
Every modern car is a data machine. It records where you go, when you go, how you drive, and often, who is with you. This information flows quietly from vehicle to manufacturer.
In California, the law is clear. The California Consumer Privacy Act (CCPA) has been in effect since 2020, giving people the right to see, limit, and delete personal data. But a right is only as strong as the tools that allow you to use it. And in the automotive industry, those tools are often hard to find, hard to use, and harder still to understand.
That is the starting point of Privacy4Cars’ 2025 Privacy UX Benchmarking Study. The group examined how 49 automotive brands in California present and manage privacy controls. The results paint a picture of an industry still learning how to put consumers at the center of its privacy experience.
The Honda Turning Point
In March 2025, the California Privacy Protection Agency made its first enforcement move against an automaker. American Honda Motor Company agreed to a $632,500 settlement. The number is notable, but the reason is more so. The agency required Honda to overhaul its privacy interfaces, using twelve specific design criteria to make privacy requests easier.
The case was not about the data itself. It was about access. About whether an ordinary driver, without legal or technical knowledge, could opt out of data sales, limit the use of sensitive information, or allow an authorized agent to act on their behalf.
Honda responded quickly. The company redesigned its privacy portals and website experiences, proving that meaningful change can happen fast when leadership decides it matters. In doing so, it set a precedent that others can follow.
The Benchmarking Study
Privacy4Cars used those same twelve criteria from the Honda case as the basis for its study. The criteria were split into two categories.
The first was Portal Ratings: how easy it is to submit privacy-related requests. Could someone opt out with minimal effort? Could they do it with only a name and email address? Were there clear, separate paths for verifiable and non-verifiable requests?
The second was Web Browser Ratings: how brands handled cookies, privacy notices, opt-out signals, and the fairness of consent experiences. If accepting cookies took one click, did rejecting them take the same? Or did it require navigating multiple screens in what regulators call “dark patterns”?
Brands earned one point for each fully met criterion, then scores were converted to a five-point scale.
A Low Median Rating
Across 44 scored brands, the median rating was only 1.7 out of 5. That means most automakers are far from providing a smooth, user-friendly privacy experience.
Honda and its luxury sibling Acura led the rankings with 4.6. Subaru came next with 3.8, followed by Rivian and Polestar at 3.3.
Many lagged well behind. Some brands lacked privacy portals entirely, including Afeela, INEOS, Karma, Rolls-Royce, and Scout, and were excluded from overall rankings. Portal scores were generally lower than browser-based scores, showing that submitting requests is harder than managing cookies.
Volkswagen Group brands often showed inconsistencies. One brand might handle authorized agent requests cleanly, while another, under the same corporate umbrella, might bury the option or omit it altogether.
Where Brands Struggle
The study called out several areas where brands struggle.
Minimal Data Requirements: Honda now requires only two data points for non-verifiable requests. Privacy4Cars argues this should be the standard. Many brands still ask for more, adding unnecessary friction.
Limiting Use of Sensitive Personal Information: Only 34 percent of brands offer this choice. Sensitive data includes social security numbers, driver’s license information, location data, racial or ethnic details, and health information. Automakers often claim they do not collect such data or are exempt. Yet vehicles do collect sensitive information, and the option should be visible and easy to use.
Symmetry in Cookie Consent: Just 11 percent of brands make rejecting cookies as easy as accepting them. Many require extra steps to opt out, a design practice regulators discourage. Some brands have even moved backwards, making it harder to reject cookies.
Global Privacy Control (GPC): This universal browser-based opt-out signal is honored by all brands, but a third fail to mention it in their privacy policies.
The Role of Vendors
Automakers often rely on third-party privacy tech vendors like OneTrust, Ketch, Salesforce, Evidon, TrustArc, and Usercentrics. Yet the study found large differences in how these tools are implemented. Two brands using the same vendor could offer very different experiences.
Vendors can help by setting privacy-friendly defaults and discouraging dark patterns. They can also share insights from the most successful implementations to raise the industry standard.
Recommendations for Stakeholders
The study ends with clear advice.
For Consumers: Use your rights. Enable Global Privacy Control in your browser. Ask questions not just of manufacturers, but also of dealerships, rental companies, insurers, and lenders.
For Automakers: Leadership matters. Honda’s example shows rapid improvement is possible. Share best practices internally. Invest in UX that builds trust.
For Vendors: Implementation matters as much as the tool itself. Set strong defaults. Support universal opt-out signals across platforms.
For Regulators: Enforcement works, but consistency matters. Clear, measurable standards can push the whole industry forward. Include vehicles and IoT devices explicitly in privacy rules.
A Matter of Design, Usability, and Trust
Privacy in the automotive world is moving from fine print to front page. What was once a matter of compliance is becoming a matter of design, usability, and trust.
The Privacy4Cars study is the first to score automotive privacy UX in this way. It gives the industry a starting point, a benchmark, and a reminder that good privacy is not just about protecting data. It is about making control possible, accessible, and fair.
The road ahead is long. But the route is now mapped.