Your connected car knows more about you than your smartphone. It tracks where you drive, how fast you brake, whether you wear your seatbelt, and increasingly, it can capture voice recordings and even images from inside the cabin. Most drivers have no idea this data is being collected, let alone shared with third parties like insurance companies.

A landmark lawsuit in the United States has brought connected vehicle data privacy into the global spotlight, and the implications for South African motorists under POPIA are significant. If you drive a car manufactured in the last five years, this article is for you.

From Priviso Live - Episodes 70 & 71

This article is based on our deep-dive discussion about connected vehicle data privacy, the Toyota lawsuit, and what POPIA means for smart car surveillance.

The Toyota Lawsuit: What Happened

In early 2026, a Florida man filed a $5 million lawsuit against Toyota after discovering that his connected vehicle had been silently transmitting his driving data to Progressive Insurance. The data included his GPS location, speed, braking patterns, acceleration habits, and seatbelt usage. What makes this case particularly alarming is that the driver had specifically opted out of Progressive's own telematics tracking programme. He believed he had taken the necessary steps to protect his privacy. He was wrong.

The data did not flow directly from Toyota to Progressive. Instead, it passed through an intermediary company called Connected Analytic Services, a data aggregation firm that collects vehicle telemetry from multiple manufacturers and packages it for third-party buyers, including insurance companies. This creates an opaque data supply chain where consumers have no visibility into who is receiving their personal information or how it is being used.

Progressive reportedly used this data to assess the driver's risk profile, potentially influencing his insurance premiums. The driver only discovered the arrangement after conducting his own investigation into why his insurance costs had increased. Without that personal initiative, the data sharing would have continued indefinitely, entirely without his knowledge or consent.

"I opted out of everything I could find. I said no to every tracking programme. But my car was sending data anyway, through a back door I didn't even know existed."

To make matters worse, Toyota's terms and conditions include a forced arbitration clause, effectively preventing the plaintiff from pursuing a class action lawsuit on behalf of the millions of other Toyota owners whose data may have been shared in the same manner. This is a deliberate strategy to limit legal exposure and keep individual disputes out of the public eye.

What Data Does Your Connected Car Actually Collect?

Modern connected vehicles are essentially rolling surveillance platforms. The amount of personal information they generate and transmit is staggering, and most of it falls squarely within the definition of personal information under POPIA.

Here is what a typical connected car from 2022 or later is capable of collecting:

  • Location and GPS data: Real-time tracking of every journey, including start points, destinations, routes taken, stops made, and time spent at each location. Over time, this creates an extraordinarily detailed map of your daily life.
  • Driving behaviour: Speed, acceleration, braking force, cornering patterns, seatbelt usage, and lane discipline. This is precisely the data insurers want for building risk profiles.
  • Vehicle diagnostics: Engine performance, fuel consumption, tyre pressure, service history, and fault codes. While seemingly technical, this data is linked to your VIN and therefore to you personally.
  • Infotainment data: Phone contacts synced via Bluetooth, call history, text messages, music preferences, and navigation search history.
  • Voice recordings: Many vehicles with voice-activated assistants record and transmit audio for processing, potentially capturing private conversations.
  • Camera and image data: Vehicles with cabin-facing cameras (increasingly common for driver attention monitoring) can capture images and video of occupants.
  • Biometric indicators: Some premium vehicles monitor heart rate, drowsiness levels, and eye movement through steering wheel sensors and cameras.

Important: When you sync your smartphone to your vehicle's infotainment system, your contacts, call logs, and messages may be stored in the vehicle's memory. This data can persist even after you disconnect your phone or sell the car. Always perform a factory reset before selling or returning a connected vehicle.

Under POPIA, virtually all of this data qualifies as personal information because it can be linked to an identifiable individual through the vehicle identification number (VIN), registration details, or connected services account.

Your Features Can Be Remotely Disabled Overnight

The Toyota lawsuit is not the only connected vehicle controversy making headlines. In a separate incident, German regulators forced Toyota to push an over-the-air (OTA) update to Lexus vehicles that disabled the remote start feature. Owners woke up one morning to find that a capability they had paid for as part of the purchase price of their vehicle had simply been switched off overnight. No prior notice was given. No refund was offered. No consent was sought.

This incident exposes a fundamental tension at the heart of connected vehicle ownership: you own the hardware, but the software is licensed. The car sitting in your driveway belongs to you, but the software that makes it function is governed by an end-user licence agreement that the manufacturer can modify at any time.

OTA updates are a double-edged sword. On one hand, they allow manufacturers to patch security vulnerabilities and improve vehicle performance without requiring a physical visit to a dealership. On the other hand, they give manufacturers the ability to alter, downgrade, or remove features from vehicles that consumers have already purchased. The owner has no practical ability to refuse these updates because declining them may void warranty coverage or disable essential safety systems.

For South African consumers, this raises serious questions under the Consumer Protection Act (CPA). Section 56 of the CPA provides an implied warranty that goods must be suitable for the purpose for which they were purchased. If a vehicle is marketed and sold with a specific feature such as remote start, and that feature is subsequently removed via a software update, the manufacturer may be in breach of this warranty.

The challenge is enforcement. The CPA was drafted before connected vehicles were commonplace, and its provisions do not explicitly address the scenario where a manufacturer can remotely alter the functionality of a product after the point of sale. This is a regulatory gap that South African lawmakers will need to address as connected vehicles become the norm.

