What we found
Kia EV6: F. Embedded SIM tracks every trip. 15 cameras inside and out.
Mozilla's Privacy Not Included review (September 2023) described Kia's claimed data categories as 'some of the creepiest data categories we have ever seen' and gave Kia the worst possible '*Privacy Not Included' label. There is no technical mechanism in a vehicle or companion app that could collect genetic information or data about a driver's sex life. Kia's policy is so broad that it grants legal permission to collect virtually any data imaginable, regardless of whether the vehicle has the capability to do so.
Tesla Model 3: F. Eight cameras filming everything. Tesla employees shared your cabin footage on Slack. That's not a privacy policy — it's a protection racket with leather seats.
Reuters (Apr 2023): Tesla employees shared cabin camera footage — garages, naked bodies, crashes — on internal Slack. Employees looked up owners by VIN. Footage included children and intimate moments. Two former employees confirmed to Reuters. Tesla's privacy claims directly contradicted by documented internal behavior.
BYD Atto 3: F. Hidden SIM card lets someone call in and listen to your car. Chinese intelligence law applies.
BYD's own Vehicle Privacy Statement (byd.com/au/privacy-statement-of-byd-vehicle) explicitly states: 'We collect driving data about your vehicle such as speed, acceleration, and braking data; direction of travel; trip data (mileage, date, location).' Also collects GPS location, seatbelt status, steering data, and cabin environmental data.
Nissan Leaf: F. Nissan privacy policy lets them collect your sexual activity. For a car.
Nissan privacy policy explicitly discloses sharing data with marketing partners, data brokers, service providers, SiriusXM, dealerships, analytics companies, and advertising networks. Mozilla confirmed this direct contradiction in their review.
GM OnStar / Chevrolet Connected Services: F. GM sold your driving data to insurance companies.
A 2024 New York Times investigation found GM was selling detailed driving behaviour data — including hard braking, rapid acceleration, speeding, and late-night driving — to insurance data brokers LexisNexis and Verisk. Drivers' insurance premiums increased by hundreds of dollars based on data they did not know was being collected or sold. The data was gathered through the OnStar Smart Driver programme, which many owners had enrolled in unknowingly.
Mercedes-Benz MB.OS / MBUX: F. Mercedes left a GitHub token exposed that unlocked their entire internal source code — including cloud access keys, API credentials, and connected vehicle ba...
In 2024, security researchers discovered a misconfigured GitHub token that exposed Mercedes-Benz's entire internal source code repository, including cloud access keys, internal API credentials, and design documents. The leak was discovered by RedHunt Labs and reported through responsible disclosure. The exposed repository included code for Mercedes's connected vehicle backend.
Subaru Starlink Connected Services: F. Two security researchers accessed Subaru's admin portal and could unlock any Subaru in the country, start the engine, and pull a full year of location histor...
In January 2025, security researchers Sam Curry and Shubham Shah demonstrated they could remotely access Subaru Starlink's admin portal, enabling them to unlock any Subaru, start the engine, retrieve a full year of location history, and access customer PII for millions of vehicles — all through a vulnerability in a single employee-facing web application.
VW ID.4 / Cariad Platform: F. 800,000 Volkswagen electric vehicles' GPS locations leaked from an unsecured Amazon cloud bucket.
In December 2024, a Der Spiegel investigation with the Chaos Computer Club revealed that Volkswagen's software subsidiary Cariad had exposed precise GPS location data for 800,000 electric vehicles — including VW, Audi, Seat, and Skoda — in an unsecured Amazon cloud storage bucket. The data included precise parking locations, trip histories, and could be linked to owners' names and contact details. Vehicles belonging to German politicians, intelligence service employees, and police officers were among those exposed.