Hyundai, Kia, Honda and Toyota all scored a “super creepy” in Mozilla’s Privacy Not Included guide that assesses privacy measures of 25 global car brands. While all 25 brands failed in terms of privacy protection, these four brands were among the top companies collecting data as sensitive as sexual activity, genetic information, geolocation and sharing it with marketing companies or law enforcement agencies.
Why it matters: Hyundai, Kia, Honda and Toyota are among the most popular car brands in India. In today’s cab-hailing world, these cars and their privacy policies are not restricted to a single driver, but extend to the passengers and nearby pedestrians as well. As pointed out by Mozilla in a press release, these cars can hear, see and track individuals. While the guide in question does not specifically look at India, it is still important to understand the ways in which these companies attempt to collect data.
Mozilla found brands gathered data via sensors, microphones, cameras, and the phones and devices drivers connect to their cars, as well as through car apps, company websites, dealerships, and vehicle telematics. Aside from the car and its connected devices, Mozilla has found these companies to also collect information about an individual from public sources, data brokers, data providers, affiliates, partners, service providers, advertising and social networks, data aggregators and brokers, dealers, marketing agencies and government entities.
Moreover, only those customers within the jurisdiction of US privacy laws or the GDPR enjoy the right to request that their data be deleted. However, there are exceptions to this rule. MediaNama has taken a look at the individual assessments of Toyota, Kia, Honda and Hyundai to list the exact concerns with each brand.
Hyundai
Using the car, app and Bluelink connected services, Hyundai collects information like geolocation, a driver’s speed, use of seatbelts, individual presets and use of car’s features, and the time-stamps related to all these data points. It also collects “sensor data” that’s created by the vehicle, including “images and event data.” It also collects “images from exterior cameras” and “weather, temperature and other driving conditions.” The company also collects information on a person’s purchase and browsing history. Other collected information includes driver’s license number, IP address, insurance policy number, and other “unique identifiers.” This data can then be used to make “inferences… to create a profile reflecting a resident’s preferences, characteristics, behavior or attitudes.”
Like most connected products, Hyundai can also “collect, use, and disclose” aggregate and anonymized data which, according to Mozilla, can be re-identified with large volumes of sensitive information.
Data shared with third parties and/or law enforcement agencies: Hyundai at times shares data like identifiers, customer records, commercial information, internet or other network usage data, profiles and inferences for “marketing and promotional purposes.” It will share this information with affiliates and subsidiaries, marketing partners, third party ad companies and other marketing and advertising partners; and analytics providers.
Further, it may share individual information with law enforcement agencies since Hyundai’s privacy policy says it complies with “lawful requests, whether formal or informal.”
Kia
Mozilla found Kia collects “genetic information” and data about a person’s “sex life.” This information may be used to “deliver advertising or marketing communications based on your interests.” In the US, it can collect information about one’s “medical condition, physical or mental disability,” “racial or ethnic origin,” and “religious or philosophical beliefs.” Kia even claims it can collect “the contents of certain mail, emails, and text messages.”
Car records speed, location, movement, etc.: Kia collects detailed information about the car and the owner’s activity in it: “how fast you drive, when you pump the brakes and buckle your seatbelts. Also, your geolocation, which can include “physical location or movements.”” Its ‘My Car Zone’ feature sets an alert that logs other drivers’ behavior in the car. It also has a feature called ‘Curfew Alerts, Geo-Fence, & Speed Watch,’ that collects information about other drivers’ habits, “such as when the Vehicle is being driven and whether the Vehicle is being driven beyond a pre-determined speed limit or boundary location.” Such features can raise concerns around domestic violence.
Sensitive personal information up for grabs: Kia says it doesn’t collect sensory data or biometric data, but lists “unique biometric information” as an example of “Sensitive Personal Information” that it does collect. Mozilla said such disclosures allow the company to cast a wide data-catching net. Its policy even mentions “Personal information described in California Civil Code Section 1798.80(e)” which to Mozilla “means just about any personal information under the sun “capable of being associated with you.”” Moreover, Kia’s privacy policy says that it reserves “the right to disclose and transfer the information we collect: (i) to a subsequent owner, co-owner, or operator of the Services or associated databases.”
