Car Company CEOs Answer Tough Questions About Cars and Privacy… Kinda

Have you ever heard the advice, “Don’t answer the question you were asked. Answer the question you wish you were asked”? Well, it seems like certain United States car company executives have.

Let’s back up. Last year, we raised the flag on cars and privacy when we called them the worst product category we have ever reviewed for privacy. Even though what we found out from reading cars’ privacy policies was awful, we had more concerns about what we couldn’t find. Our research left us with so many questions! Questions that the car companies ignored when we asked. So we were so excited when US Senator Ed Markey followed up with carmaker CEOs asking the same questions we had, pointing to our research as a cause for concern. He also promised to publish their answers, which he then did! We read those 84 pages for you. But sadly, their answers were pretty vague, incomplete, and dodgy as ever. Here’s the highlights.

Do car companies sell your personal data -- and for how much?

Our research showed that many car-makers say they can sell your personal data. But do they? Yes, they absolutely do.

Senator Markey asked:

General Motors, one of the largest US automakers, said:

By now, you might have heard that GM sold personal driving data to data brokers who used it to create “risk scores” for insurance companies. Some drivers only found out this was happening when their premiums skyrocketed. They weren’t happy. In fact, it caused such an outrage among drivers (including a class-action lawsuit!) that GM had to promise to stop (at least as far as selling that specific data to those specific data brokers goes).

So it’s interesting that GM doesn’t mention its relationship with LexisNexis or Verisk -- the two data brokers in question -- at all in their response to the senator. (This is why we have trust issues when it comes to companies’ public statements on privacy!) GM also doesn’t share that “opting in” could reportedly involve a salesperson at the dealership opting in on your behalf without your knowledge or consent -- and receiving a bonus for doing so. Yeesh.

Oh, and in case you’re wondering, “de minimis” (as in the stated impact on GM’s revenue) to anyone (else) who assumed that was a typo, means a small or unimportant amount. What counts as not a lot to a billion-dollar company? It was reported to be in the “low millions”. We’re not sure if we’d feel better or worse if GM earned more money from selling drivers’ data. Hmm… Is it better to be sold out for a penny or a dollar?

Hyundai said:

So Hyundai does mention a relationship with data broker Verisk. And just like GM, they say that the program is opt in only. They also say drivers who have opted in can turn off data-sharing with Verisk through their MyHyundai account (just in case anyone’s opted in who doesn’t want to be). As for what they get in exchange for the data, “Hyundai may receive a fee per lead for insurance discount offers sent to drivers who have opted in to receive these offers and when a driver requests a UBI quote from an insurer and expressly authorizes and directs Verisk to provide their UBI data to the insurer.”

Toyota (and Lexus) said:

Toyota is the only car company that confirms they “sell” consumers’ personal information -- and at this point, we’re grateful for the honesty. They say they sell it to a satellite radio subscription service so that they can offer you a free trial and market their service to you afterwards.

Do car companies share drivers’ personal data with law enforcement?

All of the car-makers we researched said they can share driver data with law enforcement in certain situations. That’s true of pretty much any company that has your data, but what we like to see spelled out in the privacy policy is strict limits on that sharing and a commitment to push back on overly broad requests. That is something we didn’t find in cars’ many privacy policies. And that worried us since they can have soooo much of your personal information, including your precise geolocation as well as data from in-car cameras and microphones.

Senator Markey asked:

Here’s what the car companies (who bothered to answer the question) said about the number of requests for personal data they receive from law enforcement:

Volkswagen broke down the number of requests by year. They said there were “fewer than 20” in 2021, “fewer than 25” in 2022, and “fewer than 45” in 2023. That means the requests from law enforcement doubled in the last three years. Interesting! Hyundai and Kia also shared the total number of requests they responded to, which was 50 (86%) and 25 (83%) respectively. Honda said they don’t track these requests but guessed they get about one per month. Tesla said they do track requests but decided not to share the numbers with us. They were also the only car brand to say outright that they may sometimes challenge or reject requests.

You might remember Hyundai’s privacy policy said they may respond to an “informal request” for your data from law enforcement or government (yikes). But in their response to Senator Markey, they were a lot more specific, saying Hyundai will only provide data in response to “exigent circumstances, search warrants, customer consent, and subpoenas''. Most of the car companies’ answers were stricter or more specific than what we found in their privacy policies last year. Hopefully that means they’ve made changes to their official policies too, where it really counts. For Hyundai at least, the “informal request” line seems to be missing from the latest version of their privacy policy, which seems like a good start!

Do car companies inform drivers when their information is shared?

Another thing we didn’t find in car companies’ pretty vague sharing-with-law-enforcement statements in their privacy policies is whether or not they give drivers a heads up when their information is shared.

