Repairer Driven News
« Back « PREV Article  |  NEXT Article »

Vehicle PII collection: Researchers say 25 OEMs cross the line, lack privacy protections

By on
Share This:

All 25 major car brands reviewed in Mozilla Foundation’s latest edition of  *Privacy Not Included (*PNI) received failing marks for consumer privacy —a first in the buyer’s guide’s seven-year history.

According to Mozilla research, popular global brands — including Mercedes-Benz, Nissan, BMW, Ford, Toyota, Tesla, Kia, and Subaru — can collect deeply personal data such as sexual activity, immigration status, race, facial expressions, weight, health and genetic information, and where you drive.

Other brands evaluated were Chrysler, GMC, Cadillac, Dacia, Jeep, Lincoln, Acura, Fiat, Volkswagen, Dodge, Buick, Lexus, Honda, Audi, Chevrolet, Renault and Hyundai.

None of the brands received Mozilla’s Best Of designation, though researchers identified Renault as the least problematic. However, Mozilla notes that Renault has to comply with the General Data Protection Regulation (GDPR) — a stringent law governing the way in which personal data is used, processed, and stored.

Mozilla researchers found data is gathered by sensors, microphones, cameras, and the phones and other devices drivers connect to their cars, as well as through car apps, company websites, dealerships, and vehicle telematics. Brands can then share or sell the data to third parties. Based on its research, Mozilla says OEMs may also use the data to develop inferences about a driver’s intelligence, abilities, characteristics, preferences, and more.

Consumers and shops also have to think about the third-party companies that are buying the data.

As just one example, your customers’ personally identifiable information (PII) data — everything from full name, home address, email, cell number, VIN, insurance carrier, and more — could be compromised at the hands of a collision industry data aggregation company that’s providing or selling the data to at least one third-party company to sell the information back to the industry.

Society of Collision Repair Specialists (SCRS) Executive Director Aaron Schulenburg shared last July at a Collision Industry Conference (CIC) meeting that the third-party company he spoke to, which he didn’t name, wanted to sell data that they said could be a business opportunity for his member shops so they can contact customers who recently received quotes from other shops, to solicit and capitalize on them having repairs completed at their shop instead.

The company also said they collect 86% of all quoted collision repair data in North America whether the quote is taken through a body shop or an insurance carrier within 24 hours.

Twenty-two of the car brands included in Mozilla’s research signed on to abide by a list of Consumer Protection Principles from the Alliance for Automotive Innovation (Auto Innovators). Tesla, Renault, and Dacia haven’t agreed to the principles, according to Mozilla.

Established in 2014 and last reviewed in March 2022, the document lists data collection and use in vehicles as a means to enhance safety, reduce environmental impacts, diagnose malfunctions, call for emergency assistance, detect and prevent theft, reduce traffic congestion, improve efficiency and performance, deliver navigation services, provide valuable information services, and more.

It states, “Many of these technologies and services are based upon information obtained from a variety of vehicle systems and involve the collection of information about a vehicle’s location or a driver’s use of a vehicle. Consumer trust is essential to the success of vehicle technologies and services.

“Auto Innovators and their members understand that consumers want to know how these vehicle technologies and services can deliver benefits to them while respecting their privacy. Privacy is important to consumers, and it is important to us.”

A webpage on Auto Innovators’ site that contains any updates to the principles states that participating automakers commit to “providing customers with clear, meaningful information about the types of information collected and how it is used and obtaining affirmative consent before using geolocation, biometric, or driver behavior information for marketing and before sharing such information with unaffiliated third parties for their own use.”

*PNL Researcher Jen Caltrider told Repairer Driven news data collection, use, and sharing isn’t always an obvious, or even known, opt-in or opt-out action.

“Some car companies seem to consider something as simple as just being a passenger in a car saying you’ve consented to their privacy policies, which feels like a bit of a stretch… it seems suspicious,” she said. “When people buy cars, privacy isn’t something they can think about. First and foremost, people are limited by how much a car costs, or whether it’s reliable or not, or whether it fits their needs with size or all-wheel drive features.”

Consent to the privacy policy comes at the end of the buying process, which is a little late to take privacy into consideration, Caltrider added.

“Not that there are really any good choices out there,” she said. “A number of them [privacy policies] said, ‘you as the car owner of this connected car, it’s your responsibility to tell any passenger that gets in your car of our data collection and sharing practices.’ I just chuckle at that because… nobody reads somebody a privacy policy when they pick them up to go to the mountains or to the movies. It’s just kind of ridiculous.”

Opting out could also mean losing the full functionality of connected services — if they work at all without data use consent. There is sometimes the option to have your PII deleted but not every state in the U.S. gives consumers that right.

