Jeep

Warning: *Privacy Not Included with this product

Fiat Chrysler Automotive
Wi-Fi Bluetooth

Review date: Aug. 15, 2023

Mozilla says

People voted: Super creepy

Jeep is an iconic American car brand known for their rugged, off-road vehicles. The first Jeeps rolled onto the road in the 1940s and have been on and off-roading ever since. Jeep models include the Wrangler, Grand Cherokee, Compass, Renegade, the funky half-SUV half-truck Gladiator, and the Wagoneer by Jeep. The Jeep app lets you do all the remote things with your Jeep with UConnect connected services like remote start/stop, lock/unlock, honk the horn, flash your lights, and access navigation and entertainment options. How's Jeep at privacy? Well, you might be able to get away from it all in your Jeep, but they'll be tracking you as you do. Jeep, and their parent company FCA, aren't great at privacy.

What could happen if something goes wrong?

If we had an award to give out for the worst privacy policy website, we would bestow that dubious honor to Jeep and parent company FCA's US privacy policy site (which also covers the privacy for Chrysler, Dodge, Ram, and Fiat). Holy cow is it a nightmare to navigate and read. Teeny, tiny font, the most frustrating navigation, no way to search through the privacy policy for keywords, no way to download the full privacy policy to keep a record of it. Basically, Jeep/FCA's privacy policy site is a privacy researcher's nightmare. OK, rant over.

Now onto our next rant because it seems their actual privacy policies aren't much better. We found this line in the California Privacy Supplement (reminder, California's strong privacy law called CCPA gives residents of California better privacy protections than people who live in other states without strong privacy laws or people who live under the EU's strong privacy law known as GDPR. The US doesn't have, but desperately needs, a national consumer privacy law.) section of their privacy policy that kinda sums it up for us, "We do not sell or share personal information or sensitive personal information about California consumers who we know are younger than 16 years old." So, if you are under 16 and live in California, you might be good for privacy. Otherwise, eh... maybe not so much. For the rest of us they say, "As defined by the CCPA, we may sell or share: identifiers, usage data, customer records, geolocation, commercial information, and inferences to or with affiliates and subsidiaries, dealers, marketing and advertising partners, and analytics providers." Yeah, that's not great.

Jeep/FCA says they can collect a massive amount of personal information and vehicle data on you from your Jeep, the Jeep app, and the UConnect connected services if you use them. So many things like your name, precise geolocation, Vehicle Identification Number (VIN), driver’s license number, and other government identifiers, browsing history, search history, biometric identifiers, such as fingerprints or facial templates, and more. Oh, and then they say they can also collect more data on you from third party sources such as data brokers, social media, and car dealers.

They also say they can collect a lot of data about you and your car. Things like "performance data, and other sensor data generated by your Vehicle, images, and event data generated in connection with certain Connected Services (such as autonomous driving and distracted driver features), data from third-party account services that you link to your Connected Services account (e.g., Amazon Alexa), and images captured in connection with vehicle camera record." Then there's all the driving data they say they can collect on you. Things like, "speed, acceleration and braking data; direction of travel; trip data (e.g., mileage, date, time, weather conditions, location, route taken); ignition events; steering events; cruise control data; seatbelt status; information about Vehicle incidents or events; other information about how you drive a Vehicle; and associated date/time stamps for such information."

And then they go on to say they can use much of this personal information and car data to draw inferences about you "to create a profile reflecting an individual’s preferences, characteristics, predispositions, behavior, attitudes, intelligence, abilities or aptitudes." They want those profiles on you so they can do things like market products to you based on those inferences and interests and your location, target you with what they call relevant ads, and personalize content to you to keep you using, and paying for, their services. That profile they create on you from all this data is quite valuable to them, and to other third parties, who want to know as much about you as possible to try and sell you more stuff. In that vein, Jeep/FCA say they can share -- or even sell -- that information to a large number of service providers, business affiliates, subsidiaries, marketing partners, data brokers, car dealers, etc etc on and on and on. None of this is good for your (or your passengers') privacy.

And don't hold your breath that you'll be able to get all that data Jeep/FCA collects on you deleted. Their privacy policy doesn't clearly state that users who don't live under strong privacy laws like California's CCPA or Europe's GDPR can get their data deleted. And on their Google Play Store Jeep App page, where they list their Data Safety information, Jeep clearly states, "Data can’t be deleted: The developer doesn’t provide a way for you to request that your data be deleted."

