Warning: *privacy not included with this product
Renault (owned by the Renault Group) is a France-based car company that's been around since 1899. While Renault cars haven't been sold in the US since 1992, their cars are big in Europe, South and Central America. Models include the ZOE, CLIO, CAPTUR, MEGANE, ARKANA, and the AUSTRAL (we're not really sure why they shout their model names in all caps, but hey, you do you Renault). Their My Renault app let's owners of Renault cars with connected services like their EASY LINK, OpenR Link or a Renault Connect system do things like turn the air conditioning on, find your car, flash the lights to find that missing car in the crowded parking lot, send that route to the new restaurant in town to your car's navigation system, and see your EV's battery range. So, how is Renault at privacy? Well, being a France-based car company covered by Europe's stronger privacy laws and not selling cars in the US sure seems to help. As far as we can tell, they aren't so bad. Our biggest worry is that we couldn't confirm if they encrypt all the personal data stored on their cars.
What could happen if something goes wrong?
What? A car company that doesn't seem completely terrible at privacy? Could it be? Could it be because it's a French-based car company that is governed by stricter European GDPR privacy laws and doesn't sell cars in North America where privacy laws are much more lax? We're guessing that is probably it.
Our biggest concern with Renault is that we couldn't confirm if all the data the car collects is encrypted as it sits on the car. It could well be, we just couldn't confirm that and multiple emails to the privacy contact at Renault went unanswered, so we just don't know.
They do, like the rest of the car brands, collect a lot of personal information about you like your name, address, and your vehicle’s VIN number. They also collect data about your driving and what you do in your car: When you accelerate, pump the brakes, or use multimedia. They also record all your interactions and conversations with them. Again, for car companies, this level of data collection seems pretty standard.
They're a bit more vague than some of the other car-makers about the actual data points they collect. In their UK Privacy Notice, they list the categories of personal data they can collect with a few examples usually followed by “etc.” We don't love that tiny word because it lets us know that we're only getting a sample and not a complete list. And, as privacy researchers, we're nosy as heck -- it’s our job! So for example, Renault collects “Data related to your personal and/or professional situation (family situation, socio-professional category, etc.)” Pretty vague! But also, c’est la vie (with most privacy policies)!
They do say that they will ask for your consent when your geolocation is collected. Great! But that’s something Renault must do to comply with Europe’s General Data Protection Regulation (GDPR). It’s the law. And that’s the thing about reviewing a European car brand. Like we mentioned, because the GDPR offers pretty strong privacy protections, any car company focused on Europe is going to have better privacy practices by default than brands serving countries, like the United States, with no federal data protection. On that note, you do have the right to get access to and delete your data. Woohoo! Thanks again, GDPR!
We feel that all that data Renault can collect about you when you communicate with them, sign up for their services, and purchase or drive their vehicles is more than enough. So we don't like that they can collect even more information about you “through other companies in our group or partners” even if they say they'll get your consent when they have to. That doesn't feel super in line with your commitment to data minimization, Renault. More on those commitments, Renault sometimes shares your personal information in ways that don't seem totally necessary, or in their words, for "explicit, legitimate and determined purposes." For example, they say then can share it with “[a]ny associated or connected motor manufacturer from whom we purchase or hire goods (and their group companies)” and "partners." It’s also not clear to us whether they will only share your personal data with law enforcement when they are legally obligated to, according to the language they use in their UK Privacy Notice.
We learned that some of the information Renault asks for is mandatory and some isn’t. The second kind is collected in the interest of “getting to know you better especially in order to send you personalized marketing information.” So if you're not interested in letting Renault get to know you like that, only fill in form fields marked “mandatory.”
In another tip of the hat to the protections of GDPR, Renault won't sell your personal data, like so many other car makers do. But that doesn't mean they're not in the data business. We can tell they're investing in big data and digital transformation through their partnerships with Google and IT consultancy, Atos. It does mean that they probably trade in aggregated and anonymised data which is not covered by the GDPR. We also like to point out that it can be relatively easy to de-anonymize those kinds of data sets.
