Data Protection News Story of the Week

Written by Philip Brining, Founder, Managing Director and Data Protection Made Easy podcast host.

A Deep Dive into Data Collection by Major Brands

A couple of news stories caught my eye this week: a report published by the Mozilla Foundation, makers of the popular web browser, and a report published by consumer champions Which?

The common thread with these reports is that major brands are collecting and using a vast array of personal information about people who use their internet-connected products.

Mozilla surveyed 25 of the world’s most popular car brands and found that car makers including BMW, Ford, Toyota, and Tesla can collect deeply personal data such as sexual activity, immigration status, race, facial expressions, weight, health and genetic information, as well as information about where and how you drive.

I spent an hour or so looking at Kia.  The privacy notice for Kia Connect (https://owners.kia.com/content/owners/en/privacy-policy.html) states that Kia collects information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

The categories of personal data Kia says that it collects include racial or ethnic origin, religious or philosophical beliefs; union membership; genetic data; unique biometric information; contents of certain mail, emails, and text messages; or health, sex life or sexual orientation information. It’s not clear if this privacy notice relates to the UK or the US but the list of data being collected is large and the uses numerous.

Mozilla report that researchers found data is being gathered by sensors, microphones, cameras, and the phones and devices drivers connect to their cars, as well as by car apps, company websites, dealerships, and vehicle telematics.

Kia’s privacy notice relating to Kia Connect in the EU and UK (https://connect.kia.com/ie/kia-connect-privacy-notice/) is over 12,500 words. It’s not layered or nested – just an extremely long block of small, hard-to-read text. It lists a range of processing activities such as remote climate control, remote door and window control, and speed alert, all of which state the processing is necessary for the performance of the contract that you have entered into with Kia.

There is a lot that does not add up here.  How has the principle of minimisation been embraced by Kia in all of the data it collects?  What is the nature of the contract and who are the parties?  If the buyer is a party to the contract, how does the lawful basis for processing stand up for other users of the vehicle?  And how does a privacy notice that is longer than the average undergraduate dissertation meet transparency obligations?

The Guardian reported this week that consumer champion Which? found some companies appear to be gathering far more data than is needed for their products to function. The Guardian reported on smart TVs that ask for users’ viewing habits and a smart washing machine that requires people’s date of birth.

It strikes me that while everyone has been voicing concerns about Ring doorbell and other such services, there are some big questions for both the suppliers of domestic goods and car manufacturers to answer – I just wonder who is likely to pick this up and scrutinise the data handling practices of these global players?

Sources

https://foundation.mozilla.org/en/blog/privacy-nightmare-on-wheels-every-car-brand-reviewed-by-mozilla-including-ford-volkswagen-and-toyota-flunks-privacy-test/

https://www.topgear.com/car-news/tech/modern-cars-branded-privacy-nightmare-mozilla

https://www.theregister.com/2023/09/06/mozilla_vehicle_data_privacy/

https://www.theguardian.com/business/2023/sep/06/cars-collect-extensive-personal-data-on-drivers-study-warns

https://www.theguardian.com/world/2023/sep/07/uk-owners-of-smart-home-devices-being-asked-for-swathes-of-personal-data
