BriefCASE: Can data privacy concerns spoil the connected-car party?

“Data is the new oil,” as the adage goes. This is remarkably
true for the automotive industry, where always-connected,
software-defined vehicles are constantly exchanging data, updating
in real time over the air. The mobility ecosystem is increasingly
employing big-data analytics to gather actionable insights on
customer behavior, understand product performance and gain
competitive advantages.

Where there's data, there could be data
theft

As cars transform into rolling data repositories, more lingering
concerns over data privacy and security are beginning to hinder the
full potential of connected cars, which collect a lot more data
than expected. A typical connected vehicle can generate nearly 25
GB of data per hour and collect information from more than 100
different datapoints, thanks to embedded features including
geolocation and navigation, companion apps, biometrics, voice
recognition, on-board diagnostics and driver assistance.

Additionally, cars can collect data in the background via
cameras, microphones, sensors and connected phones and apps.
Sensitive data captured from connected vehicles can include
personal identifiable information (PII), location, behavior and
financial data from customers, as well as intellectual property
related to the vehicle and services provided.

Data is also collected from users' browsing habits, test drives
at dealerships, and from third parties such as marketing agencies
and data collection providers to develop inferences about a
driver's intelligence, abilities, characteristics, preferences and
more. This sensitive data flows through many environments and
platforms, both on-premises and in the cloud, and is susceptible to
cyberattacks.

Protecting the privacy of consumers

Mozilla Foundation, a US-based nonprofit internet research
organization, revealed startling findings on how automotive
stakeholders are dealing with data privacy and protection. Mozilla
researchers looked at the privacy terms of 25 global car brands and
concluded that their cars were “the official worst category of products for
privacy” they had ever reviewed. Also, according to a
2023 report from Upstream Security, data breaches account for 37%
of all cybersecurity incidents and backend server attacks make up
40% of all cyberattacks in the automotive industry.

Automakers have recently been exposed to numerous data-privacy
and data-breach incidents, as underscored below:

• In March 2024, a Florida resident alleged that General Motors
  captured and shared his driving data, including information about
  his speeding, braking and acceleration, with LexisNexis, which
  shared the data with insurers.
• In 2022, Mercedes-Benz disclosed a data leak on the part of a
  third-party vendor that exposed the personal information of up to
  1.6 million prospective and actual customers, including names,
  street addresses, email addresses and phone numbers.
• In 2021, Volkswagen and its subsidiary Audi suffered a data
  breach affecting 3.3 million users.

Most automakers provide options to opt out of unnecessary
data-sharing, but these settings are often buried within menus.
Moreover, opting out of data-sharing often comes with trade-offs,
mostly requiring disabling useful or desirable features.

Consumers think data sharing is risky

More original equipment manufacturers are rolling out smart
vehicles, putting hardware and software behind a paywall. Though
there is a growing consumer appetite for software-defined vehicles
that offer smart infotainment and advanced driver assistance
systems features, buyers of new cars might not opt for features
that require them to share personal data due to data security
concerns.

The sentiment was evident in the 2024 S&P Global Connected
Car Consumer Survey. It revealed that over 70% of respondents are
“very likely” or “likely” to share vehicle data for free services,
however 69% of respondents attributed issues around data security
and misuse as the two most important reasons why they may not be
comfortable sharing data.

As the automotive industry progresses rapidly toward
software-defined vehicles, data privacy and cybersecurity have
emerged as critical areas for automakers to harness the potential
of such vehicles. With cyberattacks on the rise in the market, the
success of a brand will depend heavily on ensuring a healthy
balance between user data protection and data monetization. OEMs
that move slowly on building expertise on secured data processing,
either in-house or through partnerships, will find it difficult to
navigate the complex landscape of vehicle cybersecurity.

Author: Vivek Beriwal, Senior Research Analyst, Supply
Chain & Technology, S&P Global Mobility

Subscribe to BriefCASE: Our
weekly AutoTechInsight newsletter featuring innovative automotive
insights and expert analysis