25 Major Car Brands Flunk Data Privacy Review
A new report from Mozilla shines a light on data privacy in the auto industry. Some car brands may be collecting info that would likely raise more than a few eyebrows.
Modern cars are connected, which means they are treasure troves of data. *Privacy Not Included, a project from the nonprofit Mozilla, reviewed 25 different car brands and concluded that cars are a privacy nightmare. Cars can gather personal information from users -- drivers and passengers -- via connected services, apps, and third-party sources. And they are likely using that data for a whole slew of purposes.
Many of the car brands reviewed disagree with Mozilla’s assessment of their data privacy practices, but the way the car industry handles personal data is still in the spotlight.
What are the biggest data privacy concerns in the car, and how could privacy improve in the auto industry?
Data Privacy Concerns
Researchers spent more than 600 hours combing through the 25 brands’ privacy practices before assigning the *Privacy Not Included label to each and every one. Brands and products earn the label when they receive two or more warnings based on criteria including how they use data, how users can control their data, the company’s track record on protecting user data, and whether they meet Mozilla’s Minimum Security Standards.
The Mozilla report dinged the car brands on all four of those criteria. It notes that all 25 brands reviewed collect more data than necessary, including incredibly personal information.
“When you see companies say in their privacy policies that they can collect personal information about your sexual activity, sex life, genetic information, sexual orientation, immigration status and more, that should always raise an eyebrow,” Jen Caltrider, program director of Mozilla’s *Privacy Not Included, tells InformationWeek via email.
The report calls out Nissan and Kia for mentioning data on “sexual activity” and “sex life” in their respective privacy policies.
In an emailed statement, Nissan denies knowingly collecting that kind of data: “Nissan does not knowingly collect or disclose consumer or employee information on several of the areas cited, including sexual activity or religious beliefs. Some state laws require us to account for inadvertent data collection or information that could be inferred from other data, such as geolocation.”
Kia also claims it does not collect that type of information. “To clarify, Kia does not and has never collected ‘sex life or sexual orientation’ information from vehicles or consumers in the context of providing the Kia Connect Services. This category of information is included in our privacy policy, which tracks the CCPA, as an example of the type of information defined as ‘sensitive personal information’ under Section 1708.140(ae) of the CCPA,” the company shared in an emailed statement.
Subaru states that data collection is voluntary. “Subaru does not collect any connected vehicle data unless the owner voluntarily enrolls in Subaru’s telematics service, and customers can cancel at any time,” according to an emailed statement.
Once car brands have collected the data, they are likely going to make use of it. The Mozilla report found that 84% of the brands researched say they are able to share personal data and 76% say they can sell it.
Consumers have very little control over what happens to their data once it is in the hands of car companies. And short of eschewing driving altogether, they likely have to live with what that means for their data privacy. “Clearly you cannot opt out from driving or using your car,” says Dante Malagrino, chief product officer of data protection company Protegrity, in a phone interview.
Mozilla found that 92% of the brands reviewed offer consumers little to no control when it comes to their personal data. It notes that Renault and Dacia allow consumers to delete their data.
In an emailed statement, BMW NA says that it allows “drivers to make granular choices regarding the collection and processing of their personal information.”
“Further, we allow our customers to delete their data whether on their apps, vehicles or online. BMW NA does not sell our customer’s in-vehicle personal information,” according to the emailed comment. BMW also released a longer statement in response to the Mozilla report.
If a consumer takes the time to examine how their data is being used and decides to opt out of collection, they may find that collection is inextricably linked to services they use in their vehicle. “Often the choice becomes well, if you don't agree to the terms of the way in which we collect and use your information then don’t subscribe to our service,” says Peter Cassat, a privacy and data security and technology law attorney and partner at full-service law firm Culhane Meadows.
Mozilla also notes that it could not confirm if any of the brands meet its minimum-security standards. In other words, car company privacy policies are not easy to understand.