Cars are becoming more reliant on computers and the internet with each passing year, providing convenience to drivers and harmony with the rest of consumers’ technology-dependent lives.

But with each upgrade, automakers are garnering deeper access into, and more profit off of, the lives of their customers, a new study from an internet watchdog shows.

The Mozilla Foundation, the nonprofit behind the Firefox internet browser, analyzed 25 car brands and concluded 84% share and sell customer data acquired through drivers’ use of their cars, third-party apps on the car's computer, and the car’s app itself, which can give the companies access to data on your phone.


What You Need To Know

  • The Mozilla Foundation, the nonprofit behind the Firefox internet browser, analyzed 25 car brands and concluded 84% share and sell customer data acquired through drivers’ use of their cars, third-party apps on the car's computer, and the car’s app itself 

  • The brands studied were Acura, Audi, BMW, Buick, Cadillac, Chevrolet, Chrysler, Dacia, Dodge, Fiat, Ford, GMC, Honda, Hyundai, Jeep, Kia, Lexus, Lincoln, Mercedes-Benz, Nissan, Renault, Subaru, Tesla, Toyota and Volkswagen

  • The foundation said cars were the worst category of products they have ever examined within the context of consumer privacy

  • Many of the brands did not return requests for comment, but Kia, Nissan and Stellantis — the parent company of Fiat, Jeep, Chrysler and Dodge — disputed the report's claims and said they take privacy seriously in statements to Spectrum News

“While we worried that our doorbells and watches that connect to the internet might be spying on us, car brands quietly entered the data business by turning their vehicles into powerful data-gobbling machines,” the report’s authors wrote. “Machines that, because of all those brag-worthy bells and whistles, have an unmatched power to watch, listen, and collect information about what you do and where you go in your car.”

None of the 25 brands were spared Mozilla’s warning label for collecting “more personal data than necessary and uses that information for a reason other than to operate your vehicle and manage their relationship with you.”

The brands studied were Acura, Audi, BMW, Buick, Cadillac, Chevrolet, Chrysler, Dacia, Dodge, Fiat, Ford, GMC, Honda, Hyundai, Jeep, Kia, Lexus, Lincoln, Mercedes-Benz, Nissan, Renault, Subaru, Tesla, Toyota and Volkswagen.

The foundation said cars were the worst category of products they have ever examined within the context of consumer privacy and that the investigation, which took over 600 hours, “was one of the hardest undertakings we as privacy researchers have ever had” because of the opaque policies and companies’ incentives to obscure the nature of their relationships with customer data.

“The gist is: they can collect super intimate information about you — from your medical information, your genetic information, to your ‘sex life’ (seriously), to how fast you drive, where you drive, and what songs you play in your car — in huge quantities,” the researchers wrote. “They then use it to invent more data about you through ‘inferences’ about things like your intelligence, abilities, and interests.”

At least two of the brands analyzed do in fact collect information on drivers' sex lives. Nissan uses it for marketing, internal analytics, and for other, unspecified purposes, according to their privacy policy published on their website and updated in July of 2023.

In the relevant category of personal data they note they collect, Nissan says customers can expect their “sensitive personal information, including driver’s license number, national or state identification number, citizenship status, immigration status, race, national origin, religious or philosophical beliefs, sexual orientation, sexual activity, precise geolocation, health diagnosis data, and genetic information” to be shared with the car company.

There are nine other categories of data Nissan collects, according to their privacy policy, including geolocation data, financial information, internet activity and consumers’ “psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.” And they are certainly not the only brand to retain the right to obtain and keep information on their customers in those and similar areas. 

In a statement, Nissan North America insisted they only list such categories to be in compliance with “the growing patchwork of evolving state privacy laws,” some of which require they notify customers of personal information that the company may collect inadvertently. They specifically denied intentionally collecting data on sexual activity.

Kia also says in their privacy policy, updated in January, that they can collect data on customers’ “sex life” and Mozilla reported that six of the 25 brands list “genetic information” or “genetic characteristics” as acceptable data to harvest.

