Data-Driven: Consumers raise concerns about automakers’ data collection practices
As automobiles grow more advanced, privacy concerns arise over whether car makers use your vehicle’s data for third-party sales
(InvestigateTV) — When recent retiree Thomas Maranda indulged in a red 2023 Volkswagen Golf GTI, convenience was his primary focus.
But his focus shifted after the dealer provided him with a litany of complex legal policies that detailed the personal information his new car would collect.
“It’s got a lot of computerized stuff, a lot of convenience features. I know there’s a lot of data collection going on,” Maranda said.
Vehicle data collection, as well as who has access to that data, has recently caught the attention of legislators and researchers alike, with tech company Mozilla describing modern cars as a “privacy nightmare” in a recent report.
The company went on to say it ranked vehicles as the worst product category it’s ever reviewed in terms of privacy.
InvestigateTV analyzed privacy policies for 14 major automakers – all of which acknowledge the potential collection of operator data beyond driving habits, such as geolocation, search history, and voice recordings.
That review also discovered that all 14 automakers are prepared to disclose car data to law enforcement agencies under specific legal conditions like warrants, subpoenas, or court orders. It also found that the car makers may be turning over data to car insurance companies.
‘It’s less computerized’
While all manufacturers assert that consumers have the option to opt out of data collection, InvestigateTV found inconsistencies in how this option is implemented across different brands.
In a 2023 press release, BMW said, “We allow our customers to delete their data whether on their apps, vehicle or online. BMW does not sell customers’ in-vehicle information and provides our customers the opportunity to opt out of BMW targeted behavior advertising on the internet.”
But consumers like Maranda worry that not many people have the time, or are taking the time, to read these privacy policies in detail.
“They present us with these incredibly complex privacy notes, legal notices, whatever that nobody reads, nobody has the time to read that,” Maranda said. “It’s like there needs to be a sweet spot where they can present that information in a way that’s easier for the consumers to understand.”
In 2023, Mozilla detailed those complexities in its report rating car companies by the company’s privacy standards, finding that 84% of car companies share or sell consumer data.
“Consumers don’t have a lot of control,” Jen Caltrider, program director for Mozilla’s *Privacy Not Included buyer’s guide, said.
Caltrider created the consumer guide which evaluates the privacy and security standards of connected apps and devices.
Her team dedicated 600 hours to analyzing the privacy practices of 25 car brands. They found a prevalent issue: many vehicles lack robust privacy protections. For instance, users often cannot disable features without voiding the warranty or may unknowingly opt in to data collection.
“People might not have gone out and bought a car in the last ten years, so you might not know that every car right now is a smart car,” Caltrider said. “Every car is connected.”
That’s why Caltrider said she still owns her 2002 truck.
“It’s less computerized,” she said. “I love it because it doesn’t collect any of this, I can get in my car and not worry about somebody tracking where I’m driving or how fast I’m driving and it’s wonderful.”
Mozilla discovered that certain car companies are selling and sharing the data collected from your car with data brokers who then pass it on to insurance companies. Caltrider pointed out that insurance companies are using this information to adjust people’s rates, and many consumers are unaware of this practice.
InvestigateTV discovered several lawsuits, including a class action initiated by consumers against General Motors. The lawsuit claims that GM released consumers’ driving data to insurance companies without obtaining their consent.
In response, GM issued a press release in April announcing the termination of partnerships with LexisNexis and Verisk, third-party telematics companies and data brokers. Additionally, Honda and Hyundai dropped Verisk.
‘You have no privacy, that’s their privacy policy’
As advances in car technology continue to cater to convenience for consumers, a U.S. senator has asked manufacturers a series of questions about their privacy policies, noting technology is often ahead of the law. U.S. Sen. Ed Markey’s (D-Massachusetts) questions include:
- Does your company collect user data from its vehicles, including but not limited to the actions, behaviors, or personal information of any owner or user?
- Does your company provide notice to vehicle owners or users of its data practices?
- Does your company provide owners or users an opportunity to exercise consent with respect to data collection in its vehicles?
- Can all users, regardless of where they reside, request the deletion of their data?
- Does your company take steps to anonymize user data when it is used for its own purposes, shared with service providers, or shared with non-service provider third parties?
- Does your company have any privacy standards or contractual restrictions for the third-party software it integrates into its vehicles, such as infotainment apps or operating systems?
- Has your company ever provided law enforcement with personal information collected by a vehicle?
Markey sent these questions in letters to 14 automakers in December. While each manufacturer responded affirming the importance of customer privacy, not all addressed the specific questions posed, the senator said. Some provided general statements, while others answered each question to offer clarity.
“You have no privacy, that’s their privacy policy,” Markey said.
In their responses, General Motors and Kia expressed apprehensions about the existing array of state laws, with Kia noting that “the current patchwork of state laws creates inconsistent or conflicting privacy-related obligations.”
Ford, General Motors, Kia, Nissan and Stellantis said in their letters they strongly support the enactment of a federal privacy law.
In its response, Toyota admitted to collecting a range of personal data from drivers, including their location, facial features similar to phone unlocking methods, and even voice recordings.
Similarly, Honda said it gathers auto, electronic, visuals, searches, call history and voice commands.
In an interview with InvestigateTV, Markey described modern cars as “computers on wheels” that amass vast quantities of personal information. He warned these practices pose a serious risk of privacy breaches affecting drivers, passengers, and others on the road.
InvestigateTV found there are currently no federal rules requiring automakers to have privacy protections for owners or their vehicles.
“[Car manufacturers’] answers are vague, they’re incomplete, and I think they’re hiding the fact that they want to monetize each and every one of our individual pieces of information as we drive in the next century,” Markey said.
The senator has asked the Federal Trade Commission to investigate the data privacy practices of the automakers, after raising questions concerning whether car makers are transferring data for commercial benefits.
‘I don’t want my rates to go up’
InvestigateTV found that consumers can easily access details about what information their vehicle collects through the Vehicle Privacy Report, which is operated by tech company Privacy4Cars.
In just seconds, an InvestigateTV producer discovered that her 2019 Jeep Compass, manufactured by Stellantis, was gathering several types of data:
- Location information
- Biometrics (facial recognition and fingerprints)
- Connected services (CarPlay)
- Personal information (for example: social security number, driver’s license number, address, etc.)
Describing her car as “a smartphone on wheels,” the report also highlighted concerns that Jeep may share or sell this data to affiliates, service providers, insurance companies, and even governmental entities.
However, in Stellantis’ response to Markey, the automaker stated it only “collects information as required by law or authorized by customers,” which the producer had not opted into.
Consumers have the option to request a free consumer disclosure report to understand what data is being collected by their vehicle and to manage their preferences for data collection. They can also dispute any findings under the federal Fair Credit Reporting Act.
As for Thomas Maranda, he hopes his insurance company isn’t collecting information about him.
“I don’t think it talks to my insurance company. Hopefully, because this car’s fun to drive and I don’t want to get myself in trouble,” Maranda said. “I don’t want my rates to go up.”
Maranda acknowledged the convenience of connected cars but questioned whether automakers can be trusted to regulate themselves regarding data privacy.
“It’s challenging because it’s a lot of convenience for us as consumers, but at the same time, there’s a sort of line for the companies to find ways to leverage that data for profit,” Maranda said.
As consumers become increasingly aware of these issues, the debate over data privacy in the automotive industry continues to evolve, with implications for both convenience and privacy concerns.
Associate producer Charlie Roth contributed to this report.
Copyright 2024 Gray Media Group, Inc. All rights reserved.