AI Ethics Education  ·  Vehicle Privacy Literacy

You Agreed.
But Were You Informed?

Why understanding privacy in the age of connected vehicles matters

Every time you drive, your car generates data. That data is collected, sold, and fed into AI systems that make inferences about you — your financial stress, your health, your habits, your psychology. You didn't consent to the inference. You consented to the terms and conditions. Those are not the same thing. This guide (six modules, a quiz, and an optional action plan) addresses the gap between what you agreed to and what that agreement actually means.

The cars, apps, and services covered here collect data most people assume stays private. Some of it is sold within seconds of leaving your vehicle. Some of it ends up with companies — and AI systems — you will never interact with directly. The terms and conditions said it was possible. What follows explains what that actually looks like.

  • 25/25: Major car brands failed Mozilla's 2023 privacy test — every single one
  • 37: Companies identified by The Markup in the connected vehicle data ecosystem
  • 20 yrs: Length of the FTC consent order against GM — the landmark 2026 federal enforcement action
  • 26¢: What Honda received per car when selling driver data to a data broker

Module 01

Your personal vehicle

Car manufacturers have promoted their vehicles as "computers on wheels" — emphasizing navigation, emergency assistance, and remote diagnostics. Those are real benefits. There are also costs. Ones that weren't in the brochure.

What connectivity gives you
  • Real-time navigation and traffic rerouting
  • Emergency SOS and automatic crash detection
  • Remote start, lock, and vehicle diagnostics
  • Recall alerts and over-the-air safety updates
  • Stolen vehicle tracking and recovery
What connectivity costs you
  • Continuous location tracking, logged with timestamps
  • Behavioral profiles sold to insurance companies
  • Biometric data captured via cameras and sensors
  • Phone data retained after you unpair your device
  • Data shared with government on informal request
What your vehicle collects
Location
GPS & movement data
Precise routes, timestamps, your home address, workplace, schools, medical facilities, and places of worship — every trip logged.
Biometrics
Body & identity data
Voice recordings, facial recognition, eye tracking, weight via seat sensors, and camera recordings of driver and passengers.
Behavioral
Driving behavior
Speed, hard braking, acceleration, cornering, seatbelt use, distraction indicators, and time-of-day patterns — logged continuously.
Device sync
Phone & app data
Contacts, call logs, text messages, app data, navigation history, and garage door codes stored in infotainment systems — even after you unpair.
Inferred
Profiles built from your data
Manufacturers can infer financial status, health conditions, race, religion, and psychological traits from raw data — and sell those inferences.
Extreme
What some brands explicitly list
Nissan and Kia explicitly name "sexual activity," "immigration status," and "genetic information" as data categories in their own privacy policies.

Over 80% of vehicles sold today still contain the personal data of previous owners — contacts, navigation history, garage door codes — accessible to the next user. Simply unpairing your phone is not sufficient. (Privacy4Cars)

56% of car brands will share your data with law enforcement on an informal request — not a warrant, not a court order. Just a request. (Mozilla Foundation, 2023)

Note on the Mozilla data: Mozilla's 2023 car privacy research remains the most comprehensive automotive privacy audit published. The Mozilla Foundation reorganized in late 2024, reducing advocacy capacity. The underlying 2023 findings — confirmed by FTC enforcement, state AG actions, and KPMG's 2024 industry survey — remain accurate.

Module 02

Emotion detection in vehicles

In-vehicle AI systems increasingly attempt to infer emotional states from observable signals — facial movements, vocal tone, driving behavior. Those inferences can be wrong, biased, and culturally variable. And the data they generate doesn't stay in the car.

