A Choice analysis of carmaker privacy policies has found some of the biggest car sellers in Australia collect and share a range of driver data, including in some cases video and biometric data, with third parties.
The consumer group analysed the privacy policies of Toyota, Ford, MG, Mazda, Kia, Hyundai, Tesla, Subaru, Isuzu and Mitsubishi to determine the extent to which modern vehicles are collecting data on their customers, as vehicles become more and more digital.
Kia, Hyundai and Tesla were found to be the “worst” when it came to protecting the privacy of their customers, Choice’s Rafi Alam said.
“Kia and Hyundai both collect and share voice recognition data with third parties, along with other information,” he said.
“Tesla takes it one step further, collecting short video clips and images captured from the camera inside the vehicle, and shares some data with third parties.”
Alam said the investigation found Toyota, Ford, MG and Mazda also collect and sometimes share customer data, with Toyota collecting information on drivers’ acceleration, braking and cornering behaviour.
Mitsubishi, Subaru and Isuzu were found to not collect or share driver data.
Guardian Australia approached Kia, Hyundai and Tesla separately to respond to the study.
A spokesperson for Hyundai told Guardian Australia its Bluelink app collects data in two ways: through in-vehicle activation that collects information on automatic collision notification and voice recognition but no other personal information, and the full enrolment through the Bluelink app which connects an email address and mobile number to create an account.
Customers can deactivate in-vehicle and no more data is saved from that point, and if the Bluelink account is deleted all data is deleted.
The company said voice recognition data is collected on “an aggregate and non-identifying basis” to share with Cerence, a third-party provider of automotive voice and AI products.
Data is shared with third parties for purposes including to deal with customer inquiries, personalise experience, assess the quality of services provided, and to direct market to users where they have consented to Hyundai doing so.
Tesla did not respond to questions, but on the company’s privacy page the company says it does not sell user data and data can be provided to affiliates, subsidiaries, service providers, business partners and companies that are authorised by the user to access the data and, when required, to law enforcement and government.
The company collects information such as speed information, battery use and charging, and camera images, but says it does not link location data with account or identity and does not keep a record of where a driver has been. The company says users can opt out of the collection of data through the touchscreen display in the car.
Kia, which is a subsidiary of Hyundai, pointed to its privacy policy, which indicates its voice recognition data is also shared with the same third-party provider as Hyundai. Some of the other data collected through the Kia Connect app includes location information, which the company said it shares “in pseudonymous form” with Here, a third-party real-time traffic information provider. If people opt out of location-sharing services, GPS location data is still collected for other Kia Connect services, the company states.
Choice said those companies that responded to the organisation’s questions said customers were offered opt-out options from the collection of data, but customers may not know their data is being collected in the first place.
Alam said businesses in the modern era see the need to collect as much data as possible and figure out what to do with it later, including potentially sharing with other parties.
“I think one of the things we found with cars that has been really interesting is that it’s both new and old technology – if you buy an updated Toyota or Hyundai, some of these features might feel like they’d snuck in; not necessarily saying it is malicious, but it’s just coming with the new territory,” he said.
“We just want consumers to have more power over it, and we want the law to make sure that if companies are using these kinds of services that they are being more transparent about it, but also having more obligations for them to use data fairly and safely.”
Alam said the results show the need for the federal government to implement the recommendations of the review of the Privacy Act and give the public more control over the collection and use of their personal information.
“The results of our investigation are a timely reminder that Australia’s privacy laws are woefully out of date, and certainly not fit for purpose in a market where cars are collecting and sharing personal information en masse,” he said.