Warning: *privacy not included with this product
Lexus is a luxury car brand owned by Japanese car maker Toyota. They sell sedans, SUVs, and performance vehicles with rather uninspiring alphabet soup names like NX, UX, RZ, LX, ES, IS, and LS Hybrid. Lexus is probably best known for being reliable (they are owned by Toyota, after all), comfortable, and for their holiday ads where Lexuses show up in front of houses at Christmas time with giant red bows on them while surprised people smile in the snow. The Lexus app does all the same things the Toyota app does -- remote start/stop, lock/unlock, find your lost car in the parking lot, set privileges for guest drivers and notify you when they break them, and monitor your driving habits so it can tell you if you're a bad driver. You know, all the fun stuff. So, how is Lexus at privacy? Well, they are exactly like Toyota (they basically share privacy policies and the app), so nothing to put a big red bow on.
What could happen if something goes wrong?
Where to start with our concerns about Lexus' privacy practices? Maybe with the fact that Toyota/Lexus promotes itself as very privacy friendly while doing too many things that are anything but. For example, on Toyota's Privacy Hub, they mention right off the top that they "play a key role in the development and adoption of the Automotive Consumer Privacy Protection Principles." This sounds great, right? Well, it does until you look at it more closely. Those privacy principles were created by the automakers themselves back in 2014 to show they were taking privacy seriously.
However, if you look closely, you'll see that Toyota/Lexus, and nearly all the automakers we reviewed, don't actually follow their own principles for privacy. Those include things like "Data Minimization" (the idea they collected only what data is needed), "Data Security" (securing the data they do collect), "Transparency" (providing users clear, meaningful privacy information), and "Choice" (offering users choice in how their data use and collecting, and "Respect for Context" (using and sharing information only for what it was collected). Our research shows that Toyota/Lexus (and pretty much every other car maker we reviewed who signed onto these principles) absolutely do not follow these promises at all. Toyota/Lexus collects a ton of data -- way more than is likely necessary, they admit to sharing and even selling some of it with third parties for their own marketing purposes, they've had security lapses that put their users' personal information at risk, and they continue to expand their data collect to make more money off of the treasure trove of data they collect. Toyota/Lexus isn't alone in this, but they are the ones bragging about playing a key role in setting up automotive privacy principles that they themselves don't seem to follow.
That being said, we do give Toyota/Lexus a thumbs up for granting all people in the US, not just those covered by California's strong CCPA privacy law, the same rights to do things like have their data deleted or opt out of having some of their data sold. These are good rights that we feel should absolutely be granted to everyone, regardless of whether the live under stronger privacy laws like California's CCPA or the EU's GDPR. We can't confirm if Toyota grants everyone, everywhere the sames rights to access, delete, and control there data though, which is not good. We would love to see them step up and clearly say they will do this.
Toyota/Lexus says they can collect a whole heap of personal information on you through your car, the Lexus app, and their connected services. This includes everything from personally identifying information such as name, address, phone number, email, online identifier, social media ID, and demographic information such as your age, to driving behavior such as acceleration and speed, steering, and breaking functionality, and travel direction, to lots of information about your car including VIN (Vehicle Identification Number), interior and exterior image data from cameras and sensors in your car, facial geometric features. They even can collect sensitive personal information such as precise geolocation data, biometric information. On top of all this, they say they can collect lots of information about you from other sources such as social media, public sources, data brokers, data providers, your friends, and more. Toyota/Lexus is collecting a whole lot of information on you. Oh, and if you use any of those mobile services like SiriusXM radio, wi-fi connectivity, navigation, or even let your insurance track your usage, well, those places can all collect your personal information too.
So, what does Toyota/Lexus say they can do with this treasure trove of information? Well, some of it they seem to treat responsibly. Like the facial geometric features they get when they scan your face to identify your for your driver profile they say will only be processed and stored on your car. That is good. Unfortunately, Toyota/Lexus says they can do lots more with so much of all that other information they collect on you. For one, they say they can share or sell your personal information to third parties for targeted advertising purposes. Even worse, they don't 100% commit to not processing or potentially even sharing your sensitive personal information -- things like your precise geolocation data, biometric information for the purpose of uniquely identifying an individual, and financial information. In fact, they qualify the use of that sensitive information in ways that leave us uncomfortable. They say, "Where required by law, we will obtain your consent before processing your sensitive Personal Information. We will also generally use your sensitive Personal Information for limited purposes..." This vague, qualifying language about how they say they can handle and share your sensitive personal information does not leave us feeling good about Toyota's overall privacy practices.
The Toyota/Lexus ecosystem of parent companies and affiliates, dealers and distributors is also vast. These include things like Lexus Financial Services and your local "dealer advertising associations." These are all places Toyota/Lexus says they can share your personal information. We also found Toyota Connected Europe, which seems to be a Toyota-affiliated data business that uses all the vast amounts of data cars, car apps, and car mobile services can collect to develop better connected cars, understand driver behavior better, make cars safer (yay!), help drivers develop more energy efficient driving behavior, and more. Some of these things are very useful and beneficial to society. Some of them might not be. And remember, Toyota/Lexus is in the business of selling more cars, and thus, collecting more data to sell more cars. Toyota Connected Europe describe data as follows: "It’s the lifeblood of our business and powers everything we do." We share this as a reminder that for car companies like Toyota/Lexus, data is a huge and growing business as cars become ever more connected (Toyota Connected Europe describe themselves on their web page as a "young business".) Guess what, we've got another Toyota slogan that applies here! "You are what drives us." Another way of saying your data is what drives our business (to be fair, data is what drives most businesses these days..unfortunately for privacy it's the way the world now works).
