Update May 14th: The FTC published a blog post putting connected car companies on notice for “unlawful collection & use” of consumers’ sensitive data.

  • They warned car-makers to “take note” of three actions they’ve taken recently against other companies for abusing their access to sensitive data by sharing it or using it for decision-making without consumers’ consent.

The Federal Trade Commission (FTC) is in charge of protecting US consumers from deceptive or unfair business practices. So if there’s any agency that can hold US car-makers accountable for their terrible privacy practices, it’s them! This is definitely a step in the right direction for cars and privacy.

Have you ever heard the advice, “Don’t answer the question you were asked. Answer the question you wish you were asked”? Well, it seems like certain United States car company executives have.

Let’s back up. Last year, we raised the flag on cars and privacy when we called them the worst product category we have ever reviewed for privacy. Even though what we found out from reading cars’ privacy policies was awful, we had more concerns about what we couldn’t find. Our research left us with so many questions! Questions that the car companies ignored when we asked. So we were so excited when US Senator Ed Markey followed up with carmaker CEOs asking the same questions we had, pointing to our research as a cause for concern. He also promised to publish their answers, which he then did! We read those 84 pages for you. But sadly, their answers were as vague, incomplete, and dodgy as ever. Here are the highlights.

Do car companies sell your personal data -- and for how much?

Our research showed that many car-makers say they can sell your personal data. But do they? Yes, they absolutely do.

Senator Markey asked:

Does your company sell, transfer, share, or otherwise derive commercial benefit from data collected from its vehicles to third parties? If so, how much did third parties pay your company in 2022 for that data?

US Senator Ed Markey

General Motors, one of the largest US automakers, said:

If an owner opts in to Connected Services, GM has the ability to share data collected from Vehicles with third parties, as outlined in our US Connected Services Privacy Statement. For example, data might be shared to help emergency responders respond more quickly and accurately, to support in-vehicle services utilized by the owner, and where the owner directs GM to do so (such as helping owners optimize their charging patterns). For those limited data shares where there is a commercial benefit attributable directly to the data sharing, the impact to GM’s overall 2022 revenue was de minimis.

Omar A. Vargas, General Motors Vice President, Global Public Policy

By now, you might have heard that GM sold personal driving data to data brokers who used it to create “risk scores” for insurance companies. Some drivers only found out this was happening when their premiums skyrocketed. They weren’t happy. In fact, it caused such an outrage among drivers (including a class-action lawsuit!) that GM had to promise to stop (at least as far as selling that specific data to those specific data brokers goes).

So it’s interesting that GM doesn’t mention its relationship with LexisNexis or Verisk -- the two data brokers in question -- at all in their response to the senator. (This is why we have trust issues when it comes to companies’ public statements on privacy!) GM also doesn’t share that “opting in” could reportedly involve a salesperson at the dealership opting in on your behalf without your knowledge or consent -- and receiving a bonus for doing so. Yeesh.

Oh, and in case you’re wondering (or, like us, assumed it was a typo), “de minimis” (as in the stated impact on GM’s revenue) means a small or unimportant amount. What counts as not a lot to a billion-dollar company? It was reported to be in the “low millions”. We’re not sure if we’d feel better or worse if GM earned more money from selling drivers’ data. Hmm… Is it better to be sold out for a penny or a dollar?

Hyundai said:

Bluelink® offers Driving Score and usage-based insurance (UBI), which is powered by Verisk Insurance Solutions. Certain vehicle data is transmitted to Verisk only for vehicle owners subscribed to Driving Score, so that Verisk can generate the Driving Score which is not shared by Hyundai with third parties other than Verisk. Drivers currently enrolled in Driving Score may also choose to separately opt in to receive offers and information about vehicle insurance discount and offers or request UBI quotes from participating insurers.

Robert R. Hood, Vice President of Government Affairs, Hyundai Motor

So Hyundai does mention a relationship with data broker Verisk. And just like GM, they say that the program is opt in only. They also say drivers who have opted in can turn off data-sharing with Verisk through their MyHyundai account (just in case anyone’s opted in who doesn’t want to be). As for what they get in exchange for the data, “Hyundai may receive a fee per lead for insurance discount offers sent to drivers who have opted in to receive these offers and when a driver requests a UBI quote from an insurer and expressly authorizes and directs Verisk to provide their UBI data to the insurer.”