Senator Markey asked:

None of the car companies who answered this question said they have a policy of informing drivers. Hyundai came the closest, saying “Hyundai reserves the right to notify our customers when it complies with such requests” unless giving notice is “explicitly prohibited by the legal process itself.” That’s as generous as it gets, which isn’t great.

Most other car companies said they’re not allowed to tell drivers. For example, Nissan said “where Nissan is responding to [a] valid compulsory process to provide customer vehicle data, Nissan is precluded from notifying a customer of such requests by statute or court order.” BMW went as far as saying they won’t tell the vehicle owner unless law enforcement tells them to. “If we are instructed by law enforcement to notify the vehicle owner when we comply with a request, we will do so.” And that seems pretty unlikely to happen since GM said that “[l]aw enforcement routinely directs GM not to notify the vehicle owner”.

Can drivers get their personal data deleted?

At the time of our research last year, the only brands we could confirm would let customers delete their personal information were two European car brands (Renault and Dacia) who have to give drivers that right because it’s the law in the EU, according to the privacy law GDPR.

Senator Markey asked:

Toyota, Subaru, BMW, Tesla, and Ford said that all drivers in the US do have this right or will soon. Well, that’s new and good! We hope to see that commitment in their privacy policies -- where it matters. So far, Toyota is the only company to make that promise official with a change to their privacy policy.

But other car-makers doubled down, saying it’s not possible to commit to deleting their customers’ data or that they’re waiting for a law to force them to. Yeah, we don’t really believe that. And hey! Here's an idea. Car-makers, you’re officially invited to join our fight for federal privacy legislation in the USA. Until then, how about you apply the strictest state privacy law (generally, California’s CCPA) to all US states? That way you don’t, like Nissan worries, have to use an “arbitrary standard” in the meantime. You can do it!

What about data breaches, leaks, and hacks?

Most (68%) of the car brands we researched earned a bad track record “ding” for having had data breaches, leaks, or hacks that threatened their customers' privacy in just the last three years.

Senator Markey asked:

Volkswagen is the only car company that answered “yes”. And even then, they only told half the story -- acknowledging one major breach in 2021, but leaving out three other security and privacy incidents since 2020.

Even Kia, who had to patch eight million cars because of a security vulnerability that allowed them to be hacked -- resulting in hundreds of thefts, 14 crashes, and eight fatalities -- only mentioned cybersecurity to describe the “important steps” they take which are “designed to maintain the confidentiality, integrity, and availability of vehicle data”. So, yeah. We’re not at all confident that we’re getting the best answers from these car companies. (Neither were Senator Markey and his team.)

More than answers, we want change

It seems like the kind of answers we hoped for from these car company CEOs probably aren’t coming any time soon. It is funny though (but not ha-ha funny) that so many of the car-makers responded to Senator Markey’s questions by saying to look for answers in their privacy policies… Since reading those privacy policies raised these questions for us and Senator Markey in the first place. “Boooo” in particular to BMW, Mazda, Mercedes-Benz, Stellantis (and to a lesser extent Ford, Kia, Subaru, and Tesla) who responded with essays that didn’t address each of the questions directly. If we were grading these as homework, you all would get an “incomplete”.

The good news is that we don’t have to wait for car companies to be honest with us or to do the right thing on their own. Since we sounded the alarm on cars and privacy last September -- change is already happening:

• Toyota and Lexus now grant all US consumers the right to delete their personal data.
• Thanks to public pressure, GM (which includes Chevrolet, Buick, GMC, and Cadillac) said they’ll stop selling some OnStar data to data brokers LexisNexis and Verisk.
• The Bidden-Harris administration in the US is looking into connected cars’ privacy due to national security concerns.
• The FCC is proposing applying the US’ Safe Connections Act to cars, making it harder for domestic abusers to stalk survivors using cars’ tracking systems (one of our privacy nightmares).
• California legislators also proposed a bill that would make car-makers disconnect abusers’ remote access to cars when that access is being used to “stalk, harass, surveil, and intimidate survivors.”
• US Senators Markey and Wyden are asking the FTC to take action against Toyota, Nissan, Subaru, Volkswagen, BMW, Mazda, Mercedes-Benz, and Kia -- and their executives -- for sharing drivers’ location data with government agencies without a warrant, violating the industry’s own “privacy principles”.

And even the car companies’ noodly answers are helpful in driving change. Because car companies’ responses gave Senator Markey “little comfort” and “ignor[ed] the real privacy risks their data practices create,” he’s urging the US Federal Trade Commission (FTC), the federal agency charged with protecting consumers’ rights, to investigate all US car-makers’ privacy practices. And it’s not just US legislators who are paying attention. Members of the European parliament pointed to our research to flag a lack of privacy protections for drivers to the European Commission on three occasions. And another MEP (member of European Parliament) recently suggested more laws are needed to prevent cars from being misused to spy on drivers -- again, citing our research. We love to see it! You can help us keep the ball rolling.