Report analyzes the data your car may be collecting and sharing
(CBS DETROIT) – If you've ever felt your cellphone, smart speaker, or camera was spying on you, it turns out your vehicle may be collecting even more personal data.
That data could be sold or shared, in some cases, to insurance companies who could raise your rates based on your driving data.
Jen Caltrider, program director at the Mozilla Foundation's Privacy Not Included, called cars a privacy nightmare. The group investigates and reviews privacy policies for devices, apps, and, most recently, cars.
They looked into the privacy and security of 25 car brands across 15 car companies. Caltrider said everyone earned their privacy warning label.
"We're privacy researchers, we see crazy stuff all the time, and we're like, 'Holy cow, this is nuts.'"
Caltrider said every vehicle you buy today, or bought in the past ten years, is a smart car. They are built with sensors that may be tracking much more than you may think.
"That can track your speed, your location, how many people are in the car, how hard you brake, whether you're wearing your seatbelt, on and on and on. They also come with microphones in the car, cameras in the car, and outside of the car. They come with connected services, things like SiriusXM Radio, or OnStar, or your mapping apps, things like that," Caltrider said. "So, there's just a massive amount of ways that car companies are able to collect data on you with modern cars. I'm not even sure we completely understand it all."
She said the sheer scope of the data alarmed her and her team when they began digging through the privacy policies, but some of it was extremely personal.
"I think there were four car companies that said they could collect your genetic information. Things like whether you're in a union or not, your medical histories. There was a lot of very personal information they said they could collect. And that's on top of the car usage data."
She said hard to know exactly how they are collecting that data, or even if they are, but said drivers may be consenting to these policies without knowing the fine print.
"I've read the privacy policies. To say that people understood what they were consenting to when they clicked 'Yes, I accept your privacy policy' is nuts."
She said some of the policies she read even state that becoming a passenger in a car means you consent to the privacy policy, and it's up to the driver to let you know that.
"We all know that people read their passengers' privacy policies when they go to pick them up on a date, right?"
While some of the data collected is for safety reasons, Caltrider said some is collected to make money off of consumers. She said the data can be sold or shared with advertising companies, data brokers, dealers, or even insurance companies, which could, in turn, impact your insurance costs.
"What was it, a decade or so ago, the insurance companies came out and said, 'Hey, we'll have this safe driver rate.' And you would sign up, they'd send you a little dongle, you'd plug into your car. And you would opt into that tracking," Caltrider said. "Now car companies can just track you, and you may not even realize it."
She added that the data your car collects can also be shared with law enforcement.
"What you want to see as a consumer, if you're looking for that, is the company saying we will share your data with law enforcement only with a court order, and even then, we'll notify you, and we'll only share a limited amount of data necessary for this court order. That is not what we saw for car companies. Car companies had some of the most permissive sharing with law enforcement notes in their privacy policies that we'd ever seen. One company said they could share your personal information based on formal or informal requests."
Caltrider said consumers now have to trust the people and companies that end up with our data, which can be a tall order in a time with data leaks and hacks.
Consumers can read their car's privacy policy on the company website.
In response to Privacy Not Included's report, a representative from Nissan said:
"Nissan takes privacy and data protection for our consumers very seriously. When we do collect or share personal data, we comply with all applicable laws and provide the utmost transparency to allow our consumers to make informed decisions about their data.
"We have clear methods for consumers to opt out of collection, use and sharing of personal data, which can be found at here."
Nissan's full privacy notice is available on its website.
A representative from Stellantis said that multiple claims in Privacy Not Included's report were incorrect as they relate to Stellantis brands.
"We carefully and diligently consider data privacy and act accordingly. Customers with questions may call our Customer Care Center.
"Any data collection we conduct is done in accordance with applicable state privacy laws. We take very seriously the issue of data privacy and we welcome and support efforts by Congress to enact a comprehensive federal consumer privacy law."