Published on March 12, 2024

Your modern vehicle is not just a mode of transport; it’s an active node in a vast, unregulated data marketplace, and Canadian privacy laws offer a dangerously false sense of security.

  • Automakers collect and sell far more data than necessary, including sensitive location history and driving behaviours.
  • Keyless entry systems have created new physical vulnerabilities like « Relay Attacks, » fuelling a vehicle theft crisis in Canada.
  • The legal framework, including PIPEDA, struggles to keep pace, leaving significant privacy grey zones that corporations exploit.

Recommendation: Actively manage your vehicle’s privacy settings, question data-for-discount deals, and use physical security measures to protect against digital threats. True defense begins with informed dissent.

The moment you sync your phone, ask for directions, or simply drive to the grocery store, your connected car is watching, listening, and recording. This isn’t a dystopian fantasy; it’s the unsettling reality of modern vehicle ownership in Canada. While drivers worry about their smartphone’s privacy, the four-wheeled computer in their driveway has become one of the most powerful and invasive data collection devices they own. Most drivers assume that privacy laws and the vehicle’s purchase price grant them control over their data. This assumption is fundamentally flawed.

Beneath the surface of convenience features like remote start and live traffic updates lies a sprawling data brokerage ecosystem. Your driving habits, location history, and even in-car conversations are valuable commodities. This article moves beyond the common knowledge that « cars collect data. » We will investigate the specific economic incentives driving this surveillance, expose the actors buying your information, and critically examine whether Canadian laws like PIPEDA offer any meaningful protection. We’ll also uncover the alarming connection between your car’s digital vulnerabilities and the physical threat of theft, and provide concrete steps to reclaim a measure of control.

This is not about forgoing technology; it’s about understanding the high-stakes trade-off you’re making, often without full consent. We will deconstruct the mechanisms of this new automotive data economy, from software-locked features to the questionable value of insurance telematics, equipping you with the knowledge to challenge the status quo.

To navigate this complex issue, we have structured this investigation to address the most critical questions a privacy-conscious Canadian driver should be asking. The following sections will guide you through the key threats, legal realities, and defensive actions you can take.

Who is buying your location history from your car manufacturer?

The simple answer is a complex and opaque network of companies you’ve likely never heard of. Your car manufacturer is the primary gateway to a sprawling data brokerage ecosystem. Every trip you take generates valuable data points: where you go, when you go, how fast you drive, how hard you brake, and even the music you listen to. This information is aggregated, anonymized (a term with a notoriously loose definition), and sold to third parties. These buyers include insurance companies, urban planners, retail marketers, and financial institutions, all seeking to build detailed profiles of consumer behaviour.

The scale of this collection is staggering, and it’s happening against a backdrop of significant public concern. In fact, a recent survey found that 57% of Canadian drivers with connected cars are concerned about data privacy. This concern is well-founded. A landmark 2023 study from the Mozilla Foundation reviewed 25 major car brands and labelled modern cars a « privacy nightmare. » The investigation concluded that every single brand collected more personal data than necessary, often using it for vague, unrelated purposes like « marketing. »

The average Canadian is uncertain about the data that companies extract, repurpose, sell, or exploit while we’re in our cars.

– Natasha Tusikov, Rates.ca interview on vehicle data privacy

This uncertainty is by design. Automakers bury consent in lengthy terms-of-service agreements that few customers read, effectively getting a free pass to monetize a continuous stream of your personal information. The value isn’t just in a single data point, but in the patterns that emerge over time, creating a behavioural profile that can be incredibly lucrative and deeply invasive.

Why must you factory reset the infotainment system before returning a rental?

Returning a rental car without clearing its digital memory is like leaving your personal diary on the passenger seat. When you pair your smartphone, the car’s infotainment system syncs an astonishing amount of personal information: your contact list, call logs, text messages, and a detailed map of your recent destinations, including your home address. This data doesn’t automatically disappear when you return the keys. It remains stored in the system, accessible to the next driver, rental agency employees, or anyone with basic technical knowledge.

This creates a significant privacy and security risk. A malicious actor could potentially access your home address, see who you’ve been calling, and even gain access to connected accounts if you’ve logged into apps via the car’s interface. It’s a digital footprint you leave behind that extends far beyond the rental period. This is why performing a factory reset is not just good practice; it’s a critical security measure. This function is designed to wipe all user-added data and return the infotainment system to its original state, just as it was when it left the factory.

[Image: Close-up view of a car's center console showing privacy settings menu]

As the image above illustrates, these settings are often buried within layers of menus. Taking the time to locate and execute the reset is your only guarantee of privacy. Before you hand back the keys, you must perform a digital cleanup to protect your personal information.

Your Pre-Return Rental Car Privacy Checklist

  1. Paired Devices: Navigate to the Bluetooth or phone settings menu and delete all paired phone connections.
  2. Navigation History: Go into the navigation system and clear all recent destinations, saved locations, and trip histories.
  3. Stored Contacts: Find the phonebook or contacts section and ensure all imported contacts and call logs are removed.
  4. Full System Reset: Locate the main « Settings » menu, find an option like « System, » « Privacy, » or « General, » and select « Factory Reset » or « Delete All Personal Data. »
  5. Final Verification: After the system reboots, quickly check the Bluetooth and navigation menus to confirm that your information has been successfully erased.

Does PIPEDA protect your vehicle data better than US laws?

Canada’s primary federal privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), is often seen as a robust framework. However, when applied to the complex world of connected vehicle data, it reveals significant legal grey zones and limitations. PIPEDA is based on principles of consent, but it often allows for « implied consent, » which is exactly what automakers rely on when you tick a box during the vehicle purchase process. The protection it offers is, in practice, far weaker than what many Canadians assume.

In contrast, newer, more specific legislation like Quebec’s Law 25 provides a glimpse of a more stringent future. Law 25 moves away from implied consent and demands explicit, opt-in consent for data collection and tracking. It also grants consumers more concrete rights, including the right to data portability and the right to be forgotten (deletion). The enforcement teeth are also sharper, with penalties for non-compliance that can reach up to CAD $25 million or 4% of global turnover, far exceeding PIPEDA’s maximum fine of CAD $100,000.

This table, based on an analysis of modern privacy regulations, highlights the key differences and shows why a patchwork of laws across Canada leaves many drivers exposed.

Canadian Privacy Laws: PIPEDA vs. Quebec Law 25
| Aspect | PIPEDA (Federal) | Quebec Law 25 |
|---|---|---|
| Consent Requirements | Allows implied consent in some situations | Requires explicit opt-in consent for all tracking |
| Data Subject Rights | Access and correction rights | Full rights including data portability and deletion |
| Maximum Penalties | CAD $100,000 | CAD $25 million or 4% of global turnover |
| Private Right of Action | No | Yes, minimum $1,000 damages |

While PIPEDA provides a baseline, it was not designed for the age of the rolling supercomputer. Its principles are too broad to effectively govern the specific, high-volume data streams generated by cars. Quebec’s model demonstrates a stronger path forward, but for the majority of Canadians, federal law offers a porous shield at best against the aggressive data collection practices of global automakers.

The « Relay Attack » that steals cars from driveways in 60 seconds

The digital vulnerabilities of your connected car have a terrifying physical consequence: theft. Canada is in the grip of an auto theft crisis, with organized crime syndicates exploiting a simple technological flaw in keyless entry systems. Insurers paid out a record-breaking $1.5 billion in theft claims in 2023 alone, a clear indicator of the scale of this problem.

The most common method is the « Relay Attack. » It requires two thieves and two electronic devices. One thief stands near your house with a relay amplifier, which captures the weak signal from your key fob inside. This signal is then amplified and relayed to a second device held by an accomplice standing next to your car in the driveway. The car is tricked into thinking the key is present, allowing it to be unlocked and started. The entire process can take less than a minute, and it happens silently, often while you’re asleep. This has created a climate of fear, particularly in urban centres; a recent poll found that 63% of Greater Toronto Area residents live in fear of their vehicle being stolen.

[Image: Nighttime suburban driveway scene showing vehicle security measures]

The most effective defence against this digital-to-physical threat is surprisingly low-tech: a Faraday pouch or box. These signal-blocking containers are lined with a metallic fabric that creates a cage, preventing the key fob’s signal from escaping. By simply storing your keys in a Faraday pouch when at home, you sever the first link in the relay attack chain, rendering the thieves’ equipment useless. Other deterrents include steering wheel locks and OBD port protectors, which add physical barriers that slow criminals down.
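
The model below is an added illustration, not code from this article or from any automaker. It shows why a relay works even when the fob's answer is cryptographically sound, and why a shielded fob breaks the chain. The HMAC challenge-response, the 2 m range and all class and function names are assumptions made for the sketch; real keyless systems differ by manufacturer.

```python
import hashlib
import hmac
import os

FOB_RANGE_M = 2.0  # assumed: the unaided fob/car radio link only works within ~2 m


class Fob:
    def __init__(self, key, in_faraday_pouch=False):
        self.key = key
        self.in_faraday_pouch = in_faraday_pouch

    def respond(self, challenge):
        # A shielded fob never hears the challenge, so it never answers.
        if self.in_faraday_pouch:
            return None
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


class Car:
    def __init__(self, key):
        self.key = key

    def try_unlock(self, link):
        challenge = os.urandom(16)  # fresh per attempt, so a recorded answer is useless
        response = link(challenge)
        if response is None:
            return False
        expected = hmac.new(self.key, challenge, hashlib.sha256).digest()
        # The car verifies WHO answered. Nothing here verifies HOW FAR AWAY they are.
        return hmac.compare_digest(response, expected)


def direct_link(fob, distance_m):
    """Normal radio path: the challenge only reaches a fob that is within range."""
    def link(challenge):
        return fob.respond(challenge) if distance_m <= FOB_RANGE_M else None
    return link


def relayed_link(fob):
    """Relay pair: both messages are forwarded unchanged, so distance stops mattering."""
    return fob.respond


def scenarios():
    key = os.urandom(32)
    car = Car(key)
    fob = Fob(key)                                   # left on the hall table
    pouched_fob = Fob(key, in_faraday_pouch=True)    # same fob, stored in a pouch
    other_fob = Fob(os.urandom(32))                  # belongs to a different car
    return {
        "owner_at_door": car.try_unlock(direct_link(fob, 1.0)),
        "wrong_fob_at_door": car.try_unlock(direct_link(other_fob, 1.0)),
        "fob_indoors_no_relay": car.try_unlock(direct_link(fob, 15.0)),
        "fob_indoors_relay": car.try_unlock(relayed_link(fob)),
        "fob_in_pouch_relay": car.try_unlock(relayed_link(pouched_fob)),
    }


if __name__ == "__main__":
    for name, unlocked in scenarios().items():
        print(f"{name:22s} unlocked={unlocked}")
```

The relayed case succeeds because the genuine fob produces a genuine answer; the car's only implicit proximity check was radio range, which the pouch restores by keeping the fob from answering at all.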

How to opt out of data sharing in your car’s infotainment menu?

While completely stopping data collection is nearly impossible, you can take steps to limit the flow of information. The process is called « informed dissent »—actively refusing to share data once you understand the risks. The key is to navigate the labyrinthine menus of your car’s infotainment system to find the privacy controls, which are often deliberately obscured.

Start by looking for a main « Settings » menu, then search for sub-menus labeled « Privacy, » « Data Sharing, » or « Connected Services. » Here, you are looking for any option that allows the car to transmit data about its usage, location, or your driving behaviour. Automakers use appealing names for these features, such as « Driving Coach, » « Vehicle Health Report, » or « Connected Navigation. » In reality, they are often surveillance tools. You must be methodical in disabling them, one by one.

I suspect the car companies don’t really want to have this conversation. Their argument will be, ‘well, you consent to this at the time of purchase’.

– Michael Power, Toronto privacy lawyer quoted in National Magazine

To exercise a greater degree of control, consider the following practical steps. This is not a one-time fix; software updates can sometimes reset these preferences, requiring you to check them periodically.

  • Locate Privacy Settings: Systematically go through every menu option under Settings > Privacy, Connectivity, or Connected Services.
  • Disable Behaviour Monitoring: Turn off any feature with names like ‘driver behaviour monitoring,’ ‘driving score,’ or ‘remote access.’
  • Opt Out of Diagnostics: Disable ‘connected diagnostics’ and ‘usage-based services’ unless a specific repair situation requires them. You can always enable them temporarily.
  • Disconnect from Cloud Services: Log out of and disconnect any manufacturer’s cloud services or companion mobile apps, which are major data pipelines.
  • Use Your Legal Rights: For drivers in Canada, you can formally request a copy of the data your manufacturer holds on you under PIPEDA.

Why is your heated seat function locked behind a software paywall?

The concept of « Features-as-a-Service » (FaaS) represents a new and alarming frontier in the automotive industry. Imagine buying a house and then having to pay a monthly fee to use the furnace that was already installed. That is the principle behind automakers locking hardware features, like heated seats or a more powerful engine mode, behind a software paywall. The physical components are built into every car on the assembly line to save costs, but they are deactivated by default. To use the feature, you must pay a recurring subscription fee.

This business model creates a fundamental hardware-software disconnect. You own the physical car, but you are merely licensing the software that makes it fully functional. From the automaker’s perspective, this creates a continuous revenue stream long after the initial sale. For the consumer, it feels like being charged for something you’ve already paid for. This practice is particularly frustrating in Canada, where a feature like heated seats is considered by many to be a near-necessity during harsh winters, not a luxury add-on.

This model is also legally questionable under Canadian consumer protection laws. Legal experts are beginning to question whether selling a vehicle with intentionally non-functional hardware, only to charge a fee to activate it, constitutes a deceptive or unfair practice. The argument is that the consumer reasonably expects all installed hardware to be operational at the time of purchase. As this FaaS model becomes more common, it is likely to face significant legal challenges and regulatory scrutiny, but for now, it’s a growing trend that further erodes the traditional concept of vehicle ownership.

Is saving 25% worth letting the insurance company track your braking?

Usage-Based Insurance (UBI) is the most explicit data-for-discount trade-off a driver can make. Insurers across Canada offer programs that promise discounts of up to 25% in exchange for monitoring your driving habits. This is typically done through a smartphone app or a device that plugs into your car’s OBD-II port. These devices track metrics like hard braking, rapid acceleration, time of day you drive, and total distance. The insurer then assigns you a « risk score » that influences your premium.

On the surface, it seems like a fair deal for safe drivers. However, you are handing over a granular and continuous stream of behavioural data to a company whose entire business model is based on assessing risk. As one insurance expert noted, with claims costs rising, insurers are more motivated than ever to find new ways to segment customers. This data could potentially be used for more than just calculating a discount; it could be used to deny claims, increase rates after a minor incident, or be shared with other parties.

The following table, with data drawn from a recent CBC investigation into insurance telematics, shows what some of the largest Canadian providers are tracking.

Canadian Usage-Based Insurance Programs Comparison
| Insurance Company | Program Name | Data Collected | Potential Discount |
|---|---|---|---|
| Intact Insurance | myDrive | Speed, acceleration, braking, time of day | Up to 25% |
| Desjardins | Ajusto | Distance, harsh braking, rapid acceleration | Up to 25% |
| CAA | MyPace | Annual kilometers driven | Pay-per-km model |

The critical question every Canadian driver must ask is whether the potential savings are worth the permanent digital record of their every move behind the wheel. A single hard-braking event to avoid a pedestrian could be misinterpreted by an algorithm as « risky driving. » The context is lost, but the data point remains. Before enrolling, you must weigh the guaranteed loss of privacy against a potential, but not guaranteed, discount.
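
To make the lost-context problem concrete, here is an added sketch of how a telematics scorer could turn a speed trace into « hard braking » events. It is not any insurer's algorithm: the 3.0 m/s² threshold, the 5-point penalty, the function names and the speed traces are all constructed for illustration.

```python
from dataclasses import dataclass

HARD_BRAKE_MS2 = 3.0   # assumed threshold, not an insurer's published value
PENALTY_PER_EVENT = 5  # assumed points deducted from a 100-point score


@dataclass
class BrakeEvent:
    # Everything the scorer keeps about an event. There is no field for "why".
    start_s: int
    duration_s: int
    peak_decel_ms2: float


def hard_brake_events(speeds_kmh, threshold=HARD_BRAKE_MS2):
    """Group consecutive 1 Hz samples whose deceleration meets the threshold."""
    events, current = [], None
    for t in range(1, len(speeds_kmh)):
        decel = (speeds_kmh[t - 1] - speeds_kmh[t]) / 3.6  # km/h per second -> m/s^2
        if decel >= threshold:
            if current is None:
                current = BrakeEvent(start_s=t - 1, duration_s=0, peak_decel_ms2=0.0)
            current.duration_s += 1
            current.peak_decel_ms2 = max(current.peak_decel_ms2, round(decel, 2))
        elif current is not None:
            events.append(current)
            current = None
    if current is not None:  # trace ended while still braking hard
        events.append(current)
    return events


def risk_score(trips):
    """100 minus a fixed penalty per hard-brake event, floored at 0."""
    total = sum(len(hard_brake_events(trip)) for trip in trips)
    return max(0, 100 - PENALTY_PER_EVENT * total)


# Constructed 1 Hz speed traces in km/h.
SMOOTH_COMMUTE = [50, 50, 48, 45, 41, 36, 30, 24, 18, 12, 6, 0]
PEDESTRIAN_STOP = [50, 50, 50, 36, 20, 6, 0, 0]  # driver brakes to avoid a pedestrian
TAILGATING_STOP = [50, 50, 50, 36, 20, 6, 0, 0]  # driver was following too closely

if __name__ == "__main__":
    print(hard_brake_events(PEDESTRIAN_STOP))
    print(risk_score([SMOOTH_COMMUTE, PEDESTRIAN_STOP]))
    print(risk_score([SMOOTH_COMMUTE, TAILGATING_STOP]))
```

The two stops are deliberately the same sequence of numbers: an accelerometer or speed sensor records the deceleration, not the reason for it, so both drivers receive the same event and the same score.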

Key Takeaways

  • Your car’s data is a valuable commodity sold to a network of data brokers, marketers, and insurance firms.
  • Canadian privacy law (PIPEDA) offers weak, principle-based protection with loopholes that automakers exploit.
  • Physical security, like using a Faraday pouch, is the most effective defense against digital « Relay Attacks » for keyless entry cars.

Over-The-Air Updates: New Features or New Glitches?

Over-the-Air (OTA) updates are the mechanism that enables the connected car’s evolving functionality. Just like your smartphone, your vehicle can now receive software updates remotely, delivering new features, security patches, and bug fixes without a trip to the dealership. According to projections from Deloitte, virtually 100% of new cars were equipped with this wireless technology by 2022, making it a standard feature of modern vehicle ownership. This capability is what allows for the Features-as-a-Service model and enables insurers to monitor your driving in real time.

However, this constant connectivity also introduces new risks. A poorly tested OTA update can introduce new glitches, disable critical functions, or even create security vulnerabilities that weren’t there before. Unlike a mechanical recall, where a physical part is replaced, a software-induced problem is invisible and can be difficult to diagnose. This has created a new challenge for regulators.

Transport Canada is actively conducting consultations to modernize its vehicle standards, recognizing that a safety issue caused by a line of code needs a different regulatory approach than a faulty brake line. The key question they are grappling with is one of liability: if an OTA update causes a crash, who is at fault? The automaker who pushed the update? The software developer? The driver who accepted the update? These are the complex legal grey zones that define the future of automotive safety and privacy. As cars become more reliant on software, the integrity and security of that software become paramount.

The evolution of OTA updates will define the next decade of driving. Understanding the dual nature of this technology as both a feature and a potential flaw is essential for navigating the future of vehicle ownership.

The evidence is clear: your connected car operates within a complex ecosystem where your data is the primary currency and your privacy is an afterthought. To navigate this new reality, the first and most critical step is to shift your mindset from passive consumer to active, informed owner. Start by investigating your own vehicle’s data collection policies and taking control of its privacy settings. Your security depends on it.

Written by David Chen, Automotive Systems Engineer and EV Technology Expert. Specializes in battery thermal management, Advanced Driver Assistance Systems (ADAS), and connected car security. He provides technical foresight into the electrification of the Canadian transport grid.