Hyundai

Warning: *privacy not included with this product

Hyundai

Hyundai Motor Company
Wi-Fi Bluetooth

Review date: Aug. 15, 2023

|
|

Mozilla says

|
People voted: Super creepy

Hyundai is a South Korean car company founded in 1967. Once knocked for building cheap, unreliable cars, Hyundai has improved their reputation over the past few decades and is now pretty popular around the world. Newer models inculde the Elantra, Kona, Sonata, Santa Fe, and EVs Ioniq 5 and Nexo. Their MyHyundai app and Bluelink connected servcies lets owners do lots of remote things like start the vehicle, lock and unlock the car, honk the horn and flash the lights, check your EV's charging status, and even connect your WearOS watch for voice commands do remote car things as well. So, how is Hyundai at privacy? Well, they are pretty yucky to be honest.

What could happen if something goes wrong?

Hyundai nooooooo! We loved your wholesome Kevin Bacon commercial. But your privacy policies? They seem like they were written in a tiny town where privacy is illegal (that was a Kevin Bacon/Footloose movie joke for you young'uns). We did not enjoy reading them. Here’s what gave us the willies: Hyundai collects a massive amount of detailed and sensitive data about you and what you do. And we don’t like how they treat it: When they’re not sharing or selling it (two things we feel they do too much of) they fail to keep it safe. Oh, and their position on sharing all that data and personal information with law enforcement and governments is not great at all.

Like all the cars we looked at, Hyundai collects a ton of information about what you do in your car, through the app, using those Bluelink connected services, and more Things like your geolocation, how fast you drive, whether you’re using the seatbelts, your presets and use of your car’s features, and when exactly you do these things. They also collect “sensor data” that’s created by your vehicle, which can include “images and event data.” OK so basically everything you do in your car. What else? Well, they collect information about the world around your car, like “images from exterior cameras” and “weather, temperature and other driving conditions.”

Back to you, Hyundai can also collect information about stuff you buy (“purchase history”) and sites you browse online (“browsing history”). Beyond things you do, they collect a lot of information about you; Information about your identity, like your driver’s license number, your IP address, insurance policy number, and other “unique identifiers.” So far, they’re about tied with most of the car companies we looked at, but they don’t stop there.

In their Hyundai Motor America Privacy Policy, they flip-flop from pretty specific examples of data they collect, like “disability status” and “citizenship” to waaay more broad ones like “medical information,” and “audio, electronic, visual, thermal, olfactory, or similar information.” Olfactory, if you’re (also) wondering, relates to your sense of smell. Hmm. We don’t think that Hyundai cars are equipped with smell-o-vision (yet) but it does seem like they’re keeping their options open to collect as much data as possible.

Broad and vague language is common in privacy policies, but it still annoys us every time. Like when Hyundai says, in their California Privacy Supplement, under biometric information collected, that they might collect “[p]physiological, biological or behavioral characteristics.” The example they provide is “fingerprint or facial recognition” that you might use to enroll for certain features. But since that’s technically just an example, that could also give them permission to collect a lot more.

If you connect your phone to your Hyundai, download the MyHyundai with Bluelink App, or use the connected services, the car maker collects even more information about you. The Hyundai Motor America Mobile and Wearable App Privacy Notice and the Vehicle Technologies and Services Privacy Notice link back to their main privacy policy’s California Privacy Supplement for more detail, which suggests all the same information we already talked about can be collected from the app and services too. Plus, a little more. The app privacy policy adds app usage data, account information, information from third parties, and the location of your phone. The technologies and services privacy policy says other drivers and passengers may have access to your personal data if you let them use your car’s connected services. Oh, and! Don’t forget to “inform any such individuals of this Notice and the applicable settings” before they do -- a totally normal chat to have before you let anyone change the radio station.

There’s more! Not all of the information that Hyundai learns and stores about you is taken from your car, what you tell them, or even from your phone. Hyundai can collect information about you from “dealers,” “public sources,” “affiliates and partners,” “data aggregators and brokers,” and “government entities.” Crikey!

Bet you’re wondering what they do with that mountain of data. For one, they use it to make up even more data about you. Hyundai collects “inferences drawn from any of the information identified above to create a profile reflecting a resident’s preferences, characteristics, behavior or attitudes.” There’s that too-broad “characteristics” word again. We’d say more about how we feel about this, Hyundai, but you should be able to ~infer~ our attitude from this review.

