rights for EV owners in 2026. For California drivers who had their data sold by GM or other OEMs, this is the most direct mechanism to act on that harm.
Is EV charging data private?
No, not by default. Every public DC fast charging session generates a record at the charging network operator containing: your account identifier, VIN, session timestamps, location, energy delivered, and payment information. This data is held by the network operator (Tesla, Electrify America, EVgo, ChargePoint, etc.) under its own privacy policy, separate from the vehicle manufacturer’s policy. The VIN transmitted at session initiation is a protocol-level requirement under ISO 15118 and cannot be disabled by the vehicle owner. For sessions paid through a linked account, the full record is personally identifiable.
What should I do if I owned a GM vehicle with OnStar from 2016 to 2024?
Take three specific actions: (1) Request your consumer disclosure file from LexisNexis Risk Solutions (lexisnexis.com/risk/privacy/consumer-disclosure) and Verisk Analytics to determine if your driving data is in their systems. (2) Review your insurance premium history for the same period; if rates increased without obvious cause, your driving data may have been a factor. (3) If you are a California resident, monitor the California AG’s office for claims processes related to the $12.75M settlement; consumer distribution mechanisms may follow. For non-California residents, consult the active litigation in Arkansas and Texas for your state’s status. GM is required under the California settlement to delete retained data within 180 days; act before that window closes to document what was held.
Marcus Chen covers cybersecurity, privacy, and connected device security at Axis Intelligence. His work focuses on the intersection of technology architecture and user data exposure.

Marcus Chen is the Cybersecurity & Privacy Editor at Axis Intelligence. With over 12 years of experience in enterprise security, he holds CISSP and CISM certifications and previously served as a SOC analyst at a Fortune 500 financial institution. Marcus personally tests every VPN, antivirus, and security tool he reviews, running them through standardized threat simulations in his home lab. He covers cybersecurity tools, VPN reviews, privacy guides, scam analysis, and enterprise security frameworks.
