Cadillac

Warning: *Privacy Not Included with this product

General Motors
Wi-Fi Bluetooth

Review date: Aug. 15, 2023

People voted: Super creepy

Cadillac is a famous American luxury car brand owned by parent company General Motors. Founded in 1902, Cadillac is one of the US's oldest car brands with quite an interesting history. Driving a Cadillac -- often lovingly called a Caddy -- has long been a pop culture reference to having made it in life. If you could drive a Caddy, you were somebody. Today's Cadillac models include the legendary Escalade, and lesser-known models such as the XT5, XT6, CT5, and the electric Lyriq. The myCadillac app and their OnStar Connected services let users do remote car things like start and stop, lock and unlock your car, honk the horn, and check and see how much gas you have left in the tank. OnStar is the OG connected car service, first offered way back in 1996, and has offered services like automatic crash response and stolen vehicle assistance for years. So, how are Cadillac, OnStar, and General Motors at privacy? Dare we say, crappy? Yes, they are crappy at privacy.

What could happen if something goes wrong?

If your idea of a good time is to search out and read many, many, many various privacy statements, well, Cadillac's parent company General Motors' privacy landscape is for you! (At least for folks in the US, you Europeans have it a bit easier). At least six separate privacy statements for folks in the US was our count. That includes their General Privacy Statement, their OnStar Privacy Statement, their US Connected Services Privacy Statement, their Privacy Statement for Application Services, the OnStar Guardian Privacy Statement, and their California Privacy Statement (which, pro tip for folks who don't read privacy policies for a living: if you only have time to read one privacy statement, read the California one, as California's strong privacy law, known as CCPA, requires companies to disclose more of what they are collecting on you, who they are sharing it with, and for what purposes than anywhere else). Yeesh GM! Maybe take a little of that money you have and build folks a nice, easy to navigate privacy hub. Just a suggestion. (Also, we linked to all these privacy documents below so you don't have to search for them.)

Anyway, after reading through all those lovely privacy statements, what did we learn about GM's privacy? Well, we learned it's not great.

Here's the thing. GM really, really wants you to connect to their cars with your phone and use their connected services. It makes them money, so of course they want that. In fact, earlier in 2023 they started adding $1,500 onto the sticker price of some GM cars for three years of their OnStar and Connected Services Premium Plan. They call this an "option" on the sticker, but turns out, it's really not much of an option. Car buyers don't have a choice but to pay that $1,500 for the OnStar connected services "option" and even if they choose not to connect and use the OnStar connected service, they still have to pay that $1,500. One article we read called this a "forced option" and well, that doesn't sound like much of an option to us. On top of that, OnStar's privacy policy says they collect a whole lot of personal information and car data on you and use it for things like marketing and more. Even worse, it seems GM and OnStar have a fairly close relationship with law enforcement and government, including the US's ICE (Immigration and Customs Enforcement) agency. It has been reported they turn over location data to law enforcement often.

And GM does say they can collect a whole lot of data on you through your car, the myCadillac app, and those OnStar connected services. Their privacy policies say they can collect everything from your name, address, geolocation data, characteristics such as age, race, color, religion, medical conditions, physical or mental disabilities, sex, gender identity, pregnancy, sexual orientation, genetic, physiological, behavioral, and biological characteristics such as fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data, audio, electronic, visual, thermal, olfactory, or similar information. Sooo much information. And that's just the information they say they might collect about you. Then there's the information they say they can collect on your car and driving habits, including license plate number, vehicle identification number (VIN), geolocation, route history, driving schedule, speed, vehicle direction (heading), audio or video information such as information collected from camera images and sensor data, voice command information, and infotainment (including radio and rear-seat infotainment) system and WiFi data usage. Like we said, sooo much information.

But wait! There's more (there's always more). They add (as nearly all car companies do) that they can take the personal information they collect on you and use it to draw inferences about you "reflecting your preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, or aptitudes" for things like marketing purposes. Yikes! Do we really need GM drawing inferences about our intelligence and abilities to determine how to market things to us? Sounds like a bad idea.