Legitimate safety applications
  • Detecting drowsiness or distraction before accidents occur
  • Alerting drivers showing signs of fatigue to take breaks
  • Adapting vehicle settings — lighting, alerts — to improve alertness
  • EU General Safety Regulation mandates driver monitoring in new vehicles sold in Europe
The privacy concerns
  • The same cameras used for safety can build psychological profiles
  • Inferred emotional state data can influence insurance premiums
  • Systems trained on non-diverse data carry significant bias risk
  • In the US, no regulatory framework governs how this data is used or sold
How inference works — four methods
Facial analysis
Camera-based inference
Cabin cameras capture facial movements continuously. AI classifies them as indicators of drowsiness, distraction, or agitation. There is no scientific consensus that emotions are universally expressed through fixed facial signals. Accuracy varies significantly across individuals, cultures, and lighting conditions. Over 140 million vehicles worldwide now include some form of camera-based driver monitoring system.
Voice analysis
Speech & tone monitoring
Microphones analyze tone, pitch, pace, and cadence to infer emotional state from how something is said, not just what is said. At CES 2025, Qualcomm unveiled the Snapdragon Cockpit Elite chip specifically designed for emotion-aware in-cabin AI — processing voice and facial signals in real time, on device.
Physiological
Biometric sensing
Steering wheel grip, seat-based heart rate variability, and eye movement are used as proxies for stress and fatigue. Once considered research-stage, these sensors are increasingly standard — a leading European manufacturer has confirmed its 2027 fleet will include "Human-Centric Cockpits" that adjust semi-autonomous driving modes based on inferred driver state.
Behavioral
Driving as emotional proxy
Braking patterns, lane changes, and speed variation build inferred emotional and psychological profiles over time. This data is already collected commercially — it is what gets sold to insurance companies and data brokers, as the GM and Honda cases in Module 05 document.
The regulatory dividing line
EU
The EU AI Act's Article 5 banned emotion recognition AI in workplaces and education, effective February 2, 2025. Driver fatigue detection is explicitly exempted — the EU Commission's guidelines clarify that detecting fatigue is not classified as "emotion recognition" under the Act, because fatigue is a physical state, not an emotion. Safety monitoring is permitted. Using that same data to build psychological profiles or sell inferences has no such exemption. Fines reach €35 million or 7% of global annual turnover.
US
No equivalent federal law governs in-vehicle emotion inference in the United States. Data collected by driver monitoring systems is subject to general state privacy laws where they apply — but no US law specifically restricts how inferred emotional or psychological state data from vehicles can be retained, shared, or sold. The gap between what the technology can do and what the law prevents is wide.

The critical distinction: Emotion AI systems interpret surface-level cues and label them as evidence of internal states. As researchers at IFOW note, a furrowed brow does not necessarily signal sadness. A raised voice does not necessarily indicate anger. Context, culture, and individual variation all affect expression. Misclassification has real consequences when data is used to profile or price people. (MIT Sloan; IFOW; ABA Business Law Today)

Nissan's privacy policy explicitly states it can infer and record "preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes" — and sell those inferences to data brokers and law enforcement. This is in the terms you agreed to. (Mozilla Foundation, 2023)

Module 03

Rideshare apps

Uber and Lyft have transformed how cities move. They've also become significant collectors of personal data — and the story of what happens to that data, and to passengers, is still unfolding.

The real value of rideshare
  • On-demand transportation without owning a vehicle
  • Real-time trip sharing with trusted contacts
  • Driver and passenger rating systems for accountability
  • Accessible mobility for people who cannot drive
The data cost of every ride
  • Precise pickup and drop-off location saved permanently
  • Location tracked continuously if background access is on
  • Payment method, trip history, and device identifiers collected
  • Data about the driver — including complaint history — is not shared with you
Four documented incidents
57M
Uber · 2016 breach & cover-up
Uber suffered a breach exposing data on 57 million users and drivers. The company paid attackers $100,000 to stay quiet and concealed the breach for a year. It was later fined $148 million — the largest state data breach settlement in US history at that time.
SSN
Uber & Lyft · 2024 tracking pixel
Northeastern University researchers found tracking pixels in Uber and Lyft's driver application forms were transmitting Social Security numbers to Meta and TikTok through advertising analytics code. Both companies said it was unintentional and fixed it after notification. Class action investigations followed.
22
Uber · background check gaps · 2025
A December 2025 New York Times investigation found that in 22 states, Uber approved drivers convicted of violent felonies, child abuse, assault, and stalking — so long as convictions were at least seven years old. In 35 states, checks only covered where a driver lived during those years, missing prior offenses in other states.
$8.5M
Uber · federal jury verdict · 2026
In February 2026, a federal jury in Phoenix ordered Uber to pay $8.5 million to a passenger who said a driver had raped her. The jury rejected Uber's argument that it bore no responsibility for driver conduct — providing a roadmap for more than 3,000 pending lawsuits alleging systemic safety failures.
A shift: Uber tightens background checks

In February 2026, following the NYT investigation and the Phoenix verdict, Uber announced it will permanently ban drivers convicted of violent felonies, sexual offenses, and child or elder abuse — regardless of when those crimes occurred. The policy change is in progress; implementation timelines have not been specified. (NYT, February 2026)

NYC
The Taxi and Limousine Commission requires Uber, Lyft, and other rideshare companies to share trip data — pickup, drop-off, and duration — with the city government monthly. NYC's Public Advocate raised concerns about using the system to track millions of riders.
Policy
Uber's own privacy policy states it "may" de-identify data before selling it to third parties — but this is not guaranteed. The data collection scope is broad: location, contacts, payment credentials, device identifiers, and communication logs.
Teens
Both Uber (2023) and Lyft (February 2026) now offer teen accounts for riders aged 13–17 across hundreds of US cities. Teen accounts collect more data than standard adult accounts — real-time location shared with a guardian throughout every trip, audio recording enabled, and full trip history retained. The 13–17 age range falls outside COPPA's protections, which cover only under-13s, meaning a 13-year-old's precise location and trip patterns receive weaker federal privacy protections than a 12-year-old's would. Lyft's teen terms explicitly state that it may disclose a teen's ride information to law enforcement without being obligated to notify the parent or the teen. The same background check gaps identified in the December 2025 NYT investigation apply to drivers transporting teens on both platforms.
What Uber and Lyft say
Both companies state that 99.9% of rides occur without a safety incident. Uber says its background checks are national, multi-database, and continuously updated — and that name-based checks are more complete than fingerprint-based ones. Both companies provide in-app safety features including trip sharing, emergency buttons, and 24/7 support. Uber states it does not sell personal data without consent but reserves the right to share it with business partners, law enforcement on legal request, and in connection with business transactions.
Module 04

Autonomous & semi-autonomous vehicles

Think of a self-driving car as a global learning machine on wheels. No simulator can replicate every real condition it will encounter. The only way to teach the system is to put cameras in real cars on real roads and collect real data. That is genuinely necessary. It is also where the privacy question begins.

The distinction that matters: two fundamentally different kinds of data exist in any AV or semi-autonomous vehicle. Environmental data — roads, obstacles, pedestrians, weather — is what the system needs to drive. Personal data — who you are, where you go, what you look like — is not. The question is whether companies separate these, or bundle them together.

Waymo
Commercial robotaxi · Level 4 autonomous

The only company generating substantial US robotaxi revenue — over 500,000 paid rides per week across 10 cities including Los Angeles, San Francisco, Phoenix, Austin, Atlanta, Dallas, Houston, San Antonio, Orlando, and Miami. No human driver present. Passengers ride alone with cameras running.

500K
rides per week, March 2026
Across 10 US cities coast to coast. Interior cameras record throughout every ride. Target: 1 million weekly rides by end of 2026.
$126B
valuation, February 2026
Waymo raised $16 billion in a February 2026 round led by Sequoia, DST Global, and Alphabet. Despite massive investment, the path to profitability still depends partly on how passenger data can be monetized.
2025
AI training concern
Draft language in an unpublished Waymo privacy policy suggested plans to use interior camera data to train AI models. Waymo called it placeholder text and said it did not reflect final plans.
Law enforcement requests
Waymo has received requests for footage captured during autonomous journeys in San Francisco — raising questions about whether AV fleets function as ambient surveillance infrastructure.
What Waymo says
Waymo does not use facial recognition to identify passengers. It does not sell personal information in the conventional sense. Microphones are only active during support calls. Riders can delete their data through the app. Waymo acknowledges that some state laws may classify its targeted advertising arrangements as a "sale" of data.
Tesla
Privately owned vehicle · Level 2 driver assistance · Robotaxi pilot since June 2025

Tesla is both a consumer vehicle company and an emerging robotaxi operator. Its privately owned cars run Level 2 driver assistance — a human must always supervise. In June 2025, Tesla launched a commercial Robotaxi service in Austin using unmodified Model Y vehicles. As of early 2026, roughly 135 Tesla robotaxis are in service — compared to Waymo's 3,000+. Whether you own a Tesla or ride in one, the privacy question is the same.

