PrivacyLawMap
Back to Blog
GuidesMarch 28, 202610 min read

Connected Car Data Privacy: How Your Vehicle Collects and Shares Your Data

Share:

Your Car Is Watching You — And Sharing What It Sees

Modern vehicles collect an enormous amount of data: GPS location, driving speed, braking patterns, acceleration habits, trip histories, and even cabin audio in some cases. For most drivers, this data collection happens invisibly. But a landmark Texas lawsuit has exposed how that data can flow from your car to insurance companies — and ultimately raise your premiums.

This article breaks down what connected car data privacy looks like in 2026, what state privacy laws say about it, and what businesses and consumers should know.

The Texas vs. Allstate Lawsuit: A Wake-Up Call

On January 13, 2025, Texas Attorney General Ken Paxton filed the first-ever enforcement action under a state comprehensive data privacy law — suing Allstate and its subsidiary Arity for illegally collecting and selling the driving behavior data of over 45 million Americans.

How the Scheme Worked

Arity, a data analytics subsidiary wholly owned by Allstate, paid developers of popular mobile apps — including GasBuddy, Fuel Rewards, and Routely — to embed a software development kit (SDK) into their apps. Once installed, the SDK tracked users' precise geolocation data in real time, even when users thought they were simply finding cheap gas or earning fuel rewards.

Arity compiled this data into what it called the "world's largest driving behavior database" — trillions of miles of driving data. Insurance companies, including Allstate and others, then purchased this data to evaluate drivers and adjust premiums. Consumers who drove in ways the algorithm flagged as risky saw their car insurance rates increase, often without any idea their driving was being monitored.

What Laws Were Violated

Texas alleged violations of the Texas Data Privacy and Security Act (TDPSA), which requires:

  • Clear notice before collecting sensitive data (including precise geolocation)
  • Informed consent for collecting, processing, and selling sensitive personal data
  • The right for consumers to opt out of data sales

Allstate provided none of these protections. The AG is seeking over $1 million in penalties, with fines of up to $7,500 per TDPSA violation and $10,000 per Texas Data Broker Law violation. Given 45 million affected consumers, the potential liability is enormous.

It's Not Just Allstate: The Broader Connected Car Privacy Problem

The Allstate case is part of a larger pattern. In 2024, the FTC took action against General Motors for selling driver data to insurance companies without proper consent. And automakers like Toyota, Honda, and Hyundai have all faced scrutiny over their connected-vehicle data practices.

According to a 2023 Mozilla Foundation study, cars are the worst product category for privacy — every major car brand failed their privacy standards, with 84% sharing or selling driver data.

Types of Data Connected Cars Collect

  • Location and trip data — GPS coordinates, routes taken, destinations visited, trip frequency
  • Driving behavior — speed, braking force, acceleration patterns, cornering
  • Vehicle diagnostics — mileage, engine status, tire pressure, maintenance needs
  • Infotainment data — phone contacts synced to the car, call logs, media preferences
  • Biometric data — some vehicles collect facial recognition data for driver identification or drowsiness detection

How State Privacy Laws Protect Drivers

State comprehensive privacy laws provide several layers of protection for connected car data, though coverage varies significantly by state.

Sensitive Data Protections

Precise geolocation data — the core of the Allstate case — is classified as sensitive personal data under most state privacy laws. This means businesses typically need opt-in consent before collecting it, not just an opt-out. States with this protection include California, Texas, Colorado, Connecticut, Virginia, and most other states with comprehensive privacy laws.

Opt-Out of Data Sales

Every state privacy law gives consumers the right to opt out of the sale of their personal data. If a connected car platform or app is selling driving data to insurers or advertisers, consumers have the right to say no. The challenge is that most consumers do not know the data sale is happening in the first place.

Data Minimization

Several state laws require businesses to collect only the data reasonably necessary for the purpose disclosed to the consumer. Collecting driving behavior data through a gas-price app — as Arity did — likely violates data minimization principles under multiple state laws.

State-Specific Vehicle Data Legislation

Some states are going further with vehicle-specific privacy legislation:

  • Utah HB 357 (2026) — Amends Utah's consumer privacy law to add specific protections for motor vehicle data. Effective May 6, 2026, it addresses data collected by connected vehicles and shared with third parties.
  • Oregon HB 3875 — Addresses motor vehicle data sharing practices, adding protections specific to automotive telematics data.
  • California SB 1210 (2024) — Requires automakers to obtain opt-in consent before sharing geolocation data with insurance companies, effective July 2026.

What Businesses Should Do

If your business collects, processes, or uses connected vehicle data — whether you are an automaker, app developer, insurance company, or data broker — here is what you need to do:

  1. Audit your SDKs and third-party integrations — Know exactly what data is being collected by any embedded code, including third-party SDKs in your apps
  2. Get proper consent for sensitive data — Precise geolocation requires opt-in consent under most state laws. A buried disclosure in a 30-page terms of service does not count.
  3. Provide clear opt-out mechanisms — Make it easy for consumers to opt out of data sales and targeted advertising
  4. Check your data broker status — If you collect and sell consumer driving data, you may qualify as a data broker in California, Texas, Vermont, and Oregon, which have separate registration requirements. Take our data broker quiz to find out.
  5. Evaluate your state-by-state obligations — Use our privacy law calculator to determine which state laws apply to your business

What Consumers Can Do

  1. Review app permissions — Check which apps have location access on your phone, especially driving-related apps like GasBuddy, fuel rewards programs, and insurance apps
  2. Check your vehicle's privacy settings — Most connected cars have a settings menu for data sharing. Opt out of data collection where possible.
  3. Enable Global Privacy Control — Install a browser with GPC support to automatically signal opt-out preferences to websites
  4. Exercise your state privacy rights — If you live in a state with a privacy law, you can request to know what data has been collected and request deletion. Check your state's privacy law page for details.

This article provides general educational information and is not legal advice. Consult qualified legal counsel for guidance specific to your organization. Last updated: March 28, 2026.

Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.