Navigating the Road of Data Privacy: What Your Car Knows About You
What is this all about?
Discover the new frontier of data privacy in the automotive industry. Explore what your car knows about you and how to safeguard your personal information on the road.
In an era of digital transformation, our cars have become more than just modes of transportation. They have evolved into rolling data hubs with sensors, computer systems, and connectivity features. While this technological advancement has undoubtedly enhanced our driving experience, it has also raised significant concerns about data privacy. In this blog, we'll delve into the data privacy concerns surrounding cars and educate you on the types of information your vehicle may be collecting.
What Your Car Knows About You
Cars can collect a vast amount of data about us, including our whereabouts, driving behaviors, voice interactions, and even biometric details, essentially evolving into powerful snooping machines that we engage with on a daily basis. This data is valuable to car manufacturers, who can use it to improve their products and services, but it also raises major data privacy concerns.
| Data type | What your car may collect |
| --- | --- |
| Location Data | Your car can track your location, which can include information about where you go, how often you go there, and how long you stay. |
| Voice Recordings | Some cars have voice recognition systems that can record your voice when you use voice commands or interact with in-car systems. |
| Financial Data | Your car may collect information related to your financial status, such as your income and spending habits. |
| Personal Data | Car manufacturers may collect personal information about you, including your immigration status, race, genetic information, and even information about your sexual activity. |
| Personal Photos & Images | If you use in-car infotainment systems or connect your phone, your car may have access to your personal photos. Your car may also capture images, although the specific details about what images are captured are often not clear. |
| Calendar and Activities | Some cars can access and store your calendar events and to-do lists. |
| Route History | Your car may record information about the routes you take, helping to build a picture of your travel habits. |
| Employment Information | Information about your workplace and commuting habits may be gathered. |
How Your Car Collects Your Information
At the heart of this relentless data collection process are the onboard computer systems of modern cars. These systems serve as the vehicle's digital brain, carefully recording your every interaction. Whether it's adjusting settings or engaging with advanced features through buttons, touchscreens, or voice commands, these systems are always at work. According to Mozilla, consulting firm McKinsey predicts that 95% of new vehicles sold globally will be connected ones by 2030.
Connectivity is another key factor of this data gathering. Internet-connected cars have the ability to compile real-time data about your location, traffic conditions, and even how you interact with the infotainment system. For some, the ordeal doesn't end there as telematics devices come into play. These plug-in devices are employed to transmit data on driving behavior, often to insurance companies. They keep a vigilant eye on your speed, braking habits, and acceleration patterns.
Furthermore, should you opt to synchronize your car with a manufacturer's app, be prepared for another violation of privacy. These seemingly harmless applications quietly collect data about your every move – your usage patterns, your exact whereabouts, and your unique preferences – all neatly packaged and handed over to the car manufacturer. Car companies often seek additional insights about you from car brokers, who specialize in collecting and selling data from diverse sources, ranging from your social media profiles to government records.
Unfortunately, even the simple act of taking a test drive is not immune to data collection. Dealerships have the capability to discreetly gather information during these test drives, including your contact details and your driving preferences. Government records also play a role, occasionally providing data such as vehicle registration and licensing information.
Data Destination: Where Does Your Information Go
Car companies often share and sometimes sell the data they collect to third-party businesses. These third parties can include a wide range of entities, such as service providers, data brokers, and other companies. The privacy policies tend to use vague language when describing the recipients of the data, making it unclear who exactly is receiving it. Car manufacturers may combine the data they collect from your car with personal information obtained from third parties, leading to a more comprehensive profile of you, which is often used for marketing and other purposes.
Many car companies explicitly state in their privacy policies that they have the right to sell your personal data. This data may include a wide range of information, from driving behavior to personal preferences. Some data collected from your car may be aggregated and anonymized before it is shared or sold. In many jurisdictions, privacy laws do not apply to such data, making it difficult to determine how this information is handled and who has access to it. According to Mozilla’s report on car rankings, Subaru's policy dictates that by being a passenger, you are considered a user – and by being a user, you have consented to their privacy policy.
