What Your Car Knows About You, and What Automakers Sell It For

The Electronic Frontier Foundation put it plainly in its March 2024 piece "How to Figure Out What Your Car Knows About You": modern vehicles are rolling surveillance devices, and the data they generate is a product the manufacturer sells. The June 2024 follow-up, "Car Makers Shouldn't Be Selling Our Driving History," traced where that data ends up and what it does to insurance premiums.

This post walks through the numbers that keep turning up in the primary sources, names the brokers, and summarizes the opt-out path. No speculation. Every figure below cites a documented source.

The data volume

A typical connected vehicle generates roughly 25 GB of data per hour of operation, according to EFF's March 2024 guide. The categories are familiar if you think about what a modern car can sense: GPS traces, speed, hard-braking events, rapid-acceleration events, cornering force, seatbelt use, airbag and crash severity, voice commands captured by the infotainment microphone, Wi-Fi hotspot usage, and cabin activity on vehicles with interior cameras.

Mozilla Foundation's *Privacy Not Included review in September 2023 examined 25 major car brands. Every single brand failed. It was the first time in seven years of that review that an entire product category flunked. The headline numbers from Mozilla's write-up:

  • 84% of reviewed brands share or sell vehicle data.
  • 76% state in their own privacy policies that they can sell personal data.
  • 56% will share data with government or law enforcement on "request," language that does not require a warrant.

The brokers

Two names show up on almost every sharing disclosure.

LexisNexis Risk Solutions runs a product called the Telematics Exchange that aggregates driving-behavior data from multiple automakers and resells it to auto insurers. You can request your own LexisNexis consumer disclosure at consumer.risk.lexisnexis.com and look for the "Telematics" section. A separate report called CLUE (Comprehensive Loss Underwriting Exchange) is also pulled from LexisNexis. In the Romeo v. General Motors class action filed in 2024, GM confirmed it had shared Smart Driver data with LexisNexis from 2018 through 2024.

Verisk (formerly ISO) runs the Verisk Data Exchange. This is the name that caught the headlines in March 2024 when Kashmir Hill at The New York Times reported how driving data was flowing from automakers into insurance underwriting files. You can request your Verisk DriverFacts report by calling 1-800-627-3487.

A third category matters separately. Mobilisights is a Stellantis-owned data subsidiary launched in 2023. Stellantis publicly targets about $20 billion of incremental annual revenue by 2030 from software and data, with Mobilisights as the monetization arm, per the company's Dare Forward 2030 plan. Mobilisights is not exactly a broker in the same sense as LexisNexis or Verisk; it is an automaker's in-house data-sales business. It survives even after you cancel your in-vehicle connected-services subscription.

Third-party marketplaces round out the landscape: Otonomo, Wejo (filed Chapter 7 in mid-2023), and Smartcar. Otonomo's own filings showed per-vehicle revenue growing from about $0.05 in 2021 to about $2.47 projected in 2025. Fleet use was valued at roughly $25 per vehicle per year, and usage-based insurance at roughly $15 per vehicle per year.

What Senators Wyden and Markey actually documented

The most concrete dollar figures anyone has pinned down on automaker-to-insurer data sales come from a July 2024 letter from Senators Ron Wyden and Ed Markey to the Federal Trade Commission. The letter reported the automakers' own disclosures to the senators' offices:

  • Hyundai sold data from about 1.7 million vehicles to Verisk for approximately $1,040,000. That works out to roughly $0.61 per vehicle.
  • Honda sold data from about 97,000 vehicles to Verisk for approximately $26,000. Roughly $0.27 per vehicle.
  • General Motors confirmed that it shared Smart Driver data with insurance brokers from 2015 through 2024. GM did not disclose the specific payment to the Wyden investigation.

Those are small per-vehicle numbers. They are not small numbers in aggregate. They are also only the figures these automakers chose to disclose in response to the senators' inquiry. Nobody outside the companies knows the full scope of what was actually sold, to whom, and for how much.

