Connected Car Privacy in Canada: 7 Shocking Data Points Your Vehicle Collects

Connected car privacy in Canada what data your vehicle collects — this is the question every Canadian driver should be asking before accepting the next terms-of-service pop-up on their dashboard screen. Your vehicle likely knows where you sleep, how hard you brake, what you say to your passengers, and where you stop for coffee every morning. In 2023, the Mozilla Foundation rated every major car brand an F for privacy, calling automobiles “the official worst category of products for privacy” they had ever reviewed. Yet almost no one in Canada is talking about what rights you actually have — or how to exercise them.

RIDEZ dug into the legal frameworks, the data pipelines, and the opt-out options that Canadian drivers need to understand right now.

What Data Does Your Connected Car Collect in Canada? 6 Critical Categories

Modern connected vehicles are rolling data centres. Industry estimates suggest a heavily sensorized vehicle can generate up to 25 gigabytes of data per hour — though that figure varies by manufacturer and which systems are active. What is not in dispute is the sheer breadth of what gets captured.

Data Category	Examples	Typically Shared With
Location & Navigation	GPS coordinates, route history, destination searches	Automaker servers, mapping partners, insurers
Driving Behaviour	Speed, braking force, acceleration, cornering	Insurance data brokers (e.g., LexisNexis, Verisk)
Vehicle Diagnostics	Engine codes, tire pressure, battery health, mileage	Dealers, warranty systems, third-party repair networks
Infotainment & Voice	Voice commands, media preferences, phone contacts synced via Bluetooth	Automaker cloud services, voice-recognition subcontractors
Cabin Sensors	Driver-monitoring cameras, occupancy detection, seatbelt status	Automaker safety R&D, autonomous-driving datasets
Connected Services	Wi-Fi hotspot usage, app logins, subscription status	Telecom partners, app developers

Most of this collection begins the moment you pair your phone or accept the infotainment setup wizard — the same moment you are least likely to read the fine print. At least 84 percent of new vehicles sold in Canada now ship with embedded telematics hardware that cannot be fully disabled by the owner.

If you are shopping for your next vehicle and want to evaluate what you are really buying, our buyer guides cover the practical side of ownership — but the privacy implications deserve equal weight.

How Automakers Share and Sell Your Connected Car Data to Insurers

Your driving habits have monetary value to parties well beyond the automaker. The most high-profile example came in 2024, when reporting revealed that General Motors had been sharing granular driving data — including trip-level speed, braking, and acceleration records — with insurance-industry data brokers LexisNexis and Verisk through its OnStar Smart Driver program. Many drivers believed they were simply receiving a personal driving score. Instead, that data flowed directly to insurers who used it to adjust premiums. A U.S. Senate inquiry followed, and GM eventually announced it would wind down the program.

“Drivers thought they were getting a fun driving score. What they were actually getting was a pipeline from their car to their insurance company’s pricing algorithm.” — Sen. Ron Wyden, U.S. Senate Commerce Committee

Canadian drivers using OnStar-equipped vehicles were subject to similar data-collection infrastructure. While Canadian insurers operate under different provincial regulatory frameworks, the underlying data flows crossed borders through the same corporate systems.

GM is not alone. Mozilla found that 84 percent of car brands reviewed share or sell user data, and 56 percent will share data with law enforcement without requiring a court order.

PIPEDA and Connected Car Privacy: 5 Essential Rights Canadian Drivers Have

Canada’s federal privacy law — the Personal Information Protection and Electronic Documents Act (PIPEDA) — establishes a consent-based framework that applies directly to automakers collecting data from Canadian drivers. In principle, it offers stronger protections than most U.S. states. In practice, enforcement has lagged far behind the technology.

Here is what PIPEDA requires:

1. Meaningful consent before collection. Companies must obtain informed, specific consent — not a blanket “accept all” pop-up buried in legalese.
2. Purpose limitation. Data can only be collected for purposes a reasonable person would consider appropriate. Collecting braking patterns to improve safety is defensible; selling them to insurers is harder to justify.
3. Right to access your data. You can request a copy of all personal information an automaker holds about you. They must respond within 30 days.
4. Right to challenge and correct. If a telematics record attributes aggressive driving to you when someone else was behind the wheel, you can request correction.
5. Right to withdraw consent. You can revoke consent for non-essential data collection, though automakers may argue certain telematics are tied to safety systems.

