A modern car knows whether you pick your nose. Per the BBC’s Thomas Germain, writing in May 2026 on how much cars collect, the data automakers harvest can include precise location for everywhere you go, who is in the car, what is on the radio, whether you buckle your seatbelt, whether you brake too hard, and details you would never expect: your weight, age, race, and facial expressions, captured by cameras pointed at the driver’s seat. Darrell West of the Brookings Institution puts the consequence plainly in the same piece: “It basically means your life can be recreated almost on a second-by-second basis.” The car is the most vivid example of a pattern every founder should study, because the logic that turned cars into surveillance devices is the same logic quietly running inside ordinary SaaS products: collect everything, because collecting is cheap and someone might want it later.

The reframe worth holding is that the data you collect is not an asset by default. It is a liability that occasionally becomes an asset. Cars make the liability visible. Most products keep it hidden until something goes wrong.

What the car teaches

The scale is the first lesson. Per the BBC, the consulting firm McKinsey found that 50 percent of cars on the road in 2021 had internet connections and predicted that figure would reach 95 percent by 2030. Connection is the precondition for collection, and once the pipe exists, the data flows whether or not anyone has a use for it. A 2023 analysis by Mozilla, maker of Firefox, examined the privacy policies of 25 car brands, and per the BBC every single one failed Mozilla’s privacy and security standards. Not most. All 25. When an entire category fails the same audit, the failure is structural, not the result of a few bad actors.

The second lesson is that collected data finds buyers the collector cannot control. Among the biggest customers for car data, per the BBC, are insurance companies using it to charge some drivers more, and while some carmakers admit they sell data, they do not have to disclose who is buying. The information leaves through doors the company does not watch. The third lesson is that regulation can force collection wider rather than narrower: the BBC reports a federal law set to require American carmakers to install infrared biometric cameras to detect drunk or tired driving, opening a new trove of health and behavior data with, in Germain’s words, “no rules limiting what the car companies can do with that information.”

Read those three together and the moral for a product founder is uncomfortable. The car industry did not set out to build surveillance machines. It added connectivity for convenience, collected data because it could, and arrived at a category-wide trust failure without any single decision that looked like a mistake at the time.

The same risk lives in ordinary products

A founder building a SaaS tool, an IoT device, or a mobile app is not exempt because the product is not a car. The mechanism is identical. Every analytics event, every retained log, every “we might need this later” field is the software version of the camera pointed at the driver’s seat. It is cheap to add and expensive to be responsible for.

The costs are real and they are mostly invisible until they land. Storage of data you never use is a recurring bill. Every field you retain is something a breach can expose, which means each one expands the attack surface and the blast radius. Compliance overhead scales with what you hold: the more categories of personal data you collect, the more of GDPR, CCPA, and their successors apply to you, and the burden falls hardest on early-stage companies with no dedicated privacy function. The data sitting in your database is not inert. It is a standing obligation that accrues cost and risk every day it exists, whether or not it ever produces value.

The data you collect is not an asset by default. It is a liability that occasionally becomes an asset.

There is also the trust cost, which is slower and harder to reverse. The BBC notes that most consumers have no idea their cars are collecting any of this, and the reputational damage arrives the moment they find out. A product that quietly hoards data is fine right up until a journalist, a regulator, or a curious user reads the privacy policy. Then the hoarding becomes the story.

When the platform you depend on turns

Two recent episodes show the failure from the user’s side, which is the side founders should imagine themselves on. Owners of Volkswagen vehicles who used the open-source homeassistant-volkswagencarnet integration to read their own car data into Home Assistant reported, in a GitHub issue opened on May 27, 2026, that login through the integration suddenly stopped working (“authentication is expired, re login with credential is no more possible”) even though the official Volkswagen Connect app still logged in fine. We are reading a community bug report, not a statement of corporate intent, so the cause is not established here. But the lived experience is the point: a user’s access to data about their own car ran through a door the manufacturer controlled, and when that door changed, the user was locked out of their own information with no recourse but to wait. Data you hold about someone is power over them, and power over your users is exactly what they will resent when it is used.

The second episode is not about data at all, which is what makes it instructive. Per the Salem Statesman Journal, Bryan Mansell consigned his father’s Star Wars Lego collection, valued at more than $200,000 and built since 2000, to a Bricks & Minifigs store in Keizer, Oregon, part of a chain that opened its first store in 2010 and now runs 240 franchised locations. The store changed hands in 2024, and per Kotaku’s account, the new managers claimed full ownership and locked the Mansells out “without pricey litigation.” The family sued, and per the Statesman Journal they won, after which the store simply closed to escape paying what it owed.

Why the Lego story is a data story

The Lego collection is a parable about custody. The Mansells handed an asset they owned to a third party they trusted, on the strength of a relationship and a contract, and discovered that possession and the corporate structure around it mattered more than ownership when the counterparty changed and decided not to honor the deal. The asset was physical, so the betrayal is easy to see.

Data is no different, except that the betrayal is harder to see because the asset is invisible. When your product collects user data and stores it on a platform, or when your users entrust their data to your product, the same custody question applies. Who actually controls it when ownership changes hands, when the company is acquired, when the terms quietly update, when the franchise sells? The Mansells could at least point at a shelf of Lego. A user whose data sits in your systems has even less recourse, because they often cannot see what you hold, cannot retrieve it without your cooperation, and cannot verify it is gone when they ask you to delete it. Every product that collects more than it needs is asking its users to make the same bet the Mansells made: trust us with something valuable, and trust that nothing about us will ever change.

Treat privacy as a feature, not an afterthought

The practical response is the inverse of the car industry’s. Collect the minimum the product genuinely needs to function, not the maximum the infrastructure can capture. Data minimization is not only a compliance posture under GDPR; it is the cheapest way to shrink the recurring cost, the attack surface, and the trust liability all at once. The field you never collected cannot be breached, cannot be sold without your knowledge, and cannot become a headline.

Then say what you do plainly, in language a user reads rather than a policy they scroll past. The BBC’s recurring point is that the harm compounds because collection is hidden. A product that tells users exactly what it keeps and why, and keeps little, converts the usual liability into a genuine differentiator, because the default expectation is now the car: silent, total, and adversarial. Clarity is rare enough to be a feature.

The car industry built its data empire one convenient sensor at a time and arrived at a category where all 25 audited brands failed and consumers feel watched. A founder gets to choose the opposite default, and the choice is cheapest at the start, when the database is empty and every field is still a decision rather than a migration. The Mansells learned that an asset in someone else’s custody is only as safe as that someone’s willingness to honor the deal. Your users are making the same bet about their data every time they sign up, and most of them have not read the policy that tells them so.