Which smart cars have the most privacy concerns?

Despite their many benefits, the rise of smart cars brings forth a new set of challenges, particularly in terms of driver privacy. A recent Mozilla Foundation study has placed these vehicles under scrutiny, revealing startling privacy lapses. 

From Tesla’s controversial data collection methods to Nissan’s concerning privacy policy, the findings are a wake-up call for both consumers and regulators. Smart cars, while innovative, are becoming data troves, often collecting more information than necessary and sharing it with third parties. 

Building on our previous discussion in the article How your smart car tracks you, this analysis takes a deeper dive into the privacy practices of leading smart car manufacturers. We scrutinize how these companies handle user data, focusing on key areas like data usage, control, security measures, and AI technology. 

Our investigation aims to provide a comprehensive overview of the privacy landscape in the automotive industry, highlighting areas where car companies need to improve to better protect driver privacy.

What makes a car smart?

Gone are the days of purely mechanical cars. Modern vehicles are a hub of microprocessors and sensors, steering the shift towards digitalization in automotive technology. Today’s cars, especially the luxury ones, boast up to 100 microprocessors. These tiny brains control everything from your airbags to the car’s cruise control, all feeding off data from a myriad of sensors. 

Here’s a closer look at what makes a car “intelligent”:

• Sensors and cameras: Smart cars utilize sensors and cameras as their eyes and ears, constantly collecting data about their surroundings, including other vehicles, pedestrians, and road signs.
• Data processing: The car’s computer processes data from these sensors and cameras to make informed driving decisions, controlling steering, speed, and braking.
• Autonomous driving: This feature allows the car to drive itself by analyzing road conditions and traffic, making real-time decisions for a safer driving experience.
• Adaptive cruise control and GPS: These ensure smoother and smarter navigation, offering precise location tracking and efficient route planning.
• Connectivity: Links the car to smartphones and other devices for remote control and monitoring.
• Smart parking and traffic prediction: Assists in finding and maneuvering into parking spots, and uses real-time data to avoid congestion and suggest alternate routes.
• Safety features: Automatic emergency brakes and more, for a safer drive.
• In-car entertainment: Connects to apps and streaming services for a more entertaining travel experience.
• Eco-friendly tech: Especially in electric models, reducing emissions and boosting efficiency.
• Car-to-car communication: Smart cars share information with other vehicles about traffic and road conditions.
• Smart city integration: Interacts with urban infrastructure like smart traffic lights for smoother travel​.

The double-edged sword of smart car technology 

While the advanced features of smart cars offer convenience and enhanced driving experience, they also usher in significant privacy concerns. These innovations, though impressive, pave the way for extensive data collection about drivers.

Data collection 

Smart cars, equipped with their myriad of sensors, cameras, and connectivity features, are constantly gathering data. This includes not just basic vehicle operation data but also personal information like driving habits, location history, and even preferences in entertainment. The interconnected nature of these systems means that this data can be vast and detailed, offering a comprehensive profile of the driver’s behavior and preferences.

Connectivity and surveillance risks

The very features that make smart cars convenient—GPS tracking, autonomous driving, and car-to-car communication—also open up avenues for constant surveillance. This isn’t just about tracking where the vehicle is; it’s about monitoring how it’s being used, who’s using it, and in some cases, even what’s being said inside it.

Implications for user privacy 

While smart cars can make our lives easier, they also pose a risk to our privacy. This data, if not properly secured and managed, can be misused by companies for targeted advertising, by hackers for malicious purposes, or even by authorities for surveillance. The challenge lies in balancing the benefits of these advanced technologies with the need to protect the privacy and security of the individuals using them.

15+ car brands under the spotlight 

So which car companies stand out for their concerning privacy practices? While Tesla is known for its revolutionary electric vehicles, its data collection practices are questionable. Kia’s privacy policy is also problematic, and Nissan’s is probably the worst. 

Here’s what you need to know about a few of the top car brands, ranked from bad to worse in terms of user privacy:

Source: Mozilla Foundation 

1. Renault 

Renault, a prominent French car company, boasts a long history in Europe and Latin America, though it withdrew from the U.S. market in 1992. While it complies with European privacy laws, there’s some uncertainty about its data collection practices, including personal and driving information. The company seeks consent for geolocation data, as per GDPR guidelines, and refrains from selling personal data, but invests in data ventures, raising some privacy queries. Its association with Nissan, known for privacy issues, adds to these concerns.

2. BMW

BMW, while not the worst in privacy among car brands, aligns with a low industry standard. It amasses a wide range of personal and driving data, including contact details, driving habits, and multimedia usage. BMW extends data collection to third-party sources, like data brokers and social media networks. There’s also uncertainty about the extent of data sharing for advertising, as its privacy policy doesn’t explicitly clarify this.

3. Jeep

Jeep, an iconic American brand known for rugged vehicles, has faced criticism for its user-unfriendly privacy policy. Navigating its website for privacy information is challenging. Jeep, along with parent company Fiat Chrysler Automotive (FCA), collects a broad range of data, from personal details to vehicle information. Third-party data sources are also tapped for targeted marketing, resulting in extensive data sharing and privacy concerns.

