Privacy UX in Auto Industry Ranked: Rivian, Honda & More with Privacy4Cars

What does good privacy UX look like in the auto industry? For the first time, we have real benchmarks—thanks to a massive new report from Privacy4Cars.

Summary

A landmark benchmarking report from Privacy4Cars evaluated privacy UX across 49 automotive brands, using the Honda CPPA settlement as the foundation for a 12-criteria scorecard covering privacy portal experiences and web-based disclosures. GPC emerged as the only criterion all 49 brands implemented correctly at the technical level — yet one-third failed to mention it in their privacy notices, exposing a persistent gap between policy and practice. More starkly, at least one brand's privacy notice told consumers that if they object to data sharing, they may simply choose not to purchase or operate the vehicle. Honda and Acura went from among the worst-scoring brands to the top of the rankings in just seven weeks following regulatory action, demonstrating that rapid, meaningful improvement is achievable when organizations know exactly what to fix.

The benchmarking methodology translates directly to industries beyond automotive. Any company can apply the same 12-criteria framework — measuring click depth to opt-out, button size and color, privacy notice completeness, and GPC signal handling — to score and compare their own privacy UX against peers. The report also revealed that vendor tool selection alone does not determine outcomes: implementation quality varied sharply even among brands using the same platform. Privacy UX requires cross-functional ownership across product, UX, engineering, and legal teams, and vendors are encouraged to offer privacy-best-practice defaults so that companies benefit even before customization decisions are made.

The conversation points to a broader maturation in how privacy compliance is measured and driven. Regulators are urged to be specific and prescriptive about what good looks like, and to pursue frequent, consistent enforcement rather than infrequent high-profile actions. For privacy professionals, the takeaway is that consumer experience is now a compliance dimension — not a nice-to-have — and building cross-functional relationships is as important as mastering the fine points of the law.

Transcript

**Colleen** Welcome to another episode of the Privacy Huddle. I am here with new to the huddle guests, Mary and Andrea. Welcome you two. Thanks for joining me.

**Andrea** Thanks for having us.

**Colleen** Privacy4Cars is the first and only tech company focused on identifying and resolving their privacy issues around the automotive ecosystem. I asked Andrea and Mary to join us on this special episode today because they just released this landmark report benchmarking privacy UX across forty nine automotive brands, evaluating how automakers are handling California consumer data rights, the real world user experiences. So they've been talking about this report, sharing it on LinkedIn. It's so impressive just the depth and granularity of the content. And so I've asked them to come on today just to share a little bit about this undertaking with you all. Yeah. I'd love to start with you. Can you share what inspired you all to undertake this extensive benchmarking step?

**Andrea** Yeah. So grew up as an engineer. So I believe that if you can measure it, you can manage it. And privacy has traditionally been very squishy, and I think a lot of companies thrived in the squishiness. And I don't think it serves actually well either consumers or companies or the government for what matters. We operate in the automotive world. And in automotive world, we're very used to have ratings of things. So you can buy ratings of what car to buy and what's the safety rating and what's the miles per gallon. Right? Everything is boiled down to numbers. And so we thought, why don't we do exactly the same? When we saw the opportunity to really do it, it's because of the settlement with Honda on CPPA. And so what we thought is, let's read the text of that, and let's turn that into a scorecard so we can make privacy measurable.
So what we wanted to do was to turn privacy into a number that consumers can much more easily understand because nobody really understands the fine point of the law and nobody has the time to read the privacy policies. And so that's what we did.

**Colleen** It's an often nebulous topic, UX. And so I think it's fascinating that y'all really tried to make it more material in the context of this report. Mary, start to talk to us a little bit about the findings. How did you break it down? What was most surprising and interesting? Tell me more.

