Driving data: Your car could be invading your privacy
Last updated on December 11th, 2023
Did you know you could be driving a privacy nightmare? The computer on wheels that enables you to find your way and navigate traffic hazards is sharing information you never thought possible, including your sexual activity.
According to new research from the Mozilla Foundation, an internet-focused non-profit, 84 percent of car companies review, sell or share the data collected from car owners.
Researchers looked at the privacy terms of 25 car manufacturers and found that not only were many impossibly dense (some were up to 9000 pages long), but all collected more personal data than necessary. And to add insult to injury, that data was then farmed for use unrelated to the car’s operation.
All the brands researched earned Mozilla’s Privacy Not Included warning label, with the foundation describing cars as “the worst product category we have ever reviewed for privacy”.
While this research was looking at the car brands’ privacy terms in the United States, it’s even harder to determine what they are sharing with others in Australia because our privacy laws do not require specific disclosures.
So how do car brands access your information, and is there anything you can do to prevent them from doing so, or sharing it with third parties?
How do cars collect sensitive data?
It's quite a list, actually. From how you brake and accelerate to your favourite destinations and the music you love, your car is keeping tabs on everything. And it's not just about our driving habits. Some cars are savvy enough to pick up on our facial expressions and, believe it or not, even aspects of our personal lives.
According to the Mozilla Foundation, the list can be categorised into the following:
- Driving behaviour - Information on how, when and where we drive, including speed, steering, brake, and accelerator pedal usage
- Personal details - Data such as facial expressions and, in some extreme cases, even sexual activity
- Infotainment interactions - What you play on your car's entertainment system, phone contacts, and navigation destinations
- Environmental data - Information about your location, surroundings, and even footage from cameras equipped in the car
How do our cars manage this feat of espionage? It's all thanks to a suite of high-tech gadgets. Cameras and microphones, for instance, are not just there for safety; they double as data gatherers.
Then, there are sensors all over the place, tracking everything from our seatbelt usage to how we handle the steering wheel.
And let's not forget the car’s infotainment system – often linked to our personal devices like smartphones, accessing our contacts, favourite routes, and what we like to listen to.
Essentially, when we sync our phones with our cars, we inadvertently allow access to a plethora of personal data.
Initially, all this information is stored in your car, but with connected cars, this data can take a journey of its own. It's wirelessly transmitted to places far beyond your garage. Car manufacturers, third-party service providers, and sometimes even data brokers get a piece of this pie. They're using it for everything from improving car designs to more commercial purposes.
How do car manufacturers use our data?
To improve the driving experience
Car manufacturers use some of this data to make driving safer and more enjoyable - developing smart features that adjust your car's settings to just how you like them or safety systems that learn from your driving patterns to keep you safe on the road. This data helps manufacturers understand what drivers want and need, leading to better car designs and features in the future.
For marketing and personalised ads
Have you ever wondered why those online car ads seem to know exactly what you're looking for? That’s primarily thanks to your car. By understanding your driving habits and preferences, car companies can tailor their marketing campaigns to be more relevant to you.
For sharing with third parties
Some car manufacturers share your data with third parties. This could be for reasons such as providing connected services (think navigation, music streaming, or roadside assistance). It could also be for less obvious reasons, such as targeted advertising or even research.
Car manufacturers can also make money from your data. While not all manufacturers sell data directly, some share it with data brokers or other businesses that can use it for their own commercial purposes. This could include insurance companies tailoring premiums based on your driving habits and entertainment providers personalising content for you.
The potential for monetising car data is huge; we're just seeing the tip of the iceberg. As cars get more connected and autonomous driving becomes a reality, the amount and value of data cars collect will only increase.
The problem with car brands' privacy policies
Now, you might be wondering, “What happened to privacy policies? Aren’t they supposed to protect us?” While each car brand has privacy policies, some are longer than some of the greatest novels in history. Reports have shown that certain major car brand policies extend over 9,000 pages. This makes it practically impossible for the average consumer to sift through. The result? Most of us agree to terms we haven't thoroughly read or understood.
Besides lengthy pages, there are questionable policies, too. Here are some of them:
- Nissan collects (and shares!) your “sexual activity, health diagnosis data, and genetic information and other sensitive personal information for targeted marketing purposes”.
- Hyundai stretches into areas like “disability status, citizenship and medical information, including physiological, biological or behavioural characteristics”.
- Kia gathers details about your “sex life, medical condition, physical or mental disability,” and even your “racial or ethnic origin”, plus “religious or philosophical beliefs”.
