What did I learn in researching the privacy and security of 25 of the top car brands in the world? Modern cars are a privacy nightmare and it seems that the Fords, Audis, and Toyotas of the world have shifted their focus from selling cars to selling data.
Misha Rykov, Researcher @ *Privacy Not Included
When all of the 25 car brands we reviewed earn our *Privacy Not Included warning label for failing to respect and protect their customers’ privacy, something is seriously wrong. Car companies, are you hard up on cash? Your swan dive into the data biz is worrying us. It’s just that… Drivers are already paying you for their cars so why are you taking their privacy too? Ugh.
When we first started looking into cars and privacy, only one thing was clear: It’s complicated. Even to the car-markers! In response to a standard set of privacy and security questions we ask companies by email, Mercedes-Benz told us that it wasn’t possible to give us “universal answers.” And they’re kinda right. It is so difficult to get a clear picture of the data comings and goings between vehicles, their apps, their connected services, and more. But did your privacy-researching team take “it’s too complicated” for an answer? Heck no! Determined to help consumers get to the bottom of the privacy and security of cars, here’s what we learned after combing through 25 of the most popular car brands’ (many) privacy policies.
How does my car collect data about me?
Cars have had some kind of computer in them since the 1970’s. What’s new is the number of them and the amount of things they control. If you had the pleasure of driving during the El Camino era before the mid-eighties, you might remember literally rolling down a car window -- by turning a crank. (A clunky move that makes it even harder to look cool hanging out the passenger side of your best friend’s ride.)
Nowadays, it takes just a press of a button to “roll down” your car’s windows as more and more of cars’ features are powered by computer systems that also connect to the internet. And we’re not just talking about state-of-the-art future-cars. Consulting firm McKinsey predicts that 95% of new vehicles sold globally will be connected ones by 2030. “Basic vehicles,” the report says, will bring the most value from data because of their popularity. So if it doesn’t yet, calling a car “smart” will soon feel as retro as saying “smart phone.”
Cars with more advanced features and commands barely even need buttons. There’s touch-sensors and screens that work with barely a boop of the finger, a wave of the foot, or even by asking nicely. The future is now! But having all those microphones, cameras, and sensors sending signals through your car’s computers also means that whenever you interact with your car you create a tiny record of what you just did. Like when you turn the steering wheel or unlock the doors. And usually all that information is collected and stored by the car company.
Other bits of information about you and your passengers can be collected automatically, when you’re just sitting there. Because while your car is waiting to respond to your command, its sensors are, uh, “sensing”. That’s probably why vehicle data hubs, the data brokers of the car industry, can brag about having so many data points like driver fatigue -- which monitors head and eye position -- and heart rate.
Cars’ new bells and whistles mean the potential for more data-collecting sensors, cameras, and microphones. But unlike with apps or smart home devices, most drivers aren’t even aware this data is being collected -- let alone have the power to turn it off.
Misha Rykov, Researcher @ *Privacy Not Included
Another way your car collects data is from the connected services you use from your car’s dashboard, like satellite radio or a GPS route planner. Then there’s the devices you connect to it, like a telematics device: a plug-in that sends information about your driving behavior to your insurance company, or your phone. Car companies can also get data about you from your phone when you download the car’s app.
Finally, there’s the old-fashioned way. Just like (way too many) other products that connect to the internet do, car companies often collect extra information about you on their own from data brokers, car dealers (yes, they know all about you from those test drives), social media, the government, and more places we’ll talk about below.
What data does my car collect about me?
There’s probably no other product that can collect as much information about what you do, where you go, what you say, and even how you move your body (“gestures”) than your car. And that’s an opportunity that ever-industrious car-makers aren’t letting go to waste. Buckle up. From your philosophical beliefs to recordings of your voice, your car can collect a whole lotta information about you.
What you do in your car is more than enough information to paint a detailed picture of you. But your car-maker wants more. They can collect information about how much money you make, your immigration status, race, genetic information, and sexual activity (it’s in there!). Heck, they’ll even help themselves to your photos, your calendar, and your to-do list if you’ll let them.
… But wait, there’s more data car companies collect about you
Thirteen (52%) of the cars we looked at also collect information about the world around your car. Apparently, sensors can record information about the weather, the road surface conditions, traffic signs, and “other surroundings,” whatever that means.
Ugh, that pesky “other” category. As creepy and detailed as these data points are, we’re more worried about what’s not in the fine print. As usual, a lot of the privacy policies use vague language. Six companies mention “demographic data” which is about as descriptive as saying “characteristics” -- another word that popped up a few times. We have similar worries about “sensor data,” because, like we talked about before, sensors can be high tech enough to measure private stuff, like stress level. Also, “images.” Please, car brands, tell us more.
Using broad language is a classic tool that companies use to leave the door open for collecting more data than they’re spelling out in their policies. It makes it pretty much impossible to know all of the information that’s being gathered about you.
“Practically all of the privacy policies we looked at used qualifying language when listing the data points they collect. Words like ‘such as,’ ‘including,’ or ‘etc.’ tell us we are only getting a sample of what is collected and not the full picture.”
Misha Rykov, Researcher @ *Privacy Not Included
They use other cheeky little tactics to gloss over the amount of data they collect, like this Easter egg we found in Honda’s privacy policy. At the end of a long list of categories of personal information they collect, they put “Personal information as described in Cal. Civ. Code § 1798.80(e).” Huh? It turns out that that’s short for just about anything that “identifies, relates to, describes, or is capable of being associated with a particular individual.” Yowza!
