Connected cars pose a data privacy nightmare for consumers

New research from Mozilla Foundation has revealed that cars are one of the biggest privacy nightmares out there, harvesting vast amounts of personal data on drivers and passengers.

As cars have got more advanced and more connected, the amount of available information about their drivers and passengers has surged, and brands are not afraid to collect all of it – even the most sensitive of data. After studying 25 auto companies, Mozilla Foundation researchers found all of them collecting, sharing and selling detailed levels of personal data about users. This covered some obvious categories like driving habits, destinations, in-car entertainment, car battery life etc.  More shocking were categories of data that could be gleaned from multiple connections via the car’s app which links up to users’ smartphones. 

Sex lives of drivers amongst the data up for sale

One company explained in their privacy policy that they could collect data that would enable inferences to be made about your sex life, and six car companies say they can collect your genetic information. So much for key data protection principles like privacy by design and default or data minimisation – it’s hard to imagine how any of this is necessary for a car brand to access.

Under the EU’s General Data Protection Regulation, any data that is not collected for the purposes of legitimate interests must be subject to meaningful consent from a consumer. The research showed a complete lack of options for consumers to understand what they were agreeing to or to find any way to opt out. 

One car company even wrote into its privacy policy that the simple action of a passenger taking a ride in a connected car is an indication of consenting to all of the personal data collected about them being packaged up and shared or sold. Companies are making money from people without their clear knowledge, agreement or meaningful value reaching them.

All of these detailed insights about people’s patterns and preferences open them up to exploitation, from influencing their purchase decisions to limiting their ability to choose services from other places.  

Consumers miss valuable data opportunities 

The massively disproportionate amount of data collected, the invasion of privacy and the complete lack of meaningful consent found is shocking. But that’s not the whole story. At  Euroconsumers we are no stranger to the current data mindset where consumers are viewed as massive subjects emitting data to be harvested, packaged and exploited by companies. 

Since we launched our landmark My Data is Mine manifesto in 2021 we have worked to turn the current data system on its head and put the value of data back into the hands and pockets of those who create it – consumers.  Alongside strong protections and limitations on use of data (particularly sensitive information), we want to see people able to easily access and use their data for the things they want to do. In the case of connected cars that might be as simple as transferring technical vehicle data to a cheaper third party repairer instead of being locked into the brand’s own system. 

EU Data Act disappoints, where is car specific regulation?

This type of scenario was one which the recent EU Data Act was designed to unlock for consumers, as a way to offset the way that data and licensing can lock consumers into one brand and its preferred way of doing things.  This can end up costing consumers more to get things fixed or taking up a lot of time and inconvenience if they want to switch services.  It also means that markets become less competitive as the biggest data asset holders entrench their position by directing how and who data can be shared with. 

Similarly to our member organizations, BEUC have been disappointed however with the latest result from the Data Act negotiations, blaming a “myriad of exemptions” that will in effect mean companies can continue to prevent data access and sharing. This will result in consumers finding they still have little control over the access and use of the data from their connected devices. We’d like to see regulation designed specifically for the auto sector to make sure rules are tailored to users and the particular ways in which car data might be taken and used. 

My Data is Mine: connected car data belongs to consumers  

My Data is Mine foresees a more revolutionary scenario than that so far put to paper via various sharing and portability regulations. Consumers deserve direct value from their data. My Data is Mine would see the owners of the data, ie those who create it, able to have full control to decide whether they want to license the flow of their in-car data to car producers, sustainable mobility services, map providers or transport planning authorities in return for financial reward, discounts or premium services. If we can say my car is mine, then surely we can say our car data is mine to do as we wish with?  

Consumers’ use of more and more connected devices and of digitalised services like finance and health mean the potential for rich data created by us is growing. For example, last year, we shared findings from consumer discussion groups on their desire that cheaper medicines are available for the public where people’s health data has been integral to their development. 

This is just one example of how value from data about how people lived their lives can be returned to them. What’s needed is the right framework to free up this potential so it can create value whether it’s cars, health or energy data – this must be given as much attention as the vital focus needed on privacy and cybersecurity.