While some may choose to read their privacy policy it could lead down a rabbit hole of trudging through other policies because automakers often state in theirs that data collected by the connected services, apps, and/or components in their vehicles are managed by the OEMs.

While Mozilla says the list provides great privacy-preserving principles, like data minimization (collecting only data that’s necessary), transparency, and choice; none of the 25 automakers follow it.

“It’s interesting if only because it means the car companies do clearly know what they should be doing to respect your privacy even though they absolutely don’t do it,” *PNI researchers wrote.

In another first for Mozilla’s *Privacy Not Included research, none of the brands meet its Minimum Security Standards on encryption, security updates, strong passwords, vulnerability management, and privacy policy. Specifically, researchers couldn’t confirm whether any of the OEMs encrypt all of the personal information they store on vehicles. Mercedes was the only automaker that replied to Mozilla’s questions about encryption.

The newest edition of *PNI examines the privacy and security flaws of car brands in the U.S., Germany, Japan, France, and South Korea. Mozilla says researchers spent 600 hours reading privacy policies, downloading apps, and corresponding with brands.

Nissan was determined to be the worst offender.

“The Japanese car manufacturer admits in their privacy policy to collecting a wide range of information, including sexual activity, health diagnosis data, and genetic data but doesn’t specify how,” Mozilla said. “They say they can share and sell consumers’ ‘preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes’ to data brokers, law enforcement, and other third parties.”

But Nissan isn’t alone, and Tesla isn’t much better.

Mozilla says Tesla is only the second product they’ve reviewed that received all of their privacy “dings.” The first was an AI chatbot reviewed earlier this year. What set Tesla apart was earning the “untrustworthy AI” ding, Mozilla said. The brand’s AI-powered autopilot was reportedly involved in 17 deaths and 736 crashes and is currently the subject of multiple government investigations.

Others that stood out to Mozilla are Volkswagen and Kia. Volkswagen collects demographic data such as age and gender as well as driving behaviors for targeted marketing. Kia states in its privacy policy it can collect information about your “sex life” and “sexual activity.”

Mozilla noted its concerns, too, that Toyota has 12 “near-incomprehensible” privacy policy documents and Mercedes pre-installs TikTok, which “has its own privacy issues.”

The most recent research estimates from McKinsey & Co. on profit made off car data state that by 2030, the industry could be worth $450 billion to $750 billion.

Mozilla’s research boils down to four points:

    1. The 25 automakers that were evaluated collect too much personal data;
    2. 84% share or sell the data they collect;
    3. 92% give drivers little to no control over their personal data; and
    4. Researchers couldn’t confirm if any of them meet Mozilla’s Minimum Security Standards.

“This isn’t the first time Mozilla has uncovered an industry with terrible privacy practices,” said Misha Rykov, *PNI researcher. “But cars are unique — their privacy flaws impact not just the driver, but also passengers and sometimes even nearby pedestrians. They can hear you, see you, and track you. Today, sitting in someone’s car is a lot like handing your phone over to the auto manufacturer.”

Keep in mind that data breaches are common, like when Tesla employees viewed and shared photos and videos captured by consumers’ cars or when Volkswagen and Toyota leaked the personal information of millions of customers.

Other key findings include:

    • Many car brands engage in “privacy washing” — the act of pretending to protect consumers’ privacy while not actually doing so, Mozilla said.
    • Meaningful consent is nonexistent. Often, “consent” to collect personal data is presumed by simply being a passenger in the car. For example, Subaru states that by being a passenger, you are considered a user — and by being a user, you have consented to their privacy policy. Several car brands also note that it is a driver’s responsibility to tell passengers about the vehicle’s privacy policies.
    • Twelve companies representing 20 car brands didn’t respond to emails from Mozilla researchers to discuss data privacy concerns.
    • Car brands share personal information with law enforcement and governments, such as Hyundai, which states in its privacy policy that it can share data with law enforcement and governments based on “formal or informal” requests. Kia’s policy says it can share data in many scenarios “if, in our good faith opinion, such is required or permitted by law.”

So what does Mozilla hope automakers will do to address the data privacy concerns they found?

“I think limiting data collection is always No. 1,” Caltrider said. “We understand data is important and companies need it to run their businesses but… to what’s actually needed to provide the service.

“…giving consumers the option to opt out of as much data collection as possible without it impacting those services… giving all consumers the same right to access and [to] delete their data are things we’d love to see. A big one is limiting the sharing with law enforcement to only when a court order is given and even then, limiting the amount of data that is shared under a court order to the minimum possible. These are all things that we do at Mozilla and we like to see other companies do as well.”


Featured image: Stock photo of in-vehicle infotainment and connected services screen. (Credit: Fabio Principe/iStock)

More information

Get the details on 2 solutions to protect consumer PII & shop repair data

Share This: