​When a Ride Isn’t Just a Ride: Telematics and Privacy

Imagine getting into a ride-share vehicle, chatting casually with a friend, and then discovering that your conversation was secretly recorded, transcribed, and possibly shared without your knowledge. That’s exactly what happened to a Lyft passenger in Toronto, as reported by CBC in a recent article that’s sparked serious concern about the intersection of convenience, technology, and privacy.

In this case, the Lyft driver had installed a camera in his vehicle. This is not entirely unusual. However, the camera audio was recorded and uploaded to a third-party transcription service. Right after returning to her downtown Toronto apartment, the Lyft passenger received a text from an unknown number with a transcript of a conversation she had had with her roommates during their eight-minute Lyft ride. When one of the passengers reached out to Lyft with concerns, she was left feeling that the company wasn’t taking the privacy breach seriously enough. Lyft, for its part, says that their recording device policy prohibits recording another person without their express prior consent and that “proper actions” were being taken against the driver.

That lackluster response highlights a much bigger issue: as vehicles become smarter and more connected, how well are our privacy rights keeping up?

This incident — the secret audio recording and transcription — isn’t exactly what experts would call “telematics.” Traditionally, telematics refers to the automatic collection and transmission of data from vehicles: things like location, speed, acceleration, braking patterns, and fuel usage. Insurance companies use it for usage-based policies. Fleet managers use it to optimize routes and monitor driver behavior. It’s data-driven and generally doesn’t involve recording voices or faces.

While the Lyft situation doesn’t involve telematics in the technical sense, it fits within a broader trend: the datafication of our movement through the world. That passenger conversation was recorded, turned into searchable text, and potentially shared — not unlike how telematics systems transmit driver data to an insurance company. So, while no one was analyzing g-forces or cornering habits here, the underlying privacy questions are strikingly similar: Who’s collecting data about you? Did you agree to it? And what happens to that data next?

In Canada, telematics is on the rise. More and more drivers are opting into “pay-how-you-drive” insurance programs that promise discounts in exchange for allowing insurers to monitor driving habits. It sounds harmless — until you consider that a vehicle’s data profile can paint a surprisingly detailed picture of your life: where you work, when you leave, which school your kids go to, or what medical clinics you visit.

And like with the Lyft recording, consent is often murky. In both scenarios, users might not fully grasp what they’re agreeing to, or how far the data might travel once it’s collected. Canadian privacy laws — like PIPEDA and provincial equivalents — require clear, informed consent for the use of personal data. But in practice, disclosures are often buried in fine print or worded in ways that obscure the implications.

We’re at a point where vehicles are becoming rolling data hubs. Some are equipped with driver-facing cameras, voice assistants, biometric sensors, and third-party apps — all capable of gathering information. Add in telematics, and the line between convenience and surveillance starts to blur. The real challenge is that most people simply don’t know how much data their vehicles are collecting, or how it’s being used. And the burden shouldn’t be on the average passenger or driver to investigate the privacy practices of every tech tool installed in a car. There can be no question that we need a clearer, more modern framework — one that sets boundaries for all types of in-vehicle data collection, whether it’s traditional telematics or rogue audio recordings.  

If you have questions about this or similar privacy law topics, please reach out to Roshni Veerapen or any other member of our Privacy Law group.