4. Chrysler (Dodge)

Chrysler and Dodge, which fall under the same parent company FCA, share a complex and challenging-to-navigate privacy policy with Jeep. They gather extensive personal and vehicle information, creating detailed user profiles for targeted marketing and ad personalization. While security has improved since a 2015 incident that saw 1.4 vehicles being recalled after a hacking incident, concerns remain about potential identification risks with de-identified data (data that has had all of the personally identifiable information removed), especially if it includes location information.

5. Volkswagen 

Volkswagen’s privacy practices regarding data usage, control, and security are also problematic. The company engages in extensive data collection across cars and connected services, encompassing a wealth of personal and vehicle data. VW’s disclosure policy indicates broad sharing, often for targeted advertising. Even de-identified data is not immune to usage, with potential re-identification risks. Security concerns, data breaches, and privacy violations further mar VW’s privacy track record, posing considerable risks to personal and location data.

6. Toyota (Lexus)

Toyota, a Japanese brand and global leader in car sales, also owns Lexus—which shares the same privacy policy. Despite the company’s stature, Toyota’s privacy practices raise concerns. It collects an extensive amount of data, often more than necessary, and shares or sells it to third parties for marketing purposes. 

Its privacy landscape is complex, with numerous policies covering different aspects, making it challenging for users to navigate and comprehend. Data collection encompasses personal, demographic, driving behavior, vehicle, and sensitive information. Toyota claims to process facial geometric features exclusively within the car but concedes that this sensitive information may be shared under legal requirements. On the plus side, Toyota does grant individuals in the U.S. certain rights to control their data.

7. Ford

Ford, arguably the best-known American car brand, has a long history in the automotive industry. However, its privacy track record raises concerns. It amasses substantial personal and vehicle data, ranging from names and emails to location data and driving behavior. This information is used to create detailed user profiles for marketing purposes. Ford also shares or potentially sells this data to various third parties, including dealers, social media platforms, advertising companies, and law enforcement. Its privacy policies are complex, making it hard for users to understand the extent of data collection. In terms of security, Ford has had some publicized incidents, which raises doubts about its ability to protect the personal information they collect.

8. Audi

Audi, the renowned German car manufacturer, known for its luxury vehicles, presents a challenge in understanding its privacy policies, particularly for U.S. consumers. Policies vary based on the car’s model year and selected services, with an additional privacy page for Volkswagen Group of America, Audi’s parent company, accessible only in select U.S. states with stringent privacy laws.

In terms of data collection, Audi accumulates a wide range of personal, car-related, and other information, which includes names, contact details, GPS-derived location data, in-car voice commands, and extensive vehicle usage data. It also extracts information from connected services like navigation and streaming. Audi is capable of creating detailed user profiles based on this data, reflecting individual preferences and traits. This information not only remains within Audi but is also shared, and potentially sold, to third parties for advertising purposes.

Coupled with a track record of data protection issues, as seen in the 2021 incident mentioned above, not all consumers have equal rights to request data deletion or to opt out of data sharing for marketing.

9. Mercedes-Benz

Mercedes-Benz cars are known for luxury, but the company’s privacy practices raise serious concerns. It collects a lot of personal data, including sensitive info like location and biometrics. It also admits to sharing or selling some of this data for targeted ads. The company’s track record isn’t perfect either, with the significant data leak in 2022. Integrating the privacy-sensitive TikTok app into its cars in 2023 doesn’t inspire confidence either. The company’s privacy notice even acknowledges that no information system is completely secure. The German manufacturer admits to sharing sensory data with law enforcement, posing a potential threat to individual privacy.

10. Honda

Honda’s privacy policy raises concerns. While the company claims to prioritize privacy, its policy allows for extensive data collection, potential sharing, and even selling, of personal information. Its interpretation of “data minimization” is broad, enabling substantial collection for “legitimate business purposes.” It also lists a wide range of potentially gathered information, including sensitive data. 

While Honda states it won’t share geolocation info without consent, the terms of this consent are unclear, leaving customers potentially exposed. Additionally, it mentions acquiring data from various sources and using a wide array of personal information for targeted marketing. While Honda’s privacy and security record isn’t the worst, reported vulnerabilities, like a keyless entry system flaw, raise concerns about their reporting mechanisms.

11. Kia 

Kia’s approach to privacy is bizarre. Like Nissan, it claims the right to collect sensitive data like genetic information and details about one’s sex life without providing clear justification. It also has a broad definition of personal information, which means private and sensitive data could fall under this category. 

Kia also collects a wealth of information about driving habits, geolocation, and movements, and may share or sell this information. Past security incidents and vulnerabilities also raise doubts about the company’s commitment to user safety. 

Additionally, its connected services also likely involve third-party providers, possibly exposing user information. Concerningly, Kia also has a “My Car Zone” feature that lets you set alerts to monitor how others drive your car, like curfew violations and speed limits. While it’s designed for parents to keep an eye on their kids, it could also be abused by controlling family members or partners.