Shoot, even if you decide to deactivate those connected services for privacy reasons it might not mean Jeep/FCA actually stops collecting your data for those connected services. Indeed, their UConnect connected services privacy policy says, "Expiration or termination of your Connected Services subscription does not automatically stop all collection of Covered Data from your Vehicle." They go on to say, if you actually want them to stop collecting your data for privacy reasons you have to jump through even more hoops like calling both SiriusXM and the vehicle connected services department separately and directly to have your connected services stop sending Jeep/FCA your data. And then they add this little gem, "If you cancel for privacy reasons, wireless transmission network service will be deactivated for your Vehicle once your request has been processed, which means that: (i) remote transmission and collection of Covered Data from your Vehicle will be stopped; (ii) most Connected Services will not be available to you, including emergency and roadside services and Wi-Fi-enabled services; and (iii) your Vehicle will no longer receive updates to your in-vehicle manual or other over-the-air updates." So yeah, basically you can jump through many hoops to have Jeep/FCA stop collecting your data for privacy reasons, but that means your Jeep's emergency and roadside services will no longer work and you'll no longer receive updates to your car's software, which we're assuming means it could stop functioning correctly or stop getting fixes for security vulnerabilities as they come up. Not cool FCA, not cool. People should be able to opt out of data collection and still keep their security features if they want.

Speaking of security vulnerabilities. While Jeep/FCA's track record at protecting and securing all that data and connected services seems better now, back in 2015, they became the first car company forced to issue a recall of their vehicles based on a cybersecurity threat. Then, Wired first reported how two hackers were able to exploit vulnerabilities in a Jeep Cherokee entertainment system to take remote control of the car. Then they could do everything from mess with the air conditioning to turn the radio on and off, to stop the car's acceleration. That report eventually resulted in Jeep/FCA issuing a recall of 1.4 million vehicles to fix the security vulnerability. That's the bad news. The good news is, we couldn't find any recent news of security vulnerabilities, data breaches or leaks from FCA.

One other thing we'd like to note about Jeep/FCA (and this applies to every company that says they de-identify your data, not just Jeep/FCA). The Jeep/FCA privacy policy states, "We may collect, use, and disclose aggregate, anonymous, and other non-identifiable data about users for marketing, advertising, research, compliance, or other purposes. Where we use, disclose, or process de-identified data (data that is no longer reasonably linked or linkable to an identified or identifiable natural person, household, or personal device), we will maintain and use the information in de-identified form and not to attempt to reidentify the information, except as permitted by applicable privacy laws (such as to confirm whether our de-identification processes are reasonable and adequate)." It is fairly common to see lines in company privacy policies that say similar things to this -- the company can collect data, de-identify it, and then use it however they want and keep it for as long as they like. Generally, this can be OK. However, we would like to warn that researchers have found it can be relatively easy to re-identify some personal data that has been de-identified, especially if location data is involved. What can you do about this? Well, you can ask for your data to be deleted frequently; that could help. But not everyone has the same rights to that. So the best option is to limit the personal information and location data a company collects on you as much as possible. We know this is easier said than done, especially with cars. Which is why we sure hope policy makers and regulators will step in soon to help consumers better protect their privacy.

So, what's the worst that could happen as you're off-roading in your Jeep while using your Jeep app and those UConnect connected services to stay online in your off-road world? Well, we're sure glad they fixed those security vulnerabilities they had back in 2015 that allowed hackers to take control of your car and stop it and more through the UConnect system. That's pretty much a worst-case scenario if that could happen again. Other than that, well, Jeep/FCA knowing way more about you than they should, sharing that with data brokers who can then sell that to who knows who for who knows what purpose, well, that gets pretty scary too. Especially if they learn you like to take your Jeep mudding on Saturdays while listening to Taylor Swift on the radio and looking up news articles on the latest quantum computing findings. That might confuse those inferences Jeep says they can make about you and well, maybe that's actually not such a bad thing at all.

Tips to protect yourself

  • Opt out from sharing or selling your Covered Data with third parties.
  • If you are from California, opt out from selling of your personal information.
  • Do not give consent to tailored advertisement.
  • Always do a factory reset on your car before selling or trading it away to wipe your data clean and disconnect the app.
  • Before reselling your car, make sure to notify the company.
  • When buying a used car, always make sure the previous owner removed their connected account and performed a factory reset.
  • Always use strong passwords and set up two-factor authentication for apps and services that connect to your car.
  • Only give access to your data to trusted third parties.
  • When connecting a mobile app to the car, make sure to minimize the amount of data collected through this app. You can use iOS or Android settings to limit the data collected through your phone.
  • Opt out from your mobile device's location sharing.
  • Do not use Amazon Alexa in your car if you are concerned about Amazon collecting that voice request information, IP address, and geolocation information and using it to target you with advertising.

