An internet and privacy watchdog has issued a warning: your car is tracking you, gathering far more information than it needs just to get you where you’re going.
Mozilla, the nonprofit that develops the Firefox browser, released a report on Wednesday detailing how the policies of more than two dozen car manufacturers allow the collection, storage and sale of a wide range of sensitive information about car owners.
The researchers behind the report said cars now routinely collect data on par with tech companies, providing few details about how that data is stored and used, and giving drivers no meaningful way to opt out.
“Cars are such a massive privacy nightmare that no one seems to notice,” said Gene Caltrader, who runs Mozilla’s Consumer Privacy Guide. “And they get away with it. It really needs to change because it’s only going to get worse as the cars get more and more connected.”
And unlike Europe, the US has few meaningful regulations on how companies handle and store personal data. This has created a bustling industry of companies buying and selling people’s information, often without their knowledge.
Automakers have a long list of personal information they say they may track, including employment and purchase history, education, internet browsing history, location data, music and podcast listening habits, immigration status, religious and philosophical beliefs, and health information.
Six of the manufacturers say they can collect “genetic information” or “genetic characteristics”, although it is not clear how. All but four of the automakers say they can sell at least some of their customer data, or are already selling some.
Nissan’s policy states that “sexual activity” is an example of the type of sensitive information it can collect. Kia mentions “sexuality or sexual orientation”.
Nissan did not respond to a request for comment.
Other manufacturers have indicated that they have lower standards than is legally necessary for sharing users’ information with the police.
As a general rule, US companies turn over information to the police if they have to do so under a warrant or court order, and automakers are no exception. But Hyundai’s explanation of its policies goes much further, saying it may hand over customer data simply because a police officer or government official requests it.
Hyundai says it can share user information “as part of an investigation or request, whether formal or informal, from law enforcement or a government official.”
It’s unclear how much money car companies make selling or trading their users’ personal information. But the privacy policies reflect an industry that has become inundated with user data — particularly location data, which can be incredibly useful to companies looking to track people’s habits — but ill-equipped to handle all of it, Caltrader said.
“These car companies have become like technology companies, but they have no idea what they’re doing,” she said. “They say, ‘Data, let’s get it all.’”
It’s also practically impossible for the vehicle’s owner not to be part of the practice, Caltrader said. For example, Tesla is the only manufacturer surveyed that gives customers a meaningful option not to share their data. But Tesla’s data opt-out policy warns users that doing so could result in termination of many features and “may result in your vehicle suffering reduced functionality, serious damage, or inoperability.”
“Consumers can’t do anything,” Caltrader said. “Usually we would tell consumers to shop with their dollars. Now I’m going to shout to policymakers and regulators to act because it’s already too late.”