More upsetting news: Hyundai does a whole lotta sharing and selling of your data, sometimes for “marketing and promotional purposes.” Specifically, they “may ‘sell’ or ‘share’ identifiers [like your Social Security number in the United States], customer records [which can include “medical information”], commercial information, internet or other electronic network usage data [“search history”], and profiles and inferences to or with affiliates and subsidiaries, marketing partners, third party ad companies and other marketing and advertising partners; and analytics providers.” Affiliates and marketers and partners -- oh my! It’s starting to feel like selling cars is secondary to your data biz, Hyundai.

It also seems like they may share your information with law enforcement without too much arm-twisting, since their privacy policy says they comply with “lawful requests, whether formal or informal.” Does that mean the police don’t even have to say please? Seriously, this really concerns us. Hyundai collects a ton of personal and car information on you, including tracking your precise location. The bar to share that information with law enforcement or governments should be very high, requiring a court order and only sharing the minimum data necessary to comply with that order is what we like to see. The fact that Hyundai says they can share your personal, car, and precise location information with law enforcement and governments based solely on an "informal request" is truly frightening. The potential for abuse here is sky high.

Moving on. Like most connected products, Hyundai can also “collect, use, and disclose” aggregate and anonymized data however they like, which, we do like to point out, especially with large volumes of sensitive information, can be relatively easy to re-identify.

Ouff. OK but since it looks like data’s an important asset to Hyundai, surely they have nailed down how to properly protect it? No, they have not. Another thing that Hyundai does with your data is accidentally give it away. In April, Hyundai suffered a data breach that exposed the personal information of French and Italian car owners who booked a test drive. Worse, in February Hyundai had to patch 8 million cars, after the so-called “Kia Challenge” on TikTok led to hundreds of car thefts, including 14 reported crashes and eight fatalities, according to the United States’ National Highway Traffic Safety Administration. Thieves known as “The Kia Boyz” posted instructional videos about how to bypass the vehicles’ security system using only a USB cable and a screwdriver. Dang, that is really not good. And initial fixes for the problem didn't actually seem to, you know, fix the problem. We did get a good chuckle of Kia's solution to this security problem leaning heavily into trying to take down the TikTok videos showing people how to exploit the problem and maybe not enough into actually fixing the security problem. ""Ira Gabriel, a spokesman for Hyundai, said the company has tried to remove from social media the instructional videos that show how to steal the cars .But as new ones surface,” he said, “there have been additional waves of thefts.”" Call us a tough customer, but we believe taking control of someone else’s car should be more challenging than charging your phone.

Last year, Hyundai made (another) pretty embarrassing misstep when they used an encryption key that was copied from an example listed in a public document, allowing a software developer to “hack” their own car’s software with a simple Google search. That boneheaded oopsie also gave us a good chuckle, but we also don't know if we should laugh or cry and Hyundai's struggle to security their stuff.

So what are your options? Can you at least opt out of some or any of this? Not really. If you opt out of data collection from the technologies and services, then “most Vehicle Technologies and Services will not be available to you.” And if you try to opt out of the collection, sales, or sharing (of information collected through the app or your car) through the Personal Information Request Portal, Hyundai will only “respond to your request as required by state law” which means only Californians and residents of states with similar privacy laws have that right. Oh, and lucky people living in Europe under their stronger GDPR privacy laws will be good too. The rest of us, well, we're probably out of luck. Ugh!

Clearly, bad stuff’s already happening with Hyundai’s privacy practices. But it could get worse. Hyundai could goof up again and expose the absolute avalanche of private data (plus inferences) that they have collected about you. Or they could drop the data security ball (again) by giving away control of your car to folks with more sinister intentions than teenagers on TikTok.

Hyundai’s tagline is “New thinking, new possibilities” but we’d humbly suggest they pump the brakes until they master the fundamentals -- like keeping their cars and customer data secure. Hey, actually, we found a document that summarizes our other suggestions for you pretty well, Hyundai. It mentions the importance of privacy and advocates for data minimization, data security, choice, transparency, and more! Hang on, it looks like you agreed to these principles! Perhaps you should give it another gander. and do better Until then, we’d suggest drivers keep at least six degrees of separation from a Hyundai -- they come with *privacy not included.

