Nissan

Warning: *Privacy Not Included with this product

Wi-Fi Bluetooth

Review date: Aug. 15, 2023

Mozilla says

People voted: Super creepy

Nissan is a Japanese-headquartered global car company that traces its roots back to the early 1900s and the Datsun name. Today, they manufacture cars like the Rogue, Pathfinder, Murano, Versa, Sentra, Altima, the Titan truck, and their electric LEAF. Their MyNissan app lets owners remotely start and stop, lock and unlock their car, as well as honk the horn, flash the lights, check fuel and tire pressure, keep tabs on where the car is and whether it's in the boundaries they set up or going over the speed limit they set for it, and access other NissanConnect connected services. So, how is Nissan at privacy? We're not going to mince words here: THEY STINK AT PRIVACY! They are probably the worst car company we reviewed and that says something because all car companies are really bad at privacy.

What could happen if something goes wrong?

Believe us when we say this: Nissan's privacy policy is probably the most mind boggling creepy, scary, sad, messed up privacy policy we have ever read. And we here at *Privacy Not Included read a LOT of privacy policies. Please people, if you care even a little about privacy, please stay as far away from Nissan's cars, apps, and connected services as you possibly can.

Here's why: They come right out and say they can collect and share your sexual activity, health diagnosis data, and genetic information and other sensitive personal information for targeted marketing purposes. We absolutely aren't making that up. It says so in their Nissan USA privacy notice. And that's not all! They also say they can share and even sell "Inferences drawn from any Personal Data collected to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes" to others for targeted marketing purposes. Yes, Nissan says they can infer things like how smart you are, if you have a predisposition to drink, if you are acting depressed, and if you are any good at chess (we're guessing that's what they can infer..it could be even worse than that), and then they say they can make as much money off that very personal information as they can. Nissan, you suck.

Whoo! That was a lot. But there is another point we'd like to make about this bonkers language in Nissan's privacy policy. Yes, Nissan sucks for saying they can collect, share, and even in some cases sell all this super intimate personal information. Here's the thing though, there is a pretty high probability other car companies are also collecting, sharing, and selling this exact same stuff. They just aren't as open and honest about it in their privacy policies. Too often we read privacy policies that say things like, "We will share your personal information, for example, your birth date or favorite ice cream flavor, with third parties for targeted advertising purposes." We see lots of lines like, "for example," "might include" and "as well as other information" in privacy policies and this vague language could very well be hiding the fact that these companies also collect personal information like your sexual activities and your genetic information. We too often just don't know. So yes, while Nissan absolutely sucks for claiming this bonkers level of data collection, sharing, and selling in the name of profit, we'll give them this: At least they are honest.

Is there more bad about Nissan? Well of course there is. If you decided to download the MyNissan app to do things like remotely honk your horn at your neighbor's kid whenever they get too close to your car while outside playing, you might stumble upon the Data Safety Information they provide on their MyNissan Google Play Store app page. And when you read the self-reported data safety information Nissan provides you might see a couple things jump out at you. First, Nissan claims, "No data shared with third parties: The developer says this app doesn't share user data with other companies or organizations." Well, we can certainly confirm that this is not true. Nissan clearly states in their privacy policy they share your personal information, car usage data, and other information with lots of marketing and promotional partners, car dealers, business affiliates, service providers and more. That's not good. Bad on Nissan for not being fully honest in their self-reporting of this data safety information. And bad on Google for not doing a better job requiring accurate information and policing this data safety content. (We did some research earlier in 2023 that shows just how big a problem the Data Safety Information is in the Google Play Store. You can read it here. TL;DR: Don't trust it!). The other thing that jumped out at us on the Data Safety page was this statement, "Data can’t be deleted. The developer doesn't provide a way for you to request that your data be deleted." Yeah, that's really bad. Not being able to delete the huge amounts of data this app could collect on you is bad news.