2016
Shadow Mode begins
Even when you are driving, Autopilot runs in parallel and uploads data snapshots when its predictions differ from your behavior. The car learns from you whether or not you chose to engage any autonomous feature — and Tesla's privacy policy does not require it to notify you when a snapshot is taken.
2.5B
telemetry packages, Q3 2025
Received from the global fleet in a single quarter, excluding China. As of February 2026, customers had driven 8.3 billion miles with FSD engaged.
2019–22
employee footage sharing
Groups of Tesla employees shared invasive videos from customer cameras — including footage inside garages and private property — via internal messaging. Tesla's policy had stated footage "remain anonymous and are not linked to you." A class action followed.
135
robotaxis in Austin, late 2025
Tesla launched its commercial Robotaxi service June 22, 2025. NHTSA opened an investigation the next day after riders documented wrong-way driving, phantom braking, and passengers dropped at intersections. As a robotaxi passenger, there is no opt-out — data collection is not in your control at all.
What Tesla says
Tesla does not continuously collect personally identifiable camera recordings — most processing occurs within the vehicle. Camera recordings sent to Tesla are anonymous and not linked to the owner unless received as part of a safety event. Fleet learning data is used to improve safety systems. Tesla states it never sells or rents personal data to third parties. Tesla's quarterly safety reports show meaningful crash rate reductions with Autopilot engaged versus manual driving. With the launch of its Robotaxi service, Tesla has published a separate Robotaxi Privacy Notice, acknowledging the different data obligations of a commercial ride service.
The cameras that protect you are the same cameras that collect from you. The safety feature and the data collection are the same feature. Every driver — in a Waymo or a Tesla — faces a version of this tradeoff. The question worth asking is whether you were told.
Module 05

Where the data goes

Your data doesn't stay with your manufacturer. The Markup identified 37 companies in the connected vehicle data ecosystem — brokers, hubs, insurers, and analytics firms operating entirely outside your awareness.

"Your driving data goes to a half a dozen companies you've never even heard of for reasons you'd perhaps never agree to if asked directly." — EFF
[Diagram: YOUR VEHICLE (cameras · GPS · sensors) → MAKER (collects · sells) → DATA BROKER → Insurance companies · Advertisers · Law enforcement · Anyone who pays]
Four documented cases
20 yrs
GM / OnStar
FTC consent order finalized January 2026 — the most significant federal vehicle privacy enforcement in history. GM sold location and driving data every three seconds without adequate disclosure. No financial penalty imposed.
26¢
Honda
What Verisk paid per car for data from 97,000 Honda vehicles — approximately $25,920 total. California's CPPA later fined Honda $632,500 for related privacy violations.
45M
Allstate / Arity
Americans profiled through driving data collected via apps including Life360 and GasBuddy — without adequate disclosure. Texas AG sued under the state Data Privacy and Security Act.
Auto
Hyundai
Drivers automatically enrolled in its "Driving Score" data-sharing program simply by enabling internet connectivity — without being told their data would be sold to Verisk.
A shift: Verisk exits the market

In 2024, data broker Verisk stopped accepting data from car makers and shut down its driving behavior product for insurers. The exit shows that enforcement pressure works. LexisNexis and other brokers remain active. (Privacy4Cars; The Record)

The regulatory landscape
Federal
Two bills introduced December 2024 — the bipartisan Auto Data Privacy and Autonomy Act and the Car Privacy Rights Act — would require opt-in consent and ban data sales without explicit permission. Both pending.
States
Oregon (2025) now covers auto makers regardless of scale. Virginia passed a geolocation data sale ban (Feb 2026), joining Maryland and Oregon. New Jersey requires dealerships to offer data deletion at resale. California and New York protect domestic violence survivors from connected vehicle tracking.
The gap
19 states have comprehensive data privacy laws. Zero have a law that specifically and comprehensively governs connected vehicle data. The gap between what cars collect and what the law protects remains wide. (Nelson Mullins, 2026)
What the industry admits
  • 86% of auto privacy leaders say they've increased privacy budgets
  • 16% explicitly use "privacy by design" as an actual strategy

KPMG "Driving Trust" survey of 50 global automotive privacy leaders, 2024.

Module 06

Knowledge check

Ten questions based on documented facts from the lesson. An honest measure of what you now know.

Module 07

What you can do

Now that you're informed, here are some steps you can take using the rights you already have. The tools below are free — and some may surprise you with how much your vehicle already knows. You may not be able to opt out of everything, but you have more choices than the terms and conditions suggested.

01. Find your VIN
Your 17-character Vehicle Identification Number is on your dashboard (visible through the windshield, driver's side), the door jamb sticker, or your registration documents.

