Warning: *privacy not included with this product
Famous for the happy little VW Beetle and the iconic VW Bus, Volkswagen is a German car manufacturer with a worldwide reach. Current models include the Jetta, Passat, Golf, Rabbit, Tiguan, Taos, and electric vehicles like the ID.4 and the ID Buzz. Volkswagen's myVW app lets users of VWs built since 2020 (VW says they are working on adding functionality for vehicles 2019 and older) connect to their suite of connected car services either called Car-Net or We Connect (depending on where you live). Through the myVW app you can do things like remote start, lock, and unlock the car, honk your horn from afar to scare the pants off your friends, find your car in the parking lot when you can't remember where you parked it, and even keep tabs (read; spy) on your car when someone else is driving it. Handy! And maybe a little creepy. So, how does VW fair at privacy? Well, let's just say their privacy practices aren't nearly as cute as those little VW Beetle's were.
What could happen if something goes wrong?
Here's the deal: Privacy at Volkswagen doesn't look very good to us. VW earns all three of our privacy dings for how they use data, for how people can control their data, and for their track record at protecting the data they collect and we could not confirm them meet our Minimum Security Standards. Not good. Our privacy worries are even more concerning when you consider the vast ecosystem of things VW uses to collect your personal information -- from your car, to the Car-Net or We Connect connected services, to the myVW app users can use to interact with the car, to the personal information your VW dealer can collect on you, even during a test drive, to the additional information they can gather or buy on you from outside sources like data brokers, to the inferences they can draw about your when they combine all this data.
And then VW says they can share that personal information in lots of places, including throughout their large Volkswagen Group of companies. And VW freely admits in their privacy policies they share this information for lots of targeted advertising and marketing purposes -- both that VW does and that they share with other third parties for their own advertising purposes as well. And, don't forget, nearly all privacy policies mention how personal information can be shared with governments, law enforcement, and with any company that buys them in a merger or sale. So, yeah, when you drive a VW (or honestly, just about any car we review), lots and lots of your personal information is collected, stored, shared, used for targeted advertising, and open to being leaked or abused. Keep on reading if you'd like to look a deeper the privacy concerns we have about VW.
About those people in your car. It's probably good for you to know they put the responsibility on you to tell anyone in your car all about this huge amount of data collection. Yup, they say, "If you are the vehicle owner, you must notify any additional drivers about the privacy practices described in this Statement and if you are the Primary Driver for this vehicle’s Car-Net Services, you must notify any additional drivers of the vehicle about the Car-Net specific privacy practices described herein." Nice...because that's what we all do when we pick our friends up for a road trip, start with a privacy notice sermon to get the good times rolling! Uhg...lawyers.
What does VW say they can do with this vast treasure trove of personal information, car data, and inferences they collect on you? Well, they use it to make more money, of course. Because selling cars isn't a big enough business these days, now, your personal information is another gold mine for all car companies to tap into. And tap into it they do. VW says they can use it for their own personalized and targeted advertising purposes or those or their affiliates, business partners, or other third parties. They can share it with third parties who can use it for the commercial purpose of marketing their products and services to you. They also say they can use or disclose your de-identified data for "any purpose." Which is OK, as long as they do a good job actually de-identifying it. Remember, it's been found to be relatively easy to re-identify de-identified personal information.
VW also says they can share your personal information lots and lots of places. They can share your personal information within their Volkswagen Group family of companies which includes "Volkswagen Group parents, corporate affiliates, subsidiaries, business units, and other companies that share common ownership". That's a lot of sharing right there. But the list goes on (and on and on). They also say they can share personal information with VW Dealers, to third parties for their own marketing purposes, to third parties that provide online advertising, with integrated content providers for their Car-Net/We Connect services, and other vaguely describe entities such as "optional third parties" and "to other companies in connection with a VW corporate transaction" (meaning if some other company buys or merges with VW, they get your personal information as part of that business transaction).
So, VW collects a TON of data, uses this data for lots of things including combining it with even more data they can collect on your from data brokers, social media sites, and more to build a big old profile of you, so they can then target you with ads and share your information so others can target you with ads. That's pretty bad for your privacy. But that's not all. VW also has a bit of a spotty track record at respecting and protecting all that personal information they collect on their users. From reports of security concerns from a respected consumer watchdog to firing employees for serious cyber security concerns, to a big old data breach that saw the personal information of 3.3 million users compromised and then offered up for sale by hackers resulting in a $3.5 million class action settlement, to major fines for privacy violations during test drives, VW's track record for privacy is not great. If fact, it's pretty bad. (And dare we even mention VW's black eye for lying about their vehicle emissions a few years back? Yes, it's not privacy related, however, it is still kinda relevant to the company's ethics).