Can it snoop on me?

Camera

Device: Yes

App: Yes

Microphone

Device: Yes

App: No

Tracks location

Device: Yes

App: Yes

What can be used to sign up?

What data does the company collect?

How does the company use this data?

We ding this product as it collects information from data brokers and shares personal and geolocation data with third parties, including marketing and advertising partners.

FCA US Privacy Policy

"In some cases (such as where required by law), we ask for your consent, or give you certain privacy choices as described in this Policy, regarding our collection, use, and disclosure of certain personal information."

"As defined by the CCPA, we may sell or share: identifiers, usage data, customer records, geolocation, commercial information, and inferences to or with affiliates and subsidiaries, dealers, marketing and advertising partners, and analytics providers. We do not sell or share personal information or sensitive personal information about California consumers who we know are younger than 16 years old. California residents may opt out of sales of their personal information by us as set forth below."

"We may share personal information with dealers and other select third parties, for marketing, research and analytics purposes.
- Dealers: we may share personal information, such as name, contact information, and other data about your vehicles or interests, with our authorized dealers in your area so that they may contact you about your vehicle needs and purchase plans, or otherwise reach out to you for marketing purposes.
- Marketing and advertising partners: we may share your personal information with third parties that provide advertising, campaign measurement, analytics, and related services to us. These third parties may receive or access usage data, and other personal information in order to help us better reach individuals with relevant ads and measure our ad campaigns, or to better understand how individuals interact with our Websites and Services.
- Programs and offers: we may invite you to participate in co-sponsored or third-party promotional offers and programs. If you choose to participate in one of these programs or third-party offers or indicate your interest in receiving information about the third-party offer, we may share your personal information with that third party to facilitate your request. For example, if you elect to receive information on insurance rates and offers available to you, we may share your information with insurance companies or others so that they may provide you with personalized insurance offers. The use of your personal information by these third parties is subject to their respective privacy policies. For more information on how we share information with respect to the Connected Services, please see the FCA Connected Services Privacy Notice.
- Others: we may disclose certain information to select third parties who may use this data for their own research, development, analytics, and marketing purposes, such as to better understand aggregate driving and traffic patterns, update maps and route details, and analyze road conditions, analyze vehicle usage data, driving data, and trip data. We also may share your personal information with certain third parties so that they may send you offers and other information we think you may be interested in."

"We may collect personal information from the following sources:
- Directly from the individual
- Advertising networks and marketing partners
- Data analytics providers
- Social networks
- Internet service providers
- Operating systems and platforms
- Government entities
- Data brokers/aggregators
- Business and enterprise customers (e.g., fleet services)
- Dealers
- Platform providers
- Telecom provider"

"Information We Collect from Third Parties. We may also collect personal information about you and your vehicle from third parties and other sources, such as:
FCA dealers: FCA authorized dealers (independently owned and operated businesses) may provide us with purchase, payment, and finance information (when you purchase or lease one of our vehicles from them), information about vehicle maintenance, services, repairs, warranty claims, quality, and customer support, as well as data about prospective buyers.
Third-party data: such as vehicle sales records and motor vehicle records, as well as third-party data providers that provide us with information to update and enhance our customer records and provide us with leads including lists of potential vehicle purchasers, current, or former owners.
Affiliates and partners: including third-party providers of certain features or portions of the Services or Connected Services. Also, if you take advantage of a third party or affiliate offer through the Services, we may receive information from that third party about your interaction with them."

"PURPOSES OF USE AND PROCESSING OF PERSONAL INFORMATION
While the purposes for which we may process personal information will vary depending upon the circumstances, in general, FCA collects, uses, discloses, and otherwise process personal information we collect as set forth below or otherwise directed or authorized by you: ...
Personalizing content and experiences: to personalize content for you, to offer location customization and personalized help and instructions, and to otherwise personalize your experiences.
Advertising, marketing and promotional purposes: to contact you about our products or services or send you newsletters, offers, or other information we think may interest you; to administer promotions and contests; to reach you with more relevant ads; and to measure and improve our advertising and marketing campaigns. ...
Complying with legal obligations: to comply with the law or legal proceedings. For example, we may disclose information in response to subpoenas, court orders, and other lawful requests by regulators and law enforcement, including responding to national security or law enforcement disclosure requirements."

