Kia

Warning: *privacy not included with this product

Kia Corporation
Wi-Fi Bluetooth

Review date: Aug. 15, 2023

People voted: Super creepy

Kia is a South Korean car company founded in 1944 as a maker of bike parts. Today Kia -- owned in part by the other major South Korean car maker, Hyundai -- is known as one of the most reliable car brands in the world. Models include the Sportage, Soul, Sorento, Forte, Rio, and the EVs Niro and EV6. Their Kia Access app and Kia Connect connected services allow owners to do remote things like lock/unlock the car, find your car, set your car's cabin temperature, send locations to your car's navigation system, check your EV's charging status, find charging stations, and even pair the app with your smartwatch. So, how is happy little Kia at privacy? Holy cow, they are terrible! That makes us anything but happy.

What could happen if something goes wrong?

Kia’s approach to privacy is all over the map. But mostly, it’s bad. Let’s cut to the chase: Kia says they can collect a lot of sensitive and personal information they have no business collecting. The list is long and includes some of the creepiest data categories we have ever seen (since reviewing Nissan, at least) like your “genetic information” and “sex life.” Could there be a “good” reason for your car maker to have that information? Probably not. If there is, we definitely didn’t find it in Kia’s privacy policy. We did learn that they may use your personal information to “deliver advertising or marketing communications based on your interests.” Boooo.

Kia can also collect, according to their US Privacy Policy, information about your “medical condition, physical or mental disability,” “racial or ethnic origin,” and “religious or philosophical beliefs.” They even say they can collect “the contents of certain mail, emails, and text messages.” Huh? We can only assume that means your communications with Kia, but that’s such a weird and vague way to put that. We have so many questions. Like, how? But also, why?

Now, Kia does say that they don’t collect sensory data (like audio and visual data). Phew! That is a relief since it’s pretty common for car makers to collect the data created by vehicle features that use microphones and cameras. They also say that they do not collect biometric data (like your face and fingerprints). That’s another load off, since sharing that information comes with certain risks. But wait, “unique biometric information” is listed as an example of “Sensitive Personal Information” that they do collect. Hmm. It seems like some of Kia’s data-collecting disclosures were written to cast as wide a data-catching net as possible. That is a technique we privacy researchers really hate to see when we read privacy policies. Their policy even mentions “Personal information described in California Civil Code Section 1798.80(e)” which, we learned from reviewing Honda and other car companies, means just about any personal information under the sun “capable of being associated with you.” Yikes!

In their Kia Connected Services privacy policy, Kia says they can collect many of the same categories of personal information listed in their US Privacy Policy, including the creepy ones we mentioned earlier. That’s especially uncool since connected services can open up a third-party can o’ worms. Here’s what we mean: Even though the connected services you get through your Kia are provided by Kia, they sometimes rely on third-party providers who may need “access to user information to carry out the services they are performing for you or for [them].” Which services and which service providers? We can’t be sure of all of them because Kia only lists the categories of companies with a few examples.

Another thing about Kia’s connected services: some of them are a bit creepy. Kia’s “My Car Zone” lets you set alerts that log other drivers’ behavior in your car. Called “Curfew Alerts, Geo-Fence, & Speed Watch,” car-owners can create settings that collect information about other drivers’ habits, “such as when the Vehicle is being driven and whether the Vehicle is being driven beyond a pre-determined speed limit or boundary location.” This feature is pitched with a parent-child relationship in mind but it’s ripe for abuse by controlling partners or family members.

And it’s not just your car’s connected services that can give away access to your data. Kia has apparently no control over how the third-party apps available through your car’s dashboard treat your information. That’s why they suggest in their privacy policy that you “review any available policies” for those apps before interacting with them in your car. Cool cool cool, thanks for the tip! We will definitely consider doing that in all our free time. It's got to be only like, what, another 5 or 6 or 10 privacy policies, right?

Keep in mind all the data collected about you is in addition to detailed information about your car and what you do in it: how fast you drive, when you pump the brakes and buckle your seatbelts. Also, your geolocation, which can include “physical location or movements.” Hm? That’s a new one. Anyway, it’s a whole lot! But Kia doesn’t stop at drivers’ car, phone, and connected services in their quest to “Learn more about [their] customers and their [customers’] experiences” (that’s another thing that Kia says they can do with your information). They also collect information about you from “affiliates,” “partners,” “service providers,” “advertising and social networks,” as well as “data analytics, data enhancement, and market research providers” -- which sounds to us like a wordier way of saying data brokers.

