Cars collect massive amounts of driving and personal data
Big data collection is estimated to blossom into a trillion-dollar industry. Yet, there is no national data privacy law to protect consumers.
Automakers can collect and share mountains of information now that cars, trucks and SUVs have become more connected. 13 Investigates reviewed privacy policies from 14 car manufacturers and found companies are collecting information about users’ lives inside and outside their vehicle — including intimate details.
"Now they’re just gathering whatever they can,” said Angie Raymond, a professor of Business Law and Ethics at Indiana University’s Kelley School of Business. “As much as they can, and why not? Because they know no one's paying attention."
13 Investigates consulted Raymond and other data privacy experts. They say it is time for a national conversation about more data protection for consumers and laws that would force companies to be more transparent about what they collect and why and allow consumers more control over their information.
Some automakers tell 13 Investigates they would be OK with additional regulation. For example, a spokesperson for General Motors sent the following statement to 13News:
“GM is supportive of ambitious, comprehensive federal privacy legislation to standardize consumer rights to access, delete, and correct information across the country, enhances consumer privacy protections, and fosters US competitiveness and innovation.”
Right now, automakers are required to disclose if they may collect information and provide a privacy policy or notice. Those policies notify consumers and customers what data is or may be collected and shared. However, many people never read the policies, which 13 Investigates found were often long, vague and not easy to read.
What are they collecting and why?
While cars are a major part of life for most Americans, data privacy is not top of mind when it comes to owning or driving a car. In many cases, privacy is not even on the list of features most people will consider when buying a vehicle.
Candace Boyd Simmons is a working mom and wife. She’s in her Mazda CX-9 almost daily.
"I love my car,” Simmons said with a smile and laugh, “because it's a small SUV, and I'm short."
Boyd Simmons enjoys how connected the vehicle is. She also likes that an app will notify her when she needs service or if there’s a flat tire. The Indy mom is OK with her automaker collecting some data, especially if it improves safety and makes the vehicle easier to use.
However, she never considered the issue when buying. Simmons sat down with 13 Investigates and reviewed one of Mazda’s privacy policies for the first time.
A few minutes into reading, Simmons said, "This is scary. This is scary.”
Simmons learned her automaker could collect information about her social media use, as well as internet and network activity.
“It feels overwhelming," Simmons said.
Almost all car manufacturers have one or more privacy policies. While most people may not be surprised to learn a vehicle is tracking their driving – including acceleration, speed and braking activity – many people we spoke to were surprised by how much information automakers say they do and may collect. It’s unclear exactly how much information they collect and how often they collect it.
Policies detail that automakers are collecting your precise location and geolocation data. Cameras are collecting images inside and outside of vehicles. Companies can also figure out what you like by drawing inferences from everything they hoard. Some automakers also collect sensitive personal information, which may include text messages as well as information about your health and religious or philosophical beliefs. One of Kia's privacy policies – updated Jan. 1, 2024 – states it may also collect information about a user’s sex life or sexual orientation, but that's not listed in the company's Kia Connect Privacy Policy — which deals with multiple products often connected to the vehicle.
"We think of our cars as an extension of us,” said Jen Caltrider, with the Mozilla Foundation. “We're Americans. It's our independence. It's a private space for us a lot of times, and if you're used to that being a private space, and now suddenly it's not … that's worrisome. And you just might not even think about it because it's not obvious like phone or a computer is.”
The Mozilla Foundation is a tech-focused nonprofit. Caltrider is the program director for the foundation’s *Privacy Not Included team, which ranks products based on privacy and security features.
Last year, the team reviewed 25 car privacy policies and reported “cars are the worst product category we have ever reviewed for privacy.”
“Oh, by far,” Caltrider said. “By far … We never had a category where we couldn't find something good that we could recommend to somebody to choose over something bad."
Caltrider and Raymond both told 13 Investigates current policies are too vague and allow for the collection of too much data, which can be at risk from hackers and misuse.
The experts say companies collect vast amounts of data because it’s profitable. They say car companies can use the information to make better products or better market those products. In some cases, the data is sold. Data is big business.
"Trillions, the data ecosystem is trillions of dollars without any question whatsoever," Raymond said.
