Cars are collecting and selling your personal data
If you own a car, you might be surprised to learn that it is collecting and storing a lot of personal information about you. A report from Mozilla, the nonprofit that develops the Firefox browser, reveals how the policies of more than two dozen car manufacturers allow for the collection, storage and sale of a wide range of sensitive information about auto owners.
According to the report, cars now routinely collect data on par with tech companies, offer few details on how that data is stored and used, and don’t give drivers any meaningful way to opt out. The report also warns that this data could be used for targeted advertising, insurance pricing, law enforcement surveillance, or even hacking and identity theft.
Some of the personal information that carmakers say they may track include employment and purchasing history, education, internet browsing history, location data, music and podcast listening habits, immigration status, religious and philosophical beliefs and health information. Six of the manufacturers say they can collect “genetic information” or “genetic characteristics,” though it’s unclear how.
Carmakers have vague and broad privacy policies
The report analyzed the privacy policies of 25 car brands available in the U.S., including Ford, Toyota, Tesla, Honda, Hyundai, Nissan, Kia and others. It found that all but four of them say they can or do sell at least some of their customers’ data. The report also found that most of the policies are vague and broad, giving carmakers a lot of leeway in how they use and share the data.
For example, Nissan’s policy says “sexual activity” is an example of the type of sensitive information it can collect. Kia’s mentions “sex life or sexual orientation.” Nissan did not respond to a request for comment. A Kia spokesperson said that the company does not actually collect its users’ sex life information, and that it includes that language in its privacy policy because it was part of the list of examples of “sensitive information” under California law. The spokesperson didn’t respond to a request for a full list of what types of sensitive personal information Kia does collect.
Other manufacturers indicated they have lower standards than legally necessary for sharing users’ information with police. As a rule, U.S. companies turn over information to police if they are compelled to do so by a warrant or court order, and car manufacturers are no exception. But Hyundai’s explanation of its policies goes significantly further, saying it may turn over customer data simply because a police officer or government official asks for it.
Drivers have little control over their car data
The report also found that drivers have little control over their car data. Most of the policies do not offer any way for drivers to access, delete or correct their data. Some of them require drivers to agree to the data collection as a condition of using certain features or services. Others do not provide any clear opt-out option at all.
“Cars are a humongous privacy nightmare that nobody’s seemingly paying attention to,” said Jen Caltrider, who directs Privacy Not Included, a consumer privacy guide run by Mozilla. “And they’re getting away with it. It really needs to change because it’s only going to get worse as cars get more and more connected.”
The report recommends that carmakers adopt more transparent and user-friendly privacy policies, give drivers more control over their data, limit the collection and retention of sensitive data, and implement strong security measures to protect the data from unauthorized access or misuse.
The report also urges drivers to be more aware of their car data and take steps to protect their privacy. Some of these steps include reading the privacy policies before buying or using a car, disabling or limiting unnecessary features or services that collect data, using encryption or VPNs when connecting to Wi-Fi or Bluetooth in the car, and deleting personal data before selling or returning a car.