Tips to protect yourself

  • Do not give consent to tailored advertisement.
  • Opt out from selling of your personal information, as well as from Cross-context Behavioral Advertising.
  • Always do a factory reset on your car before selling or trading it away to wipe your data clean and disconnect the app.
  • Before reselling your car, make sure to notify the company
  • When buying a used car, always make the previous owner removed their connected account and performed a factory reset.
  • Always use strong passwords and set up two-factor authentication for apps and services that connect to your car
  • Only give access to your data to trusted third-parties
  • When connecting a mobile app to the car, make sure to minimize the amount of data collected through this app. You can use iOS or Android settings to limit the data collected through your phone.
  • Opt out from your mobile device's location sharing.
  • Do not use Amazon Alexa in your car if you are concerned about Amazon collecting that voice request information, IP address, and geolocation information and using it to target you with advertising.
  • mobile

Can it snoop on me? information

Camera

Device: Yes

App: Yes

Microphone

Device: Yes

App: No

Tracks location

Device: Yes

App: Yes

What can be used to sign up?

What data does the company collect?

How does the company use this data?

We ding this product as it shared/sold personal information with third parties including advertisement companies.

Hyundai Motor America Privacy Policy:

"We may collect personal information directly from individuals as well as from third parties (such as social networks, platform providers, payment processors, data providers, and operators of certain third- party services that we use). In addition, we may automatically collect or derive information about your use of our Services or interactions with us. "

"In some cases (such as where required by law), we ask for your consent, or give you certain privacy choices as described in this Policy, regarding our collection, use and disclosure of certain personal information."

"Hyundai may also obtain personal information about you and your vehicle from third parties and other sources, such as:
Vehicle sales records and other public sources, third party data providers we work with to update and enhance our customer records, and third parties that provide us leads including lists of potential vehicle purchasers or current or former owners.
Affiliates and partners, including providers of certain Vehicle and Technology Services, such as satellite radio and roadside assistance providers, and platform providers and app stores through which we make our Apps and certain features (such as Digital Key) available.
Hyundai dealers
If you log in through or integrate a third-party account (such as Google, Amazon, Apple) with our Services, we access and obtain certain information (as authorized by you and subject the applicable terms of the third-party platform)."

"in general Hyundai collects, uses, discloses and otherwise processes personal information as set forth below or otherwise directed or authorized by you: ...
• Personalizing content and experiences: to tailor content we send or display on the Services in order to offer location customization and personalized help and instructions and to otherwise personalize your experiences; to reach you with more relevant ads and to measure and improve our ad campaigns.
• Marketing and promotional purposes: to send you newsletters, offers or other information we think may interest you; to contact you about our products, services or information we think may interest you; to administer promotions and contests; and to promote other services we offer. ...
• Complying with legal requests and obligations: to comply with the law or legal proceedings. For example, we may disclose information in response to subpoenas, court orders, and other lawful requests by regulators and law enforcement, including responding to national security or law enforcement disclosure requirements."

"We may also collect, use and disclose aggregate, anonymous, and other non-identifiable data related to our business and the Services for quality control, analytics, research, development and other purposes. Where we use, disclose or process de-identified data (data that is no longer reasonably linked or linkable to an identified or identifiable natural person, household, or personal device) we will maintain and use the information in deidentified form and not to attempt to reidentify the information, except as permitted by applicable privacy laws (such as to confirm whether our deidentification processes are reasonable and adequate)."

"We may share or make available certain customer list information (such as your name, email address and other contact information) with third parties with third parties so that we can better target ads and content to our customers, and others with similar interests, on third party sites, platforms and services. In some cases, these third parties may also help us to enhance our customer lists with additional demographic or other information. We do not permit them to use or share the data we submit on behalf of other third-party advertisers."

"However, the security of information transmitted through the Internet can never be guaranteed regardless of the level of security. We are not responsible for any interception or interruption of any communications through the Internet or for changes to or losses of data."

California CCPA Privacy Supplement

"As defined by the CCPA, we may “sell” or “share” identifiers, customer records, commercial information, internet or other electronic network usage data, and profiles and inferences to or with affiliates and subsidiaries, marketing partners, third party ad companies and other marketing and advertising partners; and analytics providers. We do not sell or share sensitive personal information, nor do we sell or share any personal information about individuals who we know are under sixteen (16) years old."

"Sources of Personal Information. In general, we may collect personal information from the following categories of sources:
• Directly from the individual
• Dealers
• Advertising networks and marketing partners
• Data analytics providers
• Social networks
• Internet service providers
• Operating systems and platforms
• Government entities
• Data aggregators and brokers"

Hyundai Vehicle Technologies and Services Privacy Notice

"Generally, we use Covered Information for the following purposes: <...>
• Marketing and promotional purposes: to communicate with you about your account and use of our Vehicle Technologies and Services via email and push notification, including to send you product updates; to respond to your inquiries; to provide you with news and newsletters, special offers, promotions, and other information we think may interest you, including information about third party products and services; and for other informational, marketing, or promotional purposes.
• Personalizing content and experiences: to personalize the information and content we display to you, including marketing, promotional and sponsored content, as well as providing you with more relevant ads (if applicable).
• Complying with legal requests and obligations: to comply with applicable legal or regulatory obligations, including as part of a judicial proceeding; to respond to a subpoena, warrant, court order, or other legal process; or as part of an investigation or request, whether formal or informal, from law enforcement or a governmental authority.

