Personalized driving: Balancing privacy & preferences in today’s cars

The automotive industry is on the cusp of an exciting time similar to the early days of mobile phones.  

In the beginning, mobile phones were simple communication devices. They were mobile equivalents of landline phones, allowing consumers to receive and make phone calls away from home.

Rapidly, however, mobile phones became smarter. They began to allow alternate forms of communication through apps, including social media apps. Mobile phone apps also allow a smart phone to record the owner’s life and help the owner interact with the outside world in a personalized way.  

Now, mobile phones and other mobile devices, including any loaded apps, can store contact information for our family and friends, our health information, and our preferences. They allow us to pay or receive money for products and services anywhere and anytime.  

We take, store, and share photos through our mobile devices. We can interact with each other through social media, and with our service providers. Smart phones can also provide convenience services, such as turning our photos into music-embedded videos across a common theme, such as “Pet Friends,” “Winter Wonderland,” and “Thailand 2025.” In other words, mobile devices are essentially mobile extensions of our digital selves, all in a tiny handheld or worn device.  

• The evolution of cars
• The opportunities and risks of connected cars
• Where does the law stand?
• How to balance privacy and preferences in cars

The evolution of cars

Newer vehicles increasingly have the same ability. Like the evolution of mobile devices, the first version of connected vehicles functionality was limited and involved plugging in a mobile device (later, using Bluetooth to connect) to use vehicle speakers to receive and make phone calls and listen to music. 

Today’s connected cars – vehicles that have some level of connectivity with the outside world – allow drivers and passengers to load apps and communicate with the outside world.

Also like later mobile devices, today’s connected vehicles also have the ability to perform sophisticated convenience services, like predicting destinations and suggesting routes, finding nearby electric car chargers or suggesting cost-effective at-home electric charging times, adjusting seat position automatically for the individual driver, calling 911 and/or taking external/internal photos on triggers like airbag deployment or detection of a break-in attempt.  

A recent Mercedes ad revealed some of the power of connected vehicles, showing how much visibility into a driver’s life that a connected vehicle may have. Though the ad was intended to show the benefits of these abilities, it also underscored the privacy sensitivity of these same features.  

The opportunities and risks of connected cars

Today’s vehicles are much closer in their abilities and the amount of data they may hold about an individual to today’s mobile devices, but the privacy context for vehicles is quite different from that of mobile devices.  

After all, a mobile phone typically stays with its owner and, if lost, requires facial recognition or password completion before displaying information. A vehicle, however, is more often a family device. Family members frequently drive the same vehicle, both together and solo. Friends often also ride in vehicles. This means that the information a vehicle collects about its routes, speed, locations, charging, music, phone calls and text messages, payments, and other interactions is likely to apply to more than one person.  

As the example Mercedes ad demonstrates, the intended driver may not be the person receiving a vehicle’s helpful suggestion on how to get to a favorite restaurant. Instead, the innocent-sounding recommendation may reveal to the wrong person information that the data subject did not want to share.  

Where does the law stand? 

Regulators are beginning to agree. The United States has seen both enforcement actions related to sharing connected vehicles data without appropriate consent, as well as new legislation designed to protect victims of domestic abuse from abuser misuse of connected vehicle services.  

For example, in 2024 GM faced a lawsuit related to its sharing of driver behavior information to Lexis Nexis, which in turn shared that information with auto insurance companies. In 2025, the Federal Trade Commission determined that users did not have appropriate notice and consent for the practice and barred GM for selling this information for five years.  

Also in the United States, California passed a law aimed at protecting victims of domestic violence from having their connected vehicles weaponized against them. At the most basic level, this law requires auto makers to establish a clear process through which victims of domestic violence can request (and auto makers complete) termination of another driver’s remote vehicle access. New York may pass similar legislation soon. 

Fortunately, the technology that allows for sophisticated and individualized connected vehicle services also should allow for individualized notice, consent, and other privacy protections.  

How to balance privacy and preferences

That said, the auto industry is facing an opportunity for innovation in the privacy space as it designs privacy into the complex, and sometimes multi-user, set of interfaces related to connected vehicle services. Just a couple of the special challenges the auto industry will need to address include: 

• Transparency – though vehicle owners and drivers may have the opportunity to see robust privacy notices when signing up for connected services, passengers and other drivers may not have the opportunity to also see these notices when subsequently driving or being in the vehicle. The car industry will want to carefully consider the distinct types of data subjects and reasonable ways to include them in transparency interactions.  

• Consent – similarly, vehicle owners and individuals who sign up for connected services may provide explicit consent for interior camera usage, driving behavior analysis, location suggestions, and other services through the vehicle console, paper or online agreements, apps, and other mechanisms. Subsequent drivers and passengers, however, may wind up as data subjects in that vehicle without explicit consent.  

• Multiple channels – given that vehicles interact with personal data across multiple channels – through the vehicle itself, connected devices, and apps – it will be a challenge to manage transparency and consent across all these different channels.  

It might be that vehicles in the future will require a login, biometrics recognition, or facial recognition before enabling connected services data selection, and from there manage transparency and consent on an individual basis.  

Alternately, tomorrow’s vehicles may ask for and receive a set of consents and preferences from a user’s mobile device and manage data collection and use according to that single user’s permissions. Regardless, personalized vehicle experience is an area for which privacy is critical.