02. Look up your vehicle's privacy report
Visit vehicleprivacyreport.com — enter your VIN to see what your manufacturer collects, shares, and sells. The report is free. Note: this tool is run by Privacy4Cars, a for-profit company that sells privacy tools to dealerships. Entering your VIN is subject to their privacy policy.

03. Read your manufacturer's privacy policy
Search "[your car brand] privacy policy." Ask: How long is it? Does it mention data brokers or insurance by name? Is consent explicit — or buried?

04. Find your state's data rights
Search "[your state] data privacy consumer rights" or visit your state Attorney General's website. California, Colorado, Connecticut, Virginia, Texas, and Oregon residents have specific opt-out rights. The EFF's legislative tracker at eff.org covers vehicle-related bills in real time.

05. Audit your rideshare app settings
Open Uber or Lyft. Is location set to "always on"? What data-sharing settings are enabled? Check their privacy policy for what's retained after rides end.

06. Request your LexisNexis consumer report
Request it free at consumer.risk.lexisnexis.com under the Fair Credit Reporting Act. See if your driving has already been profiled and scored.

07. Submit your data deletion requests directly
Go to your car manufacturer's website and search "privacy request" or "data deletion." Under CCPA and state equivalents, covered residents can request deletion directly — no intermediary required. Once you have your LexisNexis report from Step 06, you can submit a deletion request through the same portal.

Questions worth asking
What data did you find most surprising that your vehicle or rideshare app collects?
Were you enrolled in a data-sharing program without realizing it?
Does your privacy policy mention data brokers or insurance companies by name?
What can you actually opt out of — and what are the consequences of doing so?
Where does convenience end and surveillance begin? Who gets to decide?
Who should be responsible for protecting this data: individuals, companies, or governments?
Sources & further reading

All claims verified

Every fact in this guide is drawn from primary sources, investigative journalism, regulatory filings, and peer-reviewed research. The terms and conditions were always there — this is what they actually say.