Some automakers explicitly say they do not sell this information but may still share the information with third parties, which may include dealerships, other companies within an ownership group, business partners and law enforcement.
Do we care?
The privacy experts 13 Investigates consulted did not know exactly how the automakers collect all that information. However, they suspect some of the information is likely gathered when someone connects their phone to the vehicle or its application. Modern vehicles also have lots of sensors and cameras that have the potential to collect key information about what happens both inside and outside of the vehicle.
"There are a total of nine cameras in the car, including one inside like that watches you,” Tesla owner Luke Zhang said. “I think that that's probably the biggest data privacy concern.”
Zhang owns a Tesla Model 3 Long Range and loves the high-tech features in his car.
"I work in tech as a data scientist,” Zhang said. “I don't see this as a car. I see it more as an adult toy."
Many Tesla owners are tech-savvy and realize they bought a giant computer on wheels. The company also makes it relatively easy for owners to opt out of some data collection.
However, while reviewing the policy with 13 Investigates, Zhang noticed choosing to opt out may have serious consequences.
"They warn you, if you turn it off, this might result in your vehicle suffering from reduced functionality, serious damage,” Zhang said.
The policy says opting out may also make the vehicle "inoperable."
“As a consumer, I think when I bought the car, I should have the right to use all the functionalities this car provided, regardless of what I choose to do with my data privacy," Zhang said.
However, that’s not necessarily the case. Current law allows policies that link safety and other features to opting into data collection. It also allows companies to update or change their privacy policy whenever they like. Companies do not have to actively reach out to consumers to tell them they’ve made a change.
“I have spoken very loudly about that being a massive error in the law,” Raymond said.
As a result, car manufacturers can, in essence, change the terms of service when it comes to privacy issues. Raymond says any good lawyer or businessperson would encourage them to follow what is allowed by the law.
“It doesn't make it OK,” Raymond said.
The automakers' privacy policies can be difficult for the average person to understand. However, most policies put the onus on car owners to understand and share this information with passengers. In other words, it’s up to owners to tell their friends and family their data is or may be collected.
Raymond drives a Subaru and was surprised to read that just sitting in the vehicle could be seen as consent to have data collected.
"I think it's egregious, quite honestly, that they even sort of hint at that being consent," Raymond said.
Some policies state a vehicle owner “must notify any additional drivers about the privacy practices.”
“Companies need to do better,” Caltrider said.
“Consumers shouldn't be expected to read privacy policies all day long,” Caltrider said. “That's what I do for a living, and I understand how incredibly complicating and frustrating it is, and it’s my job. If I were a regular person with another job and a family, there's just no way it would be possible. So, no, companies should not put the responsibility on consumers to read these privacy policies and understand them, and then try and understand any measure that they might be able to take to protect their privacy.”
What’s more concerning to Caltrider is that there are not many ways for consumers to limit what is being collected.
“Consumers don't have options right now,” Caltrider said. “Unless you're mechanically inclined and can buy an old car and maintain it, you just don't have a lot of good options. So, it is time to put pressure on the government to do better, and hopefully this (report) will help.”
Possible protections
Tesla is one of a few companies that make it easy for vehicle owners to opt out of some data collection with a simple swipe.
Following the Mozilla Foundation’s research, U.S. Sen. Ed Markey (D-Massachusetts) sent a letter to 14 automakers to learn more about what they collect and to encourage additional protections for consumers. On Feb. 28, the senator called on the Federal Trade Commission to investigate the automakers for "invasive data privacy practices." It came after he received written responses from all 14 automakers. The senator said the companies "largely failed to answer important questions."
Thirteen states have passed legislation that put in place some additional data privacy protections, according to the International Association of Privacy Professionals. Five of those laws are currently in effect, eight more will go into effect at a later date. For example, California’s law requires companies to provide a way for consumers to opt out of some data collection or have their information deleted. Some companies like Tesla and Subaru provide those options to consumers in every state.
In 2023, Indiana lawmakers passed the Indiana Data Protection Act, which will allow consumers to review, correct and delete their information. It will also allow people to opt out of some data collection. The law goes into effect in 2026. It will allow the Indiana Attorney General to sue companies that do not abide by the new laws. However, lawmakers stopped short of allowing individual consumers the right to sue.