What POPIA Says About Vehicle Data Collection

POPIA applies to any entity that processes personal information of South African data subjects, regardless of where that entity is based. If Toyota, BMW, Mercedes-Benz, or any other manufacturer collects data from vehicles registered in South Africa, they are subject to POPIA. The Act sets out clear requirements that connected vehicle manufacturers must comply with.

Consent and Lawful Processing

Section 11 of POPIA requires that personal information must be processed on a lawful basis. The most common basis is consent, which Section 11(1)(a) stipulates must be voluntary, specific, and informed. Burying data collection clauses in a 40-page terms and conditions document written in dense legal language does not constitute informed consent under POPIA.

Moreover, Section 15 requires that data subjects be notified of the purpose for which their data is being collected. If a manufacturer collects driving behaviour data ostensibly for "improving the driving experience" but then shares it with insurance companies, this constitutes a secondary purpose that was not disclosed at the point of collection. This is a direct violation of POPIA's purpose limitation principle under Section 13.

The intermediary model used in the Toyota case, where data flows through aggregators like Connected Analytic Services, creates additional compliance complications. Under POPIA, each entity in the data processing chain must have a lawful basis for processing. The aggregator is an "operator" under POPIA (Section 1), and the manufacturer as "responsible party" remains accountable for ensuring the operator processes data in compliance with the Act (Section 21).

The Right to Object

Section 11(3) of POPIA grants data subjects the right to object to the processing of their personal information. This is particularly relevant in the connected vehicle context because many manufacturers do not provide a meaningful mechanism for drivers to object to data collection without disabling essential vehicle functions.

A connected vehicle owner in South Africa should be able to object to their driving data being shared with third parties without losing access to safety features like collision avoidance or emergency calling. If a manufacturer bundles consent for data sharing with consent for essential services, this may constitute a violation of Section 11(1)(a), which requires that consent be given freely. Consent is not free if refusing it means your car will not function properly.

Data Subject Access Requests

Section 23 of POPIA gives every data subject the right to request access to the personal information that an organisation holds about them. South African connected car owners can submit a formal data subject access request (DSAR) to their vehicle manufacturer demanding a complete record of all personal data collected from their vehicle, including details of any third parties with whom that data has been shared.

Manufacturers are required to respond within a reasonable time (generally interpreted as 30 days in line with PAIA timeframes). The response must include the categories of data collected, the purposes of processing, any recipients of the data, and the retention period. In practice, this means you have a legal right to demand that Toyota, or any other manufacturer, tell you exactly what data your car has been transmitting, to whom, and why.

How to Protect Your Privacy as a Connected Car Owner

Privacy Protection Checklist for Connected Vehicle Owners

  1. Read the connected services agreement before you sign. When purchasing or leasing a vehicle, ask for the connected services terms separately from the general sales agreement. Look specifically for clauses about data sharing with third parties, data aggregators, and insurance partners.
  2. Opt out of non-essential data sharing. Most manufacturers offer a connected services portal or app where you can review and adjust data sharing preferences. Disable any sharing that is not strictly necessary for vehicle safety and maintenance. Document what you opted out of and when.
  3. Submit a DSAR to your manufacturer. Under POPIA Section 23, write to your vehicle manufacturer and request a full disclosure of all personal data collected from your vehicle, the purposes of processing, and any third parties who have received your data. This gives you a baseline understanding of your exposure.
  4. Do not sync your personal phone unless necessary. Every time you pair your smartphone with your car's infotainment system, your contacts, messages, and call history may be copied to the vehicle's internal storage. Use Bluetooth audio streaming without full phone integration where possible.
  5. Perform a factory reset before selling your car. When you sell, trade in, or return a leased vehicle, perform a full factory reset of the infotainment system. This should delete stored contacts, navigation history, paired devices, and Wi-Fi passwords. Verify the reset was successful before handing over the keys.
  6. Disconnect your connected services account. If you sell your vehicle, log into your manufacturer's connected services portal and formally delink the vehicle from your account. Simply selling the car does not automatically sever this connection. The next owner may inherit access to your historical data.
  7. Review your insurance policy for telematics clauses. Check whether your insurer has access to vehicle telemetry data, either directly from your car or through third-party data aggregators. If your insurer offers a telematics discount, understand exactly what data they are receiving and from which source.
  8. Report suspected violations to the Information Regulator. If you believe your vehicle manufacturer has shared your personal data without your consent or for purposes beyond what was disclosed, you can file a complaint with the South African Information Regulator. The Regulator has the power to investigate and impose enforcement notices under POPIA Section 95.

Key Takeaways

What You Need to Remember

  • Connected vehicles collect extensive personal data including location, driving behaviour, voice recordings, and synced phone data, all of which qualifies as personal information under POPIA.
  • The Toyota lawsuit reveals that vehicle data can flow to insurance companies through intermediary aggregators, even when drivers have opted out of the insurer's own tracking programme.
  • Forced arbitration clauses in manufacturer terms and conditions can prevent consumers from pursuing class action lawsuits, limiting legal recourse to individual disputes.
  • Manufacturers can remotely disable vehicle features through OTA updates without owner consent, raising questions under the SA Consumer Protection Act.
  • POPIA grants South African motorists the right to know what data is collected, to object to processing, and to submit data subject access requests to manufacturers.
  • Sharing vehicle data with third parties for purposes not disclosed at the point of collection violates POPIA's purpose limitation principle (Section 13).
  • Before selling a connected vehicle, perform a factory reset and formally delink the vehicle from your connected services account to protect your personal information.