Another thing that concerns us is the issue of consent. Just when do you consent for GM to collect all this data? Is it when you buy the car (because we're pretty sure no one is reading privacy policies then)? Perhaps when you connect your phone to your car? Yeah, most people probably aren't reading privacy policies then either. We read an article where a GM executive states, "Nothing happens without customer consent." But what does that consent really look like? Remember, it took your intrepid privacy researchers a full day to try and sort through GM's many, many privacy policies. Are consumers really understanding what they sign up for when they buy a car with OnStar or download and connect the app? We'd sure like to see GM (and all car companies) make sure consumers actually understand all the personal information and car data they are collecting and give consumers more ways to opt out, control, and change what data is collected on them from these connected computers on wheels.

And what if you want to get all that data GM has on you deleted? Well, you're probably out of luck. Unless you live somewhere with strong privacy laws like California's CCPA or Europe's GDPR. If you don't live there, you probably won't have much success getting GM to delete your data. In fact, on the myCadillac app Google Play Store Data Safety page, they admit, "Data can’t be deleted: The developer doesn't provide a way for you to request that your data be deleted." Not cool GM, not cool.

All this, and GM's track record of protecting and respecting all that personal information isn't exactly spotless (which you kinda want to see when a company collects so much personal information on you). In 2022, GM reported a significant data breach that exposed the personal information, including name, address, saved favorite location, and search and destination information, of some of their customers. So yeah, they collect a ton of data, might not let you delete that data they collect on you, hold onto that data for likely as long as they want, and then might not even do a great job of protecting that data. Nice!

What's the worst that could happen as you drive around in your Cadillac with OnStar and the myCadillac app? Well, based on reports of how OnStar location and other information is shared with law enforcement and government to track people, that gets kinda scary to think about if you live in a US state that bans abortion and wants to track people traveling to other states for their reproductive health care. That's bad. Or if you live in a country where the government could decide they want to track you down for any reason at all. That's also bad. Thinking about the potential for government tracking and controlling of any connected car -- not just GM's -- can get scary fast. Here's hoping regulators step up soon and work to put measures in place to protect people from all this data collection and potential tracking.

Tips to protect yourself

  • Opt out of the 'Sale' of your personal information. To do it, visit consumerprivacy.gm.com
  • Opt out of the “Sharing” of Your Personal Information for cross-contextual
    behavior advertising. To do it, visit consumerprivacy.gm.com
  • Opt out of Automated Decision-Making Technology. To do it, visit consumerprivacy.gm.com
  • Do not give consent to tailored advertisement.
  • Opt out from selling of your personal information, as well as from Cross-context Behavioral Advertising.
  • Always do a factory reset on your car before selling or trading it away to wipe your data clean and disconnect the app.
  • Before reselling your car, make sure to notify the company.
  • When buying a used car, always make sure the previous owner removed their connected account and performed a factory reset.
  • Always use strong passwords and set up two-factor authentication for apps and services that connect to your car
  • Only give access to your data to trusted third-parties
  • When connecting a mobile app to the car, make sure to minimize the amount of data collected through this app. You can use iOS or Android settings to limit the data collected through your phone.
  • Opt out from your mobile device's location sharing.
  • Do not use Amazon Alexa in your car if you are concerned about Amazon collecting that voice request information, IP address, and geolocation information and using it to target you with advertising.

Can it snoop on me?

Camera

Device: Yes

App: Yes

Microphone

Device: Yes

App: Yes

Tracks location

Device: Yes

App: Yes

What can be used to sign up?

What data does the company collect?

How does the company use this data?

We ding this product as it sells and shares personal data with third parties for marketing purposes.

OnStar Privacy Statement
"We may collect information about you when you access or use the Connected Services and otherwise with your consent. We may also collect your information from automotive dealers, licensees, service providers, other independent third party sources, and companies we do business with."

