A new call to action has empowered vehicle owners seeking to control their data access and privacy.

It compels automakers to be more forthcoming and cooperate with vehicle buyers in protecting their data.   

Privacy4Cars recently released the first quantitative benchmark of interfaces consumers use to make privacy choices online, titled “Privacy UX Crash Test: How 49 Auto Brands Handle California Consumer Data Rights, Gaps, & How to Improve.”

The new resource furthers the global B2B privacy-tech firm’s focus on solving privacy and data security issues and questions in the automotive industry.

Agency Lays Groundwork For Report

The report spans over 1,800 pages, and required over 1,000 hours of research, quantitative analysis, and editing conducted as a joint effort between Privacy4Cars’ network of in-house counsel and privacy experts.

This first-of-its-kind report, inspired by the March 2025 California Privacy Protection Agency's settlement with American Honda Motor Company, numerically scored auto brands by making unbiased measurements of their actual practices between April and July.

Privacy4Cars identified and established an industry set of best practices across 12 areas and scored each auto brand based on how many of those UX best practices they implemented and made available to consumers.

[An Online UX (User Experience) Interface refers to the visual elements and interactive components of a website or application that users connect with directly. It encompasses everything a user sees and touches, like buttons, icons, menus, and the overall layout, aiming to create a positive and intuitive experience].

Vehicle Owners Get Results

For vehicle owners, the risks of exposure and misuse of their personal information are multiplying. Data accumulated in a vehicle can be traced back to individuals and households via cookies and trackers, including geolocations, financial transactions, and biometrics. Companies collect data online through the car and via data brokers. It's the same concept as not wanting to be tracked, hacked, or subjected to advertisements on a desktop computer.

By offering this standardized consumer privacy UX scorecard, Privacy4Cars aims to spur more transparency and create a blueprint that benefits everyone, including consumers, automotive brands and manufacturers, and privacy tech providers, privacy professionals, the broader industry (automotive and non-automotive), regulators, and lawmakers in California and beyond.

“The Honda settlement is about the controls that they give to vehicle owners to decide about their data and privacy,” Privacy4Cars founder and CEO Andrea Amico said in an interview with Automotive Fleet. “The California regulatory body is like a mini-Federal Trade Commission. Its interfaces and processes for Honda were not compliant and they were fined $632,500. This is a watershed because it is the first enforcement decision in the U.S. where a regulator spells out principles of consumer and vehicle owner violations.”

The California Privacy Protection Agency victory sets a precedent easy to apply because it centers on practices, Amico said. “We took those principles, came up with criteria, and applied them as closely as we could to everybody else.”

How The Benchmarks Work

The benchmarking study evaluated the processes offered by auto brands to California consumers requesting to make privacy-related choices, including request accessibility, identity verification, agent authorization, opt-out mechanisms, and cookie controls.

A total of 49 auto brands are included in the groundbreaking report: Acura (pre and post changes driven by enforcement), Afeela, Alfa Romeo, Audi, Bentley, BMW, Buick, Cadillac, Chevrolet, Chrysler, Dodge, Ferrari, Fiat, Ford, Genesis, GMC, Honda (pre and post changes driven by enforcement), Hyundai, INEOS, Infiniti, Jaguar, Jeep, Karma, KIA, Lamborghini, Land Rover, Lexus, Lincoln, Lucid, Maserati, Mazda, Mercedes-Benz, Mini, Mitsubishi, Nissan, Polaris, Polestar, Porsche, RAM, Rivian, Rolls Royce, Scout, Smart, Subaru, Tesla, Toyota, Vinfast, Volkswagen, and Volvo.

“During the last three weeks, we talked to manufacturers representing brands and rescored those companies,” Amico said. “We decided to make changes. It’s not a static score. It’s inspired by the settlement, and every year the technology improves and becomes safer.”

Privacy4Cars also examined how brands build privacy-related processes and compared outcomes between in-house tools versus using one or more of the six external vendors it could identify: Evidon, Ketch, OneTrust, Salesforce, TrustArc, and Usercentrics.

Privacy4Cars scored each brand by using 12 criteria and corresponding best practices already adopted by industry members: Six for evaluating the UX of the privacy portals consumers and agents may use to file privacy requests, such as how many fields of data they require consumers to submit when they file a privacy request, and six for evaluating the UX of brands’ consumer-facing websites, such as how many clicks it takes to accept versus reject cookies and adoption of Global Privacy Control.

Common Uses Of Privacy Report

The 86-page benchmark summary includes a score and ranking table by brand and is available for free download. 

Among its features: 

• Privacy professionals, auto businesses, and other companies with a large California customer base can purchase the full report, the most detailed document of its kind, which includes in-depth, criterion-by-criterion screenshots, analyses, and explanations of what was scored and how it was evaluated. 

• Each brand’s detailed analysis offers actionable insights on how to rapidly improve. The full report also details the effects and lessons from using in-house versus external privacy-tech vendors.

• Qualified members of government, media, non-profits, and academia may request a complimentary version of the full report. 

• Both the summary and full report are available for download here.

Report Spurs Potential Improvements

“While only five brands scored 3.0 or above on our 5.0-point scale, i.e. adopted at least 60% of the 12 best practices we identified, we have three reasons to be optimistic,” Amico said in an Aug. 6 news release.

Those reasons:

1. First, Acura and Honda introduced changes after their settlement with CPPA in just 6-8 weeks and achieve the industry’s top score at 4.6 out of 5 by adopting 11 out of 12 market best practices

2. Second, all the necessary best practices are already in the market — simply nobody classified, identified, consolidated, and recognized them until this research was conducted.

3. Third, after meeting with the privacy teams of six auto manufacturers representing 12 brands included in the benchmark, some indicated they are making changes. “In fact, some already have an improved score, recognizing progress these brands already made in less than three weeks,” Amico said.

Amico told Automotive Fleet that Privacy4Cars is not committed to a schedule in updating the scoring criteria and benchmarks. The report would be revised based on the precedents of more decisions from regulatory bodies. Other states set their own sets of rules, with owners having fewer controls than in California.

How Privacy Findings Affect Fleets

Amico advised that fleet operators, as owners of vehicles, can influence decisions about data generated about and from their fleet vehicles. “Most fleet managers do not understand that they can improve the management of data about their vehicles. An important lesson. Laying down what controls consumers in California have can provide and important lesson and broader implications for fleets.”

Privacy4Cars is building new tools to help fleets make data more accessible and how to do that in a friendly manner, Amico said. “This study proved it’s not very friendly. There are some good practices out there, but it’s not as easy as it should be, and it’s even harder for businesses because the laws are written to protect consumers but not a local fleet.”

Fleets also should be able to protect their vehicle data as owners of those vehicles, he added. 

“Companies purchase the metal but are losing more control over software and data. If you are a fleet manager, you are mini CISO (chief information security officer in your fleet. The job is changing. It used to be more about mechanical things and management of physical assets. Now we have rolling computers on the road and need to manage the security and privacy of any data generated. It’s an asset to your company.”