An evaluation of 25 vehicle brands’ consumer privacy policies found that none of them offer adequate protection, according to Mozilla’s “*Privacy Not Included” survey. Each brand collects too much data, can share or sell data too widely and fails to grant drivers control over their data, Mozilla said in its survey released Tuesday.
The “*Privacy Not Included” survey, launched in 2017, found that all 25 car brands reviewed collect more personal data than necessary and use that information beyond operating the vehicle. Some brands even collect data about drivers’ sex lives and genetics. Automakers harvest personal information through sensors, microphones, cameras, connected phones and other devices, company websites, dealerships and vehicle telematics, Mozilla said.
“There are no good choices for consumers because pretty much all car companies are a privacy nightmare,” said Jen Caltrider, the survey’s program director. “People are not talking about this enough. It seems to be flying under the radar, and it’s time for policymakers and regulators to get involved.”
Mozilla comprises a nonprofit and a corporation owned by that nonprofit. It runs the Firefox web browser and operates a virtual private network, email software and other privacy-oriented products.
“*Privacy Not Included” has reviewed smart speakers, dating apps, robot vacuums and even sex toys. This is the first time the survey has reviewed car brands.
The paper’s authors stressed that cars were “the worst product category” ever to have been reviewed in the survey and that researchers spent 600 hours researching privacy practices — three times the normal amount for product policy review. All of the brands had more than one privacy policy and some had several — Toyota Motor Corp. had 12 — which can be hard for consumers to navigate, Mozilla said.
“Somebody discovered money was to be made here, and they went all-in without any thought about ethics or care about consumers,” said Caltrider.
Vehicles from automakers including Ford Motor Co., Volkswagen, Toyota and Tesla Inc. collect data through the vehicle, connected services, phone applications and third-party sources such as Google Maps. Most of the brands reviewed retain the right to share and sell personal data. Nearly 60 percent of the brands surveyed said they could share information with the government or law enforcement in response to a “request” — not a court order or subpoena.
Hyundai Motor Group, for example, said it would comply with “lawful requests, whether formal or informal.”
Mozilla said it was unable to confirm whether any of the brands encrypt all the collected personal information. Most did not respond to researchers, and those that did declined to fully answer specific security questions. Mercedes-Benz, for example, confirmed the encryption of some information but not all.
The survey also found that during the past three years, 17 of the 25 brands had experienced leaks, hacks and breaches. Just two of the brands gave drivers the right to have their personal data deleted.
Researchers found that Nissan Motor Co. was the worst offender for consumer privacy because it admitted to collecting reams of information about sexual activity, health diagnoses and genetics but did not explain how. The company retained the right to share and sell data about consumer preferences, “psychological trends,” “intelligence” and other metrics to data brokers, law enforcement and others.
Researchers identified Renault as the least problematic because it complied with the General Data Protection Regulation, a European law governing the use and storage of personal data. Still, researchers found that Renault collected “data related to your personal and/or professional situation (family situation, socio-professional category, etc.),” and ultimately the brand fell short in Mozilla’s evaluation.
The Alliance for Automotive Innovation, representing several major U.S. automakers, sent a letter to congressional leaders Tuesday urging Congress to accelerate its efforts to enact a single, comprehensive federal consumer privacy law.
The alliance “recognizes that the best way to protect consumers is through a single, national privacy law that provides consistent protections to consumers across the United States,” John Bozzella, the group’s CEO, wrote in the letter.
The alliance published a set of consumer privacy principles in 2014. They are enforceable by the Federal Trade Commission. To date, 20 automakers have committed to meeting or exceeding the principles, according to the alliance.
The principles, reviewed in 2018 and 2022, are centered on transparency, choice and context of data collection, use and sharing. They also ensure that members commit to collecting covered information only as needed for legitimate business purposes and retaining that data only as long as deemed necessary for legitimate business purposes. Members must implement reasonable measures to protect covered information against loss and unauthorized access or use. They also must take measures to maintain accuracy of the data and give consumers the opportunity to review and correct it.
Covered information is identifiable information that vehicles collect, generate, record or store in an electronic form or personal subscription information. Data that automakers collect and then alter or combine so that the data can no longer be reasonably linked to a certain vehicle or individual is not covered information.
All but three of the brands reviewed in the Mozilla survey had signed on to the alliance’s consumer protection principles, which the survey authors said in a press release was evidence of “privacy washing.”