Renault says that “Protecting your personal data is central to Renault’s values.” Aww, we love to hear it! Except we're not seeing too much to back that up besides obeying the law. It’s not looking amazing for one of the “good ones,” we know. Yet we still have one last beef (or should we say beouf?) with Renault. They're part of a strategic alliance with privacy-monster Nissan, one of the worst car companies we reviewed a privacy. What does that mean exactly for the fate of your personal data? Well, probably not much thanks to the strong legal protections in place. Still, given these companies’ cozy relationship, we’ll take it as a cautionary tale for what Renault might do if they could. Bravo, privacy laws! Finally, even though we're getting déja-vue writing this, it’s our duty to tell you that Renault, like all of the other car brands we looked at, comes with *Privacy Not Included.
Tips to protect yourself
- Do not give consent to tailored advertisement.
- Opt out from selling of your personal information, as well as from Cross-context Behavioral Advertising.
- Always do a factory reset on your car before selling or trading it away to wipe your data clean and disconnect the app.
- Before reselling your car, make sure to notify the company
- When buying a used car, always make the previous owner removed their connected account and performed a factory reset.
- Always use strong passwords and set up two-factor authentication for apps and services that connect to your car
- Only give access to your data to trusted third-parties
- When connecting a mobile app to the car, make sure to minimize the amount of data collected through this app. You can use iOS or Android settings to limit the data collected through your phone.
- Opt out from your mobile device's location sharing.
- Do not use Amazon Alexa in your car if you are concerned about Amazon collecting that voice request information, IP address, and geolocation information and using it to target you with advertising.
What can be used to sign up?
What data does the company collect?
"Your identity and contact details (surname, first name, postal address, email address, telephone, etc.), data related to your personal and/or professional situation (family situation, socio-professional category, etc.), your payment and transaction data (payment type, discount granted, etc.), data relating to our commercial relationship, in particular our interactions and contracts (order history, after-sales operations, service agreements, games, interaction with our call centre, etc.), your vehicle identification data (brand, model, registration, VIN number, etc.), your geolocation data (your consent is obtained when required by regulations), data related to the use of the vehicle (mileage, journey, use of multimedia, etc.) and, where applicable, its battery (charge level, etc.), Vehicle- and driving-related data: data allowing control of the vehicle and, where applicable, its battery (locking/unlocking, pre-conditioning, battery charge programming, etc.), relating to driving mode (use of controls, acceleration, breaking, etc.) or to the provision of connected services or on-board applications; data needed to carry out loyalty, direct marketing, market research or survey actions (e.g. your vehicle preferences); data relating to your digital profiles (online accounts); data concerning the use of our websites and mobile apps, as well as our communications (number of visits, page visited, messages opened, etc.)."
How does the company use this data?
How can you control your data?
What is the company’s known track record of protecting users’ data?
In 2017, Renault was hit by a ransomware attack.
Child Privacy Information
Can this product be used offline?
User-friendly privacy information?
Renault Group's privacy policies are lengthy and somewhat complicated.
Links to privacy information
Does this product meet our Minimum Security Standards?
We cannot determine if all data sitting on the car, including telematic data the car collects as well as data shared when you connect your phone sits encrypted, and if all collected data is encrypted in transit. We reached out to the company to attempt to determine this multiple times and received no response.
Renault has a public vulnerability disclosure policy.
The recent cars by Renault Group include advanced driver assistance systems on its vehicles.
The recent Megane E-TECH Electric comes with 26 Advanced Driver Assistance Systems (ADASs). These systems are divided into three categories – driving, parking and safety. It has a context camera, three environment cameras, a blind spot sensor, and ultrasound sensors in the front and rear bumpers.
Is this AI untrustworthy?
What kind of decisions does the AI make about you or for you?
Is the company transparent about how the AI works?
Does the user have control over the AI features?
Got a comment? Let us hear it.