What does Kia do with all that info? Ugh, we’d really like to know. Aside from marketing purposes, getting to know you better, and some other purposes that actually do sound legitimate, Kia lists a couple vague ones, like “Conduct[ing] internal research” and “Support[ing] our internal business operations.” Alrighty.

Kia also uses this mountain of data to create more data about you, called “inferences.” Practically all the car makers we looked at do. Poor form, everyone! Those inferences or assumed facts about you can be created from any of the personal information Kia has on you, reflecting your “preferences, characteristics, predispositions, behavior, attitudes, or similar behavioral information.” That’s extra creepy when you consider that they know some very intimate things about you, like everywhere you go.

One other thing that Kia does seem to do with your data is sell it. Yuck! We really hate that because they collect so much data and then say they can sell it to make more money. Nearly all the car companies we reviewed did this as well, and it sucks with everyone. They also share it with a lot of the same places they collect your data from. That list includes (once again) “affiliates,” “partners,” “service providers,” “advertising and social networks,” as well as “data analytics, data enhancement, and market research providers.” Kia might also comply with “governmental requests” for your data. Ugh, that word! At Mozilla, we believe your personal information should only be shared with the government and law enforcement when there is a legal obligation to do it. And, even then, as minimally as possible. Kia, please help yourself to our verbiage and do better. Governments shouldn't simply be able to "request" people's precise location data and information about their "sex life".

One unique line that we saw in Kia's privacy policy that we don't recall seeing in other car companies' privacy policies was this one, "Moreover, we reserve the right to disclose and transfer the information we collect: (i) to a subsequent owner, co-owner, or operator of the Services or associated databases." We're not actually really sure what to make of that line. We can see instances where transferring some car data might be useful for a future owner, but potentially sharing your personal information with a future owner just seems weird to us. And what the heck does "associated databases" mean? Seriously people, we read privacy policies for a living and way too often they leave us scratching our heads in dismay and confusion.

So, what control do drivers have over their data and can they ask Kia to delete it? Unfortunately, unless you won the location-based privacy lottery, then probably not. Residents of strong-privacy-law states in the US (California, Colorado, Connecticut, Virginia and Utah) have the special right to request that their data be deleted. People living in Europe under GDPR have the right to delete their data too. But call us crazy, we think everyone should have the right to get their data deleted, not just the lucky ones who live under strong privacy laws.

Speaking of having control of your data, Kia… doesn’t always. Earlier this year, the car brand went viral for the worst reason. The “Kia Challenge” on TikTok led to hundreds of car thefts, including 14 reported crashes and eight fatalities, according to the United States’ National Highway Traffic Safety Administration. Thieves known as “The Kia Boyz” posted instructional videos about how to bypass the vehicles’ security system using only a USB cable. Kia ended up having to patch eight million cars to fix it. Dang, that is really not good. Call us a tough customer, but we believe taking control of someone else’s car should be more challenging than charging your phone.

Then there was the security researcher who discovered a security vulnerability in Kia (and Honda, Infiniti, Nissan, Acura) that he said could allow hackers to do things like use the vehicle's VIN number to remotely lock/unlock the car, start/stop the car, flash the lights, honk the horn, take over the user's account, disclose personal information, lock the user out of managing their vehicle, change ownership, and "for Kia’s specifically, we could remotely access the 360-view camera and view live images from the car." Not good.

Kia's stakeholder company, the Hyundai Motor Group, also suffered a data breach that exposed the personal information of French and Italian car owners who booked a test drive. And last year the company made (another) pretty embarrassing misstep when they used an encryption key that was copied from an example, allowing a software developer to “hack” a Hyundai’s software with a simple Google search. Ouf. Finally, we couldn't confirm whether Kia meets our Minimum Security Standards because we're not sure if all the data that sits on the car is encrypted. We asked, but Kia didn't answer any of our emails.

Kia’s slogan is “Movement that inspires” but after reading their privacy policies all we’re feeling inspired to do is take the bus. What could happen if something goes wrong? We don’t have to think too hard because of the ways Kia’s poor privacy and security practices have already impacted drivers. Kia’s stores of ultra-private information about you could get into worse hands because of their sloppy security. Or, TikTokers might find another embarrassingly simple way to take control of Kia owners’ cars that puts drivers' lives at risk. Kia, the next time you go to workshop your logo, we suggest you take another stab at your privacy policies instead. Until then, you should know that Kia comes with *Privacy Not Included.

