• UX Design
  • Privacy

The Struggle to Find Out How Cars Manage Your Personal Data

June, 2021 - Casper Kessels

bannerthumbnail

today collect more than 200 different data points. Most of these data points are not only interesting to car manufacturers themselves. Research done by McKinsey shows a potential $450 billion to $750 billion industry for automotive data by 2030. In fact, some car companies are already selling data to third parties and governments. Otonomo, an Israeli startup, collects and sells the anonymized location data of cars all over the world (which journalists have easily been able to de-anonymize ).
Since I am in the market for a new car, I don't want to buy a car from a manufacturer that profits from selling my personal data. I visited the websites of different brands to find how my potential new car treats my personal data. For each brand, I documented that process and how long it took. You would think that car companies inform their customers about how they treat their data but the results are shocking.

Volkswagen

The first contender for my next car is the Volkswagen Golf. I start my timer and visit volkswagen.co.uk. First, I navigate to the specific page for the Golf. This page is incredibly long and contains all the features, specs, versions, and more. I expect to find some information under the technology section but each feature has only a little explanatory text.

The technology section on the Volkswagen Golf page
The technology section on the Volkswagen Golf page

I keep scrolling until I reach the bottom. I figure that I am not going to find the information here. Next, I try to find the privacy policy on other pages on the website such as the extensive 'connected services' section, which is so important to Volkswagen, they placed it in the main menu. But like the Golf model page, it is basically a glossary explaining all the different services Volkswagen created with 'connected' in the name.

The connected services section
The connected services section

I spent 11 minutes trying to find a sign of a privacy policy on the Volkswagen website when I give up. My next strategy is to open Google and search for relevant queries like 'Volkswagen Golf privacy policy' and 'Volkswagen Golf data collection'. I end up finding the privacy statements of the Volkswagen Group public websites. These privacy policies are located in the footer of each website. But they relate to the websites and not the products.

I keep on searching for a while but after 21 minutes, I decide to open a chat on the website and ask if the customer service agent can point me in the right direction. In the meantime, I keep searching. The only results related to privacy and Volkswagen are news articles with negative customer stories about how personal data is being managed by Volkswagen.

When my timer passes 32 minutes, my chat with the support agent ends with him referring me to the general privacy policy page of the Volkswagen website, which I visited before and does not relate to the products. Refusing to believe that Volkswagen hasn't got a document somewhere explaining how they treat my personal data, I keep looking. But after 47 minutes I have to give up. My last option is to send an email to the customer service and hope for the best.

While waiting for a reply to my email, I just couldn't put this topic to rest. I decided to check the Volkswagen website of other countries. Interestingly, the French, Dutch, and Belgian websites each have different designs and content, but they show no trace of a privacy policy. The German website does, however. It is placed together with the privacy policy of the public website. It is not specific to a model but to certain connected features that Volkswagen offers in the German market.

The privacy section on the German website
The privacy section on the German website

These are features that are not available in the other countries so it made me think about whether the car collects data at all? If it doesn't, it would have been great to mention that somewhere. But judging by features like Parking Position, Area Alert, and other connected services that rely on sensor data, I can't believe that Volkswagen does not collect and process personal data outside of the US and Germany.

In the meantime, I receive regular updates from the customer service agent, stating that my case is under investigation. After more than two weeks I finally receive an answer: "I have contacted our internal Brand Support Team who have now received a response from Product. Unfortunately Volkswagen UK would be unable to comment on this query."

The reply from Volkswagen customer service
The reply from Volkswagen customer service

Incredible. Volkswagen, a manufacturer that sells more than 10 million vehicles per year, either can't or won't tell me what personal data its products collect.

Mercedes

I have more hope for Mercedes, as an expensive, innovative brand, I expect them to be further ahead. Mercedes is mentioned as one of the partners on a slide deck of Otonomo, so I expect them to be transparent about how they share my data with third parties. Unfortunately, my story is not too different from Volkswagen's.

I spend the first 6 minutes browsing most pages on the website, starting with the model page. After that, I start searching on Google and find the website privacy policy and various other marketing articles that relate to data privacy. As it turns out, the set of connected features fall under the Mercedes Me brand. It seems that once you are a customer, you get access to a privacy portal where you can manage how your personal data is being collected. This is great! But I am not a customer so I can't access the privacy portal.

After 11 minutes, I ask a customer service agent in the chat and it takes him 9 minutes to send me a link to the marketing page I already found. He then refers me to the customer service email address so I sent an email.

The Mercedes website
The Mercedes website

After 2 weeks of waiting, I receive a reply with a link to the Mercedes Me Privacy Portal. Where I can't log in. Because I am not a customer. sigh

Toyota

Much like Mercedes and Volkswagen, Toyota only has very basic information on their website explaining the tech features of their cars. Similar to Mercedes and Volkswagen, there is no trace of any information related to data privacy on the UK website.

The absence of the privacy policy leads to ironic moments like this
The absence of the privacy policy leads to ironic moments like this

When I start searching on Google, I do find the US privacy policy which contains the information I need, but not for the UK or other European countries. Changing the URL from .com to .co.uk doesn't work, as do other attempts to find this page on the UK website.

Again, after more than half an hour I give up. But this time, I can't even find a customer service department to reach out to as everything goes via the dealership network at Toyota. I also try the Dutch, German, and Belgian websites but without success.

