Connected cars that will reach the market in 2026 will send personal data to manufacturers' servers at a rate of 95%, and will do so without explicit consent from the driver, according to a study by the Hermes Foundation. The collection includes everything from location every few seconds to driving habits, mobile contacts, interior audio, and biometric patterns.
The contradiction arises at a time of increased digitalization of automobiles and greater legal demands in Europe. While vehicles accumulate more sensitive information than ever before, an analysis of 25 brands concludes that 92% offer little or no user control over what is collected and that 84% share or sell that data to third parties.
The European regulation will be applicable in September 2025
The EU will attempt to correct this imbalance with the Data Act, Regulation EU 2023/2854, which will be applicable from September 2025. The regulation obliges manufacturers to facilitate access to the data generated by the vehicle and prevents them from restricting basic functions when the user exercises this right.
This change reduces dependence on the manufacturer to access the car's information. It also opens up opportunities for predictive maintenance, remote diagnostics, and fleet management companies that until now depended on the technical and commercial control of the brands over this data.
At the same time, the GDPR places some of this information at the highest level of protection. Biometric data becomes a special category when it uniquely identifies a person, which requires obtaining explicit consent and relying on reinforced legal bases.
The United States already acted against General Motors until 2030
Regulatory pressure already has a precedent in the United States. The FTC prohibited General Motors from disclosing, sharing, or trading customer personal data until 2030 after detecting the sale of location and driving data to data brokers.
This case illustrates a different model from the European one, because in the United States there is no single federal law on biometrics applied to vehicles. Control depends on sectoral actions by the FTC, state laws, and specific cases opened by the authorities.
For 2026, furthermore, surveillance will increase on products and services that depend on audio, video, or biometrics captured inside the car. This group includes solutions linked to behavior analysis, cabin security, or the personalization of digital services.
Outside of Europe, the scenario is uneven. European sanctions for non-compliance with data protection can reach millions, while in Latin America the regulatory framework remains more fragmented, although the adoption of global standards by local companies is accelerating that adjustment.
The study by the Hermes Foundation adds that, among the 25 brands analyzed, 84% share or sell data to third parties and 92% leave drivers with little control over the information generated by the vehicle.