Assume every mainstream current-production vehicle has embedded connectivity unless a VIN check, trim sheet, and physical inspection prove otherwise. Mozilla’s Privacy Not Included team gave every one of the 25 car brands it reviewed a warning label, the worst product category it has ever tested, and California’s GM/OnStar settlement, the largest CCPA penalty in the state’s history, shows the risk is not theoretical.
The consumer answer is not “buy a new privacy car.” It is: buy a used vehicle from a verified non-telematics trim and year, or physically bypass the telematics module when a newer vehicle is unavoidable.
Toyota said cellular DCMs would be standard in nearly all new Toyota and Lexus vehicles by 2020, so treat 2020+ Toyota/Lexus as presumptively connected. Older vehicles still need trim-level verification: Safety Connect, Starlink, OnStar, Blue Link, HondaLink, and similar packages vary by year and trim. GM has had OnStar embedded since the late 1990s; avoid the brand entirely. Nissan was the single worst brand in Mozilla’s review.
Before any purchase: run the VIN through Privacy4Cars and physically inspect for an SOS or emergency-call button near the mirror or overhead console. On pre-2020 Toyotas, no SOS button is a strong sign that Safety Connect hardware was not installed, but still confirm by VIN and trim sheet before treating the car as clean.