Provincial laws in Quebec (Law 25), Alberta (PIPA), and British Columbia (PIPA) add additional layers around breach notification and cross-border data transfers.

Canada’s proposed Bill C-27 (Digital Charter Implementation Act) would have modernized these rules with stronger consent mechanisms and a new enforcement tribunal. However, the bill died on the order paper when Parliament dissolved in early 2025 and has not been reintroduced as of March 2026. This leaves PIPEDA — a law written before smartphones existed — as the primary federal framework governing how your car handles your data.

For Canadian drivers navigating consumer protection issues, understanding this legal gap is critical.

Worst Offenders: Which Car Brands Collect the Most Driver Data

Mozilla’s “Privacy Not Included” report — the most comprehensive independent audit available — scored brands on data collection scope, sharing practices, security track record, and user control. Every brand failed. Some failed harder than others.

1. Tesla collected the widest range of data types, including cabin camera footage, voice recordings, and detailed driving telemetry with minimal opt-out options.
2. Nissan’s privacy policy disclosed the right to collect “sexual activity” and “genetic information” — categories that stunned privacy researchers even if their practical collection remains unclear.
3. Hyundai and Kia reserved the right to share data with law enforcement on informal request, without requiring a warrant or court order.
4. GM, Ford, and Toyota all maintained data-sharing arrangements with insurance brokers or advertising partners with consent mechanisms that privacy advocates called inadequate.
5. BMW and Mercedes-Benz offered somewhat more granular privacy controls in their connected-services apps but still received failing grades.

The entry of Chinese automakers like BYD into the Canadian market adds another dimension. Connected vehicles from manufacturers headquartered in China raise cross-border data-flow concerns under PIPEDA and national security questions that regulators have largely left unaddressed.

7 Proven Steps to Limit What Your Connected Car Shares About You

You cannot eliminate connected-car data collection entirely without disabling safety-critical systems. But you can significantly reduce your exposure:

1. File a PIPEDA data access request. Write to your automaker’s privacy office and ask for all personal information they hold about you. Templates are available on the Office of the Privacy Commissioner’s website.
2. Review your infotainment privacy settings. Most brands bury data-sharing toggles three or four menus deep. Look for “connected services,” “data sharing,” or “privacy” settings and disable anything optional.
3. Disconnect from non-essential connected services. If you do not use the manufacturer’s app for remote start or vehicle status, deauthorize it. Fewer active connections mean fewer data pipelines.
4. Decline “driving score” or “smart driver” programs. These are the primary conduits for sharing granular trip data with insurance brokers.
5. Do not sync your phone contacts or call history. Pair via Bluetooth for audio if needed, but decline the prompt to import contacts. Once synced, that data often persists on the vehicle’s system even after you unpair.
6. Check for cabin cameras — and learn how to disable them. Tesla, Subaru, and several other brands include driver-monitoring cameras. Some allow you to turn off data upload; others do not.
7. Read the privacy policy before you buy. A 10-minute skim during your test drive can reveal deal-breaking terms. If a brand refuses to let you opt out of data sharing, factor that into your purchase decision.

What to Do Next

Connected car privacy is no longer an abstract concern — it is a concrete exposure that affects your insurance rates, your personal security, and your legal rights. Here is your action plan:

• This week: Log into your vehicle manufacturer’s app and review your data-sharing settings. Disable everything marked optional.
• This month: Submit a PIPEDA data access request to your automaker’s Canadian privacy office. Document what they send back.
• Before your next purchase: Compare privacy policies alongside horsepower and fuel economy. Mozilla’s “Privacy Not Included” guide is a free starting point.
• Stay informed: Follow RIDEZ coverage in our technology and policy section for updates on federal and provincial privacy regulation affecting Canadian drivers.
• Talk to your insurer: Ask directly whether they receive telematics data from any automaker program you may have enrolled in — and request written confirmation of what data they hold.

The connected car is not going away. But informed consent should not be optional. Know what your vehicle knows about you — and decide for yourself what you are willing to share.