Kia draws inferences on collected data: The company creates more data on an individual based on already collected data. Kia then sells these “inferences” or shares them with many of the same places they collect the data from. This includes the “affiliates,” “partners,” “service providers,” “advertising and social networks,” and “data analytics, data enhancement, and market research providers.” Kia might also comply with “governmental requests” for an individual’s data.
No control over third party access: Kia has “apparently no control over how the third-party apps available through your car’s dashboard treat your information.” The company privacy policy asks owners to “review any available policies” for those apps before interacting with them in the car.
Honda
As per Honda’s privacy statements, it can collect, share, even sell a huge amount of personal information. This comes despite the company being one among many automobile companies to sign the privacy principles document. For example, ‘data minimization’ is listed among the principles to ensure privacy. However, Honda says it “commits to collecting Covered Information only as needed for legitimate business purposes,” with a very broad definition of “legitimate business purposes.” Such information is shared with third parties for marketing, interest-based advertising, market research, with law enforcement and governments, and more.
Covered Information disclosed with Third Parties: Such information may include all or some of the following: Personal Identifiers; Audio electronic, visual, or similar information; Commercial Information; Geolocation Information; Personal information as described in Cal. Civ. Code § 1798.80(e). The latter is a line in California’s set of regulations that defines personal information as, “any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.”
Car also records trip details and fuel consumed: Honda can collect information about your trips including the start and end time, trip start and end location, trip distance, and fuel consumed. It can also record how fast you drive, search content, and geolocation information, meaning the exact location of the vehicle at a specific point in time or over a period of time.
Read the fine print for consent: While Honda says it won’t disclose data without consent, it also says that a car-owner consents to the collection, use, storage, and disclosure of information as explained in this Vehicle Privacy Notice, when they: “Purchase or lease a vehicle equipped with Connected Vehicle Technologies and Services; Use Connected Vehicle Technologies and Services; Subscribe, register, or provide any information to us in connection with an attempt to subscribe or register for any Connected Vehicle Technologies and Services; Agree to the terms & conditions of any Connected Vehicle Technologies and Services; or Accept or enable data transmission, collection, or analytic services on a vehicle or connected smart device.”
No way to flag all this to Honda: Mozilla said it did not find any means to report security issues to the company to confirm whether Honda meets Mozilla’s Minimum Security Standards. This is because Honda “does not have a department to deal with security-related issues for their products” as per Mozilla’s findings. This despite the fact that Honda charges a subscription fee to access the Security feature through the Honda app that allows for personal data wipe to restore audio and navigation system to factory defaults.
Toyota
Toyota brags about playing a key role in setting up automotive privacy principles but collects, shares a ton of data and even sells some of it to third parties for marketing or targeted advertising purposes. Through its car, app and connected services, Toyota collects:
- personally identifying information like name, address, phone number, email, online identifier, social media ID.
- demographic information like age and driving behavior like acceleration and speed, steering, and braking functionality, and travel direction.
- sensitive personal information like precise geolocation data, biometric information.
Specific to the car, it collects the Vehicle Identification Number (VIN), interior and exterior image data from cameras and sensors in your car, facial geometric features. Toyota can even collect information about an individual from other sources like social media, friends, etc.
Multiple privacy policies affecting informed consent: Mozilla said that the company has far too many privacy policies, notices, statements, etc. for all of their cars, connected services, apps, on-board cameras, etc. This creates unnecessary confusion when trying to understand the company’s privacy documentation. For example, Toyota Supra, one of the company’s cars, has its own app that links to BMW’s privacy policy.
Toyota says it cannot ensure data security: As per Toyota’s Connected Services privacy policy, “Please note, however, that we cannot completely ensure or warrant the security of any information transmitted to us by you or your vehicle. Your use of your vehicle’s Connected Services and App Suite is at your own risk.”
What Toyota got right (sort of): Mozilla observed that Toyota grants all US citizens the right to have their data deleted, or opt-out of having some of their data sold. However, it is unclear if this courtesy extends outside of the US. Toyota also has a North American Privacy Hub where consumers can more easily track down some of the many privacy policies Toyota has that cover their cars, apps, connected services, and more. Further, the facial geometric features Toyota collects when it scans a face to identify a driver are only processed and stored on the car.
