Warning: *Privacy Not Included with this product
Cadillac is a famous American luxury car brand owned by parent company General Motors. Founded in 1902, Cadillac is one of the US's oldest car brands with quite an interesting history. Driving a Cadillac -- often lovingly called a Caddy -- has a long pop culture association with having made it in life. If you could drive a Caddy, you were somebody. Today's Cadillac models include the legendary Escalade, and lesser known models such as the XT5, XT6, CT5, and the electric Lyriq. The myCadillac app and their OnStar Connected Services let users do remote car things like start and stop, lock and unlock your car, honk the horn, and check how much gas you have left in the tank. OnStar is the OG connected car service, first offered way back in 1996, and has offered services like automatic crash response and stolen vehicle assistance for years. So, how are Cadillac, OnStar, and General Motors at privacy? Dare we say, crappy? Yes, they are crappy at privacy.
What could happen if something goes wrong?
If your idea of a good time is to search out and read many, many, many various privacy statements, well, Cadillac's parent company General Motors' privacy landscape is for you! (At least for folks in the US; you Europeans have it a bit easier.) At least six separate privacy statements for folks in the US was our count. That includes their General Privacy Statement, their OnStar Privacy Statement, their US Connected Services Privacy Statement, their Privacy Statement for Application Services, the OnStar Guardian Privacy Statement, and their California Privacy Statement (which, pro tip for folks who don't read privacy policies for a living: if you only have time to read one privacy statement, read the California one, as California's strong privacy law, known as CCPA, requires companies to disclose more of what they are collecting on you, who they are sharing it with, and for what purposes than anywhere else). Yeesh GM! Maybe take a little of that money you have and build folks a nice, easy-to-navigate privacy hub. Just a suggestion. (Also, we linked to all these privacy documents below so you don't have to search for them.)
Anyway, after reading through all those lovely privacy statements, what did we learn about GM's privacy? Well, we learned it's not great.
Here's the thing. GM really, really wants you to connect to their cars with your phone and use their connected services. It makes them money, so of course they want that. In fact, earlier in 2023 they started adding $1,500 onto the sticker price of some GM cars for three years of their OnStar and Connected Services Premium Plan. They call this an "option" on the sticker, but it turns out it's really not much of an option. Car buyers don't have a choice but to pay that $1,500 for the OnStar connected services "option," and even if they choose not to connect to and use the OnStar connected service, they still have to pay that $1,500. One article we read called this a "forced option," and well, that doesn't sound like much of an option to us. On top of that, OnStar's privacy policy says they collect a whole lot of personal information and car data on you and use it for things like marketing and more. Even worse, it seems GM and OnStar have a fairly close relationship with law enforcement and government, including the US's ICE (Immigration and Customs Enforcement) agency. It has been reported they turn over location data to law enforcement often.
And GM does say they can collect a whole lot of data on you through your car, the myCadillac app, and those OnStar connected services. Their privacy policies say they can collect everything from your name, address, geolocation data, characteristics such as age, race, color, religion, medical conditions, physical or mental disabilities, sex, gender identity, pregnancy, sexual orientation, genetic, physiological, behavioral, and biological characteristics such as fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data, to audio, electronic, visual, thermal, olfactory, or similar information. Sooo much information. And that's just the information they say they might collect about you. Then there's the information they say they can collect on your car and driving habits, including license plate number, vehicle identification number (VIN), geolocation, route history, driving schedule, speed, vehicle direction (heading), audio or video information such as information collected from camera images and sensor data, voice command information, and infotainment (including radio and rear-seat infotainment) system and WiFi data usage. Like we said, sooo much information.
But wait! There's more (there's always more). They add (as nearly all car companies do) that they can take the personal information they collect on you and use it to draw inferences about you "reflecting your preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, or aptitudes" for things like marketing purposes. Yikes! Do we really need GM drawing inferences about our intelligence and abilities to determine how to market things to us? Sounds like a bad idea.
