Need to know
- Mathew ordered a $68,000 Toyota Hilux that came with tracking features he wasn't told about and couldn't fully remove without repercussions
- For months the car dealer refused to return his $2000 deposit after he refused to pick up the vehicle because of privacy concerns
- Connected cars are everywhere now, and a review of 25 major brands found concerning data practices amongst all of them
Mathew has been a Toyota man for a very long time. Over the years he has bought five of their cars.
But the Queensland father says his latest experience with the company has left him questioning his loyalty. He struggled to get a deposit of $2000 returned, and has vowed to steer clear of Toyota from now on.
"I'm just really disappointed," he says. "You should have a choice not to be dictated to, I really believe that."
Mathew's concerns centered on the invasive tracking and data sharing practices that came with his new Toyota, services he says he was never told about when buying the car.
Toyota's tracking technology
In July last year, Mathew paid a deposit and arranged finance for a $68,000 Toyota Hilux. He was told by the dealer there would be several months' wait for the vehicle to arrive. When the car finally arrived at the dealership, he began getting emails from Toyota telling him to sign up for 'Toyota Connected Services'.
"I'd never heard about it, and the dealer never told me about it at all," he says.
Toyota describes Connected Services as "a suite of technology focused on safety and security, convenience and a better driving experience".
Rollout started in late 2020, with vehicle movement tracking and driving data collection later added to Connected Services across the Toyota range. The more Mathew researched the privacy policies and read about how his data would be collected and shared, the less comfortable he became with having it in the car.
He asked the dealer if Connected Services could be removed before he took ownership of the car. He was told Toyota could temporarily deactivate the features, but they could be reactivated remotely.
"I was told if you remove it you will void your warranty and you'll likely put your insurance at risk as well. And that was when I said, 'you guys can keep your vehicle'," says Mathew.
Mathew canceled his finance and never picked up the vehicle, but the Toyota dealership refused to repay the $2000 deposit. He lodged complaints with the Queensland Office of Fair Trading and the Queensland Ombudsman.
The Toyota dealership did not respond to our questions about refusing to return Mathew's deposit. In an email the dealer told Mathew: "If you failed to do your own in depth research on a vehicle you're purchasing then that's on you."
What kind of data is being collected and how is it used?
Cars are changing. Almost every new car released today has some form of tracking. The car companies say it increases driver safety, but in a surveillance world of data hacks, data broking and sharing, it's yet another way for companies to gain valuable insights on you, whether you want it or not.
Toyota Australia's privacy policy says the Connected Services features will collect data such as fuel levels, odometer reading, vehicle location and driving data, as well as personal information like phone numbers and email addresses.
The policy says if you don't opt out of Connected Services it will collect, hold, use and disclose vehicle data for research, product development and data analysis purposes.
It goes on to say Toyota may share collected data with third parties with your consent, such as finance and insurance companies, promotions and market research organisations, debt collection agencies and information technology service providers.
Despite the excessive reach, in response to our queries in January Toyota Australia told CHOICE that it took customer privacy seriously and was assessing Mathew's complaint about not getting his deposit back.
The dealership later rang Mathew and told him he would be getting his full $2000 refund.
Dealerships supposed to tell customers about tracking
It seems the dealership was supposed to tell Mathew about Connected Services.
"The standard process is to inform customers of the Connected Services feature as part of the sales contract, which includes information about Connected Services and to ask them to sign confirmation they have been informed and agree to those services being activated," the Toyota spokesperson says.
Despite what Mathew says the Toyota dealer told him, Toyota Australia says disconnection of the SIM card does not void the vehicle's warranty, but having a non-Toyota repairer remove the system carries risks.
They add that when modification by a non-Toyota repairer causes a problem with another part of the vehicle, the warranty won't cover it, but the rest of the warranty won't be affected. Things like the car's Bluetooth and speaker systems may not work when the Connected Services system is removed.
A Mozilla Foundation report states that 84% of the 25 car manufacturers reviewed share or sell data to third parties.
Most car brands have privacy problems
According to a report released in September 2023, cars are one of the worst product categories when it comes to privacy protections.
The US-based Mozilla Foundation came to that conclusion after an in-depth review of 25 major car brands.
Jen Caltrider from Mozilla says Toyota has a "vast business empire" and rather than sell collected car data to data brokers, they have created their own data broker which they charge other people to access.
Toyota has a bad track record of keeping their customers' data safe. A series of leaks in 2022 and 2023 accidentally revealed the data they held on more than two million customers.
But privacy concerns are not limited to Toyota.
The Mozilla report says all 25 car brands they reviewed in the American market collect more personal data than necessary, and 84% of them share or sell data to third parties. Only two companies, Renault and Dacia, gave the drivers the option of having their data deleted.
"Consumers don't have a real choice. It's have a car and have no privacy, or don't have a car. It's not a real choice," says Caltrider. "This is a big issue and it's only going to keep growing."
Car companies abusing data
Last year, Reuters reported that between 2019 and 2022, a group of Tesla employees shared among themselves images and videos captured from customers' car cameras and connected systems, including images of people naked.
Ibrahim Khalil, professor of cloud systems and security at RMIT University, says the issue of privacy protection is only getting more challenging.
"These manufacturers are saying we're collecting data to make sure driving is safe and they are applying AI techniques to improve lots of different things like situational awareness, but of course that's not the whole story," says Khalil. "We are exchanging data that they can actually abuse."
Rafi Alam from the CHOICE consumer data team says while some people may enjoy the benefits of car connectivity, consumers should be informed about the associated risks.
"It seems like every product is getting a 'smart' connection, and cars have joined the trend," he says.
"The government has a role to put strong safeguards – and even prohibitions – on the use of this data once it's collected, to ensure it's in the best interests of the consumer."
Alam adds that Mathew shouldn't have had to choose between losing $2000 or giving up his privacy rights.
Mathew says the most important thing is having the option as a consumer.
"I'm sure some people think all this stuff is a great thing. But I just think it's something that really needs to be brought to people's attention, because I'm sure I'm not the only person who thinks this isn't a good idea," he says.
If you have a story about a connected car you would like to share, email CHOICE investigative journalist Jarni Blakkarly at jblakkarly@choice.com.au.