So, what's the worst that could happen to your privacy with your VW car, myVW app, and VW's Car-Net or We Connect mobile services? Well, dang, let's see. It would really suck if VW leaked that personal and location data they collect on you and hackers on the dark web could buy it and know all the places you like to visit and when you visit them and use that to stalk you. That wouldn't be great. But heck, there's a risk data brokers might be able to collect and sell some of that same information from VW and legally sell it to others who want to target you with all sorts of ads. That's not great either. And shoot, it seems like law enforcement and governments might also be able to get their hands of some of this data too. To be fair, this is a problem with nearly all car brands, not just VW. The fact remains, VW might have a history of making cute cars, but their privacy practices in 2023 are anything but cute. It's probably good to assume your VW comes with *privacy not included.
Tips to protect yourself
- Do not give consent to tailored advertisement.
- Opt out from selling of your personal information, as well as from Cross-context Behavioral Advertising.
- Always do a factory reset on your car before selling or trading it away to wipe your data clean and disconnect the app.
- Before reselling your car, make sure to notify the company
- When buying a used car, always make the previous owner removed their connected account and performed a factory reset.
- Always use strong passwords and set up two-factor authentication for apps and services that connect to your car
- Only give access to your data to trusted third-parties
- When connecting a mobile app to the car, make sure to minimize the amount of data collected through this app. You can use iOS or Android settings to limit the data collected through your phone.
- Opt out from your mobile device's location sharing.
- Do not use Amazon Alexa in your car if you are concerned about Amazon collecting that voice request information, IP address, and geolocation information and using it to target you with advertising.
What can be used to sign up?
What data does the company collect?
"Contact information, date of birth, demographic information, geolocation data, inferences reflecting your preferences, characteristics, demographics and vehicle usage patterns, internet and electronic data, vehicle usage information, such as vehicle data transmitted from your vehicle or collected or inferred from your use of the vehicle or services, including general vehicle status data (such as warning lights, upcoming service schedule, fuel level, battery level, and tire pressure); service history and fault or trouble codes; ambient data (such as outside temperature and brightness); vehicle performance data and other data about your vehicle, including its identification, condition, equipment status, or collision information; vehicle/technology usage data (such as usage of lock/unlock and remote start technology); driver behavior data (such as vehicle speed, seat belt use, and information about breaking habits); information that you provide when using Car-Net Services, including information you send and information you request; and information about your interactions with us, our affiliates, our service providers, Integrated Content Providers, and Optional Third Parties related to your vehicle usage."
Audio, electronic, visual, or similar information including voice command data
Transcripts of conversations you engage in with VW via webchat, messaging apps, or social media.
How does the company use this data?
How can you control your data?
What is the company’s known track record of protecting users’ data?
In June 2021, Volkswagen and its daughter company Audi suffered a data breach affecting 3.3 million users. A few days later, hackers put the data stolen from the car maker on sale on a notorious hacking forum. In January 2023, Volkswagen "agreed to a $3.5 million class action lawsuit settlement to resolve claims their customers’ information was stolen in a data breach spanning several years."
In January 2022 it was reported that VW fired a senior employee after they reported cybersecurity concerns.
In April 2020, consumer watchdog Which reported that Volkswagen cars could have serious security flaws that could allow them to be hacked.
Child Privacy Information
Can this product be used offline?
User-friendly privacy information?
VW has various privacy policies, notices, and statements that are difficult to find, sort through, and understand.
Links to privacy information
Does this product meet our Minimum Security Standards?
We cannot determine if all data sitting on the car, including telematic data the car collects as well as data shared when you connect your phone sits encrypted, and if all collected data is encrypted in transit. We reached out to the company to attempt to determine this multiple times and received no response.
Travel Assist adapts to your driving style and can drive further on the left or right in the lane instead of in the centre. In conjunction with a navigation system, Travel Assist is enhanced with predictive cruise control and a cornering assist function. These features are enabled by numerous cameras, sensors and radars on the car.
Volkswagen starts to test self-driving technology in 2023 with plans for a commercial launch in 2026.
Is this AI untrustworthy?
What kind of decisions does the AI make about you or for you?
Is the company transparent about how the AI works?
Does the user have control over the AI features?
Volkswagen Sued for Not Disclosing Alleged Private Climate Lobbying ActivitiesInsurance Journal
Volkswagen, Audi data breach $3.5M class action settlementTop Class Actions
Volkswagen says a vendor’s security lapse exposed 3.3 million drivers’ detailsTechCrunch
Hackers Are Selling Data Stolen From Audi and VolkswagenVice
VW says data breach at vendor impacted 3.3 million people in North AmericaReuters
VW fired senior employee after they raised cyber security concernsFinancial Times
Volkswagen manager fired after raising cyber security concernsCity A.M.
Popular connected cars from Ford and Volkswagen could put your security, privacy and safety at risk, Which? findsWhich?
Volkswagen Pledges To Follow China’s Data Privacy LawsPYMNTS
Volkswagen fined $1.1M under GDPR for unauthorized data collectionCompliance Week
Former VW owner discovered digital access to her car months after it was soldThe Verge
Got a comment? Let us hear it.