“Is This Even Legal?” Our Top Cars-And-Privacy Question, Answered.

Update on Feb. 29, 2024:

• On February 28th, 2024, US Senator Markey published the car companies responses to his data privacy questions -- which offered him "little comfort" -- and called on the FTC to investigate cars and privacy. We wrote about the implications of this, here.

Update Dec. 7, 2023:

• On November 16th, 2023, we sent a letter to regulators at the Department of Transportation and the Federal Trade Commission encouraging urgent action to protect consumers’ privacy behind the wheel.
• On December 1, 2023, US Senator Markey sent letters of his own to 14 car companies that cited our research, asked much-needed questions, and urged them to "implement and enforce strong privacy protections for consumers."

In case you haven’t heard, our latest product guide on cars is getting a lot of attention. And our figurative privacy phone has been ringing off the hook with questions from readers, journalists, and even policy makers. Questions like how, why, and what the… heck!? But by far, the single-most asked question we’ve received from our readers (after “how is Nissan collecting information about my sexual activity?” of course) is: “How is this even legal?”

It’s a great question. In fact, it is THE question for our readers in the United States.

Yes (*depending on where you live), it can be perfectly legal for car companies to collect personal information on your sexual life, your genetic information, where, when and how you drive, and more. It can be legal for those car companies to then share and sometimes even sell that information. And yes, it can even be legal for them to share this personal information with law enforcement based on something as simple as an “informal request.”

• [ICYMI– Last week, we published a review of 25 major car brands’ privacy policies in our latest *Privacy Not Included guide. Shockingly all 25 car brands we researched earned our *Privacy Not Included warning label -- making cars the official worst category of products that we have ever reviewed for privacy. A shocking 76% of studied brands allow your personal data to be shared, and 56% will share data with government or law enforcement if they “request” it. Click here to read through the full findings.]

When we reached out to the companies to ask them questions about their privacy practices and policies, they pretty much ignored us. But when journalists reached out to car companies with those same questions they were a little more forthcoming. A common defense from the car companies was that they weren’t doing anything illegal. Like Nissan, who said:

The thing is, they’re mostly right -- but that’s part of the problem. To explain, here’s a quick summary of how privacy laws in the US & Europe regulate data privacy differently:

• European law: Europe has in effect a comprehensive privacy law called the General Data Protection Regulation (GDPR), which requires companies to provide a specific legal basis for processing EU citizens’ personal data, and other safeguards that try to limit excessive or inappropriate uses. The GDPR also provides data subjects with rights like the right to erasure, and to compensation for damages when their rights under the law are violated. GDPR is proven to be a very good blueprint when it comes to privacy legislation and more importantly it establishes a strong baseline set of consumer rights. However, GDPR has not necessarily been enforced in its full potential and the automobile sector as a whole has received less scrutiny from data protection authorities.

• U.S. federal law: In the US, the picture is much more complicated. At the federal level, there is no comprehensive “GDPR” equivalent that gives consumers sweeping data rights. Rather, there are a handful of laws that are more limited in scope or apply to a specific sector. For example, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets a privacy rule for patient health data and the Gramm-Leach-Bliley Act (GLBA) creates safeguards on sensitive data for financial institutions in particular. The Federal Trade Commission (FTC) Act has been used to go after unfair or deceptive data practices, but it is a general-purpose law that was not designed specifically for privacy violations.

• U.S. State Law: The absence of federal regulation has resulted in much more momentum at the state level. So far, California, Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah and Virginia have passed comprehensive state laws (though several have not gone into effect yet). In fact, the only reason we even know about how Nissan shares and sells personal data (thanks again, Nissan, for your utmost transparency) is because stronger state privacy laws like the California’s Consumer Privacy Act made it the law for companies to tell us how they are using our data in their privacy policies. Despite this progress, a majority of people are left without laws in their own states, many existing state privacy laws are weak, and the patchwork of conflicting rules makes compliance harder.

I think we can all agree there’s something inherently invasive and creepy about your car collecting intimate details about your personal life. The sad reality is, without a federal privacy law in the US, companies often have free reign to collect, share and in some cases, sell our personal data.

That’s not normal. A reporter we spoke to in France was shocked that all Americans are not guaranteed the right to delete their data, like the French citizens covered by GDPR.

Which is why fundamentally we need to pass a privacy law at the federal level and strengthen existing state laws in the meantime (shout out to the California Privacy Protection Agency for investigating privacy issues and connected cars). Mozilla has supported initiatives in the past, like a bipartisan bill called the ADPPA. And we’ll continue to prioritize this until we truly have privacy for all.

This isn’t going to be easy. But it’s necessary.

Because right now, you have few options. Sure, you can ask companies to delete your data or try to opt-out of some of the vast data collecting and sharing they do. Some may honor it. Honestly though, many probably won’t.

We at *Privacy Not Included do our best to shed light on the privacy risks associated with your favorite brands and products, to give you the information you need to make an informed choice. But what about when there are no good choices, like we found with car companies?

If you would like to be a voice for meaningful change here is something you can do today: Join Mozilla’s upcoming “Privacy for All” campaign to push for a strong, consumer-friendly federal privacy law. We’re all going to have to get involved to push for this change because the powerful companies who make money off this will fight it every step of the way.

We can’t speak to whether Nissan is fully compliant with the law in all ways. But when they say in their Nissan USA Privacy Notice that they can collect and share your sexual activity, health diagnosis data, and genetic information and other sensitive personal information for targeted marketing purposes, they are relying on the appalling privacy law vacuum that exists in the United States.

When they say they can share and even sell "Inferences drawn from any Personal Data collected to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes'' to others for targeted marketing purposes, they are again taking advantage of weak state laws and a vacuum in federal comprehensive legislation. Regulators and litigants, too, are trying to change the rules of the road on privacy, but those smaller steps are also filling in the cracks that are caused by a shaky privacy law foundation in the US. But we’re hopeful that with enough public outrage and pressure, this won’t be the case for long.

Thank you for reading, and more soon.