Strong regulation can nudge automakers to improve customers’ privacy, research suggests

New research asserts that while few automakers strongly protect website and customer portal users’ privacy, one company drastically improved its practices after California’s privacy regulator fined it in March for allegedly failing to implement relevant standards required under state law.

A report released Wednesday by the watchdog Privacy4Cars scored 44 car brands on a scale of 0-5. The median ranking was 1.7 for a host of privacy practices, including whether companies easily allow consumers and agents acting on their behalf to file opt-out requests to prevent the sale and sharing of personal data.

The scorecard shows that American Honda Motor Co. scored just 0.8 prior to the California Privacy Protection Agency's crackdown. After the agency issued a $632,500 fine and required the automaker to implement new procedures to allow Californians to more easily assert their privacy rights, Honda’s score skyrocketed to 4.6, considerably ahead of all other vehicle manufacturers, the report shows.

Privacy4Cars founder and CEO Andrea Amico said he hopes the scorecard will push more car companies to improve privacy practices by giving public credit to those which do. He compared it to the advent of crash-test ratings a generation ago, when strong safety ratings made some models more marketable.

“When companies make changes and those changes benefit consumers, they should get credit in this way,” Amico said. “Privacy is taken out of the fog, and it becomes something that companies can compete on — and if they do that, I think that this is going to be an innovation flywheel that keeps improving over time.”

Honda referred comment to vehicle manufacturers’ trade association, the Alliance for Automotive Innovation. 

A spokesperson there noted that Privacy4Cars is a for-profit company. In addition to offering free information about automakers’ privacy practices to consumers, the organization sells its services to car dealers and agents, who request data sharing opt-outs on consumers’ behalf.

“We still have major questions about Privacy4Cars’ methodology and business practices,” the Alliance’s spokesperson said in a statement which noted that the report was not made available to it prior to publication. “The criteria this group used to grade automakers doesn’t reflect the industry’s privacy policies or compliance with California’s privacy law.”

“Automakers are committed to protecting consumer privacy and vehicle data. Full stop.”

The new research only reflects how easy companies make it for consumers to protect their data privacy when interacting with manufacturers’ websites and web portals and does not assess what information manufacturers collect and sell through vehicles themselves.

The Privacy4Cars report says it would be easy for other automakers to follow Honda’s example, pointing out that the company changed its website and web portal privacy practices within eight weeks of the California enforcement action.

In addition to measuring ease of opt-out, the report studied how difficult automakers’ websites and web portals made it for consumers to request their data be deleted and to block cookies.

Top-performing brands other than Honda and its Acura brand were Subaru with a 3.8 rating and Polestar and Rivian with 3.3. All other brands received scores below 60 percent when measured against 12 criteria considered by Privacy4Cars.

Ford, Polestar, Rivian, and Volvo met with Privacy4Cars after learning of the report’s findings and made some privacy improvements within three weeks of the meetings, the report says.

Subaru, Polestar and Rivian did not respond to a request for comment. 

A Ford spokesperson sent a statement saying that privacy is a “priority at Ford. We comply fully with all consumer privacy laws and extend key rights, such as the ability to access and request deletion of personal information, to all our customers in the U.S., regardless of their state's specific laws.” 

A Volvo spokesperson said in a statement that it “is and always will be about safety, including the protection of data. All data is processed in accordance with applicable law.”