"AGGREGATE AND NON-IDENTIFIABLE INFORMATION
We may collect, use, and disclose aggregate, anonymous, and other non-identifiable data about users for marketing, advertising, research, compliance, or other purposes. Where we use, disclose, or process de-identified data (data that is no longer reasonably linked or linkable to an identified or identifiable natural person, household, or personal device), we will maintain and use the information in de-identified form and not to attempt to reidentify the information, except as permitted by applicable privacy laws (such as to confirm whether our de-identification processes are reasonable and adequate)."

"Targeted Advertising. We may work with third-party ad networks, channel partners, measurement services, and others (“third-party ad companies”) to personalize content and advertising on our Services, and to manage our advertising on third-party sites, mobile apps, and online services. We and these third-party ad companies may use cookies, pixels tags, and other tools to collect activity information, IP address, device ID, advertising IDs, and other identifiers, and location information within our Services (as well as on third-party sites and services). We and these third-party ad companies use this information to provide you more relevant ads and content within our Services and on third-party sites and services, as well as to improve and evaluate the success of such ads and content.
We also may share certain customer list information (such as your email address) with third-party ad companies so that we can better target these customers and others with similar interests on third-party sites and platforms."

"Connected Services. As part of the Connected Services, we collect, use, disclose, and process certain personal information from and about you, your vehicle, and your use of the Connected Services (“Covered Data”). You can request that we do not share or sell your Covered Data to or with third parties by submitting a request here. Please note that this opt out does not limit (i) disclosures to our vendors, agents and service providers that process this data to provide services to us; (ii) disclosures to others where necessary to provide the Connected Services to you, to respond to your requests, or as otherwise directed by you; (iii) disclosures that are necessary to comply with our legal obligations or to protect or defend our rights; or (iv) disclosures that are necessary to protect the security and integrity of the Services, or the health or safety of others. Further, opting out doesn’t apply to prior disclosures of your Covered Data."

FCA CONNECTED SERVICES PRIVACY NOTICE, 2023

"In providing the Connected Services, we collect location information, including your Vehicle’s GPS location, as well as your mobile device’s location information with your consent. If Connected Services are enabled, geolocation data is transmitted from your Vehicle to FCA, and in some cases, to third parties in order to enable certain Connected Services. If you use Connected Services, such as our mobile apps or in-vehicle apps, geolocation may also be collected through these apps."

"We may share (as defined under the CCPA) identifiers, customer records, commercial information, internet or other electronic network activity data, and profiles and inferences, with dealers and other third parties as described in this Notice."

"Some of the Connected Services are provided or supported by non-affiliated entities and service providers (“Third-Party Providers”), who may collect and receive personal information about you as part of their provision of the particular feature, service or application, or in order to respond to a request you make via the Connected Services (collectively “Third-Party Services”), including satellite radio and roadside assistance providers, and platform providers and app stores through which we make our Apps and certain features (such as digital key) available. For example, certain Vehicles include SiriusXM Guardian services, provided by Sirius XM Connected Vehicle Services Inc. (“Sirius XM”)—see the SiriusXM Guardian Privacy Notice for more information about how Sirius XM uses your personal information."

"Other Drivers. If you permit another driver to drive your Vehicle and/or access or use your Connected Services account, then you acknowledge and agree that we may collect Covered Data during their use."

"Deactivate Connected Services and Stop Collection of Covered Data. Expiration or termination of your Connected Services subscription does not automatically stop all collection of Covered Data from your Vehicle. If you want to stop remote transmission and collection of Covered Data from your Vehicle, you must contact us as follows and request to “Cancel for Privacy Reasons:”
SiriusXM Guardian Subscribers: call 844-796-4827 (toll free) and request to cancel for privacy reasons.
Vehicle Connect Subscribers (including Jeep® Connect, Ram® Connect, Wagoneer® Connect, Alfa® Connect, Chrysler® Connect, and Dodge® Connect): call 800-777-3600 and request to cancel for privacy reasons.
If you cancel for privacy reasons, wireless transmission network service will be deactivated for your Vehicle once your request has been processed, which means that: (i) remote transmission and collection of Covered Data from your Vehicle will be stopped; (ii) most Connected Services will not be available to you, including emergency and roadside services and Wi-Fi-enabled services; and (iii) your Vehicle will no longer receive updates to your in-vehicle manual or other over-the-air updates. Certain in-vehicle safety, diagnostic and other systems may continue to generate and store performance, safety and diagnostic information, which may be accessed by independent dealers and others who service your Vehicle and shared with FCA and others for performance, safety, warranty and related purposes."

How can you control your data?

We ding this product as it is unclear if all users regardless of location can get their data deleted. Also, you can only opt out from sales of your personal information if you are in certain US states or Europe.

