Navigating the Road of Data Privacy: What Your Car Knows About You

Cars can collect a vast amount of data about us, including our whereabouts, driving behaviors, voice interactions, and even biometric details, essentially evolving into powerful snooping machines that we engage with on a daily basis. This data is valuable to car manufacturers, who can use it to improve their products and services, but it also raises major data privacy concerns.

Related blog: Personal data and GDPR

At the heart of this relentless data collection process are the onboard computer systems of modern cars. These systems serve as the vehicle's digital brain, carefully recording your every interaction. Whether it's adjusting settings or engaging with advanced features through buttons, touchscreens, or voice commands, these systems are always at work. According to Mozilla, Consulting firm McKinsey predicts that 95% of new vehicles sold globally will be connected ones by 2030. 

Furthermore, should you opt to synchronize your car with a manufacturer's app, be prepared for another violation of privacy. These seemingly harmless applications quietly collect data about your every move – your usage patterns, your exact whereabouts, and your unique preferences – all neatly packaged and handed over to the car manufacturer. Car companies often seek additional insights about you from car brokers, who specialize in collecting and selling data from diverse sources, ranging from your social media profiles to government records. 

Unfortunately, even the simple act of taking a test drive is not immune to data collection. Dealerships have the capability to discreetly gather information during these test drives, including your contact details and your driving preferences. Government records also play a role, occasionally providing data such as vehicle registration and licensing information.

Car companies often share and sometimes sell the data they collect to third-party businesses. These third parties can include a wide range of entities, such as service providers, data brokers, and other companies. The privacy policies tend to use vague language when describing the recipients of the data, making it unclear who exactly is receiving the data. Car manufacturers may combine the data they collect from your car with personal information obtained from third parties leading to a more comprehensive profile of you, which is often used for marketing and other purposes.

Many car companies explicitly state in their privacy policies that they have the right to sell your personal data. This data may include a wide range of information, from driving behavior to personal preferences. Some data collected from your car may be aggregated and anonymized before it is shared or sold. In many jurisdictions, privacy laws do not apply to such data, making it difficult to determine how this information is handled and who has access to it. According to Mozilla’s report on car rankings, Subaru's policy dictates that by being a passenger, you are considered a user – and by being a user, you have consented to their privacy policy.

Car companies may also partner with data brokers or automotive data hubs, which act as intermediaries that collect, aggregate, and distribute vehicle data. These data brokers may sell the data to various businesses, including insurance companies, advertisers, and researchers.

Toyota has revealed a significant data breach exposing the data of more than 2.15 million customers from November 2013 to April 2023 due to a misconfigured cloud bucket. The breach affected sensitive information from Toyota's cloud-based Connected services, which were accessible without authorization from November 2013 to April 2023. While the breach only impacted customers in Japan, Toyota emphasized that individual customers' identities were not compromised, and there have been no reports of third-party misuse of the exposed data. This incident surprisingly comes after a separate security incident earlier in the year involving a hacker exploiting a flaw in Toyota's customer relationship management software.

Volkswagen and its subsidiary Audi suffered a data breach affecting 3.3 million customers, primarily in the United States and Canada. The breach, which occurred between August 2019 and May 2021, exposed customer data used for sales and marketing purposes, including names, addresses, email addresses, and phone numbers, as well as details about vehicles purchased or inquired about. While most records contained basic contact information, approximately 90,000 Audi customers in the US had more sensitive data compromised, including driving license numbers and Social Security numbers. The breach was traced back to an unnamed associate vendor. 

Related blog: Understanding and Implementing Data Protection Basics – Get Informed with heyData

It’s important to be aware of the risks associated with data collection and to take steps to protect your privacy. Always review your car's privacy policy to learn more about the data that is being collected and how it is being used. You may also be able to opt out of certain data collection practices. Recent research by Mozilla Foundation has exposed concerning practices within the automotive industry as some car manufacturers shockingly fail to obtain explicit consent before gathering data. Opting out of specific data collection practices also may not be a viable option, resulting in limited control over your personal data. 

As an honorable data protection company, we strongly urge consumers to examine their vehicle's privacy policies. Here are some tips for protecting your privacy when using a connected car:

Know your car's privacy policy

• The privacy policy outlines what data your car collects and how it is used. It's essential to understand this information thoroughly before using any connected features.
• Pay attention to details about data retention, sharing with third parties, and the purpose of data collection.

Limit Data Collection

• Most modern cars have settings that allow you to control what data is collected. Review these settings and disable any features that you are uncomfortable with, such as, GPS tracking, voice recognition, or automatic data sharing. 

It's worth noting that in some cases, certain car companies may put the burden on consumers to make “better choices”, as seen with Tesla, where opting out of data collection could potentially impact certain vehicle functionalities. For instance, Tesla's privacy notice outlines that while you can choose to opt out of vehicle data collection, it may affect features like over-the-air updates, remote services, and in-car capabilities. Therefore, it's crucial to carefully assess the trade-offs involved in limiting data collection and make informed decisions about your data. The option to opt-out should be transparent and should never be used as a tool to manipulate consumers.

Source

Be Cautious with Third-Party Apps

Connecting third-party apps to your car's infotainment system can provide convenience, but it can also introduce privacy risks. One of the most significant “apps” is your own personal phone. Therefore, exercising caution is particularly crucial when linking these two data hubs – your car and your smartphone. Ensure that you trust the apps you connect and only grant permissions to apps that genuinely need your location or vehicle diagnostics for its intended purpose.

Secure Your Personal Information

Be mindful of the personal information you share through your car's communication systems, such as phone calls or text messages.

As our vehicles become increasingly connected and smarter, understanding the data they collect and how it's used is paramount. It's essential to stay informed and make informed choices about sharing your data with car manufacturers and third parties, all while advocating for robust data privacy regulations to protect your information on the road. Your data privacy is just as important as your safety behind the wheel.

Don’t forget to subscribe to our email newsletter to get more data protection and compliance updates and latest blogs delivered right to your inbox