BMW has said it takes data privacy and security “very seriously” in response to the Mozilla Foundation’s recent research findings that claim vehicles are the worst threat to data privacy that consumers currently face.
According to Mozilla, OEMs can collect sexual activity, immigration status, race, facial expression, weight, health, and genetic data as well as where customers drive.
The brands evaluated were Mercedes-Benz, Nissan, BMW, Ford, Toyota, Tesla, Kia, Subaru, Chrysler, GMC, Cadillac, Dacia, Jeep, Lincoln, Acura, Fiat, Volkswagen, Dodge, Buick, Lexus, Honda, Audi, Chevrolet, Renault and Hyundai.
While customers may be able to opt out, doing so could mean losing the full functionality of connected services — if they work at all without data use consent, according to Mozilla. There is sometimes the option to have personally identifiable information (PII) deleted but not every state in the U.S. gives consumers that right.
Nissan was determined to be the worst offender. BMW was considered one of the best.
“BMW isn’t actually the worst car company we reviewed,” Mozilla wrote. “Don’t get us wrong, they are far from great. But compared to many of the other car companies’ privacy and security we’ve reviewed, they are better than most. Yes, the bar is low. But alas, we’re looking for something we can point to that isn’t terrible in this bleak landscape. BMW is it.”
However, according to Mozilla, data collected by BMW include:
- Phone number
- Location data on the user and their car
- Contacts’ names and phone numbers (if you give BMW access to them)
- Vehicle images, including 3D images around the car
- Environmental information like the temperature and if it is raining
- Sensor information which they describe as “e.g. radar, ultrasonic devices, gestures, voice, etc.,” as well as vehicle speed and where the driver goes
Mozilla added that many car brands engage in “privacy washing,” the act of pretending to protect consumers’ privacy while not actually doing so.
“BMW does seem to have had fewer serious security breaches and data leaks than some of the other car companies we’ve reviewed,” Mozilla said.
There have been at least two data breaches, one in 2015 and another in 2018, according to Mozilla. Despite that, BMW’s Data Safety page states that data cannot be deleted.
BMW stated in a Sept. 14 news release that customers are provided with comprehensive data privacy notices that inform them about the collection of their personal information, which allows vehicle drivers “to make granular choices regarding the collection and processing of their personal information.”
“Further, we allow our customers to delete their data whether on their apps, vehicles, or online,” BMW said. “BMW NA [North America] does not sell our customer’s in-vehicle personal information and provides our customers the opportunity to opt out of BMW targeted behavioral advertising on the Internet.
“With that, we would also like to clarify a few of the allegations made by Mozilla Foundation in their recent ‘Privacy Not Included’ survey. While the story published on September 6, 2023, includes several inaccuracies, we wanted to address and correct five important points:
- “All BMW vehicle interfaces permit consumers to opt in or out of various types of data collection and processing that may happen on their vehicles. If they choose, BMW customers may opt out of ALL optional data collection relating to their vehicles at any time by visiting the BMW iDrive screen in their vehicle.
- “BMW’s collection of data relates to BMW’s own marketing efforts, legal compliance obligations, law enforcement issues, and related items. Using commonly available web browser controls, BMW NA customers may opt out of data collection used to make inferences about drivers’ preferences and habits and to opt out of receiving marketing communications at any time.
- “The report expresses concerns over BMW sharing customer data within our ‘family of companies’ and ‘with third party dealers, service providers, and business partners.’ BMW centralizes data collection and processing activities to create efficiencies and to better secure its systems. Additionally, BMW NA shares personal information with authorized dealers to better service our customers, and BMW NA customers choose which dealers they interact with. Much like any other company in the world, BMW NA uses service providers to accomplish certain tasks… These providers are contractually obligated to keep confidential any information BMW provides to them. They are also not permitted to use that information for their own purposes. Finally, we only share personal information with business partners when our customers request that we do so.
- “Contrary to Mozilla’s report, BMW NA provides multiple avenues for every customer to completely delete their data,” which includes through an online portal, iDrive, and within the My BMW app. “Furthermore, BMW NA voluntarily complies with every individual’s privacy requests in the US regardless of the customer residing in a state where consumer privacy laws allow for such rights (whether relating to access, correction, deletion, or opting out of sale with respect to online behavioral advertising) exist.
- “With regard to Mozilla’s warning to drivers that ‘you might not want your insurance company to know about your lead foot…. except, there’s a pretty high likelihood they already do,’ BMW NA operates a permission and consent-based CarData program that is available to each customer on their My Garage feature within BMWusa.com. Each BMW customer can specifically select any business partner with whom they would like to share data from their vehicles and can revoke these permissions at any time. BMW NA does not share customer’s personal information with insurance companies without consent.”
BMW also said drivers can, at any time, disable the embedded SIM on their vehicles, which will disable the transfer of any data, by contacting BMW and filling out a form.
“However, many customers voluntarily enable this feature, given that eCall and SoS calls would not be possible after the cellular connection to the vehicle is disabled,” BMW said.
It also said customers’ data is not sold by BMW NA.
Featured image: BMW headquarters in Munich, Bavaria. (Credit: pwmotion/iStock)