Oh yeah, here's something else you should know about Nissan (although Nissan isn't the only company to say things similar to this). If you use their connected services, you better be prepared to tell every single person who gets in your car all about how much data they collect and why. Yup, Nissan puts all that on you. Their privacy policy specifically states that, "By activating, registering, subscribing, or using any of the services offered by NissanConnect, or by operating or occupying a vehicle that is utilizing such services you agree to Nissan collecting and using the information collected for various purposes as described in this Privacy Notice and in the NissanConnect Services Subscriber Terms and Conditions." Yes, just by sitting in a vehicle that uses NissanConnect services, you agree to have your data collected by Nissan.

It gets even better though! Be prepared to have some awkward conversations with your passengers about how Nissan says they can collect data on things like their sexual activities and intelligence, because when you agree to the NissanConnect Terms of Service you agree to promise (yes, promise, but hey, at least they didn't make you pinky swear!) to tell people all about how Nissan can and will collect their data when they are in your car. Indeed their TOS actually says, "You promise to educate and inform all users and occupants of your Vehicle about the Services and System features and limitations, the terms of the Agreement, including terms concerning data collection and use and privacy, and the Nissan Privacy Policy." So Nissan owners, get to work reading all these privacy and legal documents so you are prepared to "educate and inform" every single passenger in your car all about the data collection and privacy...because remember, you PROMISED! Sigh...we laugh...but we also cry.

So, Nissan says they can collect a metric ton of data, share it widely, and then expect you to promise to tell all your passengers that the moment they get in your car, they agree to have their data collected too. Not good. Something else that isn't great with Nissan is their track record at protecting and respecting all this data. To be fair, Nissan doesn't have the worst track record of any of the car companies we reviewed. Still, they aren't perfect, and if you're going to collect data on people's sexual activity, genetic characteristics, and intelligence, yeah, you better be perfect at protecting all that data.

In 2022, one of the third-party service providers Nissan shared some of their users' information with suffered a data breach. Nissan disclosed this data breach a few months later in January, 2023. This is a great reminder that with all the data companies collect and then share, you have to trust every link in that collecting/sharing chain to keep your information safe and secure. As Nissan themselves say in their privacy policy, "...even well thought out security measures cannot guarantee that data will never be inappropriately accessed.." Speaking of, in January, 2023 a security researcher reported a security vulnerability in Nissan (and Honda and Kia as well) that could allow someone with the technical know-how to exploit a bug in the Sirius XM connected service to "unlock the car remotely and start the vehicle with a laptop from anywhere in the world."

With Nissan, there seems to be nothing but bad news. What's the worst that could happen if you buy a Nissan, download their MyNissan app, and use their NissanConnect services? Well, not to be crude, but it would probably really suck to have Nissan draw inferences about you that lead them to believe you are a not so smart, sexually promiscuous, depressed alcoholic who likes to drive really fast on Fridays and Sundays and then sell those inferences to goodness knows who for targeted marketing purposes. We're not even sure what that targeted marketing would look like and we also really don't want to know. But holy hell, this is terrible. And if very sensitive personal data they collect on you about your sexual activity, sexual orientation, medical diagnosis, and genetic information were to ever leak, well, that could get embarrassing (and dangerous!) real fast. We can't say this loud enough. Nissan comes with *PRIVACY NOT INCLUDED.

Also, side note: government regulators and policy makers, if this one example of a car company laughing in the face of their users' privacy isn't enough to jump start you to action, we don't know what will. Please, please, please do something to protect people from this predatory and frightening abuse of personal information in the name of making money!

Tips to protect yourself

  • Do not give consent to tailored advertisement.
  • Opt out from selling of your personal information, as well as from Cross-context Behavioral Advertising.
  • Always do a factory reset on your car before selling or trading it away to wipe your data clean and disconnect the app.
  • Before reselling your car, make sure to notify the company.
  • When buying a used car, always make sure the previous owner removed their connected account and performed a factory reset.
  • Always use strong passwords and set up two-factor authentication for apps and services that connect to your car.
  • Only give access to your data to trusted third parties.
  • When connecting a mobile app to the car, make sure to minimize the amount of data collected through this app. You can use iOS or Android settings to limit the data collected through your phone.
  • Opt out from your mobile device's location sharing.
  • Do not use Amazon Alexa in your car if you are concerned about Amazon collecting that voice request information, IP address, and geolocation information and using it to target you with advertising.

Can it snoop on me?

Camera

Device: Yes

App: Yes

Microphone

Device: Yes

App: No

Tracks location

Device: Yes

App: Yes

What can be used to sign up?

What data does the company collect?

How does the company use this data?

We ding this product as it has sold/shared personal information to third parties incl. data brokers for marketing purposes.

NissanUSA Privacy Notice

"Nissan may disclose information about you, your vehicle, and its use for commercial purposes with our marketing partners, data brokers, service providers, business affiliates and vendors contracted to do business on our behalf, for example, when you sign up for certain services and offers on our websites, we may disclose your name and other contact information necessary for our vendors to provide these services to you and we may also disclose information to vendors who send emails on our behalf, operate our websites, serve ads on our behalf, or run promotions for us"

Nissan has sold the following information in the last 12 months: Geolocation data; Identifiers such as: a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, or other similar identifiers; Commercial information, including: records of personal property, products or services, purchased, obtained, or considered, or records of other purchasing or consuming histories or tendencies; Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with a website, application, or advertisement; "Inferences drawn from any Personal Data collected to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes."

Types of Personal Information Collected include:
"Sensitive personal information, including driver’s license number, national or state identification number, citizenship status, immigration status, race, national origin, religious or philosophical beliefs, sexual orientation, sexual activity, precise geolocation, health diagnosis data, and genetic information."
For the purpose:
"To provide connected vehicle services that might utilize or rely on geolocation data, facilitate more targeted marketing, as well as for internal reporting and analytics purposes..."
Third parties disclosed to:
"Service Providers or affiliates (including relevant Service Providers) where permitted or with consent, including Nissan’s operational or direct marketing purposes."

"Inferences drawn from any Personal Data collected to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes."
For the purpose:
"in order to facilitate more targeted marketing, as well as for internal reporting and analytics purposes."
Third parties disclosed to:
"Service providers, marketing and promotional partners, and third parties for operational purposes (e.g., dealers)"

Information collected directly from vehicles can be used for marketing purposes.
"By activating, registering, subscribing, or using any of the services offered by NissanConnect, or by operating or occupying a vehicle that is utilizing such services you agree to Nissan collecting and using the information collected for various purposes as described in this Privacy Notice and in the NissanConnect Services Subscriber Terms and Conditions. Nissan may ask for additional consent in some situations."

"Where you have provided us with your consent to receive direct marketing communications (as described above) by email, we may share your email address with our social media and advertising placement partners (such as Facebook and Google) to send you online targeted advertisements and offers on their platforms. This processing is based on our legitimate interest."

"Nissan uses Personal Data in various ways, such as to:
--use your contact information, location information, account and order history, vehicle performance data, and clickstream data to deliver marketing messages and offer you new or additional products or services (these marketing messages might be for third party offers or products we think you might find interesting) ...
--help us customize and serve targeted advertising based on the needs and interests of our customers ...
--undertake other purposes if we anonymize information so that it no longer reasonably identifies you or your vehicle"

"However, even well thought out security measures cannot guarantee that data will never be inappropriately accessed. For example, certain communications and information collected from your vehicle are provided through wireless and satellite networks, and Nissan cannot promise or fully guarantee that such communications will not be intercepted by unauthorized individuals despite our best efforts. You agree that Nissan will not be liable for any damages for any loss of privacy by you occurring in connection with communication over wireless or satellite networks. "

NissanConnect USA Terms of Service

"You promise to educate and inform all users and occupants of your Vehicle about the Services and System features and limitations, the terms of the Agreement, including terms concerning data collection and use and privacy, and the Nissan Privacy Policy. Neither we nor any Service Provider has any obligation to inquire about the authority of anyone using your Vehicle."

