Carmakers can sell your data – even your sex life

Unless you’re driving something older than a Toyota Corona or a Holden HQ, you are likely sharing your personal information with car companies on a large scale.

A recent study in the US has shown the scale and complexity of the growing issue, including the revelation some car companies will collect data on owner’s sexual activity, among other personal details.

What’s more, the problem is just as prevalent in Australia, thanks to our piecemeal privacy laws.

The Mozilla Foundation, which looks at data security across the digital sphere (and makes the Firefox web browser), has released a report [↗] that examined the data collection behaviour of 25 global car makers.

It found every single one displayed at least one form of what it considers questionable behaviour when it comes to data collection and harvesting.

“Modern cars are a privacy nightmare and it seems that the Fords, Audis, and Toyotas of the world have shifted their focus from selling cars to selling data,” said Misha Rykov, a researcher at Mozilla’s *Privacy Not Included sub-site.

2

Data-hungry cars feed companies

Essentially, the modern car can generate reams of personal data about its users through a battery of sensors, cameras and on-board apps – as well as through the user’s mobile phone.

It can also collect environmental data – including location, weather conditions and even street-sign information – to create a more holistic picture of the user and their preferences.

This data is then collected by the car maker either at the dealership level during a service visit, or by over-the-air relay.

The Mozilla report suggests 84 per cent of the car makers reviewed, including Volkswagen, Ford, Mercedes-Benz, Honda and Kia, on-sell the data to third parties, including to dealerships and financial institutions.

Of those 84 per cent, 76 per cent specify a right to sell the data, and 56 per cent note they are prepared to share data with government and law enforcement agencies as requested.

Tech darling Tesla ranked worst of all, pinged in every one of the study's categories on data privacy concerns.

The Mozilla report suggests 84 per cent of the car makers reviewed on-sell the data to third parties

Research into each car maker’s privacy statements by Mozilla revealed the eye-opening scale of data collection, which – unlike in many facets of digital life – is almost impossible to opt out of, other than simply not driving the car in question. Not pairing your phone with the car would also reduce the amount of data collected.

Nissan USA’s privacy statement, for example, reveals in plain English that it has the ability to collect and share the most personal data, including but not limited to religious beliefs and sexual activity.

Nissan has also sold data that includes a person’s real name, alias, postal address, records of personal property, products or services, purchased, obtained, or considered, as well as browsing history, search history, and information regarding a consumer’s interaction with a website, application, or advertisements.

The company does, at least, offer an opt-out option via a website form on its US page.

Kia [↗] also openly collects information about “your race or ethnicity, religious or philosophical beliefs, sexual orientation, sex life and political opinions”.

Neither Nissan Australia nor Kia Australia’s privacy policy website pages make reference to these clauses.

Data breaches a real risk

While the packaging and on-selling of third-party data is nothing new, many of the companies reviewed had experienced large-scale data breaches in recent years.

In 2021, more than three million VW and Audi customer’s details were stolen in the US, and more than two million customer’s details were lost by Toyota over the decade 2013-2023.

In 2022, Mercedes-Benz admitted to a data leak on the part of a third-party vendor that exposed the personal information of up to 1.6 million prospective and current customers, including names, email and street addresses, and phone numbers.

“The detailed data collected by car companies is a data broker’s dream. Indeed, Vehicle Data Hubs are rich with that information. Yet we still know so little about how they obtain, process, and sell it,” said Rykov.

Australian privacy laws are a “patchwork”

The issue is just as relevant here, thanks to a “patchwork” of state/territory and Commonwealth laws pertaining to privacy, according to senior lawmakers.

As well, a recent court case between the Australian Government and Telstra ruled that Australian law does not recognise personal data information unless it is contained within a single data stream.

This ruling means that data obtained from a vehicle – which is multi-stream by default – is essentially exempt from legislative oversight.

“Australia needs a legislative definition of privacy, or the reasonable expectation of privacy, and this must include data generated by automated vehicles,” said Mark Brady BA, LLB (Hons), a lecturer at Adelaide Law School, in an article [↗] for the Monash University Law Review called Data Privacy And Automated Vehicles: Navigating The Privacy Continuum.

“Australia will benefit from a national overarching automated vehicle regulation, or at the very least specific legislation protecting the privacy of data produced by automated vehicles.”

The full Mozilla report is a deep-dive with heavy detail on its findings. Read it here. [↗]

Mike Stevens contributed to this story.