Need to know
- CHOICE wrote to and analysed the privacy policies of Australia's ten most popular car brands to see how they monitor and track their drivers
- Seven out of the 10 car brands can collect and share some level of driving data with third-party companies
- Experts say reforms to the Privacy Act are needed to better protect drivers from over-reach by car companies
Like many aspects of modern life, driving a vehicle isn't what it used to be.
And while few Australians would want to go back to balancing a book of maps on their lap at the traffic lights, the digital age increasingly comes with a catch. These days, the extent to which cars collect and use data gathered on their drivers would come as a surprise to many.
In February, CHOICE wrote about a Queensland man's battle with Toyota after a dealership refused to give him a full refund for a vehicle he never picked up. He had serious concerns about data privacy and the tracking features he wasn't told about at the point of purchase.
These days, the extent to which cars collect and use data gathered on their drivers would come as a surprise to many
After we published that story we received an avalanche of correspondence from CHOICE readers wanting to know about the policies of various car brands when it comes to collecting, using and sharing driver data and biometric information.
We wrote to the makers of the ten most popular car brands in Australia and asked detailed questions about the data they collect, what they do with it and whether they allow consumers to opt-in or -out of their connected features.
Collecting your data
Seven of the most popular brands collect some level of driving data through a connected services feature and send that data back to the company.
The three brands that don't currently have connected services features enabled on vehicles sold into the Australian market are Mitsubishi, Subaru and Isuzu Ute.
Australia's biggest car brand, Toyota, says it collects vehicle location data and what it calls '"Drive Pulse" data, which scores a driver's acceleration, braking and cornering behaviour during each trip. This data is then shared with Toyota, "related companies", and third-party service providers engaged by Toyota.
Ford also collects and shares driver data with third parties, such as related companies and contractors, though it says it doesn't "sell data to brokers" .
MG says it collects and shares data with a range of "service providers", but says it doesn't share with third parties "other than to provide functionality". We considered that clause vague and MG refused to respond to our repeated requests for clarification.
Mazda says it collects "voice consumption" data and shares it with service providers and undisclosed third parties, but did not respond to our requests for clarification as to what this meant. It also shares data with third parties for advertising purposes
Voice and biometric data
Even more concerning than the tracking and sharing of your driving data are the number of brands that collect your voice recognition data and share that information with third parties.
Voice recognition, like facial recognition, is considered biometric information as it's uniquely identifiable to individual people.
This means it is considered to be "sensitive data" under privacy law, and it's meant to have an enhanced level of consumer protection and consent before it can be gathered and shared.
Kia says it collects data from your use of voice recognition technology and that the company "shares data on an aggregate and on identifying basis (sic) with Cerence, our third-party provider of automotive voice and AI innovation products".
Cerence, a US-based company, says it is a "global industry leader" in AI-powered interactions across transportation.
Hyundai, which has the same parent company as Kia, also shares voice recognition data with Cerence.
What these car companies are doing is totally unacceptable. It should be illegal
Dr Vanessa Teague, Australian National University
Tesla gathers voice command data as well as "short video clips and images" captured from the camera onboard the vehicle. The company also shares some data with third parties and Tesla's privacy policy assures drivers that the data is subject to "privacy preserving techniques" that are "not linked to your identity or account", but doesn't explain what those are.
"De-identified" data
Dr Vanessa Teague from the Australian National University's College of Engineering, Computing and Cybernetics says these companies' assurances that biometric information can somehow be shared in a de-identified manner is "complete baloney".
"The idea that you can de-identify an image, or a voice is de-identified, it's nonsense," she says.
"What these car companies are doing is totally unacceptable. It should be illegal. These practices are good evidence that we need the Privacy Act updated or the Privacy Act enforced, because none of this should be acceptable in our country," Teague adds.
Consumers concerned
Given the number of companies engaging in intrusive data collecting and sharing, it's little wonder that drivers are becoming concerned.
A nationally representative CHOICE survey conducted in June 2024 of more than 1000 consumers found almost three in four respondents disagree or strongly disagree with video or audio recordings from inside the car being collected by the car company.
While support for car companies collecting safety data (such as seatbelt use) was stronger at 39%, only 30% said they supported the collection of driving data such as braking behaviour and speed. Just over one in five respondents said they neither agreed nor disagreed with the collection of driving data.
Giving the option to opt-out isn't enough
All car companies with connected features who responded to us said they offer customers an opt-out function. But drivers are often opted-in automatically when buying the car or downloading the car's app, and would then need to read long and indecipherable privacy policies to know what they have agreed to.
While customers may be able to "deactivate" their connected features, those wanting to remove the connected features devices altogether may find they can't. In some cases, removing the connected features disables other functions of the vehicle, such as maps and weather. In Toyota's case, customers may void part of their warranty by totally removing the data communications module.
Drivers are often opted-in automatically when buying the car or downloading the car's app
Teague says there is a lot of "deliberate deceit" when it comes to car companies and connected features and she questions how many consumers would agree to the terms and conditions of their vehicles if they understood them.
"Opt-out is not the answer; you should have to opt-in to some of these features if you want them. Many of these other features should simply be illegal," she says.
Many drivers aren't aware of what they're agreeing to when they accept the terms and conditions.
Protecting the data
Ibrahim Khalil, professor of cloud systems and security at RMIT University, says it is concerning that raw data from Australian drivers is being transferred to car companies overseas and to the AI machine-learning companies they're partnered with.
"You can use AI systems within the car to build the learning model off the driving data, and then transfer the model," he says. "You don't need to transfer the raw data. If you transfer the raw data, then of course, you expose everything."
"Europeans wouldn't accept this, [but] here in Australia we don't make a fuss, we don't talk about it, we don't complain about anything when it comes to privacy," Khalil adds.
Reforming the Privacy Act
CHOICE senior campaigns and policy adviser Rafi Alam says privacy laws are woefully out of date and not fit for purpose in a market where cars are fitted with biometric scanners and driving data is mass-collected.
"At the moment, businesses are able to write their own rules through their privacy policies. As long as a customer 'consents' in a way the seller decides is sufficient, the business can mostly do what it pleases with our data," he says.
Alam says the government's most recent amendments to the Privacy Act, introduced to parliament in September, don't go far enough to protect drivers from over-reach by car companies.
"Change needs to come from the top. At a minimum, the federal government must implement a fair-and-reasonable-use test to legally require businesses to only collect and use our data in line with customer's expectations," he says.
"We are urging the government to ensure this obligation is included in the second phase of amendments to the Act," Alam adds.
Stock images: Getty, unless otherwise stated.