Primary sources
Privacy4Cars
privacy4cars.com →
Vehicle Privacy Report tool, Assert Your Data Rights, Data In Cars hub, and Laws by Geography. The world's leading automotive privacy company, covering more than 600 million vehicles globally.
The Markup — "Who Is Collecting Data from Your Car?"
themarkup.org →
Landmark 2022 investigation identifying 37 companies in the connected vehicle data ecosystem, mapping the full pipeline from manufacturer to data broker to insurer. Primary source for the data broker landscape and the Life360/Arity connection.
Electronic Frontier Foundation
eff.org →
Legal and legislative analysis of automaker data practices, police surveillance use of connected vehicle data, and advocacy for federal privacy laws. Source of the "half a dozen companies" quotation from Thorin Klosowski.
KPMG — "Driving Trust" (2024)
kpmg.com →
2024 survey of 50 global automotive privacy leaders. Key findings: 86% have increased privacy budgets; only 16% use "privacy by design" explicitly; industry described as in "early stages" of leading privacy practices.
FTC — GM/OnStar Consent Order
ftc.gov →
January 2026 finalized 20-year consent order against GM and OnStar — the most significant federal enforcement action on connected vehicle data privacy to date.
Mozilla Foundation — Privacy Not Included (2023)
foundation.mozilla.org →
2023 review of 25 major car brands — all 25 received failing marks. Note: Mozilla reorganized in late 2024, reducing its advocacy capacity. The 2023 findings remain accurate and have been confirmed by subsequent FTC enforcement and state AG actions.
Consumer Reports
consumerreports.org →
Investigation reviewing thousands of pages of automaker privacy policies across 15 major brands and the insurtech data broker ecosystem that profits from driver data.
The New York Times
nytimes.com →
Multiple investigations: Kashmir Hill's reporting exposing the GM/OnStar/LexisNexis data selling scandal (the reporter discovered she herself was among those tracked); Emily Steel's December 2025 investigation revealing Uber approved drivers with violent felony convictions in 22 states; and February 2026 reporting on Uber's policy change following that investigation.
Northeastern University / Prof. David Choffnes
news.northeastern.edu →
2024 peer-reviewed research uncovering that Uber and Lyft were inadvertently transmitting driver Social Security numbers to Meta and TikTok through misconfigured tracking pixels.
California Privacy Protection Agency
cppa.ca.gov →
2023 investigation into automaker data practices; March 2025 $632,500 enforcement action against Honda for CCPA violations.
Texas Attorney General
texasattorneygeneral.gov →
Lawsuits against GM, Allstate/Arity, and others; investigations into Ford, Hyundai, Toyota, and Fiat Chrysler for data collection and sharing practices.
TechCrunch
techcrunch.com →
Multiple stories cited: April 2025 reporting on Waymo's draft privacy policy and interior camera data plans; January 2026 coverage of the finalized FTC/GM consent order; February 2026 reporting on Lyft Teen launch in 200+ US cities; March 2026 reporting on Waymo crossing 500,000 weekly rides across 10 cities.
Waymo Privacy Documentation
waymo.com →
Waymo's official privacy policy and help center documentation on cameras, microphones, and data practices — including their stated positions on what they do and do not collect.
Tesla Full Self-Driving Safety Report
tesla.com →
Tesla's own quarterly safety report. Source of the Q3 2025 figure of 2.5 billion telemetry packages received from the global fleet, and the 8.3 billion cumulative FSD miles as of February 2026.
IEEE Spectrum — "Tesla's Autopilot Depends on a Deluge of Data"
spectrum.ieee.org →
Authoritative technical investigation of Tesla's Shadow Mode — in which Autopilot simulates driving in parallel with the human driver and uploads data snapshots when its predictions diverge from human behavior. Operating since 2016.
Reuters — Tesla Employee Footage Sharing
reuters.com →
2023 investigation based on interviews with nine former Tesla employees, revealing groups of staff privately shared invasive videos and images from customers' car cameras — including footage inside garages and private property — between 2019 and 2022.
Future of Privacy Forum
fpf.org →
FPF's mobility and location data portfolio covers connected vehicles, autonomous vehicles, rideshare, and mobility data privacy. Publisher of connected vehicle privacy guidelines and EDPB compliance analysis.
MIT Sloan — Emotion AI Explained
mitsloan.mit.edu →
Foundational explainer on emotion AI as a subset of AI that measures, understands, simulates, and responds to human emotions. Covers automotive applications and accuracy limitations.
ABA Business Law Today
businesslawtoday.org →
Legal analysis of emotion AI privacy, manipulation, and bias risks under US and EU frameworks, including data minimization challenges and regulatory gaps.
Institute for the Future of Work (IFOW)
ifow.org →
Research on emotional privacy and the scientific limits of emotion AI — including the dispute over whether emotions are universally readable from facial or physiological signals.
Senator Ed Markey / FTC
markey.senate.gov →
2024 letter urging FTC investigation into automaker data practices; findings on Honda and Hyundai's data-sharing arrangements with Verisk.
Nelson Mullins — Auto Privacy Regulation 2026
nelsonmullins.com →
February 2026 legal analysis of accelerating state-by-state vehicle privacy regulation, including Oregon's 2025 update, Virginia's proposed geolocation ban, and Connecticut AG enforcement focus on connected vehicles.
Lutzker & Lutzker
lutzker.com →
Running legal tracker of class action lawsuits, AG investigations, and regulatory enforcement actions across multiple states related to vehicle data practices.
EU AI Act — Article 5 & European Commission Guidelines
digital-strategy.ec.europa.eu →