What's the worst that could happen in your Lexus with your Lexus app and Connected Services and on-board cameras sharing data with their parent companies, business affiliate, car dealers, third party advertisers, and more? Well, Toyota/Lexus could know everywhere you drive (they probably do) and know where you like to shop and when and then you could have "relevant to your location" ads follow you all around targeting you to buy more stuff. That could be OK. It also could suck if you're trying to drink less alcohol and every time you drive near a liquor store you get an ad for beer. OK, maybe that's not the worst things that could happen. We can actually think of many worse things. But this is something that could way too easily happen and it is bad enough. Hey Toyota/Lexus, maybe we can ask you to be "Inspired by what's possible" and collect way less personal information on your car owners and give people more of an ability to protect their privacy when driving your cars. Now that would be privacy "Built for how you live." Unfortunately we have a slogan of our own for Toyota/Lexus: *Privacy Not Included.
Tips to protect yourself
- Do not give consent to tailored advertisement.
- Opt out from selling of your personal information, as well as from Cross-context Behavioral Advertising.
- Always do a factory reset on your car before selling or trading it away to wipe your data clean and disconnect the app.
- Before reselling your car, make sure to notify the company
- When buying a used car, always make the previous owner removed their connected account and performed a factory reset.
- Always use strong passwords and set up two-factor authentication for apps and services that connect to your car
- Only give access to your data to trusted third-parties
- When connecting a mobile app to the car, make sure to minimize the amount of data collected through this app. You can use iOS or Android settings to limit the data collected through your phone.
- Opt out from your mobile device's location sharing.
- Do not use Amazon Alexa in your car if you are concerned about Amazon collecting that voice request information, IP address, and geolocation information and using it to target you with advertising.
What can be used to sign up?
What data does the company collect?
Name, address, phone number, email address, language preference and other information linked or directly related to you, location, inferred preferences. Vehicle-and driving-related data: vehicle’s make, model, year, body type, VIN and other information linked to your vehicle so we can verify your vehicle type and provide Connected Services, driving behavior data (“Driving Data”) which includes the acceleration and speed at which your vehicle is driven, travel direction, and use of the steering and breaking functionality in your vehicle.
Facial Geometric Features, Voice Recordings. "Your Facial Geometric Features will only be stored on your vehicle."
How does the company use this data?
How can you control your data?
What is the company’s known track record of protecting users’ data?
Toyota leaked data of 2.15 million users over 10 years between 2013 and 2023. The information exposed in the misconfigured database includes:
- the in-vehicle GPS navigation terminal ID number,
- the chassis number, and
- vehicle location information with time data.
Another possible leak that affected 300,000 users was revealed by Toyota in 2022. Toyota discovered that a portion of the T-Connect site source code was mistakenly published on GitHub and contained an access key to the data server that stored customer email addresses and management numbers.
In 2020, a major vulnerability has been revealed that affected the encryption systems used by Toyota, Hyundai, and Kia.
Child Privacy Information
Can this product be used offline?
User-friendly privacy information?
Lexus -- owned by Toyota -- has a vast and confusing number of privacy policies, notices, statements for their vehicles.
Links to privacy information
- Toyota Motor North America Privacy Hub
- Toyota & Lexus Privacy Rights FAQ
- Lexus Privacy Notice
- Lexus Notice of PERSONAL INFORMATION PRACTICES FOR 2022 (EFFECTIVE AS OF JANUARY 1, 2023)
- Toyota Europe Data Recipeints
- Toyota Privacy Notice for Data Collection in the EU Through ON-Board Cameras
- Toyota Connected EU
- Lexus Connect Servcies Privacy Statement
- "ALLGEMEINE LEXUS DATENSCHUTZERKLÄRUNG"
Does this product meet our Minimum Security Standards?
Toyota/Lexus says it "employs layers of defense to drive strong safeguarding practices, such as, where appropriate, code and design reviews, security testing, firewalls, intrusion detection systems, signing and encryption." However, we cannot determine if all data sitting on the car, including telematic data the car collects as well as data shared when you connect your phone sits encrypted, and if all collected data is encrypted in transit. We reached out to the company to attempt to determine this multiple times and received no response.
Toyota runs a bug bounty program on HackerOne.
Lexus Safety System+ A is a package of features, incl. Front Cross-Traffic Alert, Road Sign Assist, pre-collision systems, etc. These features are enabled by numerous cameras, sensors and radars on the car.
Is this AI untrustworthy?
What kind of decisions does the AI make about you or for you?
Is the company transparent about how the AI works?
Does the user have control over the AI features?
Toyota Reveals Data Leak of 300,000 CustomersInfosecurity Magazine
Toyota Discloses Decade-Long Data Leak Exposing 2.15M Customers' DataDark Reading
Hackers Can Clone Millions of Toyota, Hyundai, and Kia KeysWired
Toyota, Mercedes, BMW API flaws exposed owners’ personal infoBleeping Computer
Toyota: Car location data of 2 million customers exposed for ten yearsBleeping Computer
Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and MoreSam Curry
Privacy Concerns Aren't Keeping Automakers From Selling Massive Amounts of Your DataNewsweek
Got a comment? Let us hear it.