**Mary** So we had twelve overarching criteria in the benchmark study. Six of them were about the privacy portal or the privacy center experience, how a user can actually submit those requests. And then six were related to the web experience, like the privacy notice. Are the right links there? Do they honor GPC and things of that nature. There were two surprising things I wanted to share. The first is that GPC was the only criteria where all forty nine brands that we studied. Every single one of them got it right. And so that was so great to see. It was interesting also because from a technical level, they got it right, but a third of the brands did not mention it in their privacy notices at all. So there was a disconnect between the privacy notice and what is stated and what's actually happening, the website. So I'd like to see more of these types of best practices emerge. GPC is a standard that a lot of people recognize, including California regulators and other states. So that was very heartwarming. The second thing I wanted to share was just a little bit bold. So as you said, we went very granular in this study. We literally read privacy notices. We went through the actual experiences and took screenshots, and we have them in the report.
And there was this one part of a brand's privacy notice that stated that if you do not wish to provide your data under their terms, they may simply choose not to purchase the car, operate the car, or use its technologies, which I thought was a pretty surprisingly narrow way to address consumer privacy concerns. There are other ways to do it, and a lot of brands do. And there are tons of best practices that we got out of this after reviewing so many, and that's what the report shows. What does good look like?

**Andrea** I think that another thing that is hopefully heartwarming for the people who are watching this is that we read the settlement of Honda, and we started getting to work with building the entire methodology with these twelve criteria. And then in a matter of seven weeks, Honda went from one of the worst scoring brands to the absolutely best scoring one, Honda and Acura. They belong to the same manufacturer. And so I think there's two lessons here. One is that regulation matters, right, enforcement matters. But I think the better one is that it is very possible to make a lot of progress with very limited resources if you know what to work on. My hope is that more companies will learn from this. It's amazing to see the dramatic improvements that Honda made in such a short amount of time and also makes me think that often this is just an overlooked area. Privacy UX, if you're not intentional about improving something, it won't improve. I don't think that most lawyers or privacy professionals have been trained in UX. A big takeaway of this study is build a bigger tent. You gotta work with the people that actually understand what the consumer experience is. And by the way, that's also how you take privacy from being, check the box exercise that the lawyers can do arguing the fine point of rule seven b point c as opposed to what do we wanna deliver to our customers? Why should they choose our products and services versus our competitors?
And I think if we think more about privacy as an experience, everybody wins.

**Colleen** Yet another reason for privacy to stretch across the aisle to their marketing friends. It's not just the trackers and pixels and beacons on the site, but it's also the consumer experience and how we're building these things together. Mary, I'd love to hear more about what you want consumers, media, regulators would take away from this report.

**Mary** Well, what we want is good outcomes for everyone. As Andrea mentioned, consumers and the companies that they do business with. There were a number of different constituencies that we talked to in this report. Number one is consumers. Privacy is power. Right? So use your voice. Use your privacy rights. The more that consumers demand better privacy, the faster that becomes a real reality. For the auto brands that were reading the report, to underscore what Andrea said, Honda and Acura rapidly improved, and they went from one of the worst scoring brands to literally the top. And that was within just a handful of weeks. So when you put the focus in it, when you are following industry best practices, you can turn that around very rapidly. Another constituency we'd like to speak to are privacy professionals. Consumer experience is here now. This is not just about privacy notices or check boxes. It's really about what the consumer experiences. And so building those cross functional relationships is very important. If not just improving your own skills, or if you don't have those skills, work with companies that do, whether those are consultants or there are defaults in the providers that you use, follow the best practices because they're out there. And lastly, for governments or regulators, showing or asking exactly for what you want, showing us what good looks like, raising the bar is important because companies can meet it. They can do it when they know what is expected. So let's do more of that. Ask for what you want.
And I also am a believer that frequent, consistent enforcement is going to drive the outcomes that we want instead of the big blockbuster infrequent enforcement. So let's do this step by step and raise the bar.