Article 5(1)(f) of the EU AI Act bans emotion recognition AI in workplaces and educational settings, effective February 2, 2025. The Commission's guidelines (published February 4, 2025) clarify that driver fatigue detection is not classified as "emotion recognition" — it is a physical state, not an emotion — and is therefore exempt. Fines for non-compliance reach €35 million or 7% of global annual turnover. Source for the EU regulatory section in Module 02.
Qualcomm — Snapdragon Cockpit Elite (CES 2025)
qualcomm.com →
Qualcomm unveiled the Snapdragon Cockpit Elite platform at CES 2025, specifically designed for next-generation emotion-aware in-cabin AI — processing voice, facial, and behavioral signals in real time, on device. Source for the voice analysis data-row in Module 02.
AI In-Vehicle Surveillance Market Report (Industry Research)
industryresearch.biz →
Market research report citing that over 140 million vehicles worldwide now include camera-based driver monitoring systems or cabin surveillance features. Source for the facial analysis data-row in Module 02.
Lyft Privacy Policy (February 9, 2026)
lyft.com →
Lyft's updated privacy policy, effective February 9, 2026 — the same date as the Lyft Teen launch. Governs data collection, use, and sharing for all Lyft accounts including teen accounts.
Lyft Teen Terms and Conditions
lyft.com →
Lyft's terms for teen accounts (ages 13–17), effective February 9, 2026. Explicitly states that Lyft may disclose a teen's ride information to law enforcement or government agencies without being obligated to notify the parent or the teen. Source for the Teens reg-item in Module 03.
Lyft Teen Launch — TechCrunch (February 2026)
techcrunch.com →
TechCrunch reporting on Lyft Teen launching February 9, 2026 in 200+ US cities for riders aged 13–17, including features such as PIN verification, audio recording, and real-time guardian tracking. Source for Module 03.
Federal Jury Verdict — Uber, Phoenix (February 2026)
dnyuz.com →
A federal jury in Phoenix ordered Uber to pay $8.5 million in February 2026 to a passenger who said a driver raped her. The jury rejected Uber's independent contractor defense, establishing a roadmap for more than 3,000 pending lawsuits. As reported by The New York Times (via DNYUZ). Source for the $8.5M proof card in Module 03.
Waymo — 500K Weekly Rides (Inside EVs / TechCrunch, March 2026)
insideevs.com →
Reporting from late March 2026 confirming Waymo crossed 500,000 paid driverless rides per week across 10 US cities. The company targets 1 million weekly rides by end of 2026. Source for Waymo's ride count stat card in Module 04.
Waymo — $126B Valuation (Automotive World, February 2026)
automotiveworld.com →
February 2026 reporting on Waymo's $16 billion investment round, valuing the company at approximately $126 billion — larger than most global automakers. Led by Sequoia, DST Global, and Alphabet. Source for Waymo's valuation stat card in Module 04.
Tesla Robotaxi — Wikipedia
en.wikipedia.org →
Timeline of Tesla's Robotaxi service: launched June 22, 2025 in Austin with human safety monitors; NHTSA investigation opened the following day after documented incidents including wrong-way driving and passengers dropped at intersections; approximately 135 vehicles in service as of December 2025; unsupervised vehicles integrated from January 2026. Source for Module 04.
Tesla Robotaxi Privacy Notice
tesla.com →
Tesla publishes a separate Robotaxi Privacy Notice (listed on tesla.com/legal), distinct from its standard vehicle privacy policy — acknowledging that the commercial ride service creates different data obligations than a personally owned vehicle. Source for the "What Tesla says" panel in Module 04.
The Driverless Digest — Waymo Statistics (2025–2026)
thedriverlessdigest.com →
Comprehensive, regularly updated tracker of Waymo's weekly ride counts, city-by-city growth, fleet size, and funding history. Last updated March 2026. Source for Waymo ridership and expansion data in Module 04.
Auto Data Privacy and Autonomy Act (December 2024)
congress.gov →
Bipartisan federal legislation introduced in December 2024 — the first bill specifically targeting connected vehicle data privacy at the federal level. Would require affirmative consent before collection and restrict data sharing with third parties. Status: introduced, pending. Source for the regulatory landscape in Module 05 and the "What to Watch" section.
The Record — Verisk Exit from Driving Data
therecord.media →
Reporting on Verisk's announced exit from the driving behavior data business following regulatory pressure from the Texas AG and other enforcement actions. Source for the Verisk section in Module 05, illustrating that enforcement can change industry behavior.

What to watch in 2025–2026
1. PrivacyTests.org — Currently focused on browser privacy testing, this site represents the model researchers hope to eventually apply to automotive software: automated, reproducible, real-time privacy testing that any consumer can understand.
2. The Markup's ongoing automotive investigations — The Markup pioneered the technical breakdown of connected vehicle data flows. Their continued reporting on data brokers, telematics companies, and the insurance pipeline is the most technically rigorous journalism in this space.
3. EFF's legislative tracking — The EFF tracks how connected vehicle features are used for police surveillance and advocates for federal privacy laws. Their Deeplinks blog is updated regularly with automotive and connected device cases.
4. State AG enforcement actions — Texas, California, and Connecticut have been the most active. The pattern of enforcement is shifting from "what is collected" to "where it goes" — with particular focus on the insurance data pipeline and consent practices.
5. The Auto Data Privacy and Autonomy Act — The bipartisan federal bill introduced in December 2024. If passed, it would be the first comprehensive federal law specifically governing connected vehicle data. Follow its progress at congress.gov.