Car companies may also partner with data brokers or automotive data hubs, which act as intermediaries that collect, aggregate, and distribute vehicle data. These data brokers may sell the data to various businesses, including insurance companies, advertisers, and researchers.
Automotive Companies with Data Privacy Breaches
Toyota has revealed a significant data breach that exposed the data of more than 2.15 million customers due to a misconfigured cloud bucket. The breach affected sensitive information from Toyota's cloud-based Connected services, which were accessible without authorization from November 2013 to April 2023. While the breach only impacted customers in Japan, Toyota emphasized that individual customers' identities were not compromised, and there have been no reports of third-party misuse of the exposed data. This incident comes after a separate security incident earlier in the year involving a hacker exploiting a flaw in Toyota's customer relationship management software.
Volkswagen and its subsidiary Audi suffered a data breach affecting 3.3 million customers, primarily in the United States and Canada. The breach, which occurred between August 2019 and May 2021, exposed customer data used for sales and marketing purposes, including names, addresses, email addresses, and phone numbers, as well as details about vehicles purchased or inquired about. While most records contained basic contact information, approximately 90,000 Audi customers in the US had more sensitive data compromised, including driving license numbers and Social Security numbers. The breach was traced back to an unnamed associate vendor.
As a data protection advocate, I can't help but be deeply troubled by the automobile industry’s relentless appetite for our personal data. It’s as if our vehicles have become confessional booths, whispering our secrets to data brokers. It’s a disheartening paradox: they profit off our private information leaving us in the dark about their methods.
Miloš Djurvedic, Founder & CEO at heyData
Car Privacy Best Practices
It’s important to be aware of the risks associated with data collection and to take steps to protect your privacy. Always review your car's privacy policy to learn more about the data that is being collected and how it is being used. You may also be able to opt out of certain data collection practices. Recent research by Mozilla Foundation has exposed concerning practices within the automotive industry as some car manufacturers shockingly fail to obtain explicit consent before gathering data. Opting out of specific data collection practices also may not be a viable option, resulting in limited control over your personal data.
As an honorable data protection company, we strongly urge consumers to examine their vehicle's privacy policies. Here are some tips for protecting your privacy when using a connected car:
Know your car's privacy policy
- The privacy policy outlines what data your car collects and how it is used. It's essential to understand this information thoroughly before using any connected features.
- Pay attention to details about data retention, sharing with third parties, and the purpose of data collection.
Limit Data Collection
- Most modern cars have settings that allow you to control what data is collected. Review these settings and disable any features that you are uncomfortable with, such as GPS tracking, voice recognition, or automatic data sharing.
It's worth noting that in some cases, certain car companies may put the burden on consumers to make “better choices”, as seen with Tesla, where opting out of data collection could potentially impact certain vehicle functionalities. For instance, Tesla's privacy notice outlines that while you can choose to opt out of vehicle data collection, it may affect features like over-the-air updates, remote services, and in-car capabilities. Therefore, it's crucial to carefully assess the trade-offs involved in limiting data collection and make informed decisions about your data. The option to opt out should be transparent and should never be used as a tool to manipulate consumers.
Be Cautious with Third-Party Apps
Connecting third-party apps to your car's infotainment system can provide convenience, but it can also introduce privacy risks. One of the most significant “apps” is your own personal phone. Therefore, exercising caution is particularly crucial when linking these two data hubs – your car and your smartphone. Ensure that you trust the apps you connect and only grant permissions to apps that genuinely need your location or vehicle diagnostics for their intended purpose.
Secure Your Personal Information
Be mindful of the personal information you share through your car's communication systems, such as phone calls or text messages.
Final Notes
As our vehicles become increasingly connected and smarter, understanding the data they collect and how it's used is paramount. It's essential to stay informed and make informed choices about sharing your data with car manufacturers and third parties, all while advocating for robust data privacy regulations to protect your information on the road. Your data privacy is just as important as your safety behind the wheel.