All 25 major car brands reviewed in Mozilla’s latest edition of *Privacy Not Included (*PNI) received failing marks for consumer privacy.
According to Mozilla research, popular global brands — including BMW, Ford, Toyota, Tesla, Kia, and Subaru — can collect deeply personal data such as sexual activity, immigration status, race, facial expressions, weight, health and genetic information, and driving routes.
Researchers found data is being gathered via sensors, microphones, cameras, and the phones and devices drivers connect to their cars, as well as through car apps, company websites, dealerships, and vehicle telematics. Brands can then share or sell this data to third parties.
Car brands can also take much of this data and use it to develop inferences about a driver’s intelligence, abilities, characteristics, preferences, and more.
None of the brands meet Mozilla’s Minimum Security Standards. Specifically, researchers couldn’t confirm whether any of the brands encrypt all of the personal information they store on vehicles, and only one of the brands (Mercedes) even replied to Mozilla’s questions about encryption.
The newest edition of *PNI examines the privacy and security flaws of car brands spanning five countries: the U.S., Germany, Japan, France, and South Korea. Researchers spent 600 hours reading privacy policies, downloading apps, and corresponding with brands.
The very worst offender is Nissan. The Japanese car manufacturer admits in their privacy policy to collecting a wide range of information, including sexual activity, health diagnosis data, and genetic data — but doesn’t specify how. It says it can share and sell consumers’ “preferences, characteristics, psychological trends, predispositions, behaviour, attitudes, intelligence, abilities, and aptitudes” to data brokers, law enforcement, and other third parties.
Other top offenders include Volkswagen, which collects demographic data (like age and gender) and driving behaviours (like your seatbelt and braking habits) for targeted marketing purposes. Toyota, features a near-incomprehensible galaxy of 12 privacy policy documents and Kia who collects information about your “sex life.”
Mercedes-Benz, which manufactures certain models with TikTok (which has its own privacy issues) pre-installed. Analysts estimate that by 2030, car data monetisation could be an industry worth $750 billion.
Not a single brand received Mozilla’s Best Of designation, though researchers identified Renault as the least problematic. The European brand must comply with General Data Protection Regulation (GDPR), a stringent law governing the way in which personal data is used, processed, and stored.
Says Jen Caltrider, *PNI Program Director: “Many people think of their car as a private space — somewhere to call your doctor, have a personal conversation with your kid on the way to school, cry your eyes out over a break-up, or drive places you might not want the world to know about. But that perception no longer matches reality. All new cars today are privacy nightmares on wheels that collect huge amounts of personal information.”
Says Misha Rykov, *PNI Researcher: “This isn’t the first time Mozilla has uncovered an industry with terrible privacy practices. But cars are unique — their privacy flaws impact not just the driver, but also passengers and sometimes even nearby pedestrians. They can hear you, see you, and track you. Today, sitting in someone’s car is a lot like handing your phone over to the auto manufacturer.”