Audi

My next hope is Audi. Like Mercedes, it boasts about its advanced technology so hopefully, it also has an advanced privacy policy. I spent about 2 minutes browsing the model page for the Audi A3 and when I reach the bottom, just like I did for the other brands, I click on the privacy policy in the footer.

The Audi privacy section
The Audi privacy section

In the list, I find 'Audi Connect Terms and Conditions'. Finally! Unfortunately, it only relates to the customer accounts on the website and not the vehicle. Furthermore, multiple privacy statements and pages on the website mention data privacy, and all refer to login.audi.com. It seems that, just like with Mercedes, you need to be a customer before you can find out how Audi treats your personal data.

I give up on the Audi website and go to Google. After searching for "Audi Data Privacy" I actually find the right page! I have never been so happy to find a privacy policy page. It only took over 6 minutes and a search engine.

The privacy policy is a 20,000-word document written in legal language that outlines the data handling of the connected features. Despite its length, it stays quite general. For specific information, I am referred to the manual, which I can only access through my non-existent car's Vehicle Identification Number. I guess having a privacy policy beats having none at all, but there is definitely room for improvement.

BMW

I learned my lesson from Audi when I start researching BMW. After going through the same kind of model page for the 1-series, I go straight to the footer. I click on 'Privacy Policy' but again, it is only for the website. As I am familiar with BMW's marketing terms, I know I should probably look for something related to ConnectedDrive. So in the footer, under 'Legal Information', I find the ConnectedDrive section, and there I find the privacy policy. It took only two and half minutes to find it, a new record!

The BMW privacy policy
The BMW privacy policy

If you know where to look, it is available from the home page with two clicks. However, it only concerns the ConnectedDrive services. I don't know if there are other products or services inside the car that collect my data. Contrary to Audi, BMW has a short document that is easier to read and navigate. But like Audi, it does not go into specifics.

Volvo

Next up is Volvo. My hopes were high for Volvo as in my mind, it is the most user-centric and friendly brand on my list. With its focus on safety, I somehow also expect Volvo to be transparent about data privacy.

Like with the other brands, I start browsing the pages of the specific model for some time without luck. I quite quickly give up and after 3 minutes, I click on 'privacy' in the footer.

I find a clear, long page, written in natural language, explaining how my data is handled by all the different products and services. Unlike the previous brands, Volvo does not relate the privacy policy to a specific product name like ConnectedDrive or Mercedes Me, but for their products in general. Even though it takes a long time to read everything and find the information I need, at least it is there. This is the first privacy policy where I feel that the manufacturer is honest and clear about how it treats my personal data and I am not missing any information.

The Volvo privacy policy
The Volvo privacy policy

Tesla

My story for Tesla is similar to Volvo. On the page for the Model 3, I find no info related to data privacy. But in the footer, I find the privacy policy for all Tesla products and services. Like Volvo, it is written in clear language and I can find the information I need, although it takes a while to go through the entire document.

The Tesla privacy policy
The Tesla privacy policy

I went into this with low expectations, but my experience with Volkswagen, Mercedes, and Toyota was even worse. Considering how important data collection may become in the future, it is depressing to see how hard it is to find anything about how your personal data is collected. There is no excuse for Volkswagen, Mercedes, and Toyota to have no or an unfindable privacy policy for potential customers. Especially considering some do have one in other countries, like Germany.

Audi is only slightly better but finding the hard-to-read policy was too difficult. BMW was the first brand for which I felt some kind of willingness to share information. But Volvo and Tesla were the two brands with the best policies. But it does not mean that the others should follow their example. It should not have to take minutes to read through a boring, long document to find out how a company is treating your personal data.

Brand Time Privacy Policy
Audi 6'20" link
BMW 2'30" link
Mercedes 21' Not found
Tesla 3'10" link
Toyota 16' Not found
Volkswagen 47' Not found
Volvo 2'20" link

Suggestions

The car companies that have a privacy policy often make it hard to find. Each brand places theirs in the footer in a 'privacy' or 'legal' section. To make it even harder, this section often includes just the website privacy policy but other brands include the entire policy so you never know what to expect.

It would be so much better if the privacy information is located on the model page of a car and not in a general footer. And if it is placed there, why not make it specific to that particular model.

Today, each brand gives all the connected features in their cars their own flashy, meaningless marketing names. The privacy policies are related to these features and not to the car. So first you have to look up what ConnectedDrive, Mercedes Me, We Connect, and all other terms mean before you can begin to figure out anything about what data the car collects. The only two brands that did not have this were Tesla and Volvo. Consequently, they were the easiest to read. On top of that, they felt like they were written by humans for humans. The other brands used legal language to describe the privacy policy. It is unreadable.

To make these changes, car companies don't have to reinvent the wheel. A great example of a company that does this right is Apple. Recently, they introduced a dedicated, standardized privacy section in their app stores. It shows in clear language what data is collected and for what purposes.

The privacy report in the Apple App Store
The privacy report in the Apple App Store

Imagine a similar section, but on the specific page of a model, relating to the car as a whole and in clear language. If the car industry will indeed pursue the business model of selling customer data, it will have to make some big changes to set the right expectations for its customers.

Made in Berlin

This website is made from scratch with React, Gatsby, and Tachyons. It is typeset in IBM Plex Serif and IBM Plex Sans. This website stores zero cookies and uses Simple Analytics to guarantee your privacy