Cars are the worst product “we have ever reviewed for privacy,” the authors wrote, calling them a “privacy nightmare.”
The authors have reviewed at least seven additional product categories, including mental health apps, entertainment electronic devices, smart home devices, wearables and health and exercise products. “Cars is the first category we’ve reviewed where every product earned our *Privacy Not Included warning label,” Kevin Zawacki, a Mozilla spokesman, said in an email.
All of the car brands were deemed as collecting too much personal data, while 84 percent also shared or sold data. More than half “say they can share your information” with government officials upon “informal request.” All except two — Renault and Dacia — gave “drivers little to no control over their personal data,” such as the choice to delete personal data.
The report, published Wednesday, adds weight to concerns that as cars become increasingly connected to each other and to the internet, they are becoming tech products that provide sellers with customer data that can be easily sold and shared without the explicit consent of the product’s end users.
“The gist is: they can collect super intimate information about you — from your medical information, your genetic information, to your ‘sex life’ (seriously), to how fast you drive, where you drive, and what songs you play in your car,” the authors of the report wrote.
Modern automobiles, increasingly equipped with the latest electronic gadgets, can record data automatically. Connect to a car’s GPS navigation system, and it can collect location data and driver habits. Hook up your smartphone, and data stored there can be transmitted to carmakers.
“Vehicle data is a low-hanging fruit that offers many opportunities” for carmakers at low cost, said Uri Gal, a professor of business information systems at the University of Sydney Business School in Australia. Data privacy laws in the United States appear to be “slowly emerging,” while low public awareness about the topic makes it easier for carmakers to collect data, he said.
The Mozilla report assessed what data companies can collect under their own policies — based on companies’ disclosures to government regulators — rather than the data they do collect.
Renault and Dacia came out the best among the 25 carmakers, ranking first and second, respectively. The authors said that the two brands — whose data privacy policies “aren’t so bad” — probably were ranked highest because of Europe’s General Data Protection Regulation, which is seen as much more stringent than U.S. rules governing data privacy.
Renault Group, which oversees the two brands, said it “is strongly committed to respecting the regulations on personal data.” Renault Group will limit data collection to what is “necessary for the provision” of “innovative services linked to connected vehicles” and will respect the user’s choices, it said in a statement.
BMW, the German luxury carmaker, was ranked as the third-best data protector by the authors, who said the company appears to “have had fewer serious security breaches and data leaks than” other automakers. But Mozilla’s researchers also expressed skepticism about BMW’s willingness to give customers the ability to delete their data.
In a statement, BMW said it allows customers to “delete their data whether on their apps, vehicles or online.” The company does not sell customers’ in-vehicle personal information, it added. BMW’s privacy policy describes how customers can delete their data.
Tesla was ranked at the bottom, although the authors praised the brand for promising not to “sell or rent your personal information to third parties” — although that was seen by Mozilla’s authors as “a pretty low bar when it comes to your privacy.”
The Mozilla report’s authors noted allegations of potential privacy violations that resulted from Telsa’s outward-facing cameras, citing previous media stories. “In April, 2023, Reuters reported stories from a number of former Tesla employees that videos taken from cameras in [Tesla vehicles] were regularly shared over internal chat systems within the company.”
The videos allegedly had recordings of people’s children, crashes and road rage incidents, along with a naked man approaching a Tesla, The Post reported, citing a complaint filed in a federal court.
Representatives for Tesla didn’t respond to a request for comment about the Mozilla report.
The report’s authors also expressed concern over Nissan’s policies, which say Nissan can collect sensitive personal information such as “religious or philosophical beliefs, sexual orientation, sexual activity,” among other examples.
Nissan spokesman Brian Brockman said Nissan’s privacy policy includes “a broad definition” of sensitive personal information, “as expressly listed in the growing patchwork of evolving state privacy laws,” and may include data collected “through incidental means.” Nissan doesn’t knowingly collect or disclose data on sexual activity or sexual orientation, he said.
Nissan also has “methods for consumers to opt out of data collection and disclosure,” he added.