- Honda seems to have an “everything but the kitchen sink” approach. They mention that “Covered Information disclosed with Third Parties may include all or some of the following: Personal Identifiers; Audio electronic, visual, or similar information; Commercial Information; Geolocation Information; Personal information as described in Cal. Civ. Code § 1798.80(e).” Cal. Civ. Code § 1798.80(e) is the section of California's Civil Code that defines what personal information is. It includes pretty much everything about a person: name, signature, social security number, physical description, address, phone number, passport number, driver's licence details, financial info like bank and credit card numbers, and even medical and health insurance information.
- Toyota’s policies are similar to those of the brands above, but they're not just keeping this data to themselves. Toyota openly admits to sharing some of this data with third parties, and even selling it to them, for marketing purposes.
Can you opt out of sharing your data?
The good news is, in many cases, you can. Car brands offer the ability to opt out of certain data collection practices. This could be through your car's settings, an account associated with your vehicle, or directly through customer service.
The bad news is opting out of all data collection entirely might not be possible. Some data is essential for the basic functioning of the car, especially if it's a connected or smart vehicle.
Take Tesla, for example. They say you can opt out of data collection, but there's a catch. Their privacy notice explicitly states that opting out of data collection can reduce functionality and prevent the car from receiving real-time updates and notifications about issues. This puts car owners in a tough spot: choose privacy and risk your car's functionality, or accept extensive data collection to keep all features running smoothly.
Also, “consent” in connected cars has a vague meaning. According to Mozilla’s research, car companies often manipulate the concept of consent to their advantage. They typically assume that by using their cars, you've automatically agreed to their privacy policies. This assumption extends even to passengers in the case of Subaru, whose policy states that just by being in a car using connected services, passengers have "consented" to using and potentially selling their personal information.
Some car companies take this a step further. Nissan, for instance, puts the onus on you to inform other users and occupants of your vehicle about its privacy policies and data collection practices. This approach not only assumes your consent but also makes you responsible for obtaining consent from others.
Australia’s privacy laws
While these concerning privacy policies are in the US, Australia is not immune to these risks, especially when our privacy laws do not offer enough protection. For instance, Australian privacy laws fall short of providing transparency about how personal information collected by companies is used and by whom.
Previously, we wrote about a mum whose ex-husband, despite having a domestic violence order against him, was able to cancel her and her children's flight bookings without her knowledge or consent. This incident, facilitated by inadequate data protection measures, highlights a serious gap in our privacy laws and underscores the urgent need for more stringent regulations to safeguard personal information.
Australia's Federal Chamber of Automotive Industries (FCAI) has proposed a Voluntary Code of Conduct for Automotive Data and Privacy Protection. However, this code is criticised for being weak and not adding any substantial privacy protections beyond existing legal obligations. It lacks enforceability, with no penalties for ignoring the code, and relies on voluntary compliance by the signatories.
What we need is Privacy Law reform. The government has already proposed an updated definition of "personal information" in the Privacy Act. This change could protect consumers from intrusive and manipulative data practices, as it provides a clearer scope of what constitutes personal information.
Another proposed change is improving the standards for consent. This would ensure that consent is not just a formality but a meaningful choice made by the consumer, so companies cannot assume consent or manipulate it in their favour.
There’s also the "fair and reasonable" test. This test would assess whether a practice is substantively fair, moving beyond the mere legality of a practice based on obtained consent. In Tesla’s case, for instance, when the car would practically be inoperable without consent for data collection, this test could challenge the fairness of such a condition. It raises the question: Is it reasonable to expect a consumer to choose between their privacy and the full functionality of their vehicle?
Where to complain
Contact the car manufacturer or service provider
The car manufacturer should have a privacy policy or terms of service that outlines how to lodge a complaint. It's important to document this communication for future reference.
File a complaint with the OAIC
If you're not satisfied with the response from the company, or if the issue is more serious, you can file a complaint with the Office of the Australian Information Commissioner (OAIC). They handle issues related to privacy and the misuse of personal data under the Australian Privacy Act. You can lodge a complaint online through their website.
Seek legal advice
If the breach is severe or you feel your rights have been significantly infringed upon, seeking legal advice might be a good step. A lawyer specialising in privacy law can advise you on your rights and the best course of action.
Report to consumer protection agencies
You can also report the issue to consumer protection agencies like the Australian Competition and Consumer Commission (ACCC). They can provide advice and investigate broader consumer rights and data privacy issues.
Engage with privacy advocacy groups
Privacy advocacy groups can offer support, advice, and sometimes even legal assistance. They can also raise public awareness about your case, putting additional pressure on the company to resolve the issue.
Use social media and public platforms
Voicing your concerns on social media or public forums can sometimes lead to quick resolutions. Companies often want to avoid negative publicity and may act swiftly to address your concerns. The Toyota peeling paint issue is a testament to this.
Now that you know all that interconnectivity comes at a cost, take a closer look at your car brand’s privacy terms. If you have an issue with your information being used without your knowledge or permission, get in touch with us and we’ll help you handle it.