"We may use your information in order to: ...
perform marketing, including interest-based marketing and advertising across your devices (with necessary consents)
customize and improve communication content and your experience with GM
comply with legal, regulatory or contractual requirements
protect our rights, or to detect, investigate, and prevent fraud or other illegal activity
develop new Connected Services, including autonomous vehicle and car-sharing Connected Services"

"We may de-identify your information in a way that it can't reasonably be associated with you or your vehicle,
and maintain and use such de-identified information or share it with third parties for any legitimate business purpose. When we maintain or use information that has been de-identified, we take reasonable steps to ensure that such information is maintained and used only in de-identified form, and will not attempt to re-identify such information unless required or permitted by law."

"We may share the categories of your information described above as follows: ...
Within the GM family of companies (for example, including OnStar)

With business that GM enters into business relationships, such as SiriusXM, in connection with their products and services; research institutes, for research and development purposes (for example, improving highway safety); or dealers, fleet, or rental car companies, for service or maintenance of your vehicle. We may also share data with third parties for marketing activities (with necessary consents)

Where Required or Permitted by Law: As required or permitted by law, such as in conjunction with a subpoena, government inquiry, litigation, dispute resolution, or similar legal process, when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, to detect, investigate and prevent fraud or other illegal activity, or to conduct screening to ensure you are not on any government list of restricted parties."

"The nature of our Connected Services means that there may be circumstances where you might let someone else use a product or service that we provide to you (for example, you enrolled your vehicle in Connected Services services and then let someone else drive the vehicle). It is important that if you do let someone else use one of our products or services that you inform them of this Privacy Statement and of the privacy choices that you have made."

"If you sell or otherwise transfer your vehicle, it is your responsibility to delete all information (such as contacts, address look-ups, saved map addresses, or preferences) from the vehicle and contact us to transfer or cancel your account. If you do not delete this information, it may remain in the vehicle and may be accessible to future users of the vehicle. For instructions on how to delete information from your vehicle, please refer to your vehicle owner’s manual."

GENERAL MOTORS PRIVACY STATEMENT

"GM may share the information it collects about you, your vehicle, or your connected devices (including the categories of information listed above) in the following instances and with the following categories of third parties:

within GM, with our GM controlled subsidiaries and affiliates, with GM dealers, with service providers we or our dealers use to deliver products and services to you, and with GM licensees. However, transaction information regarding your GM Card will not be shared with GM dealers
with our services providers who work on our behalf and who do not have an independent right to use the information to which they have access or that we disclose to them
with companies we enter into business or marketing arrangements with, such as arrangements supporting services we offer to you and our GM card program
with third parties for research and development purposes (such as university research institutes for improving highway safety)
in connection with the sale, transfer or financing of a significant part of a GM business or its assets, including any such activities associated with a bankruptcy proceeding
when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, detect, investigate and prevent fraud or other illegal activity, or respond to a law enforcement request
as required or permitted by law, such as in conjunction with a subpoena, government inquiry, litigation, dispute resolution or similar legal process"

"GM and dealers that sell GM vehicles are separate legal entities with their own privacy practices. This Privacy Statement does not apply to a dealer’s collection, use, or sharing of your information. For questions about your dealer's privacy practices including opting out of marketing communications from your dealer, please contact your dealer directly."

"We may also collect information that is publicly available. For example, we may collect publicly available information you submit to a blog, a chat room, or a social media platform, and we may use your information for the purposes set out in this Privacy Statement. "

CALIFORNIA PRIVACY STATEMENT

GM may sell or share given types of data for marketing purposes:
- "Identifiers, such as name, postal address, unique personal identifier, internet protocol address, signature, email address, account name, or other similar identifiers."
- "Internet or other electronic network activity information, including, browsing history, search history, and information regarding Your interaction with an internet website, application, or advertisement."

