Navigating the Road of Data Privacy: What Your Car Knows About You

Arthur
17.10.2023

What is this all about?

Discover the new frontier of data privacy in the automotive industry. Explore what your car knows about you and how to safeguard your personal information on the road.

In an era of digital transformation, our cars have become more than just modes of transportation. They have evolved into rolling data hubs with sensors, computer systems, and connectivity features. While this technological advancement has undoubtedly enhanced our driving experience, it has also raised significant concerns about data privacy. In this blog, we'll delve into the data privacy concerns surrounding cars and educate you on the types of information your vehicle may be collecting.

What Your Car Knows About You

Cars can collect a vast amount of data about us, including our whereabouts, driving behaviors, voice interactions, and even biometric details, essentially evolving into powerful snooping machines that we engage with on a daily basis. This data is valuable to car manufacturers, who can use it to improve their products and services, but it also raises major data privacy concerns.

  • Location Data: Your car can track your location, which can include information about where you go, how often you go there, and how long you stay.
  • Voice Recordings: Some cars have voice recognition systems that can record your voice when you use voice commands or interact with in-car systems.
  • Financial Data: Your car may collect information related to your financial status, such as your income and spending habits.
  • Personal Data: Car manufacturers may collect personal information about you, including your immigration status, race, genetic information, and even information about your sexual activity.
  • Personal Photos & Images: If you use in-car infotainment systems or connect your phone, your car may have access to your personal photos. Your car may also capture images, although the specific details about what images are captured are often not clear.
  • Calendar and Activities: Some cars can access and store your calendar events and to-do lists.
  • Route History: Your car may record information about the routes you take, helping to build a picture of your travel habits.
  • Employment Information: Information about your workplace and commuting habits may be gathered.

How Your Car Collects Your Information

At the heart of this relentless data collection process are the onboard computer systems of modern cars. These systems serve as the vehicle's digital brain, carefully recording your every interaction. Whether it's adjusting settings or engaging with advanced features through buttons, touchscreens, or voice commands, these systems are always at work. According to Mozilla, consulting firm McKinsey predicts that 95% of new vehicles sold globally will be connected ones by 2030.

Connectivity is another key factor of this data gathering. Internet-connected cars have the ability to compile real-time data about your location, traffic conditions, and even how you interact with the infotainment system. For some, the ordeal doesn't end there as telematics devices come into play. These plug-in devices are employed to transmit data on driving behavior, often to insurance companies. They keep a vigilant eye on your speed, braking habits, and acceleration patterns. 

Furthermore, should you opt to synchronize your car with a manufacturer's app, be prepared for another violation of privacy. These seemingly harmless applications quietly collect data about your every move – your usage patterns, your exact whereabouts, and your unique preferences – all neatly packaged and handed over to the car manufacturer. Car companies often seek additional insights about you from car brokers, who specialize in collecting and selling data from diverse sources, ranging from your social media profiles to government records. 

Unfortunately, even the simple act of taking a test drive is not immune to data collection. Dealerships have the capability to discreetly gather information during these test drives, including your contact details and your driving preferences. Government records also play a role, occasionally providing data such as vehicle registration and licensing information.

Data Destination: Where Does Your Information Go

Car companies often share and sometimes sell the data they collect to third-party businesses. These third parties can include a wide range of entities, such as service providers, data brokers, and other companies. The privacy policies tend to use vague language when describing the recipients of the data, making it unclear who exactly is receiving the data. Car manufacturers may combine the data they collect from your car with personal information obtained from third parties, leading to a more comprehensive profile of you, which is often used for marketing and other purposes.

Many car companies explicitly state in their privacy policies that they have the right to sell your personal data. This data may include a wide range of information, from driving behavior to personal preferences. Some data collected from your car may be aggregated and anonymized before it is shared or sold. In many jurisdictions, privacy laws do not apply to such data, making it difficult to determine how this information is handled and who has access to it. According to Mozilla’s report on car rankings, Subaru's policy dictates that by being a passenger, you are considered a user – and by being a user, you have consented to their privacy policy.