Another thing that concerns us is the issue of consent. Just when do you consent to GM collecting all this data? Is it when you buy the car (because we're pretty sure no one is reading privacy policies then)? Perhaps when you connect your phone to your car? Yeah, most people probably aren't reading privacy policies then either. We read an article where a GM executive states, "Nothing happens without customer consent." But what does that consent really look like? Remember, it took your intrepid privacy researchers a full day to try and sort through GM's many, many privacy policies. Do consumers really understand what they sign up for when they buy a car with OnStar or download and connect the app? We'd sure like to see GM (and all car companies) make sure consumers actually understand all the personal information and car data they are collecting, and give consumers more ways to opt out of, control, and change what data is collected on them from these connected computers on wheels.
And what if you want to get all that data GM has on you deleted? Well, you're probably out of luck, unless you live somewhere with strong privacy laws like California's CCPA or Europe's GDPR. If you don't live there, you probably won't have much success getting GM to delete your data. In fact, on the myCadillac app Google Play Store Data Safety page, they admit, "Data can't be deleted: The developer doesn't provide a way for you to request that your data be deleted." Not cool GM, not cool.
All this, and GM's track record of protecting and respecting all that personal information isn't exactly spotless (which you kinda want to see when a company collects so much personal information on you). In 2022, GM reported a significant data breach that exposed the personal information, including name, address, saved favorite location, and search and destination information, of some of their customers. So yeah, they collect a ton of data, might not let you delete the data they collect on you, hold onto that data for likely as long as they want, and then might not even do a great job of protecting that data. Nice!
What's the worst that could happen as you drive around in your Cadillac with OnStar and the myCadillac app? Well, based on reports of how OnStar location and other information is shared with law enforcement and government to track people, that gets kinda scary to think about if you live in a US state that bans abortion and wants to track people traveling to other states for their reproductive health care. That's bad. Or if you live in a country where the government could decide they want to track you down for any reason at all. That's also bad. Thinking about the potential for government tracking and controlling of any connected car -- not just GM's -- can get scary fast. Here's hoping regulators step up soon and work to put measures in place to protect people from all this data collection and potential tracking.
Tips to protect yourself
- Opt out of the "Sale" of your personal information. To do it, visit consumerprivacy.gm.com.
- Opt out of the "Sharing" of your personal information for cross-contextual behavioral advertising. To do it, visit consumerprivacy.gm.com.
- Opt out of Automated Decision-Making Technology. To do it, visit consumerprivacy.gm.com.
- Do not give consent to tailored advertising.
- Opt out of the sale of your personal information, as well as of cross-context behavioral advertising.
- Always do a factory reset on your car before selling or trading it away to wipe your data clean and disconnect the app.
- Before reselling your car, make sure to notify the company.
- When buying a used car, always make sure the previous owner removed their connected account and performed a factory reset.
- Always use strong passwords and set up two-factor authentication for apps and services that connect to your car.
- Only give access to your data to trusted third parties.
- When connecting a mobile app to the car, make sure to minimize the amount of data collected through this app. You can use iOS or Android settings to limit the data collected through your phone.
- Opt out of your mobile device's location sharing.
- Do not use Amazon Alexa in your car if you are concerned about Amazon collecting that voice request information, IP address, and geolocation information and using it to target you with advertising.
Can it snoop on me?
Camera: Device: Yes, App: Yes
Microphone: Device: Yes, App: Yes
Tracks location: Device: Yes, App: Yes
What can be used to sign up?
Yes
Phone: Yes
Third-party account: N/A
What data does the company collect?