“I’m of the opinion that anytime you make law, tied to political will, you put in place a barrier that maybe shouldn't be there," Raymond said.
Raymond says there are times when the attorney general’s office may sue a company, but it doesn’t happen very often.
“It's very difficult to gather enough momentum to get attorney generals to do things,” Raymond said. “It takes a ton of time. It's incredibly expensive.”
Raymond and Caltrider say state laws are helpful, but a strong national law is needed. Some car companies tell 13 Investigates they would support change. Stellantis wrote, “We take very seriously the issue of data privacy and we welcome and support efforts by Congress to enact a comprehensive federal consumer privacy law.”
Zhang believes before any changes are made, people need to educate themselves — both consumers and lawmakers.
"If we don't understand it, how do we regulate it?" Zhang said.
Raymond and Caltrider both agree more education is needed, and a conversation about change needs to include a lot of different voices including companies like automakers, as well as lawmakers and consumers. Raymond thinks both older and younger people should be part of the conversation since they may have different views on privacy.
After talking with 13 Investigates, Zhang chose to let Tesla collect more of his data.
"So that they can improve faster,” Zhang said.
He believes he made an informed decision, and he accepts the risks that come with the collection of that data.
Simmons says discussing the privacy issue with 13 Investigates opened her eyes to what’s being collected, and she says she would like to see change as well.
"I want to keep the technology, but I want the protections,” Simmons said. “Like, I want to make sure that we're being fair and equitable to everybody involved."
So, companies can get what they need to innovate but with guardrails, to better protect the public.
Automaker statements
As part of this reporting, 13 Investigates reached out to 14 automakers. We’ve included below a link to their policies and statements from the automakers who responded to our inquiry. Our questions included asking about their policy regarding sharing data with law enforcement, insurance companies and the possibility of opting out of information sharing.
Here is a link to our statement in response to the Mozilla survey.
Ford is committed to being a trusted steward of the personal information our customers choose to share with us. We utilize connected vehicle data to improve quality, minimize environmental impact, and make our vehicles safer and more enjoyable to drive and own. For more information, we recommend that our customers visit https://www.ford.com/help/privacy/ to read our Connected Vehicle Privacy Notice.
Vehicle connectivity brings safety and convenience. We keep customers in control of their connectivity, maintain transparency in our data practices, and safeguard personal information. GM’s US Connected Services Privacy Statement describes how GM collects, uses, and discloses vehicle data obtained from GM vehicles through a customer’s use of GM connected services.
GM is supportive of ambitious, comprehensive federal privacy legislation to standardize consumer rights to access, delete, and correct information across the country, enhances consumer privacy protections, and fosters US competitiveness and innovation.
(Link to GM’s US Connected Services Privacy Statement: https://www.onstar.com/privacy)
Our privacy statement describes categories of third parties who we share data with, along with examples. Specific names of third parties are case-dependent. As an example, vehicle location data for an Indianapolis-based customer in need of emergency services would be shared with local responders that are different than those for customers in Los Angeles (i.e. the Indianapolis Fire Department versus the L.A. Fire Department.) Here are the categories we describe:
GM Family of Companies: Within the GM family of companies (for example, including OnStar) for the above uses.
Emergency Service Providers: With emergency service providers, such as law enforcement, roadside assistance providers, and ambulance providers, to protect your safety or the safety of others, and to deliver related services (for example, Stolen Vehicle Assistance Services).
Third-Party Business Relationships: With business that GM enters into business relationships, such as SiriusXM, in connection with their products and services; research institutes, for research and development purposes (for example, improving highway safety); or dealers, fleet, or rental car companies, for service or maintenance of your vehicle. We may also share data with third parties for marketing activities (with necessary consents) or where you have elected to receive a service from them and/or authorized them to request data from GM (for example, financial organizations who offer financing for the purchase or lease of GM vehicles or usage based insurance providers).
Service Providers: With our product and service providers who work on our behalf in connection with the uses described in the preceding section, such as dealer managed service providers, wireless service providers (e.g. AT&T), companies that administer our contests and promotions, host and/or operate our websites, send communications, perform data analytics, process, store, or manage credit card information (we will not otherwise share your credit card information).