12. Chevrolet (GMC & Cadillac)

Chevrolet, GMC, and Cadillac share a privacy policy as they’re all owned by General Motors. They have a complicated privacy setup with at least six separate privacy policies in the U.S. The car manufacturer is really keen on connecting driver’s phones to their cars, even adding a mandatory 1,500 USD fee for its OnStar and Connected Services Premium Plan. This doesn’t leave much choice for buyers. 

OnStar’s policy reveals that the company gathers a lot of personal and car data, and it’s closely linked with law enforcement and government agencies. The service can collect a vast range of information about you and your car, and even draw conclusions about your traits and habits for marketing. It’s not clear when you actually give consent for all this data collection. GM’s track record on data protection isn’t perfect either, with a major data breach in 2022. 

13. Hyundai 

Hyundai, a well-known South Korean car maker, has significantly improved its global reputation since its early days. However, its privacy policy raises particular concerns. It states the company’s readiness to comply with “lawful requests, whether formal or informal,” a statement that goes beyond the language of many other car brands. This gives rise to serious questions about the potential extent of data sharing with government or law enforcement agencies.

What’s particularly worrisome is Hyundai’s extensive data collection practices. The company collects a host of detailed and sensitive information about users’ activities, both within their vehicles and through connected services. This includes geolocation, driving habits, and even sensor data generated by the vehicle. Moreover, Hyundai’s definition of personal information is exceptionally broad, potentially encompassing a wide range of sensitive data.

Hyundai’s privacy policies also show a lack of clarity and transparency. The language is often vague, leaving room for broad interpretation. For example, the policy references collecting “physiological, biological or behavioral characteristics” under biometric information, a term open to wide-ranging interpretation.

Additionally, Hyundai’s data handling practices raise questions about security. Recent incidents, including a data breach affecting car owners in France and Italy, and a vulnerability that could potentially allow unauthorized access and control of vehicles, underscore concerns about data safety and user privacy.

In terms of user control, options to opt out of certain data collection practices are limited, and some functionalities may be restricted as a result. Only residents of select U.S. states and those under GDPR protection in Europe have the option to request certain data-related actions.

14. Tesla

Tesla, led by Elon Musk, is known for its high-tech electric cars. As of 2023, it stands as the world’s most valuable car manufacturer. However, its AI-powered autopilot has raised serious concerns due to its association with a troubling number of accidents and fatalities. This has prompted heightened government scrutiny.

There have also been incidents, like the internal sharing of videos from Tesla’s cameras, that included highly sensitive content, raising serious questions about user privacy. Moreover, a whistleblower leaked multiple confidential files alleging a cover-up of Autopilot system issues, containing extensive personal data. This event is currently under investigation for potential GDPR privacy law violations.

Tesla’s privacy policy also outlines extensive data collection, covering details from personal information to various aspects of vehicle use. While some data processing is done locally on the car, certain elements, like cabin camera footage, are shared with Tesla if data sharing is enabled. Additionally, the opt-out process for data sharing may have unintended consequences, potentially impacting the functionality of the Tesla vehicle.

15. Nissan

Nissan’s approach to privacy is deeply unsettling as it openly admits to collecting and sharing highly sensitive personal information, including details about sexual activity, health conditions, and genetic data—all for targeted marketing purposes. While the company’s transparency is notable, it underscores a troubling approach to handling user data.

The company’s MyNissan app also raises red flags. The Data Safety Information on the app’s Google Play Store page contradicts its privacy policy. Nissan asserts that no data is shared with third parties, directly conflicting with its policy that clearly states personal information is shared with various partners. The issue of data collection also extends to passengers who use Nissan’s connective services while in one of their smart cars. Additionally, the app’s inability to delete collected data leaves users potentially exposed to data mishandling.

Nissan’s data protection track record, while not the worst among car companies, falls short. A 2022 data breach involving a third-party service provider raises serious questions about the overall security of their data-sharing practices. A security vulnerability in January 2023 also exposed a potential loophole for unauthorized remote access to vehicles, emphasizing the urgent need for improved security measures. 

The road ahead

As smart cars continue to evolve and advance, it’s clear that the current state of car data privacy calls for urgent action. The technological prowess that makes cars smarter also makes them potent tools for data collection, far beyond what is necessary for vehicle operation. This excess data gathering, ranging from driving patterns to personal preferences, can potentially be exploited, underscoring the need for more stringent privacy regulations.

This juncture demands a forward-thinking approach to regulation. Legislators and industry stakeholders need to collaborate to develop clear, enforceable guidelines that ensure data collection is transparent, secure, and respectful of user privacy. These regulations should give users meaningful control over their data, including the right to know what is collected and the power to opt out.

The path forward should also encompass stringent security measures to protect against data breaches and unauthorized access, ensuring that the advancements in automotive technology do not come at the expense of personal privacy. As we embrace the future of smart cars, ensuring robust privacy protections will be key to maintaining user trust and advancing technological innovation responsibly.

Learn more about how you can safeguard your personal data from smart car manufacturers.