Your new car has a SIM card, a 4G antenna, a GPS, sensors everywhere. While you drive, it quietly sends to its manufacturer: your location, your speed, your accelerations, your braking, radio usage, activated features. Sometimes directly, sometimes indirectly. And more and more often, this data is monetised or shared with your insurer. Without drama but without naivety, here is what really happens in your dashboard in 2026.
What manufacturers collect
A longer list than you think
Tesla, BMW, Mercedes, Hyundai, Renault, Stellantis: all continuously collect precise geolocation (with timestamp), instantaneous speed, longitudinal and lateral accelerations, braking, lights usage, wipers, A/C, cruise control, and even how often you press each dashboard button. Add to that engine diagnostics, battery, tyres and brakes. On EVs, the full charging history is also uploaded.
Why this collection
Manufacturers invoke three main justifications: product improvement (spotting defects across fleets), safety (issuing recalls) and premium services (real-time navigation, connected parking, OTA updates). That last category is most used to explain why refusing this or that consent disables this or that feature. It is true: no data, no integrated Waze, no remote updates, no range prediction.
Sharing with insurers
Pay-how-you-drive contracts (PHYD)
Since 2022, many companies (Allianz, AXA, Generali, MAIF Connect) offer pay-how-you-drive contracts: your premium adjusts based on your driving style, measured either via an installed box or directly through manufacturer data if you opt in. Promise: 10 to 30% discount for careful drivers. Reality: the premium can also go up for nervous drivers.
What is actually transmitted
The insurer usually receives: an overall driving score (out of 100), mileage, number of harsh braking events per 100 km, number of harsh accelerations, rush-hour usage and night driving. Less often precise geolocation, since France's data protection authority CNIL strictly framed it: only an aggregate score per zone is allowed, no trip trail.
What happens after an accident
With PHYD active, the insurer can request access to the last 30 days of data to analyse your driving and assess any aggravating behaviour. Without PHYD, the insurer can only request EDR (black box) data via adversarial expertise or judicial requisition. The distinction matters: signing a PHYD amounts to permanent transparency, not just post-accident.
What GDPR says
Mandatory explicit consent
GDPR frames every personal data collection in connected cars. The manufacturer must obtain your explicit consent per processing category, and provide clear information on purpose, retention duration and recipients. In practice these consents are requested at vehicle delivery via an app or screen. Any consent can be withdrawn at any time.
The all-or-nothing trap
The major caveat: refusing certain consents often disables premium features. Refuse geolocation, kill connected navigation. Refuse technical data uploads, no more OTA updates. Refuse insurer sharing, lose the preferential rate. CNIL criticised this logic in 2024, requiring manufacturers to offer genuinely granular consent and not condition core functions on excessive collection. Several brands have since redesigned their interfaces.
Right of access and erasure
You can request the full list of data your manufacturer holds about you, its retention duration and recipients. They have one month to reply. You can also request deletion of anything not essential to a legal obligation (EDR, eCall). CNIL has been processing hundreds of connected-car complaints each year since 2023, a sign this issue is rising in public concern.
The Tesla and premium brand case
More intensive collection
Tesla collects particularly broadly: second-by-second geolocation on Autopilot models, exterior camera video (anonymised) to train its AI, biometric usage data. The brand has faced several European inquiries, including a CNIL one in 2023, which ended in transparency commitments but not collection restrictions. BMW and Mercedes practise similar intensity, just better documented.
Resale of aggregated data
Several journalistic inquiries revealed in 2024 that some manufacturers sold aggregated data to data brokers, who resold it to insurers in a less traceable form. The French Road Safety and CNIL requested a thorough investigation, ongoing in late 2026. The manufacturers concerned publicly denied or changed their practices. Lesson: even anonymised, car data sharing is a sensitive topic.
How to regain control
At purchase
Read the data notice and account terms. Refuse by default marketing consents and third-party insurer programs. Activate the bare minimum: eCall (mandatory), built-in navigation if you use it, security updates. Everything else is negotiable and generally reversible.
Over time
Check your car's privacy settings every 6 months (usually in a companion app). Conditions change with software updates, and a consent can be reactivated without explicit alert. Also monitor notification emails: they carry policy changes.
At resale
Before reselling your connected car, do a factory reset and disconnect all accounts (manufacturer, apps). Otherwise the new owner inherits your history. Several documented cases show personal data left in resold used cars, with privacy impact.
The DevisPermis expert opinion
The connected car is neither a trap nor a utopia. GDPR gives you real tools to control what happens, but those tools only work if you use them. Read the consents at delivery, refuse what adds nothing, and be very careful with PHYD offers: the promise of low prices can cost a lot in permanent surveillance. The modern car remains extraordinary, just do not let it decide alone what it shares.
Find the right driving school with DevisPermis.fr
Understanding your car's tech starts during highway code training. Our partner schools cover data, ADAS and regulation issues in modern licence training. Fill in the form in 2 minutes and get a proposal within 48 hours tailored to your project and budget.
Next step
How to get the right support?
DevisPermis.fr connects you for free with a certified driving school near you. Answer 5 questions in 2 minutes, and an advisor will call you back within 48h* to offer a tailored package.
Discuss it for free*Excluding Sundays and public holidays
Frequently asked
Your questions on this topic
What personal data does a connected car collect?
A connected car collects hundreds of parameters: GPS location, speed, braking, Bluetooth contacts, destination history, usage frequency, driving profile. Tesla processes 200 to 300 parameters per second via 8 cameras and 12 ultrasonics. BMW iX records 25 GB/day. Mozilla Foundation 2023 classifies all car brands as "privacy fail", none fully complying with GDPR.
Can the manufacturer sell my car data?
Yes, the manufacturer can sell data to third parties (insurers, ad networks, marketing studies) if the customer accepted Terms of Service, which 87 percent of users validate without reading (CNIL 2023 study). General Motors and Honda share data with LexisNexis and Verisk for insurer scoring. Revocation is in the manufacturer app, sometimes hidden in 4 to 5 menus.
How do you exercise the right to access vehicle data?
GDPR requires the manufacturer to provide all collected data within 1 month, free (article 15). Request by registered letter or email to manufacturer DPO (Data Protection Officer), mentioning name, VIN, period. Tesla, BMW, Mercedes offer a self-service portal. In case of refusal, CNIL complaint via cnil.fr, possible fine up to 4 percent of manufacturer turnover.
How do you disable connectivity in your car?
To disable connectivity: go to Settings > Privacy or Communication menu, disable data sharing, geolocation and online services. Tesla, Renault, Peugeot offer an "offline mode". On some models, removing the TCU (Telematics Control Unit) SIM card totally cuts 4G connection. Warning: this disables eCall (emergency call), illegal in France.
Find your driving school
Continue your research with our dedicated pages.