In a statement, Kia denied they collect specific data on customers’ sex lives or sexual orientation “from vehicles or consumers in the context of providing the Kia Connect Services.” The company noted they do not collect data on all the categories listed in their policies — many of which they said they included to be in compliance with the California Consumer Privacy Act, one of the strongest privacy laws in the country.

“Not all types of personal or sensitive personal information are collected by us––as stated in our privacy policy. Whether certain information is collected by us depends on the context in which a consumer interacts with us,” a spokesperson wrote in an email.

The authors of the Mozilla report noted that 18,000 Nissan customers likely had their data accessed by an unauthorized person last year. Nissan discovered the breach in June, but did not notify customers until December, according to the Maine attorney general’s office. The carmaker said there was no evidence that the data, which Nissan stored with a third-party company, was misused and a spokesperson told Spectrum News they “worked to notify impacted individuals as quickly as possible” after concluding their investigation in September 2022.

Among the 25 brands in the report, 17 earned a “bad track record” rating from Mozilla, meaning they had major security vulnerabilities or data leaks within the last three years and failed to adequately respond to them.

Many of the brands did not return requests for comment, but Kia, Nissan and Stellantis — the parent company of Fiat, Jeep, Chrysler and Dodge — disputed the report's claims and said they take privacy seriously in statements to Spectrum News.

“Multiple claims in this document are incorrect as they relate to Stellantis brands. We carefully and diligently consider data privacy and act accordingly,” Eric Mayne, a Stellantis spokesperson, wrote in an email. “Customers with questions may call our Customer Care center.”

Volkswagen and Hyundai directed requests to an industry trade group, the Alliance for Automotive Innovation, whose spokesperson Tonya Parish said they had not read the full paper yet, but pointed Spectrum News to the association’s privacy principles, updated as recently as March 2022 and signed onto by many brands included in the report. Parish also pointed to a Sept. 5 letter to congressional leadership calling for lawmakers to adopt the auto industry’s privacy principles into a federal law. 

But while the Mozilla researchers praise the principles, they say zero of the brands they examined actually adhere to them. 

“Car companies do clearly know what they should be doing to respect your privacy even though they absolutely don’t do it,” the researchers wrote.

Consumers often consent unknowingly to giving their data over to companies, or are simply not given the option to opt out. Even passengers are susceptible, merely by entering the car. Nissan requires drivers to “promise to educate and inform all users and occupants” of the car’s privacy policy.

The most recent edition of Nissan’s privacy policy is nearly 10,000 words long, which the Mozilla authors argue is too long for passengers to review before entering a car.

At least 56% of brands looked at in the study also said they can share private information with government and law enforcement agencies without a court order.

The researchers found 84% of brands share personal data with service providers, data brokers and other businesses. And 76% said they reserve the right to sell customers’ data to any entity they please.

While laws in the European Union heavily regulate data collection and give consumers more autonomy over how and when their data is harvested, carmakers in the U.S. largely do not give the same discretion to Americans. Only two of the 25 car brands examined by Mozilla explicitly state drivers can have their personal data deleted: Renault and Dacia, which share a parent company.

Tesla was the only car maker to receive Mozilla’s demerits in every category: data use, consumers’ data control, companies’ data protection track record, security standards and whether a car brand uses untrustworthy artificial intelligence. It’s only the second product analyzed by the foundation to ever get “dings” in each category, the study's authors wrote.

The foundation also warned that data collected by cars — including features like outward-facing cameras that record — could be used for mass surveillance efforts, targeted surveillance of communities disproportionately policed by law enforcement, and tracking of undocumented immigrants or asylum seekers and those seeking gender-affirming care or abortions in the growing number of states where such medical practices are banned or heavily restricted.

The Mozilla Foundation is encouraging consumers to use their tool to examine the positives and negatives of each car brand’s privacy policies. The watchdog also set up a petition calling on the car industry to rein in their data collection and selling efforts.

“What we are saying is that it’s not fair for the burden to be on consumers to make ‘better choices’ that in this case don’t exist,” the authors wrote. “And we don’t want to take a page from car companies’ books by asking you to do things no reasonable person would ever do — like reciting a 9,461-word privacy policy to everyone who opens your car’s doors.”