**Colleen** What kind of lessons or are there lessons here for industries beyond automakers?

**Andrea** Well, I think that this is extremely applicable. There's nothing about what we do that is necessarily applicable to automotive companies. We're looking at how many data fields you collect in a form, how many clicks does it say for you to say yes to the cookies versus not to the cookie. This is a little bit universal. Right? Any company that does those things can use the very same methodology and score themselves. And in fact, one of the things that we suggest to companies, whether it's the companies themselves, whether it's technology companies, whether it's consultants in the space, is actually do the exercise. Pick a sample of companies within a cohort that competes and see who does what better. All the best practices necessary to achieve a perfect score are out there in the market. But for whatever reason, they have not coalesced into and so this is what good looks like until we actually take a look at it. And I think if more people started to take a look of what is actually out there, how can we make things measurable, how can we assign a score? I think it really, really helps focusing attention on what drives better outcomes for companies and consumers at the same time. And if we all do more of that, then I think we're all winning.

**Colleen** As you talk to that, Andrea, it occurs to me when you think about the evaluations across the forty nine automakers, were there similarities when it came to the tools they were using? Privacy tech vendors, for example, did that correlate pretty directly to scores and kind of patterns, or was there a nuance just due to how that brand implemented that particular vendor?

**Andrea** Well, yes and no.
At the same time, some companies, it appeared that they did everything in house or at least we were not being able to identify a vendor. There is a very big vendor out there where implementation range from pretty good scores to very low scores, which underlines the fact that just going to a vendor and expect a standard list in the case of this big vendor, that's just not what's happening there. There was only one vendor that achieved a perfect score in what they were doing. I think it's good for also vendors to rate their own work, talking to their customers about are you implementing our tools in the best possible ways. I think it's good for companies to also look at what other vendors are doing because maybe there's an opportunity to go and talk to those companies and say, look. Looks to us that your score is not that great. Normalizing by offering a score is a good way to drive competitiveness and innovation in the space, I think.

**Mary** I'm gonna also just add to that. Having defaults within software can also save a lot of heartache because in some cases, for example, we studied the size, placement, and color of the accept or reject button if it existed at all. And so for vendors, if you understand the differences of that UX choice and what that means, you can offer that. And then if your clients choose not to accept the best practice default, that's their choice, but offering that upfront, I think, will help a lot of customers have a better consumer privacy user experience.

**Colleen** It's an interesting topic, especially from the vendor side. Right? When we at Ketch think about the suite of tools we wanna deliver to our customers and give them to create different kinds of experiences, we prioritize nearly unlimited customization, four hundred different ways to change up your banners and your models and such.
But we also wanna toe the right line and find the balance between offering so much potential for customization, but then also offering best practice so that we're not encouraging our customers to design dark patterns or whatever that kind of thing. So it is an interesting balance of customization versus guidelines for brands.

**Andrea** Well, whatever you did with Rivian, you and Rivian did it right because it's the best scoring we've seen. So good job.

**Colleen** Thank you, Andrea. It's a pleasure. Yes. It was exciting to see Ketch named in the reports. Really appreciate the call out. I also wanna put that there are a number of companies that were not subject to investigations as far as we know, at least of the California Privacy Protection Agency, but they have obviously been spending time thinking about what is the experience we want to deliver to consumers. And we've seen this in two ways. Right? Some companies just outright were scoring better than others. Right? So they obviously had the discussion upfront. And some, we were able to engage with prior to publication, and they reacted really well. They understood that there were opportunities to do things that they thought they were doing good to make them great. And we've seen a lot of changes. In fact, throughout this process of publishing, we actually changed the scores a number of times. Some of these companies we talked to, they managed to rise up all the way to the podium. So I think it's also, again, another way to show that having the right combination of tools and mindset and a score to shoot for can be extremely productive, extremely productive. And I frankly, I think that also highlights that almost always these gaps are not nefarious. Privacy is a broad and complex topic, and it's just a matter of prioritizing what makes sense. Well, pleasure to talk to you both.
Folks, we will make sure to drop the link in the comments so you can access the report and see what the Privacy4Cars team has been up to. But thank you both so much for spending time with me, and we'll talk again soon.
