Garmin says you control your data, but their dash cam app tracks your location in the background, reads your call history and contacts, can send text messages and make phone calls on your behalf, and scans every app on your phone — far beyond what a dash cam needs. Garmin's privacy policy lists only basic data like your email and location, but their app can actually access your microphone, camera, phone call history, contact list, and text messages — none of which are mentioned in the policy.
What they claim: Garmin privacy policy states: "Your personal data belongs to you, and you control what you share and with whom you share it." Policy emphasises user control over data.
What we found: The Garmin Drive companion app requests 40 permissions including ACCESS_BACKGROUND_LOCATION (continuous GPS tracking even when app is not in use), READ_CALL_LOG, READ_CONTACTS, SEND_SMS, CALL_PHONE, and ANSWER_PHONE_CALLS — none of which are necessary for a dash cam. The app also requests QUERY_ALL_PACKAGES to scan all installed apps on the user's phone.
What they claim: Garmin Consumer Automotive Privacy Policy states it collects "contact information, location, device information, and email address" — a seemingly limited list.
What we found: The Garmin Drive app requests RECORD_AUDIO (microphone access), CAMERA, HIGH_SAMPLING_RATE_SENSORS (accelerometer/gyroscope data), READ_CALL_LOG, READ_CONTACTS, and SEND_SMS. These data categories — audio recordings, phone call history, contact lists, SMS capability, and high-frequency sensor data — are not disclosed in the privacy policy's data collection summary.
What they claim: The Garmin Dash Cam Mini 2 is marketed as a simple, compact dash cam for recording drives and incidents.
What we found: The companion app requests ACCESS_BACKGROUND_LOCATION for continuous GPS tracking, RECORD_AUDIO for microphone recording, HIGH_SAMPLING_RATE_SENSORS for accelerometer/gyroscope data, and REQUEST_COMPANION_RUN_IN_BACKGROUND to keep running permanently. The device connects to connect.garmin.com, di-edge.garmin.com, sso.garmin.com, api.garmin.com, and vault.garmin.com — a full telemetry infrastructure for a device that records video.
What they claim: The Garmin Dash Cam Mini 2 has no built-in GPS — it requires pairing with another GPS-equipped device for location data.
What we found: Despite having no GPS, the companion app requests ACCESS_FINE_LOCATION, ACCESS_COARSE_LOCATION, and ACCESS_BACKGROUND_LOCATION — using the phone's GPS to continuously track location. This means the app collects precise location data through the phone even though the camera itself has no GPS capability, effectively making the phone a location tracker for the camera.
What they claim: Garmin states "We don't sell your personal data to anyone" and positions itself as privacy-respecting.
What we found: The Garmin Drive app includes Google Firebase Analytics and Google Crashlytics trackers which transmit device telemetry to Google. The app also requests ACCESS_ADSERVICES_AD_ID and ACCESS_ADSERVICES_ATTRIBUTION — Google advertising identifiers used for ad tracking and attribution across apps. App endpoints include di-edge.garmin.com, suggesting edge analytics infrastructure.
What they claim: Garmin privacy policy states it "only stores footage that you manually save or that is saved automatically via incident detection."
What we found: The 2020 WastedLocker ransomware attack took all Garmin services offline for days, including Vault cloud storage. Customers could not access stored dash cam footage. Garmin reportedly paid 0 million ransom. While Garmin claims no customer data was accessed, the incident proves that "your" footage stored in Vault is entirely dependent on Garmin's infrastructure security, which was compromised by a known Russian cybercrime group (Evil Corp).
What they claim: Garmin dismissed Which? security findings, stating "numerous factors limit the exploitability of any purported vulnerabilities such that there is no practical risk to our customers."
What we found: Which? consumer testing found Garmin dash cams use weak default Wi-Fi passwords allowing nearby attackers to access journey data, saved recordings, and personal information. Simultaneously, Anvil Secure discovered 7 critical CVEs (CVE-2023-23298 through CVE-2023-23306) in GarminOS including buffer overflows and complete permission bypasses with CVSS scores up to 9.8. CVE-2020-27486 (CVSS 9.9) allowed malicious apps to escape the ConnectIQ sandbox entirely.
What they claim: Garmin policy states activity data "defaults to private" and users control sharing.
What we found: CVE-2022-46081 demonstrated that terminating a Garmin LiveTrack session did not actually stop the LiveTrack API from exposing private location data. Users who believed they stopped sharing were still being tracked. The Garmin Drive app has ACCESS_BACKGROUND_LOCATION and REQUEST_COMPANION_RUN_IN_BACKGROUND permissions, meaning location collection continues even when the user is not actively using the app.
What they claim: Garmin policy states data is shared with "service providers" for "analytics and hosting services" — implying limited, functional sharing.
What we found: Garmin shares data with "Garmin subsidiaries globally" — a worldwide corporate network. The 2020 ransomware attack demonstrated that Garmin's global infrastructure (covering fitness, aviation, marine, and automotive) is interconnected. Garmin operates across fitness tracking, vehicle monitoring, aviation, and marine — creating potential for cross-product data correlation. The Garmin Drive app includes Google advertising attribution trackers (ACCESS_ADSERVICES_ATTRIBUTION).
What they claim: Garmin Drive app is positioned as a companion for dash cams and car navigation.
What we found: The app requests SEND_SMS (send text messages), CALL_PHONE (make phone calls), ANSWER_PHONE_CALLS, and READ_CALL_LOG — telephony permissions typically associated with communication apps, not automotive accessories. The app also requests SYSTEM_ALERT_WINDOW to draw over other apps. Which? found these excessive permissions combined with weak security constitute a privacy risk.
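The comparison behind the permission findings above can be reproduced on any decoded AndroidManifest.xml. The following is an added example, not part of the original report and not Garmin's code: the sample manifest is constructed, and the permission-to-category mapping and function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Constructed sample: a subset of the permissions named on this page plus one
# unrelated permission. It is not the real Garmin Drive manifest.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.dashcam">
  <uses-permission android:name="android.permission.BLUETOOTH_CONNECT"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission-sdk-23 android:name="android.permission.QUERY_ALL_PACKAGES"/>
</manifest>"""
# Assumed mapping from permission to the data category it exposes.
CATEGORY = {
    "ACCESS_FINE_LOCATION": "location", "ACCESS_COARSE_LOCATION": "location",
    "ACCESS_BACKGROUND_LOCATION": "location", "CAMERA": "camera",
    "RECORD_AUDIO": "audio recordings", "READ_CALL_LOG": "phone call history",
    "READ_CONTACTS": "contact lists", "SEND_SMS": "SMS capability",
    "CALL_PHONE": "telephony", "ANSWER_PHONE_CALLS": "telephony",
    "QUERY_ALL_PACKAGES": "installed apps",
}
# Categories in the policy summary quoted on this page.
DISCLOSED = {"contact information", "location", "device information", "email address"}

def requested_permissions(manifest_xml):
    """Short names of every permission requested by a decoded manifest."""
    root = ET.fromstring(manifest_xml)  # use a hardened parser for untrusted APKs
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                names.add(name.rsplit(".", 1)[-1])
    return sorted(names)

def undisclosed_categories(manifest_xml, disclosed=frozenset(DISCLOSED)):
    """Map each data category missing from the policy to its permissions."""
    gaps = defaultdict(list)
    for perm in requested_permissions(manifest_xml):
        category = CATEGORY.get(perm, "unmapped (review manually)")
        if category not in disclosed:
            gaps[category].append(perm)
    return dict(gaps)
if __name__ == "__main__":
    for category, perms in sorted(undisclosed_categories(SAMPLE_MANIFEST).items()):
        print(f"{category}: {', '.join(perms)}")
```

Permissions missing from the mapping are reported as unmapped rather than dropped, so a newly added permission is flagged for manual review.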