Tips to protect yourself

  • Be mindful that Kia Connect Services may contain content that is supplied by third parties. For example, a link may take you away from a Kia Connect Services page and onto a third party's website or application. These other websites and applications are subject to different privacy policies.
  • When presented with an option on Kia Connect Services to receive certain information and/or marketing offers directly from third parties or to have Kia send certain information to third parties or give them access to it, say NO.
  • Do not give consent to tailored advertisement.
  • Opt out from selling of your personal information, as well as from Cross-context Behavioral Advertising.
  • Always do a factory reset on your car before selling or trading it away to wipe your data clean and disconnect the app.
  • Before reselling your car, make sure to notify the company.
  • When buying a used car, always make sure the previous owner removed their connected account and performed a factory reset.
  • Always use strong passwords and set up two-factor authentication for apps and services that connect to your car.
  • Only give access to your data to trusted third parties.
  • When connecting a mobile app to the car, make sure to minimize the amount of data collected through this app. You can use iOS or Android settings to limit the data collected through your phone.
  • Opt out from your mobile device's location sharing.
  • Do not use Amazon Alexa in your car if you are concerned about Amazon collecting that voice request information, IP address, and geolocation information and using it to target you with advertising.

Can it snoop on me?

Camera

Device: Yes

App: Yes

Microphone

Device: Yes

App: No

Tracks location

Device: Yes

App: Yes

What can be used to sign up?

What data does the company collect?

How does the company use this data?

We ding this product because it says it has shared/sold personal information with third parties and that it may collect data from data resellers, combine it with data collected on you, and use it for advertising, including personalized advertising.

Kia Connect Services Privacy Policy
"Depending on how you use the available Kia Connect Services, we may have collected the following categories of Personal Information from you in the last twelve (12) months, which we may have also shared with or sold or otherwise disclosed to third parties for the purposes outlined in this Privacy Policy."

"We incorporate commercially reasonable security procedures and practices to help protect and secure your Personal Information. However, no data transmission over the Internet, wireless transmission, or electronic storage of information can be guaranteed to be 100% secure. Please note that we cannot ensure the security of any information that we collect, and you use Kia Connect Services provide us with your information at your own risk."

"We do not disclose your Personal Information that we have collected directly from you on our Kia Connect Services to third parties for those third parties' marketing purposes unless you consent to such sharing at the time you provide your Personal Information. In addition, we may disclose the information we have collected about you, including Personal Information and Vehicle Information, as disclosed at the time you provide your information."

"Kia Connect Services may contain content that is supplied by third parties, including our Partners. Those third parties may collect information about your use of Kia Connect Services, and they may be able to track your online activities over time and across various websites. In addition, when you are using Kia Connect Services you may be directed to other services that are operated by third parties that we do not control. We are not responsible for the privacy practices employed by any of these third parties. For example, a link may take you away from a Kia Connect Services page and onto a third party's website or application. These other websites and applications may send their own cookies to you, independently collect data, or solicit Personal Information. We encourage you to note when you leave Kia Connect Services and to read the privacy policies of all third party websites or applications before submitting any Personal Information to third parties. "

"Some Kia Connect Services use GPS (or other location-based services) to locate you so that we may verify your exact location, deliver relevant content based on your location, and provide certain Kia Connect Services (more fully described below)."

"We may use the information we collect in order to: ...
- Customize and personalize your experience with Kia Connect Services;
- To understand you and your preferences to enhance and personalize your experience; ...
- Send you special offers or promotional materials on behalf of us or third parties;
- Learn more about our customers and their experiences and to monitor your satisfaction with Kia products and Kia Connect Services provided to you; ...
- Process information as disclosed at the time we collect the information or as otherwise set forth in this Privacy Policy or in any other document made available to you."

US Privacy Policy
"Depending on how you have interacted with us, we may have collected the following categories of Personal Information from you in the last twelve (12) months, which we may have also shared with or sold or otherwise disclosed to third parties for the purposes outlined in this Privacy Policy."

"We may disclose your information to third parties including our Affiliates and Partners and their service providers. We may also disclose information to advertising and social networks, our marketing and promotional service providers that assist with marketing campaigns and other outreach efforts aimed at prospective Kia vehicle owners, or our data analytic, data enhancement, and market research providers that assist in keeping our contact information up to date, understanding our audiences, and reaching prospective owners."

