When Honda ran afoul of California’s privacy laws in March, it not only sparked the automaker to make rapid improvements into how it protects its customers’ data, it got Privacy4Cars wondering about what the privacy user experience of the industry as a whole looks like.

Well, according to Privacy4Cars’ research, not very good.

The privacy tech firm’s white paper, Privacy UX Crash Test: How 49 Auto Brands Handle California Consumer Data Rights, Gaps, & How to Improve, evaluated the privacy practices of 49 automotive brands using 12 objective criteria and corresponding best practices that inspired by the California Privacy Protection Agency’s $632,500 settlement with American Honda Motor Company.

Not surprisingly, then, Honda and its sister brand Acura ranked highest, earning 4.6 on the report’s five-point scale for its post-settlement practices. But the rest of the industry fell far short, with an average score of 1.9 and a median of 1.7, meaning half of the brands evaluated scored equal to or lower than that.

Subaru was a distant third behind the Honda brands at 3.8 followed by Polestar and Rivian at 3.3. No other brand reached 3.0.

The report noted Honda and Acura’s privacy program scored 0.8 before the settlement, which Privacy4Cars founder and CEO Andrea Amico said is an encouraging sign.

“We have three reasons to be optimistic,” he said. “First, we watched Acura and Honda introduce changes after their settlement with CPPA in just 6-8 weeks and achieve the industry’s top score at 4.6 out of 5.0 by adopting 11 out of 12 market best practices. Second, all the necessary best practices are already in the market — simply nobody classified, identified, consolidated and recognized them until this research was conducted.

“And third, after meeting with the privacy teams of six auto manufacturers representing 12 brands included in the benchmark, we were told changes will be underway — and in fact some already have an improved score, recognizing progress the brands already made in less than three weeks.”

The report noted that the score does not necessarily indicate that a brand is or is not compliant with California or any other law. Rather, it shows whether or not brands are adopting the privacy UX best practices the Privacy4Cars identified in the market.

The 12 criteria used in the quantitative benchmark analysis report included six evaluating the UX of the privacy portals consumers and agents can use to file privacy requests, such as how many fields of data they require consumers to submit when they file a request, and six for evaluating the UX of brands’ consumer-facing websites, such as how many clicks it takes to accept versus rejecting cookies and adoption of Global Privacy Control.

Privacy4Cars said the 1,800-page white paper was a joint effort between the company’s network of in-house counsel and privacy experts and is the product of more than 1,000 hours of research, quantitative analysis and editing.

“Privacy4Cars’ goal in publishing this benchmark report is to create a common rating system and shared goals,” Amico said, “so privacy can be put on a trajectory of continuous improvement, investment and opportunity — as it happened when safety ratings were made visible to consumers a generation ago. This is why we ‘crash tested’ the UX and processes of privacy portals, cookie management tools, links and more, using the now-established precedent of Honda’s settlement as the yardstick.

“Our findings indicate that while most brands have significant room to improve, stronger privacy practices can be within reach in a matter of weeks — not years — when prioritized.”

The full report is available for purchase and a summary can be downloaded free. Both are available here.