A recent Mozilla Foundation study reveals some shocking facts, and 25 car manufacturers deserve the ‘Privacy Not Included’ warning label in the United States. According to the study, cars have become data-gobbling machines that watch, listen, and collect information about what you do and where you go. While we worry that our connected doorbells or watches are spying on us, it is the car we have to fear the most. Cars are a ‘privacy nightmare’.
In their privacy policies, car manufacturers ask permission to collect highly personal data from their consumers: from social security numbers and migration status to ‘philosophical beliefs’ and ‘genetic information’.
The American Kia and Nissan branches even learn about sexual orientation and sexual activity. But also in the European Union, car manufacturers can and want to obtain personal data via GPS navigation systems, smartphone connections, and integrated cameras.
The Mozilla researchers analyzed 25 car brands and discovered that they all collect more personal information than necessary and use it for a reason other than to operate the vehicle.
Most intimate information
Car companies have many more data-collecting opportunities than other products and apps we use – more than even smart devices in our homes or cell phones we take wherever we go. They can collect personal information from how you interact with your car, the connected services you use in your car, the car’s app, etc.
They can find out where you drive, how fast you drive, and what songs you play in your car, but they also collect super intimate information about you: from your medical or genetic information to your ‘sex life’ – in huge quantities.
Collecting and selling data
It’s bad enough that all the data car manufacturers have, are used for their own research and marketing. Still, most car brands (84%) share your personal information – with service providers or data brokers – or even sell it. Nineteen of the 25 brands (76%) admitted they sold personal data.
A surprising number (56%) also say they can share your information with the government or law enforcement in response to “an informal request”.
GDPR privacy law
According to the study, only two car brands – Renault and Dacia, two brands owned by the same parent company – say that all drivers have the right to have their personal data deleted. It’s probably no coincidence that these cars are only available in Europe, protected by the robust General Data Protection Regulation (GDPR) privacy law.
In their report, the researchers say that even though the car brands each had several long-winded privacy policies, they couldn’t confirm that any of the brands met the minimum security standards. Most car brands completely ignored the researchers’ request for more clarity, and those who at least responded – Mercedes-Benz, Honda, and Ford – didn’t completely answer the basic security questions.
Some not-so-fun facts
The ranking of the car brands – from bad to worst for privacy – put Renault, Dacia, and BMW in front and Hyundai, Nissan, and Tesla at the tail end.
Unfortunately, as a private individual, you cannot do much about it. People usually don’t ‘comparison-shop’ for cars based on privacy. And they shouldn’t be expected to. That is why the 25 car brands reviewed all earned the researchers’ ‘Privacy Not Included’ warning label.
About the ‘Privacy Not Included’ Guide
In 2017, the Mozilla Foundation launched the first ‘Privacy Not Included’ Guide. It was a guide about the privacy and security of connected products (toys, gadgets, smart home devices).
With this guide, the organization hopes to help consumers navigate the landscape by understanding what questions they should ask and what answers they should expect before buying a connected tech product. The guide comes with a ‘Privacy Not Included’ warning label on products the researchers think consumers should think twice before buying.