The Mozilla Foundation recently investigated the privacy practices of 25 major car brands through its ongoing series, *Privacy Not Included. The research uncovered the automotive industry as the worst category the group has looked into yet when it comes to protecting consumer privacy.
Across all manufacturers reviewed, excessive collection and misuse of personal data was rampant, with car brands systematically ignoring driver consent. Vehicles now contain numerous sensors and constant connectivity, enabling persistent tracking of location, driving habits, in-car activities, and more. Data collected encompasses highly sensitive details like medical history, sexual activity, and music taste.
Car manufacturers claim to use this trove of information internally for purposes like research and marketing. However, most also admit to sharing or selling data to third parties such as data brokers. Despite industry principles advocating “data minimization” and “choice,” the report claims car companies act in blatant disregard of users’ privacy.
Compounding the risks, an alarming majority of brands had a history of security failures, with hacks and breaches exposing driver data. The researchers investigating the privacy practices of auto makers were unable to confirm even basic functions like full encryption of personal information on vehicles.
The most disturbing findings the report lists are:
- Tesla is only the second product we have ever reviewed to receive all of our privacy “dings.” (The first was an AI chatbot we reviewed earlier this year.) What set them apart was earning the “untrustworthy AI” ding. The brand’s AI-powered autopilot was reportedly involved in 17 deaths and 736 crashes and is currently the subject of multiple government investigations.
- Nissan earned its second-to-last spot for collecting some of the creepiest categories of data we have ever seen. It’s worth reading the review in full, but you should know it includes your “sexual activity.” Not to be out done, Kia also mentions they can collect information about your “sex life” in their privacy policy. Oh, and six car companies say they can collect your “genetic information” or “genetic characteristics.” Yes, reading car privacy policies is a scary endeavor.
- None of the car brands use language that meets Mozilla’s privacy standard about sharing information with the government or law enforcement, but Hyundai goes above and beyond. In their privacy policy, it says they will comply with “lawful requests, whether formal or informal.” That’s a serious red flag.
- All of the car brands on this list except for Tesla, Renault, and Dacia signed on to a list of Consumer Protection Principles from the US automotive industry group ALLIANCE FOR AUTOMOTIVE INNOVATION, INC. The list includes great privacy-preserving principles such as “data minimization,” “transparency,” and “choice.” But the number of car brands that follow these principles? Zero. It’s interesting if only because it means the car companies do clearly know what they should be doing to respect your privacy even though they absolutely don’t do it.
With few reasonable alternatives, car brands, the report notes, manipulate the notion of consent. Policies presume agreement to data practices simply through vehicle use, while opt-outs break essential functionality. Drivers cannot feasibly shop for privacy when all options present risks.
The report goes on to argue that the burden should not fall solely on consumers to address these practices. Instead, the investigators authoring the reports say that manufacturers must reform data collection itself, limiting scope to operational needs and obtaining meaningful consent. In the meantime, drivers have few options beyond minimizing app usage and taking basic security precautions.
By publicizing these findings, The Mozilla Foundation says it aims to raise awareness of what it calls the pervasive disregard for privacy across the automotive sector. Through its advocacy efforts, Mozilla seeks to spur collective action holding car brands accountable, through consumer pressure as well as policy change.
At the end of the report, readers are offered the opportunity to sign a petition asking carmakers to change their practices.
Founded in 1998, Mozilla is a global non-profit organization dedicated to promoting openness, innovation, and participation on the internet. perhaps best known as the developer behind the Firefox web browser, Mozilla has long been an influential force in developing key internet technologies and advocating digital rights.
The *Privacy Not Included series’ investigation into the data collections by cars and their manufacturers was led by Jen Caltrider, Misha Rykov, and Zoë MacDonald. Caltrider created and leads the program to fight for better privacy protections. Rykov is an advocate for stronger regulations and safer internet use. MacDonald is a writer focused on cybersecurity and digital rights. Through their research, the authors say they hope to compel the automotive industry to finally respect consumer privacy.
– – –
Christina Botteri is the executive editor and CTO of The Tennessee Star and The Star News Network. Christina’s robot assistant Claude contributed to this article.