Car companies may also partner with data brokers or automotive data hubs, which act as intermediaries that collect, aggregate, and distribute vehicle data. These data brokers may sell the data to various businesses, including insurance companies, advertisers, and researchers.

Automotive Companies with Data Privacy Breaches

Toyota has revealed a significant data breach exposing the data of more than 2.15 million customers due to a misconfigured cloud bucket. The breach affected sensitive information from Toyota's cloud-based Connected services, which were accessible without authorization from November 2013 to April 2023. While the breach only impacted customers in Japan, Toyota emphasized that individual customers' identities were not compromised, and there have been no reports of third-party misuse of the exposed data. This incident surprisingly comes after a separate security incident earlier in the year involving a hacker exploiting a flaw in Toyota's customer relationship management software.

Volkswagen and its subsidiary Audi suffered a data breach affecting 3.3 million customers, primarily in the United States and Canada. The breach, which occurred between August 2019 and May 2021, exposed customer data used for sales and marketing purposes, including names, addresses, email addresses, and phone numbers, as well as details about vehicles purchased or inquired about. While most records contained basic contact information, approximately 90,000 Audi customers in the US had more sensitive data compromised, including driving license numbers and Social Security numbers. The breach was traced back to an unnamed associate vendor. 


As a data protection advocate, I can't help but be deeply troubled by the automobile industry’s relentless appetite for our personal data. It’s as if our vehicles have become confessional booths, whispering our secrets to data brokers. It’s a disheartening paradox: they profit off our private information leaving us in the dark about their methods.

Miloš Djurdjević, Founder & CEO at heyData

Car Privacy Best Practices

It’s important to be aware of the risks associated with data collection and to take steps to protect your privacy. Always review your car's privacy policy to learn more about the data that is being collected and how it is being used. You may also be able to opt out of certain data collection practices. Recent research by Mozilla Foundation has exposed concerning practices within the automotive industry as some car manufacturers shockingly fail to obtain explicit consent before gathering data. Opting out of specific data collection practices also may not be a viable option, resulting in limited control over your personal data. 

As an honorable data protection company, we strongly urge consumers to examine their vehicle's privacy policies. Here are some tips for protecting your privacy when using a connected car:

Know your car's privacy policy

  • The privacy policy outlines what data your car collects and how it is used. It's essential to understand this information thoroughly before using any connected features.
  • Pay attention to details about data retention, sharing with third parties, and the purpose of data collection.

Limit Data Collection

  • Most modern cars have settings that allow you to control what data is collected. Review these settings and disable any features that you are uncomfortable with, such as GPS tracking, voice recognition, or automatic data sharing.

It's worth noting that in some cases, certain car companies may put the burden on consumers to make “better choices”, as seen with Tesla, where opting out of data collection could potentially impact certain vehicle functionalities. For instance, Tesla's privacy notice outlines that while you can choose to opt out of vehicle data collection, it may affect features like over-the-air updates, remote services, and in-car capabilities. Therefore, it's crucial to carefully assess the trade-offs involved in limiting data collection and make informed decisions about your data. The option to opt out should be transparent and should never be used as a tool to manipulate consumers.

Be Cautious with Third-Party Apps

Connecting third-party apps to your car's infotainment system can provide convenience, but it can also introduce privacy risks. One of the most significant “apps” is your own personal phone. Therefore, exercising caution is particularly crucial when linking these two data hubs – your car and your smartphone. Ensure that you trust the apps you connect and only grant permissions to apps that genuinely need your location or vehicle diagnostics for their intended purpose.

Secure Your Personal Information

Be mindful of the personal information you share through your car's communication systems, such as phone calls or text messages.

Final Notes

As our vehicles become increasingly connected and smarter, understanding the data they collect and how it's used is paramount. It's essential to stay informed and make informed choices about sharing your data with car manufacturers and third parties, all while advocating for robust data privacy regulations to protect your information on the road. Your data privacy is just as important as your safety behind the wheel.