"We may share Covered Information, including vehicle, performance and driving data, as well as geolocation data, with authorized dealers and select third parties.
• Dealers: we may share certain Covered Information with dealers so that they and we may better respond to your requests, send your relevant and personalized offers and information, and respond to your requests.
• Marketing and advertising partners: we may make certain Covered Information available to third parties (such as analytics providers and ad companies) in support of our marketing, analytics, advertising and campaign management. We may also make available certain third party offers that we think may interest you. If you click an offer or otherwise choose to take advantage of a third-party offer, we may share Covered Information, including personal information, with that third party to facilitate your interaction with them.
• Legal compliance and lawful requests: Covered Information may be disclosed in order to comply with applicable legal or regulatory obligations, including as part of a judicial proceeding, in response to a subpoena, warrant, court order, or other legal process, or as part of an investigation or request, whether formal or informal, from law enforcement or a government official."

"We may obtain Covered Information about you from dealers and other non-affiliated entities and service providers, such as those that provide certain features, functionality or other services as part of the Vehicle Technologies and Services, including information related to the performance and use of such third-party services, such as:
• Affiliates and partners, including providers of certain Vehicle and Technology Services, such as satellite radio and roadside assistance providers, and platform providers and app stores through which we make our Apps and certain features (such as Digital Key) available.
• Hyundai dealers (which are all independently owned and operated) who may provide us with data and records related to vehicle sales, service, repair, scheduling, warranty claims, and quality and customer support.
• If you log in through or integrate a third-party account (such as Google, Amazon, Apple) with our Services, we access and obtain certain information from that third-party platform (subject the applicable terms of the third-party platform). For information about sharing by a third-party platform and revoking access to your account or content, you should consult the respective privacy notices and terms and review your privacy settings for such third-party account."

"We also may collect, use and disclose aggregate, anonymous, and other non-identifiable information about users for marketing, advertising, research, compliance, or other purposes. For example, we may disclose aggregate and non-identifiable trip data to select third parties who may use this data to better understand aggregate driving and traffic patterns, update maps and route details, analyze road conditions, and for other own research, development and analytics purposes. Where we use, disclose or process de-identified data (data that is no longer reasonably linked or linkable to an identified or identifiable natural person, household, or personal device) we will maintain and use the information in deidentified form and not to attempt to reidentify the information, except as permitted by applicable privacy laws (such as to confirm whether our deidentification processes are reasonable and adequate)."

HYUNDAI MOTOR AMERICA MOBILE AND WEARABLE APP PRIVACY NOTICE

"Generally, we use the information we collect (including personal information) for the following purposes: <...>
- Marketing. To communicate with you about your account and use of our mobile or wearable app via email and push notification, including to send you product updates; to respond to your inquiries; to provide you with news and newsletters, special offers, promotions, and other information we think may interest you, including information about third party products and services; and for other informational, marketing, or promotional purposes. Please see the Your Rights and Choices section for more information about how to change your communications preferences. We may also send you notifications by text message if you have opted in to receive them.
- Personalization. To personalize the information and content we display to you, including marketing, promotional and sponsored content, as well as providing you with more relevant ads (if applicable). "

"We may share information, including geolocation data, with authorized dealers and select third parties.
Dealers. We may share certain information with dealers so that they and we may better respond to your requests, send your relevant and personalized offers and information, and respond to your requests.
Third-Party Offers. If you click an offer or otherwise choose to take advantage of a third-party offer, we may share information, including personal information, with that partner to facilitate your interaction with them. "

How can you control your data?

It is unclear if all users regardless of location can get their data deleted.

US Privacy Policy

"Residents of certain U.S. states (including Virginia) may have additional rights under applicable privacy laws, subject to certain limitations and exceptions. These rights may include:
• Correction: to request that we correct inaccuracies in their personal information, taking into account the nature and purposes of the processing of the personal information.
• Deletion: to request deletion of certain personal information.
• Access: to confirm whether we are processing their personal information and to obtain a copy of their personal information in a portable and, to the extent technically feasible, readily usable format.
• Opt-Out: to opt out of certain types of processing, including:
o to opt out of the “sale” of their personal information.
o to opt out of “targeted advertising” by us.
o to opt out of any processing of personal information for purposes of making decisions that produce legal or similarly significant effects."