GENERAL MOTORS U.S. CONNECTED SERVICES PRIVACY STATEMENT

"We may use your information in order to:
<...> perform marketing, including interest-based marketing and advertising across your devices (with necessary consents)"

"We may also share data with third parties for marketing activities (with necessary consents) or where you have elected to receive a service from them and/or authorized them to request data from GM (for example, financial organizations who offer financing for the purchase or lease of GM vehicles or usage based insurance providers)."

"We may share your information within GM, with automotive dealers, licensees, and companies with whom we enter into business relationships, in order to develop, enhance, provide, service, maintain, and improve the safety, security, and quality of our products, programs, and services, to respond to your requests, to allow recipients to use it for marketing, and as required or permitted by law. In some instances, we may ask you for consent or de-identify your information before sharing it."

"We may share the categories of your information described above as follows:
<...>
- Third-Party Business Relationships: With business that GM enters into business relationships, such as SiriusXM, in connection with their products and services; research institutes, for research and development purposes (for example, improving highway safety); or dealers, fleet, or rental car companies, for service or maintenance of your vehicle. We may also share data with third parties for marketing activities (with necessary consents) or where you have elected to receive a service from them and/or authorized them to request data from GM (for example, financial organizations who offer financing for the purchase or lease of GM vehicles or usage based insurance providers).
- Service Providers: With our product and service providers who work on our behalf in connection with the uses described in the preceding section, such as dealer managed service providers, wireless service providers (e.g. AT&T), companies that administer our contests and promotions, host and/or operate our websites, send communications, perform data analytics, process, store, or manage credit card, information (we will not otherwise share your credit card information)."

"Certain third party services or applications (for example, your carrier data plan, navigation services) you download, that are pre-installed, or which you may sign up for may have separate user terms and privacy statements, which are independent of our Privacy Statement. GM is not responsible for the personal information practices of these third party services or applications and your use is subject to the user terms and privacy statement for those third party services or applications. We recommend that you carefully review the user terms and privacy statement of each third party service or application before using that service or application. Similarly, our websites may contain links to independent sites outside of and not controlled by GM, such as those belonging to GM dealers, GM licensees, or independent product review sites. GM is not responsible for these sites or the omissions, policies, or content of these sites, and GM is not responsible for the personal information practices of such third parties. We recommend that you read the privacy policies of these third parties before providing them any personal information and before using their sites."

Privacy Statement for OnStar Guardian

"By using the Application, other members of your “My Family”, now or in the future, may have access to your account information, phone number, device information, driving status, and the location of your Device, even when your Device is outside of the United States or Canada. You can restrict the sharing of your information with you “My Family” members by turning off Location Sharing in the Application Settings menu."

Privacy Statement for Application Services

"We may share information we collect about you as described in the OnStar Privacy Statement. For example, we share information with necessary third parties when you use the Application to make requests for third party or related services available through the Application, such as for dealer maintenance appointments or roadside assistance. We may share the location of your Device in the same manner as we share location and speed of your Vehicle. For example, we may share the location of your Device with:
• third party service providers working on our behalf,
• emergency service providers,
• others when required by law, and
• those you ask us to share this information with.
We may also share the location of your Device when necessary to provide the Application Services to you; to comply with legal obligations; to protect the safety and rights of you and others; for product safety and security purposes; and for the purposes described in the OnStar Privacy State"

How can you control your data?

We ding this product as it is unclear if all users regardless of location can get their data deleted.

"Other than as required by law, we do not respond to signals or mechanisms enabled in web browsers indicating a preference to exercise the rights listed above."