Toyota (and Lexus) said:

In the context of vehicle ownership, Toyota only sells (as that term is defined under applicable privacy laws, such as the CCPA) consumers’ personal information in one instance: to a third party who provides a satellite radio subscription service, in order to offer consumers a free trial of satellite radio subscription service and for related post-trial marketing campaigns.

Stephen J. Ciccone, Group Vice President, Government Affairs

Toyota is the only car company that confirms they “sell” consumers’ personal information -- and at this point, we’re grateful for the honesty. They say they sell it to a satellite radio subscription service so that they can offer you a free trial and market their service to you afterwards.

Do car companies share drivers’ personal data with law enforcement?

All of the car-makers we researched said they can share driver data with law enforcement in certain situations. That’s true of pretty much any company that has your data, but what we like to see spelled out in the privacy policy is strict limits on that sharing and a commitment to push back on overly broad requests. That is something we didn’t find in cars’ many privacy policies. And that worried us since they can have soooo much of your personal information, including your precise geolocation as well as data from in-car cameras and microphones.

Senator Markey asked:

Has your company ever provided to law enforcement personal information collected by a vehicle? If so, please identify the number and types of requests that law enforcement agencies have submitted and the number of times your company has complied with those requests.

US Senator Ed Markey

Here’s what the car companies (who bothered to answer the question) said about the number of requests for personal data they receive from law enforcement:

Volkswagen broke down the number of requests by year. They said there were “fewer than 20” in 2021, “fewer than 25” in 2022, and “fewer than 45” in 2023. That means the requests from law enforcement doubled in the last three years. Interesting! Hyundai and Kia also shared the total number of requests they responded to, which was 50 (86%) and 25 (83%) respectively. Honda said they don’t track these requests but guessed they get about one per month. Tesla said they do track requests but decided not to share the numbers with us. They were also the only car brand to say outright that they may sometimes challenge or reject requests.

You might remember Hyundai’s privacy policy said they may respond to an “informal request” for your data from law enforcement or government (yikes). But in their response to Senator Markey, they were a lot more specific, saying Hyundai will only provide data in response to “exigent circumstances, search warrants, customer consent, and subpoenas”. Most of the car companies’ answers were stricter or more specific than what we found in their privacy policies last year. Hopefully that means they’ve made changes to their official policies too, where it really counts. For Hyundai at least, the “informal request” line seems to be missing from the latest version of their privacy policy, which seems like a good start!

Do car companies inform drivers when their information is shared?

Another thing we didn’t find in car companies’ pretty vague sharing-with-law-enforcement statements in their privacy policies is whether or not they give drivers a heads up when their information is shared.

Senator Markey asked:

Does your company notify the vehicle owner when it complies with a request?

US Senator Ed Markey

None of the car companies who answered this question said they have a policy of informing drivers. Hyundai came the closest, saying “Hyundai reserves the right to notify our customers when it complies with such requests” unless giving notice is “explicitly prohibited by the legal process itself.” That’s as generous as it gets, which isn’t great.

Most other car companies said they’re not allowed to tell drivers. For example, Nissan said “where Nissan is responding to [a] valid compulsory process to provide customer vehicle data, Nissan is precluded from notifying a customer of such requests by statute or court order.” BMW went as far as saying they won’t tell the vehicle owner unless law enforcement tells them to. “If we are instructed by law enforcement to notify the vehicle owner when we comply with a request, we will do so.” And that seems pretty unlikely to happen since GM said that “[l]aw enforcement routinely directs GM not to notify the vehicle owner”.

Can drivers get their personal data deleted?

At the time of our research last year, the only brands we could confirm would let customers delete their personal information were two European car brands (Renault and Dacia) who have to give drivers that right because it’s the law in the EU, according to the privacy law GDPR.

Senator Markey asked:

Can all users, regardless of where they reside, request the deletion of their data? If so, please describe the process through which a user may delete their data. If not, why not?

US Senator Ed Markey

Toyota, Subaru, BMW, Tesla, and Ford said that all drivers in the US do have this right or will soon. Well, that’s new and good! We hope to see that commitment in their privacy policies -- where it matters. So far, Toyota is the only company to make that promise official with a change to their privacy policy.

But other car-makers doubled down, saying it’s not possible to commit to deleting their customers’ data or that they’re waiting for a law to force them to. Yeah, we don’t really believe that. And hey! Here’s an idea. Car-makers, you’re officially invited to join our fight for federal privacy legislation in the USA. Until then, how about you apply the strictest state privacy law (generally, California’s CCPA) to all US states? That way you don’t, like Nissan worries, have to use an “arbitrary standard” in the meantime. You can do it!