The industry-level estimate

McKinsey projected in their analysis "Unlocking the full life-cycle value from connected-car data" that connected-vehicle data services will generate $450 to $750 billion globally by 2030. That's the scale the industry believes it is playing for. Whether the actual prize lands anywhere near that is a separate question; what matters is that $450 to $750 billion of expected revenue is why the default in every modern car is to collect.

Stellantis's public $20 billion annual target for 2030 is one data point inside that broader McKinsey estimate. It is the only hard number any major automaker has put on the record.

What this does to your insurance premium

Kashmir Hill's March 11, 2024 New York Times piece ("Automakers Are Sharing Consumers' Driving Behavior With Insurance Companies") is where the practical consequence got documented. Drivers who had their data shared with insurers without clearly informed consent reported 20% to 40% premium increases on renewal. In several cases, quoted drivers said their insurer pointed directly at specific hard-braking events recorded by the manufacturer's telematics system and scored into the risk model.

That is the concrete harm. A data broker bought your driving behavior, sold it to your insurer, and you paid the difference.

The regulatory side, for completeness

The Federal Trade Commission issued a policy statement in May 2024 titled "Cars & Consumer Data: On Unlawful Collection & Use." It said, in short, that automakers do not have a free license to monetize consumer data beyond what is needed to deliver services the customer actually requested, and that geolocation in particular is sensitive personal data. GM discontinued Smart Driver in June 2024 within weeks of the media exposure and the FTC statement.

State privacy laws give you the enforceable hooks. California (CCPA/CPRA), Colorado (CPA), Virginia (VCDPA), Connecticut (CTDPA), Oregon (OCPA), Texas (TDPSA), Montana (MCDPA), Iowa (ICDPA), Indiana (INCDPA), Tennessee (TIPA), and Delaware (DPDPA) all give residents the right to request deletion, the right to know what is collected, and the right to opt out of sale or sharing. Over 20 states had a version of this law in force by mid-2026, per the IAPP state-tracker. Automakers and brokers generally respond to these requests in 45 to 90 days.

Federally: there is no comprehensive privacy law. ADPPA stalled. The Bureau of Industry and Security's Connected Vehicles rule took effect in March 2025, but it regulates foreign-adversary components (Chinese and Russian telematics hardware and software), not domestic data sales. The EU has the Data Act in force as of September 2025 and the AI Act in force as of August 2024. Neither applies to US drivers.

What the EFF recommends, in order

The Electronic Frontier Foundation's guidance condenses down to a short list. These are the steps they suggest, not invented for this post:

  1. Request your LexisNexis consumer disclosure at consumer.risk.lexisnexis.com and inspect the Telematics section. Dispute anything unexpected in writing.
  2. Request your Verisk DriverFacts report by calling 1-800-627-3487.
  3. Pull your CLUE report from LexisNexis to see what has already been shared with insurers.
  4. File a Right to Delete and a Do Not Sell or Share request with your automaker and with each broker named in the disclosure, citing whichever state privacy law applies to you.
  5. Use Privacy4Cars' Vehicle Privacy Report tool at privacy4cars.com to see what your specific year and trim is known to collect.
  6. Do not connect the vehicle to your home Wi-Fi network. It creates a correlation vector outside the manufacturer's own visibility and gives your IP address to every data partner in the chain.
  7. Review the companion app's permissions on your phone. The phone-side data collection continues even after you disable in-vehicle telematics.
  8. Before any dealer service visit, ask in writing that no telematics data be extracted via the OBD-II port.

Physical disconnection is possible on most models but it is an advanced step. Disconnecting the cellular and GPS coax antennas from the telematics control module shuts off the data pipe without breaking Bluetooth or the microphone. It also disables emergency SOS and automatic crash notification. If your vehicle is financed or leased, some lenders require active telematics for recovery; check your contract before cutting anything. Hardware locations vary by model year and trim. The Autopian's August 2024 piece "Here's How To Stop Your Car From Sharing Your Data" is the best practical step-by-step across 22+ brands.