"We may share non-public information about you, your vehicle, and its use to third parties, including data brokers, insurance carriers, marketing partners, and other service providers, for commercial purposes."

"You agree we may release your information, including location data, when we are required to do so to comply with the law, in legal proceedings, to respond to subpoenas or court orders, in cooperation with law enforcement agencies, and to enforce the terms of this Agreement and any agreement related to the lease or financing of your Vehicle."

"YOU UNDERSTAND AND AGREE THAT THE SERVICES UTILIZE A CELLULAR PHONE NETWORK TO PROVIDE SERVICE, AS DESCRIBED IN SECTIONS 7 AND 9 ABOVE. NEITHER WE NOR THE WIRELESS CARRIER CAN GUARANTY THE PRIVACY OR SECURITY OF WIRELESS TRANSMISSIONS. NEITHER WE NOR THE WIRELESS CARRIER WILL BE LIABLE FOR ANY LACK OF SECURITY RELATING THE USE OF THE DEVICE OR THE SERVICES, OR FOR ANY DAMAGES ARISING FROM OR RELATED TO THE LACK OF PRIVACY OR SECURITY OF WIRELESS TRANSMISSIONS."

Nissan GDPR Notice
"Here is how we use your personal data:
Sending you online targeted advertisements about our vehicles, products, and services, through our social media and advertising placement partners.
We will use profiling, including segmentation tools to improve our customer and market knowledge."

"The personal data that we collect includes:
- contact details (such as first name, surname, postal address, email address and phone number);
- vehicle identification data (such as vehicle model, registration, registration number, vehicle identification number -VIN-, service reminders and warranty information);
- data relating to our interactions (such as call recordings between you and Nissan and you and the Dealer);
- data from your connected services (such as geolocation data);
- data relating to the use of the vehicle (such as mileage, journey, use of multimedia);
- where you have a connected vehicle, data allowing control of the vehicle and, where applicable, its battery (such as locking/unlocking, pre-conditioning, battery charge programming), relating to driving mode (such as use of controls, acceleration, breaking) or to the provision of connected services or on-board applications;
- GPS location (where you have permitted access to this);
- Special category of personal data in very limited circumstances only (such as medical personal data which you may have provided to us during a complaint or an enquiry) – please note that such special category of personal data shall only be processed where strictly necessary, and we will take appropriate measures to ensure the adequate protection of such special category of personal data."

NissanConnect EU Privacy Policy
"It is your responsibility to inform all Vehicle drivers and passengers who wish to use the NissanConnect Services regarding the terms and conditions of this Agreement, including the aspects related to data privacy. "

" If you sell your Vehicle or end its lease or if your Vehicle is scrapped or destroyed while you own or hold it prior to the expiration of the Initial Service Period, we ask you to notify us by contacting Nissan Customer Service or by removing directly the Vehicle from your account on the Website.

If you sell or transfer your Vehicle and fail to notify us, we will have no way of knowing that the Vehicle is sold and may continue to collect data in the belief that it is data concerning you. In addition, you will remain responsible for any liability incurred under this Agreement based on the use or misuse of the NissanConnect Services. We are not responsible for any privacy-related damages you may suffer if you fail to notify us of your end of lease or sale of your Vehicle. Whether or not you notify us of your end of lease or sale of your Vehicle, you agree that you shall not, nor attempt to, access or use the NissanConnect Services or any of the data relating to your Vehicle following the sale, transfer or end of lease of your Vehicle."

How can you control your data?

We cannot confirm that all users regardless of location can get their data deleted.