"Residents of certain states, such as California and Virginia, may have the right to submit a privacy request in accordance with their local laws. Depending on where you live, you may have the right under your local laws to request that we,
- provide access to the personal information that we collect about you – to do so, submit a request to Access My Personal Information,
- delete the personal information that we collect about you – to do so, submit a request to Delete My Personal Information, or
- correct inaccuracies in the personal information that we collect about you – to do so, submit a request to Correct My Personal Information.
You may also have the right under your local laws to opt-out of certain ways that we use and share your personal information, such as to opt-out of:
- the sale of your personal information to third parties, which may include, for example, where we share your personal information with third parties for their own independent uses – to do so, submit a request to Do Not Sell My Personal Information,
- to opt-out of certain types of targeted advertising based on your activity across other sites – to do so, submit a request to Opt-out of Targeted Advertising (for California residents, Do Not Share My Personal Information); please note, after opting out of targeted advertising, you may still see advertising from us on other sites based on your current visits to those sites, or
- to opt-out of certain types of automated processing of your personal information – to do so, submit a request to Opt-out of Profiling."

"We may keep the information we collect for as long as necessary to provide products or services to you, to operate our business, to enable us to communicate with you, for our safety, research, evaluation of use, or troubleshooting purposes, or to satisfy our legal or contractual obligations. Where required, we will de-identify or dispose of the information we collect when we no longer need it for the uses described in this Privacy Statement. "

What is the company’s known track record of protecting users’ data?

Needs Improvement

In April 2022, GM suffered a credential stuffing attack.

"The personal information of affected customers included first and last names, personal email addresses, home addresses, usernames and phone numbers for registered family members tied to the account, last known and saved favorite location information, currently subscribed OnStar package (if applicable), family members' avatars and photos (if uploaded), profile pictures and search and destination information. Other information available to hackers included car mileage history, service history, emergency contacts and Wi-Fi hotspot settings (including passwords). Apart from resetting their passwords, GM advised affected individuals to request credit reports from their banks and place a security freeze if required."

Child Privacy Information

"GM websites, in-vehicle applications, and other online services do not target or knowingly collect any information from children under the age of 13."

Can this product be used offline?

Yes

User-friendly privacy information?

No

General Motors has a long list of various privacy policies to sort through and decipher.

Links to privacy information

Does this product meet our Minimum Security Standards?

Unknown

Encryption

Can’t Determine

We cannot determine if all data sitting on the car, including telematic data the car collects as well as data shared when you connect your phone, sits encrypted, and if all collected data is encrypted in transit. We reached out to the company to attempt to determine this multiple times and received no response.

Strong password

N/A

Security updates

Yes

Manages vulnerabilities

Yes

GM runs a bug bounty on HackerOne.

Privacy policy

Yes

Does the product use AI?

Yes

GM offers Super Cruise, a hands-free driver assistance technology for compatible roads. Select 2023 vehicles will include additional features plus an expansion of compatible roads.

It was reported in 2023 that GM is studying an artificial intelligence assistant that could answer driver questions.

Is this AI untrustworthy?

Can’t Determine

What kind of decisions does the AI make about you or for you?

Is the company transparent about how the AI works?

Can’t Determine

Does the user have control over the AI features?

Can’t Determine

Dive Deeper

  • GM calls $1,500 OnStar plan optional — but new car buyers are being forced into it
    Detroit Free Press
  • Car buyers balk at monthly fees for add-on features
    Axios
  • GM confirms it’s dropping Apple CarPlay and Android Auto from 2024 EVs
    Ars Technica
  • GM Confirms It's Making $1500 Option Mandatory on Some New Models
    Car and Driver
  • GM Vowed To Make Money Out of Connected Services and It Now Forces OnStar on Its Customers
    AutoEvolution
  • This California agency wants to know what happens to all that connected car data
    TechCrunch
  • What does your car know about you? We hacked a Chevy to find out.
    The Washington Post
  • GM studying artificial intelligence assistant that could answer driver questions
    Detroit Free Press
  • General Motors credential stuffing attack exposes car owners info
    Bleeping Computer
  • US Car Giant General Motors Hit by Cyber-Attack Exposing Car Owners' Personal Info
    Infosecurity Magazine
  • Privacy Battles: OnStar Says GM May Record Car's Use, Even if You Cancel Service
    ABC News
  • Hackers Accessed Car Owners’ Personal Information in General Motors Credential Stuffing Attack
    CPO Magazine