Hyundai Vehicle Technologies and Services Privacy Notice

"You have certain rights and choices regarding your Covered Information and the Vehicle Technologies and Services, as described in this section. For additional information about the rights and choices you have regarding Hyundai’s information practices, including your rights to opt out of marketing and targeting, generally, please review our Privacy Policy.

Reviewing, Updating and Deleting Your Information. If you register for a MyHyundai account to access and use the Vehicle Technologies and Services, you can access and update certain information we have relating to your account within your account settings. For Blue Link® services, this can be done on the My Account page of MyHyundai.com⁠
.⁠ You may also update or delete your contact information by submitting a request at our Contact Us page. Please note that we may maintain copies of information that you have updated, modified or deleted, as permitted, in our business records and in the normal course of our business operations."

"Hyundai offers you the opportunity to opt-out from marketing communications from Hyundai, and to opt out of certain disclosures of personal information to third parties."

What is the company’s known track record of protecting users’ data?

Bad

In April 2023, Hyundai disclosed a data breach impacting Italian and French car owners and those who booked a test drive, warning that hackers gained access to personal data.

In 2022, a software developer cracked Hyundai car security with a simple Google search. The vehicle’s manufacturer had secured its system using keys that were not only publicly known but had been lifted from programming examples.

In February 2023, Kia and Hyundai had to patch 8 million cars, after the so-called “Kia Challenge” on the social media platform had led to hundreds of car thefts nationwide, including at least 14 reported crashes and eight fatalities, according to the National Highway Traffic Safety Administration. Thieves known as “the Kia Boyz” would post instructional videos about how to bypass the vehicles’ security system using tools as simple as a USB cable."

Child Privacy Information

"We do not knowingly collect or maintain personal information from any person under the age of thirteen (13). No parts of our products or services are directed to or designed to attract anyone under the age of thirteen (13)."

"The Vehicle Technologies and Services are not directed at children and we do not knowingly collect any personal information from children under the age of 16."

Can this product be used offline?

Yes

User-friendly privacy information?

No

Hyundai has confusing to navigate privacy policy ecosystem with many privacy policies, notices, and supplements that are tedious and confusing to navigate and understand.

Links to privacy information

Does this product meet our Minimum Security Standards? information

Unknown

Encryption

Can’t Determine

While Hyundai has encryption on its products, there was evidence of this encryption has been weak. Also, we cannot determine if all data sitting on the car, including telematic data the car collects as well as data shared when you connect your phone sits encrypted, and if all collected data is encrypted in transit. We reached out to the company to attempt to determine this multiple times and received no response.

Strong password

N/A

Security updates

Yes

Manages vulnerabilities

Yes

You can report vulnerabilities here.

Privacy policy

Yes

Does the product use AI? information

Yes

Highway driving assist includes such features as lane following assist, smart cruise control, etc. It is available in the newest cars. These features are enabled by numerous cameras, sensors and radars on the car.

Is this AI untrustworthy?

Can’t Determine

What kind of decisions does the AI make about you or for you?

Is the company transparent about how the AI works?

Can’t Determine

Does the user have control over the AI features?

Can’t Determine

*privacy not included

Dive Deeper

  • SiriusXM Software Flaw Let Researchers Unlock And Start Cars Remotely
    Motor 1 Link opens in a new tab
  • Hyundai and Kia forced to update software on millions of vehicles because of viral TikTok challenge
    The Verge Link opens in a new tab
  • Hackers Can Clone Millions of Toyota, Hyundai, and Kia Keys
    Wired Link opens in a new tab
  • Privacy Concerns Aren't Keeping Automakers From Selling Massive Amounts of Your Data
    Newsweek Link opens in a new tab
  • Hyundai data breach exposes owner details in France and Italy
    Bleeping Computer Link opens in a new tab
  • Software developer cracks Hyundai car security with Google search
    The Register Link opens in a new tab
  • Hyundai Uses Example Keys for Encryption System
    Schneier on Security Link opens in a new tab
  • Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More
    Sam Curry Link opens in a new tab
  • Hyundai and Kia thefts keep rising despite security fix
    AP Link opens in a new tab
  • Kia, Hyundai are easy targets for thieves, insurance data confirms
    CNN Link opens in a new tab

Comments

Got a comment? Let us hear it.