"We may also collect information about you from our Affiliates, our Partners and their service providers, consumer data resellers, advertising and social networks, and our service providers, including marketing and promotional service, data analytics, data enhancement, and market research providers that assist in keeping our contact information up to date, understanding our audiences, and reaching prospective owners."

"We may use third-party advertising companies to target advertisements to you on our Services, across the web, on your mobile Device and on any of your other Devices, based on the information we have collected from and about you, as well as information relating to your and other users’ visits to this and other websites and online services. To do so, these companies may place or recognize a unique cookie on your browser (including through the use of pixel tags) or recognize an identifier associated with your mobile device. These companies may also use these technologies, along with Personal Information they or we collect on the different devices you use, to recognize you across the Devices you use, such as a mobile device and a laptop or other computer."

"We may also disclose your information to satisfy any applicable law, regulation, subpoenas, court orders, warrants, governmental requests, or legal process if in our good faith opinion such is required or permitted by law. We may also disclose your information to a third party performing audit, legal, operational, or other similar services for or on behalf of Kia. Moreover, we reserve the right to disclose and transfer the information we collect: (i) to a subsequent owner, co-owner, or operator of the Services or associated databases; or (ii) in connection with the negotiation, planning, or completion of a corporate merger, consolidation, restructure, sale of substantially all of our shares or assets, or other corporate change."

"Please note that if you opt out of targeted advertising, you may still receive online advertising from Kia and others while you are browsing online. However, the advertisements you see may be less relevant to you and your interests."

Privacy Notice, Europe

"In some cases, we may also process your personal data for purposes that are not mentioned in this Privacy Notice. Where this is the case, we will inform you separately about the relevant processing, purposes and legal bases.

Generally, you have the right not to provide your personal data to us. However, in some cases (e.g., for entering into a contract with us, to purchase our services or goods, to visit our premises), we may require certain personal data from you to be able to process your enquiry. We will inform you about the required personal data accordingly. Please also note that the use of our websites is not possible without us receiving certain Technical Data."

How can you control your data?

We could not confirm if all users, regardless of location, can get their data deleted.

Kia Connect Services Privacy Policy
"You also have the right to request that we delete Personal Information that we have collected from and maintain about you, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will conduct a reasonable search of our records in order to locate any Personal Information we have collected from you that is eligible for deletion, and delete such Personal Information. To the extent we have disclosed any Personal Information collected about you to service providers or contractors that is eligible for deletion, we will direct those service providers or contractors to delete that Personal Information as well. For the sake of clarity, however, Kia may not be able to comply entirely with your request to delete all of your Personal Information as set forth under California Law. "

"Following a deletion request, any Personal Information about you that was not deleted from our systems due to the above exceptions will only be used for the purposes provided for by the applicable exceptions. Thus, all Personal Information about you that is not subject to a deletion exception will either be (1) permanently deleted on our existing systems (with the exception of archived or back-up systems maintained for emergency disaster recovery and business continuity purposes); (2) de-identified; or (3) aggregated so as to not be personal to you."

"Kia is committed to only retaining Personal and Vehicle Information for only the period of time in which retention is necessary to fulfill a legitimate business purpose and deleting or de-identifying the information thereafter. The legitimate business purposes for which we retain information are described in Section 3 above and throughout this Privacy Policy. In certain instances, this may potentially include retaining Personal Information and Vehicle Information in perpetuity provided we have a legitimate business purpose for needing to retain the information forever. Once we determine there is no longer a legitimate business purpose for retaining either Personal Information or Vehicle Information, we will delete or de-identify such information, as determined in our sole discretion and is permitted by law.

The criteria used to determine our retention period includes:

- The length of time we have an ongoing relationship with you and provide the Kia Connect Services to you;
- The legitimate business purposes for which we collect and process your Personal Information and Vehicle Information as described in Section 3 above and throughout this Privacy Policy, but may additionally include, without limitation: to provide, develop and improve the products and services we make available through Kia Connect Services, to maintain the security, integrity and operation of Kia Connect Services, to comply with our legal and regulatory obligations and other third party requirements, to resolve disputes, to enforce our agreements, to diagnose and troubleshoot Vehicle systems, to improve Vehicle safety, to communicate with you, to prevent fraud or criminal activity, to maintain warranty and business records and for other purposes we determine in our sole discretion; and
- Whether there is a legal obligation to which we are subject that requires us to keep records before we can delete them."