(e) “Personal information” means any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. “Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
California Civil Code 1798.80 (e)
Through inferences, car companies also create new data about you
Twenty two of the car brands (88% of the ones we looked at) mentioned creating inferences -- assumptions about you based on other data. And nine of those companies (39%) said specifically that they might sell them to third parties. Hmm. Car companies’ love for inferences might explain why they seem to want to collect as much information about you as possible, even when those data points seem meaningless on their own. Like what “title,” “artist,” and “genre” you listen to in your car. Whether you listen to christian rock, show tunes, or The Joe Rogan Experience podcast on your way to work might not say that much about you… Or maybe it does? Either way, when you combine it with where you work (“employment information”) and all the places you go (“route history”), your track list can probably help fill in some blanks about your “preferences.”
Where does all the data go?
Welp, there’s more not-so-great news, folks. Most of the car companies we looked at commit many of the biggest data privacy no-nos in our books. We already talked about how, according to our standards, they collect too much data about you and how they sell inferences. There’s more. Car brands might combine information collected about you from your car with personal information they get from third parties. Then, they often share (and sometimes sell) that information (plus the “inferences” they created based on it) to all kinds of businesses. Over-collecting, combining, sharing, and selling are all things we do not like to see in privacy policies.
When it comes to disclosing who your car shares and sells your data to, vague language strikes again! The privacy policies we read usually only listed the categories of businesses they share with, like “service providers.” When they did name companies, the privacy policies often used more qualifying language like “such as,” “etc.” “and others,” “or similar” to make it clear that they’re only sharing a sample. Other times, the privacy policies only said that data would be shared or sold without saying to who.
After over 600 hours of research, we’re still confused about who car companies are sharing your data with and selling it to. But we do have a pretty good guess about why they’re doing it. Your data is a valuable business asset to these companies. And cars, like we mentioned earlier, can collect more and more detailed personal data than almost any other device or company can. So of course car companies are keen to cash in on that. Nineteen (76%) of the car companies we looked at say they can sell your personal data.
We know this about personal data because of data privacy laws like the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) in the United States. Both laws say that if a company plans to sell or share your personal data, they have to let you know. So even though the information isn’t as detailed as we’d like it to be, it is listed in the privacy policy.
On the other hand, even the strongest privacy laws don’t apply to so-called “aggregated and anonymized” data. So we can’t know how that information is handled. What we do know is that there’s a booming industry based on selling data from cars. On their website, automotive data broker (or “vehicle data hub”) High Mobility advertises their wide range of data products that include precise location, those two we mentioned earlier (“heart rate” and “driver fatigue”) and 57 other categories. Oh, and! They have a partnership with nine (36%) of the car brands we researched.
“The detailed data collected by car companies is a data broker’s dream. Indeed, Vehicle Data Hubs are rich with that information. Yet we still know so little about how they obtain, process, and sell it. That is the sad irony about the data broker business: they make billions off of our essentially stolen private information while revealing next to nothing about how they operate.”
Misha Rykov, Researcher @ *Privacy Not Included
The more we try to learn about cars and privacy, the more questions we have. Like, what happens to your personal data after it’s shared? And how can time-stamped, precise location data ever be anonymous?
… And where does the data end up?
Even though it might not sound like it, our research at *Privacy Not Included is based on the best case scenario. We can only really report on what companies say they’ll do with your data in their privacy policies. That’s why we take security standards and track record into account when handing out warning labels. And on that point, it’s a “yikes” across the board for car brands. Seventeen (68%) of the car companies earned our “bad track record” ding for failing to protect and respect their users’ privacy with a leak, breach, or hack recently. Among the greatest hits to their customers’ privacy:
- Volkswagen and its daughter company Audi suffered a data breach affecting 3.3 million users.
- Toyota leaked data of 2.15M users over 10 years between 2013 and 2023.
- In June 2022 Mercedes-Benz disclosed a data leak on the part of a third-party vendor that exposed the personal information of up to 1.6 million prospective and actual customers, including names, street addresses, email addresses and phone numbers.
With all the mysterious sharing and selling on top of these epic-level oopsie daisies, we’re worried about all that super personal and detailed information getting into even wrong-er hands than your car’s parent company. Like law enforcement, hackers, or just about anyone who can purchase from a data broker.
Want to learn more about what could happen if something goes wrong? We’re not done talking about cars and privacy. Sign up for our newsletter to get our latest delivered to your inbox.
Jen Caltrider
During a rather unplanned stint working on my Master’s degree in Artificial Intelligence, I quickly discovered I’m much better at telling stories than writing code. This discovery led to an interesting career as a journalist covering technology at CNN. My true passion in life has always been to leave the world a little better than I found it. Which is why I created and lead Mozilla's *Privacy Not Included work to fight for better privacy for us all.
Misha Rykov
Kyiv-native and Berlin-based, Misha worked in big tech and security consulting, before joining Mozilla's privacy effort. Misha loves investigative storytelling and hates messy privacy policies. Misha is an advocate for stronger and smarter privacy regulations, as well as for safer Internet.
Zoë MacDonald
Zoë is a writer and digital strategist based in Toronto, Canada. Before her passion for digital rights led her to Mozilla and *Privacy Not Included, she wrote about cybersecurity and e-commerce. When she’s not being a privacy nerd at work, she’s side-eyeing smart devices at home.