Update: Added official statements from automaker representatives.
Cars today are like computers on wheels, providing access to apps, entertainment, and even the internet. Like most smart tech, modern vehicles have the ability to collect information about what people do and where they go in their cars. But a new study from the Mozilla Foundation suggests automakers provide little protection when it comes to securing the privacy of that data.
The non-profit group recently published a series of articles about personal data and privacy in cars. It researched 25 brands, all of which earned the foundation's Privacy Not Included warning label, meaning the automakers did a poor job of managing data and providing security. In fact, Mozilla found that cars ranked as the worst category of products it had ever reviewed.
According to the study, all of the car brands surveyed collect too much personal data. Beyond the information required to operate a vehicle, the study says automakers collect details on how people use their vehicles, how fast they drive, where they go, and other tidbits. Auto companies also pull info through the connected services used in the car, including third-party sources from companies like Google, Meta, or Sirius XM.
The study determined that 84 percent of car companies share or sell customer data to third parties, including service providers, data brokers, and other businesses. Additionally, 56 percent of automakers say they share information with government or law enforcement officials in response to court orders, warrants, or informal requests.
The Mozilla Foundation concluded that most car companies also provide little or no control over personal data. Allegedly, 92 percent of companies surveyed either don't allow people to delete their personal information or make it extremely difficult to do so. Renault and Dacia are listed as exceptions, though the study notes these two brands fall under the purview of Europe's General Data Protection Regulation (GDPR) privacy laws.
The Mozilla Foundation spent over 600 hours researching the car brands’ privacy practices and was unable to determine the full picture of how consumer data is used or shared. It also reached out to all of the car companies in its survey but only received responses from Ford, Honda, and Mercedes-Benz, and apparently, those responses still didn't answer all of the group's questions.
Motor1.com contacted automakers and automotive groups mentioned in the study, requesting a comment. Hyundai and Volkswagen deferred to Autos Drive America, from which we're awaiting a response. Toyota declined our request for a comment. Other comments are available below; we will update as we receive more comments.
Stellantis:
Multiple claims in this document are incorrect as they relate to Stellantis brands. We carefully and diligently consider data privacy and act accordingly. Customers with questions may call our Customer Care center.
Nissan:
Nissan takes privacy and data protection for our consumers and employees very seriously. When we do collect or share personal data, we comply with all applicable laws and provide the utmost transparency. Nissan North America’s Privacy Policy incorporates a broad definition of Personal Information and Sensitive Personal Information, as expressly listed in the growing patchwork of evolving state privacy laws in the U.S., and is inclusive of types of data it may receive through incidental means.
In accordance with certain state privacy laws, Nissan discloses both consumer and employee data privacy details in the same report. Our privacy policy is written as broadly as possible to comply with federal and state laws, as well as to provide consumers and employees a full picture of data privacy at Nissan.
Nissan does not knowingly collect or disclose consumer information on sexual activity or sexual orientation. Some state laws require us to account for inadvertent data collection or information that could be inferred from other data, such as geolocation. For employees, some voluntarily disclose information such as sexual orientation, but it is not required and we do not disclose it without consent.
We have clear methods for consumers to opt out of data collection and disclosure, which can be found at: https://www.nissanusa.com/privacy.html#your-choices.
General Motors:
GM takes data privacy very seriously and is committed to safeguarding personal information. For every GM vehicle, before any connected vehicle services are activated and before any data is ever collected, the vehicle owner must accept the OnStar Terms & Conditions and Privacy Statement. These detail our data practices and are available online for consumers to review before they even walk into a dealership. Here is a link to GM’s U.S. Connected Services privacy statement: https://www.onstar.com/us/en/privacy_statement
Ford:
Ford is committed to being a trusted steward of the personal information our customers choose to share with us. We utilize connected vehicle data to improve quality, minimize environmental impact, and make our vehicles safer and more enjoyable to drive and own. For more information, we recommend that our customers visit: https://www.ford.com/help/privacy/ to read our Connected Vehicle Privacy Notice.
We think it's really important to guide customers to the original source of information, being our Connected Vehicle Privacy Notice, to find out any answers to questions they may have about our connected vehicle data capabilities, policies and procedures.
Also, please note that we have followed the Alliance for Automotive Innovation's Consumer Privacy Protection Principles since they were initially published.
BMW:
BMW NA takes data privacy and data security of our customers very seriously. For transparency, BMW NA provides our customers with comprehensive data privacy notices regarding the collection of their personal information. For individual control, BMW NA allows vehicle drivers to make granular choices regarding the collection and processing of their personal information. We voluntarily comply with a customer’s data privacy requests (for example, request for access, deletion, correction) even in states where we are not required to do so.
Further, we allow our customers to delete their data whether on their apps, vehicles or online. BMW NA does not sell our customers’ in-vehicle personal information. BMW NA provides our customers the opportunity to opt out of BMW targeted behavioral advertising on the Internet. With respect to data security, we take comprehensive measures to protect our customers’ data.
Subaru:
Subaru does not collect any connected vehicle data unless the owner voluntarily enrolls in Subaru’s telematics service, and customers can cancel at any time.