So-called connected cars, vehicles equipped with internet access, are becoming the norm, and their proliferation is sounding the alarm for consumer data privacy advocates.
By 2030, more than 95% of the passenger cars sold are likely to have embedded connectivity, according to Counterpoint Technology Market Research. This allows car manufacturers to offer functions related to safety and security, predictive maintenance and prognostics. But it also opens the door for companies to collect, share or sell data related to driving habits and other personal information that people may not want shared.
Most car manufacturers provide options to opt out of unnecessary data sharing, but as with many other consumer technologies where there is money to be made from the sale of data, these settings are often buried within menus, according to Counterpoint senior analyst Parv Sharma. A McKinsey report from 2021 predicted that various use cases for car-data monetization could deliver $250 billion to $400 billion in annual revenue for industry players by 2030.
To be sure, there can be valid reasons to collect driver and car data for safety and functionality purposes, and some essential services, such as emergency and security-related data sharing, may be difficult or impossible to opt out of. Predictive maintenance is among the reasons for more data sharing, allowing manufacturers to determine that a part used in their fleet is failing sooner than expected in order to issue a recall, said James Hodgson, smart mobility and automotive research director at global technology intelligence firm ABI Research.
But there are growing privacy concerns as reports proliferate about car companies sharing driver data with insurers, and as car companies get into the insurance business themselves. One is that driving habits and car-usage details could be reported to data collectors and shared with insurance carriers for rate decisions. That’s not to be confused with the new model of usage-based insurance, offered by companies from Progressive to Root, that offers drivers the potential to earn lower rates if they specifically allow insurers to install devices in cars that track their behavior.
There’s also a concern that sensitive personal information will be shared or sold to advertising companies, or inadvertently leaked in a way that bad actors can use it.
“The amount of personal and car information that car companies collect, share and sometimes sell is beyond what is necessary to get someone from Point A to Point B safely. And it’s just getting worse,” said Jen Caltrider, a privacy researcher at Mozilla Foundation. A September report from Mozilla gave 25 major car brands failing marks for consumer privacy. The report was headlined: “It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy.”
Many consumers simply don’t know how their data is being used, or that it’s being used at all. A Salesforce survey of more than 2,000 car owners and lessors in the U.S. found that few drivers understand the definition of a connected car and what data is being collected. And while drivers may be willing to trade personal data for connected car benefits — like advanced personalization and cheaper insurance — not knowing how data is being used could leave consumers vulnerable, industry professionals said.
There’s no easy answer for customers looking to bolster their data privacy behind the wheel. One option, which is becoming increasingly less practical, is to buy an older car that can’t collect your data.
Another option is to research a carmaker’s privacy protections before you buy. This information can often be found on a carmaker’s website or by searching online using keywords such as the company name, privacy and connected car. Several companies, for example, say in their privacy policies that they don’t sell customer data, but that doesn’t mean they aren’t sharing it with third parties. What’s more, the definition of selling can be nuanced, depending on factors such as a state’s privacy laws, Caltrider said.
What Ford, Hyundai, Nissan and BMW say
Before downloading the carmaker’s app for your vehicle or signing up for the free trial of its connected services, see what your options are for opting out. Ford, for example, said it provides customers with a choice regarding any sharing of connected vehicle data. Hyundai said it allows owners and lessees the choice of whether to enroll in its connected services by accepting the terms and conditions at any point during their use of the vehicle. Nissan also said it allows consumers to opt out of data collection. For its part, BMW said in a September release that it “allows vehicle drivers to make granular choices regarding the collection and processing of their personal information. Further, we allow our customers to delete their data whether on their apps, vehicles or online.”
If you’ve already downloaded the app or signed up for connected services, ask your car manufacturer what options exist for opting out. Additionally, in some states like California, Colorado and Connecticut, consumers can submit requests to their car company regarding the personal information that’s been collected and how they are sharing it, said Cobun Zweifel-Keegan, managing director for D.C. at the International Association of Privacy Professionals. A handful of states allow consumers to opt out of having their personal information sold and more are moving in this direction, he added.
Just keep in mind what you may be giving up in return for greater privacy protections. Opting out of data-sharing comes with trade-offs, since it often requires disabling useful or desirable features, said Mo Al-Bodour, a consulting manager at SBD Automotive. These features can include navigation, remote unlock and the ability to receive service-related updates.
Consumers should be sure to review their privacy settings periodically, Caltrider said.
The government is looking at car privacy regulations
There are various regulatory efforts afoot to understand carmakers’ data-sharing practices and rein in potential privacy violations. For its part, the enforcement division of the California Privacy Protection Agency announced a review of the connected vehicle industry during its July 2023 board meeting. That review is underway, a spokesperson said, declining further comment.
Carmakers’ data-sharing practices could become fodder for federal action as well. Basic disclosure of data practices is not necessarily enough to avoid enforcement by the Federal Trade Commission, Zweifel-Keegan said.
The issue is gaining broader attention. Senator Edward J. Markey (D-Mass.), a member of the Senate Commerce, Science, and Transportation Committee, sent letters in December to 14 car manufacturers urging them to implement and enforce stronger privacy protections in their vehicles.
“Cars today are smartphones on wheels,” he wrote in an email. “We cannot allow automakers’ desires to make profits to overrun the need to protect consumer privacy, which is why I demanded answers from 14 companies on their data practices and privacy protections in their vehicles. Self-regulation has failed. The federal government must be a leader in the fight to protect consumers’ right to privacy,” Markey said.
Eric Goldman, associate dean for research and a professor at Santa Clara University School of Law, wrote in an email that “we are in desperate need of a comprehensive federal consumer privacy bill that would address this circumstance and preempt the hodgepodge of state laws.”
Maybe the best-case scenario for automakers and consumers is that the growing attention leads more car companies to use stricter data privacy practices as a marketing tool, similar to how Apple differentiates itself from competitors, Hodgson said. It’s not the case today, but at some point manufacturers may compete on the idea that consumers can easily turn off certain data, he said.