What about data breaches, leaks, and hacks?

Most (68%) of the car brands we researched earned a bad track record “ding” for having had data breaches, leaks, or hacks that threatened their customers' privacy in just the last three years.

Senator Markey asked:

Has your company suffered a leak, breach, or hack within the last ten years in which user data was compromised? If so, please detail the event(s), including the nature of your company’s system that was exploited, the type and volume of data affected, and whether and how your company notified its impacted users.

US Senator Ed Markey

Volkswagen is the only car company that answered “yes”. And even then, they only told half the story -- acknowledging one major breach in 2021, but leaving out three other security and privacy incidents since 2020.

Even Kia, who had to patch eight million cars because of a security vulnerability that allowed them to be hacked -- resulting in hundreds of thefts, 14 crashes, and eight fatalities -- only mentioned cybersecurity to describe the “important steps” they take which are “designed to maintain the confidentiality, integrity, and availability of vehicle data”. So, yeah. We’re not at all confident that we’re getting the best answers from these car companies. (Neither were Senator Markey and his team.)

More than answers, we want change

It seems like the kind of answers we hoped for from these car company CEOs probably aren’t coming any time soon. It is funny though (but not ha-ha funny) that so many of the car-makers responded to Senator Markey’s questions by saying to look for answers in their privacy policies… Since reading those privacy policies raised these questions for us and Senator Markey in the first place. “Boooo” in particular to BMW, Mazda, Mercedes-Benz, Stellantis (and to a lesser extent Ford, Kia, Subaru, and Tesla) who responded with essays that didn’t address each of the questions directly. If we were grading these as homework, you all would get an “incomplete”.

The good news is that we don’t have to wait for car companies to be honest with us or to do the right thing on their own. Since we sounded the alarm on cars and privacy last September -- change is already happening:

  • Toyota and Lexus now grant all US consumers the right to delete their personal data.
  • Thanks to public pressure, GM (which includes Chevrolet, Buick, GMC, and Cadillac) said they’ll stop selling some OnStar data to data brokers LexisNexis and Verisk.
  • The Biden-Harris administration in the US is looking into connected cars’ privacy due to national security concerns.
  • The FCC is proposing applying the US’ Safe Connections Act to cars, making it harder for domestic abusers to stalk survivors using cars’ tracking systems (one of our privacy nightmares).
  • California legislators also proposed a bill that would make car-makers disconnect abusers’ remote access to cars when that access is being used to “stalk, harass, surveil, and intimidate survivors.”
  • US Senators Markey and Wyden are asking the FTC to take action against Toyota, Nissan, Subaru, Volkswagen, BMW, Mazda, Mercedes-Benz, and Kia -- and their executives -- for sharing drivers’ location data with government agencies without a warrant, violating the industry’s own “privacy principles”.

And even the car companies’ noodly answers are helpful in driving change. Because car companies’ responses gave Senator Markey “little comfort” and “ignor[ed] the real privacy risks their data practices create,” he’s urging the US Federal Trade Commission (FTC), the federal agency charged with protecting consumers’ rights, to investigate all US car-makers’ privacy practices. And it’s not just US legislators who are paying attention. Members of the European parliament pointed to our research to flag a lack of privacy protections for drivers to the European Commission on three occasions. And another MEP (member of European Parliament) recently suggested more laws are needed to prevent cars from being misused to spy on drivers -- again, citing our research. We love to see it! You can help us keep the ball rolling.

Jen Caltrider

During a rather unplanned stint working on my Master’s degree in Artificial Intelligence, I quickly discovered I’m much better at telling stories than writing code. This discovery led to an interesting career as a journalist covering technology at CNN. My true passion in life has always been to leave the world a little better than I found it. Which is why I created and lead Mozilla's *Privacy Not Included work to fight for better privacy for us all.

Misha Rykov

Kyiv-native and Berlin-based, Misha worked in big tech and security consulting, before joining Mozilla's privacy effort. Misha loves investigative storytelling and hates messy privacy policies. Misha is an advocate for stronger and smarter privacy regulations, as well as for safer Internet.

Zoë MacDonald

Zoë is a writer and digital strategist based in Toronto, Canada. Before her passion for digital rights led her to Mozilla and *Privacy Not Included, she wrote about cybersecurity and e-commerce. When she’s not being a privacy nerd at work, she’s side-eyeing smart devices at home.