Last week, the Mozilla Foundation widened many eyes when it revealed that almost every modern car is a "privacy nightmare on wheels." Mozilla's findings illustrated how car manufacturers are permitted to collect huge amounts of their customers' private information, even including "sexual orientation" and "sexual activity" data. BMW North America saw Mozilla's report and decided to defend itself with a recent statement.
According to BMW NA, there are five supposed inaccuracies in Mozilla's report that required clarification. Mainly, however, BMW NA stressed that customers have the choice to opt out of certain data acquisition.
"All BMW vehicle interfaces permit consumers to opt in or out of various types of data collection and processing that may happen on their vehicles," BMW NA said in its statement. "If they choose, BMW customers may opt out of ALL optional data [emphasis BMW's] collection relating to their vehicles at any time by visiting the BMW iDrive screen in their vehicle."
The key piece there is opt out. Not opt in. In other words, all of the optional data collection in BMW's vehicles is happening by default. Customers—many of whom understandably struggle to fully understand modern infotainment systems—have to go into their Bimmer's iDrive settings and tell the car to stop spying on them, rather than tell the car it's allowed to spy on them. What about the other stuff?
"In addition, BMW drivers may, at any time, completely disable the transfer of any data from BMW vehicles to BMW services by disabling their eSIM on their vehicles via contacting BMW and completing a form." That sounds like an annoying process, but at least a way exists to turn off data collection entirely. There's a caveat, though: If you disable the car's eSIM to stop any data transfer to BMW, you also, by extension, deactivate all of the connected services you may have paid for. According to BMW, customers will voluntarily enable the eSIM and its transfer of data, "given that eCall and SoS calls would not be possible after the cellular connection to the vehicle is disabled." So you can shut it all down, but if you crash and need emergency responders on the line and can't locate your phone, you're toast.
BMW NA does say in its privacy policies that it "does not sell its customers personal information, such as their names, addresses, driving habits, Vehicle Identification Numbers, or other information that is tied to the customers or their vehicles." It does, however, share personal information with dealerships and business partners, though with the latter only when customers "request that we do so." Behavioral advertising data is said to be collected for its own products, and BMW says it doesn't send that stuff to third-party companies for their own marketing.
The automaker adds that customers can delete all of their own data via an online portal, as well as delete their MyBMW app data. BMW NA also claims that it will voluntarily comply with every customer's privacy request, regardless of their state's laws. That's good news, because Mozilla's team said it was "pretty sure you can't get your data deleted if you don't live somewhere that right is protected by law" in its report.
As for insurance data collection and how fast or recklessly you may or may not drive, BMW says it operates a "permission and consent" program. Customers can select specific businesses they want to share their data with through the MyBMW app. Any data shared with insurance companies is solely the customer's choice, according to BMW.
It is encouraging that BMW provides avenues for customers to opt out of certain data collections and even delete their own data, but that doesn't allay every valid concern raised in Mozilla's research. BMW NA, along with its peers, collects a massive amount of personal data and puts the onus on customers to specifically prevent it, meaning data collection is happening under the noses of countless owners. And while it's nice to hear that BMW doesn't sell any personal data—such as names, addresses, or VINs—to any third parties, that hardly means your data is completely safe with the company. Carmakers have leaked troves of this information before, after all.