Where Required or Permitted by Law: As required or permitted by law, such as in conjunction with a subpoena, government inquiry, litigation, dispute resolution, or similar legal process, when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, to detect, investigate and prevent fraud or other illegal activity, or to conduct screening to ensure you are not on any government list of restricted parties.
Business Transfers: With a prospective or completed sale, transfer, or financing of a part of a GM business or its assets.
GM produces vehicle data to law enforcement only in response to:
A warrant or court order supported by a showing of probable cause
A court order issued under 18 U.S.C. Section 2703(d)
Exigent circumstances
A customer consent such as in aiding and recovering a stolen vehicle.
This information is available in GM’s US Connected Services Privacy Statement and further explained on a dedicated law enforcement webpage on the OnStar website. GM individually reviews law enforcement requests for customer data in compliance with our policies.
Link to law enforcement page: OnStar Public Safety Emergency Services | Public Safety
For vehicle owners, no data is shared to auto insurance companies without two layers of consent. With those steps, customers can leverage their driving data and take advantage of usage-based insurance programs. GM does not share medical data with any insurance companies.
Yes, customers can opt out of some or all data collection.
Safety is our top priority. Opting out of the collection of data does not impact any of the core vehicle safety and operational functions.
Nissan takes privacy and data protection for our customers very seriously. When we do collect or share personal data, we comply with all applicable laws and provide the utmost transparency.
Nissan North America’s Privacy Notice is available at nissanusa.com/privacy, and we have clear methods for consumers to opt out of data collection and disclosure, which can be found at: nissanusa.com/privacy.html#your-choices.
Multiple claims regarding Stellantis brands are incorrect or based on outdated information.
Any data collection we conduct is done in accordance with applicable state privacy laws. We take very seriously the issue of data privacy and we welcome and support efforts by Congress to enact a comprehensive federal consumer privacy law.
At Subaru, we take customer data privacy and security very seriously and are committed to safeguarding the vehicle data that we collect. We have implemented strong practices to protect vehicle-generated data from privacy harms and utilize an “opt-in” approach to data collection in which the customer remains in control.
Before any vehicle-generated data is collected by Subaru, customers must voluntarily enroll their vehicle in the Starlink telematics subscription service (“Starlink”). No vehicle data is collected if customers decide not to enroll in Starlink. Customers can also cancel their Starlink subscription at any time, which would immediately stop Subaru’s collection of telematics data.
Starlink is an optional service, and a customer’s decision whether to enroll has no impact on their ability to operate the vehicle safely or to avail themselves of the many safety features for which Subaru is known.
Further, customers can exercise the right to delete their personal/vehicle information (including in states where Subaru is not legally required to do so) by calling a toll-free number or submitting a “Right to be Forgotten” request through an easy-to-use online form. Subaru will then process that request subject to any exceptions provided by law.
Data transmitted from the vehicle to third-party infotainment application providers like SiriusXM, Apple CarPlay, and Android Auto is not accessible by Subaru and is subject to the third party’s respective terms and conditions and privacy policies. Furthermore, Subaru does not share vehicle data with insurance companies unless the customer affirmatively consents to the sharing.
Other than certain carjacking scenarios that involve an imminent risk to human life, Subaru requires a search warrant, subpoena or court order from law enforcement before disclosing any vehicle data.
The Toyota Motor North American privacy notice can be found here: https://www.toyota.com/privacyvts/
This is an ongoing industry topic and we recommend contacting the Alliance for Automotive Innovation for further assistance.
The Volkswagen Group protects the personal data of customers, employees, former employees, suppliers and others. We collect, gather, use and store personal data only in accordance with legal requirements. The basis for any data processing is always a legal basis, such as the express consent of the customer, or the fulfillment of a contract concluded with him. A detailed list of the data processed in each case can be found in the privacy policy. In case of consent, the customer can revoke it at any time with a few clicks. Only data that can be used as a basis for providing customer-relevant services and products, improving services, products and services or developing new ones is collected. For the development of driver assistance and automated driving functions, we aggregate and anonymize data in order to be able to train algorithms and develop automated driving functions on this basis.