Warning: *privacy not included with this product
Renowned German car manufacturer BMW made its first car way back in 1928. Nearly 100 years later, BMW cars are now known for their luxury, their expensive price tag, and increasingly, their connected features. They aren't exactly known for their fun car names though. Current BMW models include the X1, X3, X4, X5, X6, X7, 2, 3, 4, 5, 6, 7, 8, Z4, i4, i5, i7, iX, XM, and the BMW M.
The My BMW app does things like remotely lock and unlock your car, see where your vehicle is located, take pictures from the "vehicle environment", pay your car payment, navigate to where you want to go, find a parking spot, find a place to charge your electric vehicle, and more. So, how does BMW fare at privacy? Well, they aren't the worst car brand we reviewed. Unfortunately that bar is really low, so while they aren't the worst, we wouldn't exactly say they are great at privacy either.
What could happen if something goes wrong?
Here's some good-ish news in the nightmare world of cars and privacy. BMW isn't actually the worst car company we reviewed. Don't get us wrong, they are far from great. But compared to many of the other car companies' privacy and security we've reviewed, they are better than most. Yes, the bar is low. But alas, we're looking for something we can point to that isn't terrible in this bleak landscape. BMW is it.
BMW cars and their My BMW app absolutely collect huge piles of data on you and your car. Soooo much personal information, driving data, location data, app and internet usage data, and more. They don't do much, if any, better than any car company we reviewed on this front. They still know all the things like: your name, email, phone number, address, Vehicle Identification Number (VIN), location data on you and your car, your contacts' names and phone numbers (if you give them access to them, of course), vehicle images, including 3-D images around your car, environmental information like the temperature and if it is raining, sensor information which they describe as "e.g. radar, ultrasonic devices, gestures, voice, etc.", how fast you drive, where you drive.
BMW also says they can collect even more personal information about you from third parties, such as data brokers, data aggregators, social media networks, the government, publicly available databases, and more. They say that personal information could include your buying habits and interests and other publicly observed data (such as from social media) as well as demographic information such as your age, gender, ethnicity. Yikes! That's a lot of data. But they aren't done yet. BMW also says they can take all this personal information and other data they collect on you, your car, how you drive your car, what websites you click on, what you do in their app, and then use it to make inferences about you regarding your preferences and habits. Yes, that is a lot. Unfortunately, this is also pretty common among car companies. Your data is big business for them.
BMW goes on to say they can share that data with a whole bunch of places. They share it within their BMW Automotive Group family of companies, which is a pretty good sized corporate conglomerate. They also say they can share this data with third party dealers, service providers, and business partners (this is all pretty common sharing, but it's good to remind you that this can be a vast network of places your data lands, all of which you have to hope will protect and respect it).
One bad thing we do want to point out about BMW -- we've no idea if you can get your data deleted if you live somewhere that right isn't guaranteed by law. In fact, we're pretty sure you can't get your data deleted if you don't live somewhere that right is protected by law. Indeed, the Data Safety section of the My BMW app page in the Google Play store specifically states, "Data can’t be deleted. The developer doesn't provide a way for you to request that your data be deleted." So yeah, that's bad. It's also, unfortunately, not uncommon. We always ding companies that don't guarantee everyone the same rights to access and delete their data, no matter what privacy laws they live under, because it's just the right thing to do. We'd sure love to see BMW step up and do the right thing here.
As for their track record of protecting and respecting all that personal information and driving information they collect, BMW does seem to have had fewer serious security breaches and data leaks than some of the other car companies we've reviewed. They aren't perfect. We did find a couple of recent incidents, including one that could have exposed the sensitive personal information of BMW customers, and a few older incidents reported back in 2015 and 2018. The good news is, as far as we can tell, BMW is generally proactive and responsive when security vulnerabilities are brought to their attention. They even have a section on their website where they recognize and thank security researchers that have pointed out vulnerabilities to them, which we think is pretty cool.
So, yay, BMW isn't the worst car company we reviewed when it comes to privacy! Still, they are far from great. So, what's the worst that could happen? Well, we must admit when reading about their Digital Key Connected Drive feature that allows BMW owners to share access to their cars with up to five friends or family members all while limiting things like speed, radio volume, and then being able to revoke that digital key at any time, our brains went crazy with worst case scenarios. Can you imagine if you shared your car with an abusive spouse who only allowed you access to drive your BMW through the Digital Key features and could thus revoke your access to your car at any time, or limit the speed you could drive all while tracking your location at all times? Yikes! To be fair, this isn't only a concern with BMW connected car features. But sheesh, playing out worst case scenarios with connected cars can get scary fast. Oh yeah, there's also the fact that while BMW hasn't had any major data leaks or security breaches yet, with all that crazy amount of personal information and location information and knowing how fast you like to drive, here's hoping that never happens in the future. You might not want your insurance company to know about your lead foot... except, there's a pretty high likelihood they already do.
Tips to protect yourself
- If you use BMW CarData, only give access to your data to trusted third-parties.
- Do not give consent to tailored advertisement.