What a reasonable person does about this

No single step here fixes the problem. The pattern that actually moves the needle looks like this:

  • Do not sign up for connected services at point of sale. This is the single highest-leverage moment. Once you are enrolled, cancellation is a 45-to-90-day project. Never enrolling is free.
  • If you are already enrolled, file deletion requests under your state's privacy law and disable every sharing toggle in the app. Then verify 60 days later with a fresh LexisNexis disclosure.
  • Price in the insurance-premium delta. Every hard-braking event your car logs and shares is a scored feature in an underwriting model. If your insurer offers a telematics-based discount program, understand that it is a one-way ratchet: the discount is available for a year or two, and the premium adjustment that follows your data is permanent.

The industry estimate is $450 to $750 billion by 2030 per McKinsey. Stellantis alone is planning for $20 billion a year by 2030. Those numbers get paid for by drivers in the form of higher premiums, more targeted advertising, and fewer places where the fact of a ten-minute trip to a doctor's office stays private. The opt-outs work. They are not fast and they are not obvious, but they work.

Fact-check notes and sources

Primary sources cited inline:

  • Electronic Frontier Foundation, "How to Figure Out What Your Car Knows About You" (March 2024), eff.org/deeplinks/2024/03. The 25 GB per hour figure and the opt-out sequence come from this guide.
  • Electronic Frontier Foundation, "Car Makers Shouldn't Be Selling Our Driving History" (June 2024), eff.org/deeplinks/2024/06.
  • Federal Trade Commission policy statement, "Cars & Consumer Data: On Unlawful Collection & Use" (May 2024), ftc.gov/policy/advocacy-research.
  • Mozilla Foundation, *Privacy Not Included, "It's Official: Cars Are the Worst Product Category for Privacy" (September 2023), foundation.mozilla.org/en/privacynotincluded.
  • Senators Ron Wyden and Ed Markey, letter to the Federal Trade Commission, July 26, 2024. Public letter available via wyden.senate.gov. Contains the Hyundai 1.7M / ~$1.04M, Honda 97K / ~$26K, and GM Smart Driver 2015-2024 disclosures.
  • McKinsey & Company, "Unlocking the full life-cycle value from connected-car data." $450 to $750 billion global projection for 2030.
  • Stellantis Dare Forward 2030 plan and the Mobilisights announcement. $20 billion incremental annual revenue by 2030 target.
  • Otonomo marketplace revenue disclosures via EE Times. Per-vehicle ARPU $0.05 (2021) rising to $2.47 projected for 2025; fleet use ~$25/yr, usage-based insurance ~$15/yr.
  • Kashmir Hill, "Automakers Are Sharing Consumers' Driving Behavior With Insurance Companies," The New York Times, March 11, 2024. 20 to 40 percent premium impact.
  • Romeo v. General Motors class action filing (2024). Confirms GM's LexisNexis sharing 2018 to 2024.
  • LexisNexis Risk Solutions consumer disclosure portal, Telematics Exchange documentation.
  • Bureau of Industry and Security, "Securing the Information and Communications Technology and Services Supply Chain: Connected Vehicles" final rule, Federal Register, January 2025, effective March 2025.
  • IAPP US State Privacy Legislation Tracker, iapp.org/resources/article/us-state-privacy-legislation-tracker.
  • EU Data Act (Regulation 2023/2854), EU AI Act (Regulation 2024/1689).
  • Consumer Reports, "Stop Your Car From Collecting and Sharing Your Driving Data" (2024).
  • Privacy4Cars Vehicle Privacy Report tool, privacy4cars.com.
  • The Autopian, "Here's How To Stop Your Car From Sharing Your Data" (August 2024).

This post summarizes the findings of those sources. Direct quotes above are brief and attributed. Names of automakers, brokers, and regulatory agencies are used under nominative fair use. No affiliation with, or endorsement by, the Electronic Frontier Foundation, Mozilla Foundation, Federal Trade Commission, or any named automaker is implied. The Electronic Frontier Foundation is credited as the primary source for the consumer opt-out sequence and the "25 GB per hour" figure; all substantive recommendations trace back to EFF's public guidance.

Informational only. Not legal advice. Modifying vehicle hardware may affect warranty, lease, or finance terms. Physical disablement of telematics also disables emergency SOS and automatic crash notification. Verify hardware locations on your specific VIN before disconnecting anything. State laws and manufacturer policies change frequently. All sources cited as of April 2026.