Kia US Privacy Policy
"You can unsubscribe and opt-out to certain communications and access, or update and delete your contact information, by contacting us at the phone number or address specified below. California, Colorado, Connecticut, Utah, and Virginia consumers have additional rights to learn about what Personal Information a business has collected, shared, sold and disclosed about them, opportunities to opt-out of such sales or sharing, opportunities to request deletion or correction of their Personal Information, and protection from discrimination for exercising their rights."

What is the company’s known track record of protecting users’ data?

Bad

In February 2023, Kia and Hyundai had to patch 8 million cars, after the so-called “Kia Challenge” on the social media platform had led to hundreds of car thefts nationwide, including at least 14 reported crashes and eight fatalities, according to the National Highway Traffic Safety Administration. Thieves known as “the Kia Boyz” would post instructional videos about how to bypass the vehicles’ security system using tools as simple as a USB cable. The problem was so bad, some car insurers stopped insuring the impacted models of Kia and Hyundai cars.

In January 2023, a security researcher released information on security flaws in Kia's cars that could allow hackers to use the vehicle's VIN number to do things like remotely lock/unlock the car, start/stop the car, flash the lights, honk the horn, take over the user's account, disclose personal information, lock the user out of managing their vehicle, change ownership, and "for Kia’s specifically, we could remotely access the 360-view camera and view live images from the car."

In February 2021, Kia Motors America suffered a ransomware attack by the DoppelGanger gang, demanding $20 million for a decryptor and not to leak stolen data.

Child Privacy Information

"We do not knowingly collect Personal Information from children younger than the age of thirteen (13) or minors under the age of sixteen (16) nor do we knowingly sell or share the Personal Information of children or minors younger than sixteen (16) years of age. We will delete any Personal Information collected through the Kia Connect Services if it is later determined that the information belongs to a minor younger than the age of sixteen (16). If you are a parent or guardian of a child under the age of sixteen (16) and believe he or she has disclosed Personal Information to us, please contact us at 1-800-333-4542."

Can this product be used offline?

Yes

User-friendly privacy information?

No

Kia's privacy policies too often left us confused and wondering what exactly they meant with many of their privacy policies and practices.

Links to privacy information

Does this product meet our Minimum Security Standards?

Unknown

Encryption

Can’t Determine

We cannot determine if all data sitting on the car, including telematic data the car collects as well as data shared when you connect your phone, sits encrypted, and if all collected data is encrypted in transit. We reached out to the company multiple times to attempt to determine this and received no response.

Strong password

N/A

Security updates

Can’t Determine

In February 2023, Kia and Hyundai had to patch 8 million cars, after the so-called “Kia Challenge” on the social media platform had led to hundreds of car thefts nationwide, including at least 14 reported crashes and eight fatalities, according to the National Highway Traffic Safety Administration. Thieves known as “the Kia Boyz” would post instructional videos about how to bypass the vehicles’ security system using tools as simple as a USB cable.

Manages vulnerabilities

Yes

You can report vulnerabilities here.

Privacy policy

Yes

Does the product use AI?

Yes

Kia Advanced Driving Assistance Systems includes Forward Collision-Avoidance Assist, Blind-Spot Collision Warning, Lane Keeping Assist, etc. These features are enabled by numerous cameras, sensors and radars on the car.

Is this AI untrustworthy?

Can’t Determine

What kind of decisions does the AI make about you or for you?

Is the company transparent about how the AI works?

Can’t Determine

Does the user have control over the AI features?

Can’t Determine

Dive Deeper

  • Your Car Is Tracking You Just as Much as Your Smartphone Is—and Your Data Is at Risk
    The Drive
  • Hyundai and Kia forced to update software on millions of vehicles because of viral TikTok challenge
    The Verge
  • Kia, Hyundai are easy targets for thieves, insurance data confirms
    CNN
  • Kia Motors America suffers ransomware attack, $20 million ransom
    Bleeping Computer
  • From Ferrari to Ford, Cybersecurity Bugs Plague Automotive Safety
    Dark Reading
  • Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More
    Sam Curry
  • Hackers Can Clone Millions of Toyota, Hyundai, and Kia Keys
    Wired