"Additional Privacy Information for Certain States. Residents of certain U.S. states (including Virginia) may have additional rights under applicable privacy laws, subject to certain limitations and exceptions. These rights may include:
Correction: to request that we correct inaccuracies in their personal information, taking into account the nature and purposes of the processing of the personal information.
Deletion: to request deletion of certain personal information.
Access: to confirm whether we are processing their personal information and to obtain a copy of their personal information in a portable and, to the extent technically feasible, readily usable format.
Opt out: to opt out of certain types of processing by us, including:
the sale of their personal information.
the processing of their personal information for purposes of targeted advertising (i.e., advertising based on personal information obtained over time and across nonaffiliated websites or online applications).
the processing of personal information for purposes of making decisions that produce legal or similarly significant effects (if applicable)."

"If you are a California resident, please review our California Privacy Supplement for additional information about your California privacy rights, including your rights to opt out of sales and sharing of your personal information and to limit certain uses and disclosures of your sensitive personal information."

"You can request that we do not share or sell your Covered Data with third parties by submitting a request here. Please note that this opt out does not apply to (i) disclosures to our agents and service providers that process this data to provide services to us; (ii) disclosures to others where necessary to provide the Connected Services to you, to respond to your requests, or as otherwise directed by you; (iii) disclosures that are necessary to comply with our legal obligations or to protect or defend our rights; (iv) disclosures that are necessary to protect the security and integrity of the Connected Services, other FCA products and services, or the health or safety of others; or (v) disclosures of de-identified or aggregate data that do not identify you or your Vehicle."

If you are based in EU/EEA, the larger policy applies:
"Users have the right to:
• know if any Data is being processed by us and, where applicable, have access to it;
• rectify any inaccurate information we have or to have it erased when the request is legitimate;
• restrict the processing of the Data when the request is legitimate;
• portability, where applicable so that the Data can be obtained in a structured, ordinarily used and readable format, as well as the right to transfer the Data to other controllers;
• object to the processing of the Data when the request is legitimate; and
• lodge a complaint with a supervisory authority in case of unlawful processing of Data."

What is the company’s known track record of protecting users’ data?

Average

In 2015, Fiat Chrysler issued a safety recall affecting 1.4m vehicles in the US, after security researchers showed that one of its cars could be hacked. The problem was fixed in a 2015 recall.

Child Privacy Information

"Our Services are not targeted and directed at children under age 16 and we do not knowingly collect any personal information from a child under 16. If you believe we have inadvertently collected personal information about a child, please contact us and we will take steps to delete this information."

Can this product be used offline?

Yes

User-friendly privacy information?

No

Jeep and parent company FCA have a complicated group of privacy policies that are not easy to navigate (seriously, their privacy policy site is a nightmare to navigate!), read, and understand.

Links to privacy information

Does this product meet our Minimum Security Standards?

Unknown

Encryption

Can’t Determine

We cannot determine if all data sitting on the car, including telematic data the car collects as well as data shared when you connect your phone, sits encrypted, and if all collected data is encrypted in transit. We reached out to the company multiple times to attempt to determine this and received no response.

Strong password

N/A

Security updates

Yes

Manages vulnerabilities

Yes

FCA runs a bug bounty on BugCrowd.

Privacy policy

Yes

Does the product use AI?

Yes

Jeep is developing off-road autonomous driving. Stellantis also recently announced its upcoming vehicle-to-everything (V2X) project to warn drivers of impending hazardous situations, such as an immobilized vehicle or auto incident. In 2020, Fiat Chrysler signed an exclusive deal with Waymo (formerly the Google self-driving project) to develop autonomous driving technology.

Is this AI untrustworthy?

Can’t Determine

What kind of decisions does the AI make about you or for you?

Is the company transparent about how the AI works?

Can’t Determine

Does the user have control over the AI features?

Can’t Determine

Dive Deeper

  • Supreme Court foregoes hearing Fiat Chrysler appeal in cybersecurity case
    Cyber Talk
  • Fiat Chrysler recalls 1.4 million cars after Jeep hack
    BBC
  • Fiat Chrysler and Peugeot shareholders vote to merge, creating world's fourth-largest car maker
    NBC News
  • Jeep Testing Autonomous Driving Tech for Off Road Use
    Motor Authority
  • Off-road autonomous driving vehicles now showcased at Jeep
    Florida Insider
  • Fiat Chrysler and Waymo sign exclusive deal on self-driving commercial vehicles
    CNBC
  • Hackers Remotely Kill a Jeep on the Highway—With Me in It
    Wired
  • Fiat Chrysler Issues Recall Over Hacking
    The New York Times