"Certain state residents have a right to request the deletion of their Personal Data collected or maintained by Nissan. If you would like information about you to be deleted, you may contact us through our website or customer service. Details on how to make a request in each state are listed in each state’s section below.
- California
- Virginia

When you make a request for deletion, you can expect the following:

a. After you request deletion, you will need to confirm that you want your information deleted.
b. We will verify your identity. You will need to provide us with certain information such as your name, email address, physical address, VIN, or other information, in order for us to confirm that you are who you say you are.
c. We will confirm our receipt of your request within 10 days. If you have not received a response within a few days after that, please let us know by contacting us at the website or phone number listed below.
d. We will respond to your request within 45 days. If necessary, we may need an additional period of time, up to another 45 days, but we will reply either way within the first 45-day period and, if we need an extension, we will explain why.
e. In certain cases, a request for deletion may be denied, for example, if we cannot verify your identity, the law requires that we maintain the information (e.g., in case of warranty or recall information) or if we need the information for internal purposes such as to continue to provide you services. If we deny your request, we will explain why we denied it, and delete any other information that is not protected from deletion."

On the MyNissan app page in the Google Play store, Nissan states that, "Data can’t be deleted. The developer doesn't provide a way for you to request that your data be deleted."

What is the company’s known track record of protecting users’ data?

Needs Improvement

In January 2023, Nissan disclosed a data breach at one of the company's third-party service providers that affected close to 18,000 of Nissan's clients. The leaked data included personal information such as usernames, dates of birth, and Nissan Motor Acceptance Company (NMAC) numbers. Even though Nissan first learned about the breach in late September, 2022, the company only disclosed the breach on January 16, 2023, almost six months later.

In January, 2023 a security researcher reported a serious security vulnerability in Nissan, Honda, and Kia cars that could allow "hackers and law enforcement agencies unlock the car remotely and start the vehicle with a laptop from anywhere in the world" through the Sirius XM radio connected service. That was one of three security vulnerabilities the researcher reported.

Child Privacy Information

"Nissan’s Platforms are not intended for children under 13 years of age. Nissan does not knowingly allow anyone under the age of 13 to participate in any services offered on our Platforms that require the submission of user information. If we learn that a user is under 13 and has submitted user information to us, we will delete that information promptly or seek verifiable parental or legal guardian consent to retain such information."

Can this product be used offline?

Yes

User-friendly privacy information?

Yes

Nissan had fewer privacy policies than other companies, with one privacy policy mostly covering the privacy of their cars, apps, connected services, and other data collection. Good on Nissan for making it easy to find out just how bad they are at privacy.

Links to privacy information

Does this product meet our Minimum Security Standards?

Unknown

Encryption

Can’t Determine

We cannot determine if all data sitting on the car, including telematic data the car collects as well as data shared when you connect your phone, sits encrypted, and if all collected data is encrypted in transit. We reached out to the company multiple times to attempt to determine this and received no response.

Strong password

N/A

Security updates

Yes

Manages vulnerabilities

Can’t Determine

We could not find an official way to report a vulnerability. However, we found an unpatched vulnerability on OpenBugBounty.

Privacy policy

Yes

Does the product use AI?

Yes

Nissan employs ProPILOT Assist technology in the newest cars. It includes features like keeping you centered in your lane, and maintaining a preset distance from the vehicle ahead. These features are enabled by numerous cameras, sensors and radars on the car.

Is this AI untrustworthy?

Can’t Determine

What kind of decisions does the AI make about you or for you?

Is the company transparent about how the AI works?

Can’t Determine

Does the user have control over the AI features?

Can’t Determine

Dive Deeper

  • Nissan North America Reports Consumer Data Breach (Industry Week)
  • Nissan suspends NissanConnect EV smartphone app over serious hacking concerns (CNet)
  • Nissan data breach exposed clients' full names and dates of birth (Cybernews)
  • Nissan North America data breach caused by vendor-exposed database (Bleeping Computer)
  • A Third-Party Data Breach Exposed the Personal Information of 18,000 Nissan Customers (CPO Magazine)
  • From Ferrari to Ford, Cybersecurity Bugs Plague Automotive Safety (Dark Reading)
  • Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More (Sam Curry)
  • Critical flaws found in Ferrari, Mercedes, BMW, Porsche, and other carmakers (Security Affairs)
  • SiriusXM Software Flaw Let Researchers Unlock And Start Cars Remotely (Motor 1)