Personal
"Your name, postal address, telephone number, date of birth, e-mail address, screen name, account ID, customer number, login information, demographic data or protected classification information, gender, password, PIN, emergency contact information, information about the acquisition and financing of your vehicle, voice biometric information as described in the Biometric Technology Section below, whether or not you have financed or leased your vehicle, the lease/financing term, and billing information, your credit card number, CVV code and expiration date. We may also collect information related to My Rewards and the My GM Rewards Card Program ("GM Card") including rewards points, account type, tier status, enrollment, and redemption. In limited circumstances, we may collect a Social Security Number, for example if you win a sweepstakes or receive compensation that must be reported for government tax purposes. Vehicle- and driving-related Information: license plate number, vehicle identification number (VIN), mileage, vehicle status (such as oil/battery status, ignition, window, and door/trunk lock status), fuel or charging/discharging history, electrical system function, gear status, battery diagnostic and health, and diagnostic trouble codes, operational and safety related information: such as geolocation, route history, driving schedule, speed, air bag deployments, crash avoidance alerts, impact data, safety system status, braking and swerving/cornering events, event data recorder (EDR) data, seat belt settings, vehicle direction (heading), audio or video information such as information collected from camera images and sensor data, voice command information, stability control or anti-lock events, security/theft alerts, and infotainment (including radio and rear-seat infotainment) system and WiFi data usage."
Body related
Voice biometric data, voiceprints, physiological or biological characteristics, such as medical information collected to provide OnStar emergency services that you have requested
Social
How does the company use this data?
How can you control your data?
What is the company’s known track record of protecting users’ data?
In April 2022, GM suffered a credential stuffing attack.
"The personal information of affected customers included first and last names, personal email addresses, home addresses, usernames and phone numbers for registered family members tied to the account, last known and saved favorite location information, currently subscribed OnStar package (if applicable), family members' avatars and photos (if uploaded), profile pictures and search and destination information. Other information available to hackers included car mileage history, service history, emergency contacts and Wi-Fi hotspot settings (including passwords). Apart from resetting their passwords, GM advised affected individuals to request credit reports from their banks and place a security freeze if required."
Child Privacy Information
Can this product be used offline?
User-friendly privacy information?
General Motors has a long list of various privacy policies to sort through and decipher.
Links to privacy information
- GM Privacy Statement
- Privacy Statement for Application Services
- Privacy Hub for OnStar
- Privacy Statement for OnStar Guardian
- Legal Notice, Site Terms and Conditions, Privacy & Cookie Policy (Europe)
- General Motors U.S. Connected Services Privacy Statement
- California Privacy Statement
- Cadillac Europe Consumer Privacy Statement
- Legal Notice, Website Terms of Use, Privacy and Cookie Policy (German-language)
Does this product meet our Minimum Security Standards?
Encryption
We cannot determine if all data sitting on the car, including telematics data the car collects as well as data shared when you connect your phone, sits encrypted at rest, or if all collected data is encrypted in transit. We reached out to the company multiple times to attempt to determine this and received no response.
Strong password
Security updates
Manages vulnerabilities
GM runs a bug bounty on HackerOne.
Privacy policy
Is this AI untrustworthy?
What kind of decisions does the AI make about you or for you?
Is the company transparent about how the AI works?
Does the user have control over the AI features?
Dive Deeper
- GM calls $1,500 OnStar plan optional — but new car buyers are being forced into it (Detroit Free Press)
- Car buyers balk at monthly fees for add-on features (Axios)
- GM confirms it's dropping Apple CarPlay and Android Auto from 2024 EVs (Ars Technica)
- GM Confirms It's Making $1500 Option Mandatory on Some New Models (Car and Driver)
- GM Vowed To Make Money Out of Connected Services and It Now Forces OnStar on Its Customers (AutoEvolution)
- This California agency wants to know what happens to all that connected car data (TechCrunch)
- What does your car know about you? We hacked a Chevy to find out. (The Washington Post)
- GM studying artificial intelligence assistant that could answer driver questions (Detroit Free Press)
- General Motors credential stuffing attack exposes car owners info (Bleeping Computer)
- US Car Giant General Motors Hit by Cyber-Attack Exposing Car Owners' Personal Info (Infosecurity Magazine)
- Privacy Battles: OnStar Says GM May Record Car's Use, Even if You Cancel Service (ABC News)
- Hackers Accessed Car Owners' Personal Information in General Motors Credential Stuffing Attack (CPO Magazine)