25 Major Car Brands Flunk Data Privacy Review

Modern cars are connected, which means they are treasure troves of data. *Privacy Not Included, a project from the nonprofit Mozilla, reviewed 25 different car brands and concluded that cars are a privacy nightmare. Cars can gather personal information from users -- drivers and passengers -- via connected services, apps, and third-party sources. And they are likely using that data for a whole slew of purposes.

Many of the car brands reviewed disagree with Mozilla’s assessment of their data privacy practices, but the way the car industry handles personal data is still in the spotlight.

What are the biggest data privacy concerns in the car, and how could privacy improve in the auto industry?

Data Privacy Concerns

Researchers spent more than 600 hours combing through the 25 brands’ privacy practices before assigning the *Privacy Not Included label to each and every one. Brands and products earn the label when they receive two or more warnings based on criteria including how they use data, how users can control their data, the company’s track record on protecting user data, and whether they meet Mozilla’s Minimum Security Standards.

The Mozilla report dinged the car brands on all four of those criteria. It notes that all 25 brands reviewed collect more data than necessary, including incredibly personal information.

“When you see companies say in their privacy policies that they can collect personal information about your sexual activity, sex life, genetic information, sexual orientation, immigration status and more, that should always raise an eyebrow,” Jen Caltrider, program director of Mozilla’s *Privacy Not Included, tells InformationWeek via email.

The report calls out Nissan and Kia for mentioning data on “sexual activity” and “sex life” in their respective privacy policies.

In an emailed statement, Nissan denies knowingly collecting that kind of data: “Nissan does not knowingly collect or disclose consumer or employee information on several of the areas cited, including sexual activity or religious beliefs. Some state laws require us to account for inadvertent data collection or information that could be inferred from other data, such as geolocation.

Kia also claims it does not collect that type of information. “To clarify, Kia does not and has never collected ‘sex life or sexual orientation’ information from vehicles or consumers in the context of providing the Kia Connect Services. This category of information is included in our privacy policy, which tracks the CCPA, as an example of the type of information defined as ‘sensitive personal information’ under Section 1708.140(ae) of the CCPA,” the company shared in an emailed statement.

Subaru states that data collection is voluntary. “Subaru does not collect any connected vehicle data unless the owner voluntarily enrolls in Subaru’s telematics service, and customers can cancel at any time,” according to an emailed statement.

Once car brands have collected the data, they are likely going to make use of it. The Mozilla report found that 84% of the brands researched say they are able to share personal data and 76% say they can sell it.

Consumers have very little control over what happens to their data once it is in the hands of car companies. And short of eschewing driving altogether, they likely have to live with that means for their data privacy. “Clearly you cannot opt out from driving or using your car,” says Dante Malagrino, chief product officer of data protection company Protegrity, in a phone interview.

Mozilla found that 92% of the brands reviewed offer consumers little to no control when it comes to their personal data. It notes that Renault and Dacia allow consumers to delete their data.

In an emailed statement BMW NA says that it allows “drivers to make granular choices regarding the collection and processing of their personal information.”

“Further, we allow our customers to delete their data whether on their apps, vehicles or online. BMW NA does not sell our customer’s in-vehicle personal information,” according to the emailed comment. BMW also released a longer statement in response to the Mozilla report.

If a consumer takes the time to examine how their data is being used and decides to opt out of collection, they may find that collection is inextricably linked to services they use in their vehicle. “Often the choice becomes well, if you don't agree to the terms of the way in which we collect and use your information then don’t subscribe to our service,” says Peter Cassat, a privacy and data security and technology law attorney and partner at full-service law firm Culhane Meadows.

Mozilla also notes that it could not confirm if any of the brands meet its minimum-security standards. In other words, car company privacy policies are not easy to understand.

“I think there's a lot of opaqueness with respect to what is going on with the practices about how data is being maintained and used by manufacturers,” says Cassat.

The car companies’ responses to InformationWeek’s requests for comment varied in length. Some sent paragraphs, others just a few sentences. Ford, Honda, and Nissan shared links to their privacy policies. Some companies did not respond.

Stellantis, which owns the Chrysler, Jeep, Dodge, and Fiat brands among others, stated that the Mozilla report includes inaccuracies. “Multiple claims in this document are incorrect as they relate to Stellantis brands. We carefully and diligently consider data privacy and act accordingly. Customers with questions may call our customer care center,” according to an emailed statement.

“I think the top takeaway for consumers is to understand that all modern cars are connected, computers on wheels that can track, monitor, and collect huge amounts of data from you,” says Caltrider. “Add in connected services like navigation, streaming music, and emergency contact and car apps, and the data collection is out of control.”

Addressing Privacy in the Car Industry

Privacy is a hot button issue in any industry that collects data. Many industries have stringent privacy regulations, i.e., HIPAA in the health care space. Could targeted privacy regulation be coming for the car industry?

The California Privacy Protection Agency (CPPA) is looking into auto industry privacy practices, according to Reuters. Regulatory scrutiny could lead to new laws.

“A regulation would certainly move the industry to provide more detail in how they’re handling consumer data and addressing privacy at a more rapid rate than you would see the industry do organically,” Roman Lysecky, co-founder and CTO of IoT cybersecurity software company BG Networks, says in a phone interview with InformationWeek.

Data collection practices in the auto industry also have the potential to spark class action lawsuits. “I think there’s also the potential for some kind of invasion of privacy type claims against automobile manufacturers, possibly pertaining to biometric information,” shares Cassat. “Biometric data has always been a hot topic for state legislative action and for class action litigation.”

Enacting new legislation and filing lawsuits takes time. Will car companies make any changes to their privacy practices in advance of potential regulation and lawsuits?

Caltrider thinks not. “The companies aren’t going to do better on their own because there is too much money involved in them collecting, owning, and monetizing our personal information.”

Malagrino anticipates that some companies may decide to use privacy as a competitive edge. “Privacy is a business differentiator in many other industries today. So, I think it’s just a matter of time for privacy to become a business differentiator also in the car industry,” he says. “The most visionary car manufacturers will see the opportunity and will seize on that opportunity.”

Consumer Outlook

What does the current state of data privacy mean for consumers who get into their cars? They may be able to jump through some hoops to opt out of some types of data collection. But for now, it seems that the convenience of connected cars means sacrificing some data privacy.

“It means it’s time to get mad at the terrible state of privacy in cars and tell the companies you want better, and even more importantly, reach out to your elected officials and demand better privacy laws and regulations,” says Caltrider.

If and when change comes -- whether due to regulatory action or a market reaction to consumer demand -- it will not be as simple as halting data collection. “We cannot expect or ask companies to stop collecting data altogether. That is unrealistic, and it’s not going to happen. What we can ask is exactly what we have asked all the other industries, which is to protect our sensitive confidential personal data,” says Malagrino.

What to Read Next:

Special Report: Privacy in the Data-Driven Enterprise

5 Questions Organizations Should Ask Themselves Before Collecting Data

8 Data Privacy Concerns in the Age of AI