- Opt out from selling of your personal information, as well as from Cross-context Behavioral Advertising.
- Always do a factory reset on your car before selling or trading it away to wipe your data clean and disconnect the app.
- Before reselling your car, make sure to notify the company.
- When buying a used car, always make sure the previous owner removed their connected account and performed a factory reset.
- Always use strong passwords and set up two-factor authentication for apps and services that connect to your car.
- Only give access to your data to trusted third-parties.
- When connecting a mobile app to the car, make sure to minimize the amount of data collected through this app. You can use iOS or Android settings to limit the data collected through your phone.
- Opt out from your mobile device's location sharing.
- Do not use Amazon Alexa in your car if you are concerned about Amazon collecting that voice request information, IP address, and geolocation information and using it to target you with advertising.
What can be used to sign up?
What data does the company collect?
Last name, first name, address, email address, phone number. Potentially gender, age, or marital status; calendar events, including event title, location, or start or end times; your contacts, including names, addresses, or phone numbers. Inferences: "Examples include information BMW NA collects to create a profile about a consumer reflecting the consumer's preferences, characteristics, marketing, analytics, and preference data, brand loyalty, behavior, or attitudes." Vehicle- and driving-related data: Geolocation data, Vehicle status information (e.g. mileage, battery voltage, door and hatch status, etc.), Position and movement data (e.g. time, position, speed, etc.), Vehicle service data (e.g. due date of next service visit, oil level, brake wear, etc.), Dynamic traffic information (e.g. traffic jams, obstacles, signs, parking spaces, etc.), Vehicle images, including 3-D images around your vehicle, Environmental information (e.g. temperature, rain, etc.), User profile (personal profile picture/avatar, settings as navigation, media, communication, driver’s position, climate/light, driver assistance, etc.), Sensor information (e.g. radar, ultrasonic devices, gestures, voice, etc.), analytics pertaining to your use of the Services, such as click events or app launch events.
How does the company use this data?
How can you control your data?
What is the company’s known track record of protecting users’ data?
In April 2023, one independent dealer of BMW France suffered a data breach. Play Ransomware group has claimed responsibility for the cyber attack on BMW France. BMW stepped in and offered to help the independent dealer address the problem.
In January 2023, a security researcher discovered API flaws at BMW that reportedly could have allowed access to BMW's customer files and revealed sensitive personal information of their customers. BMW fixed the security issue after they were made aware of it.
Child Privacy Information
Can this product be used offline?
User-friendly privacy information?
BMW had fewer links to various privacy policies than other car companies we reviewed. However, their privacy notices were still long, complicated, and full of legalese that was often difficult to follow and understand clearly.
Links to privacy information
Does this product meet our Minimum Security Standards?
BMW says, "Collected data is transferred only in encrypted form. Sensitive data is also saved only in encrypted form." However, we cannot determine if all data sitting on the car, including telematic data the car collects as well as data shared when you connect your phone, sits encrypted, and if all collected data is encrypted in transit. We reached out to the company multiple times to attempt to determine this and received no response.
All personal information stored in your online My BMW profile requires a unique password and Login ID to access it (your BMW Login). With this password you can edit, delete or add to information you have shared while visiting our Sites.
"We periodically release software updates so the vehicle has the latest compatible SYNC version."
BMW runs a bug bounty at HackerOne. Not only that, BMW has a section on their website recognizing and thanking security researchers who have helped them identify security issues. Not gonna lie, that's pretty good. Good work BMW.
"Available in many models since the end of 2018, the Intelligent Personal Assistant uses AI and makes it easier for the customer to operate the vehicle. With the command "Hey BMW" the driver can activate the IPA and control many functions by voice command and without predetermined commands."
Is this AI untrustworthy?
What kind of decisions does the AI make about you or for you?
Is the company transparent about how the AI works?
Does the user have control over the AI features?
- Your Car Is Tracking You Just as Much as Your Smartphone Is—and Your Data Is at Risk (The Drive)
- From Ferrari to Ford, Cybersecurity Bugs Plague Automotive Safety (Dark Reading)
- Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More (Sam Curry)
- Critical flaws found in Ferrari, Mercedes, BMW, Porsche, and other carmakers (Security Affairs)
- BMW claims data breach limited to local dealer (Cybernews)
- Toyota, Mercedes, BMW API flaws exposed owners’ personal info (Bleeping Computer)
- BMW Potential Data Breach Puts Customers Information At Risk! (The Cyber Express)
- The Potential Risks Of Digital Car Keys (Slash Gear)
- Apple and BMW’s digital car key hints at the future of the iPhone (Wired)
- BMW and the Digital Key Plus support for Pixel and Samsung (Medium)
- Over a dozen vulnerabilities uncovered in BMW vehicles (ZD Net)
- BMW fixes security flaw in its in-car software (Reuters)
- BMW racing to patch 14 security vulnerabilities found in its cars (Digital Trends)
- BMW cars found to contain more than a dozen flaws (BBC)
- Car buyers balk at monthly fees for add-on features (Axios)