Car manufacturers are collecting troves of data on drivers and passengers — some even tracking drivers’ sexual activity — according to a new report.
In a review of 25 car brands and 15 car companies published by Mozilla Foundation on Wednesday, researchers found that Japanese car manufacturer Nissan said it could sell information about drivers and passengers’ sexual activity, intelligence and health diagnosis to data brokers, law enforcement agencies and other companies. German manufacturer Volkswagen said it could record drivers’ voices to profile them for targeted ads.
“The amount of data that these car companies blatantly said that they could collect was shocking,” said Jen Caltrider, lead researcher at Mozilla Foundation, the nonprofit owner of the company running the Firefox Browser. “It’s like nobody’s ever challenged them or asked them questions about privacy, and so they just include everything.”
Europeans are — in principle — more protected against abuse by their landmark privacy law, the General Data Protection Regulation (GDPR), but Mozilla’s Caltrider suggested the law was poorly enforced with car companies. A look at enforcement action across Europe showed few national regulators had taken action against car companies’ data gathering since the law came into force.
Caltrider and other researchers looked at car companies’ privacy policies and downloaded their apps in Germany, France, the U.S., Japan and South Korea. They found that the industry hoovered up massive amounts of data through dozens of sensors and technology built into newer car models that calculate people’s weight as they sit down, filmed the car inside and outside with cameras, listened to conversations through microphones and tracked users via connected apps on smartphones.
“It’s not just about selling cars to make money anymore. It’s about collecting data, and then using that data to make money,” said Caltrider, adding cars seemed to have worse privacy practices than mental health apps, smart home devices and wearables like connected headphones and fitness trackers.
Researchers also found that 84 percent of the car brands reviewed could share and sell data to other companies like data brokers, a market estimated in the hundreds of billions of euros according to some estimates. Just over half of the brands said they can share data with government and law enforcement when requested, rather than when receiving a court order.
In some cases, European regulators have cracked down on the automotive industry. Tesla, which has its EU headquarters in the Netherlands, had to make changes to its cameras filming their surroundings in March at the request of the Dutch data protection regulator. Volkswagen was fined just over €1 million since the GDPR came into force, according to an online list of GDPR fines. The list did not include fines for the other car manufacturers in the report (Nissan, Toyota, Subaru, Kia, Chrysler, Fiat, Renault, General Motors, Mercedes-Benz, Honda and BMW).
Volkswagen’s spokesperson for digital issues, Kamila Joanna Laures, said in a statement that the company collects, processes, uses and stores personal data “only in accordance with legal requirements.”
Nissan and Subaru did not immediately reply to submitted questions.