CARFAX told the Automotive Service Association it doesn’t mine data directly but instead relies on third-party sources for its information, ASA Executive Director Ray Fisher said last week.
“The information is pushed to them with explicit consent from somebody that provided it,” Fisher said.
The vehicle history reporting company characterized errors as proportionally rare among the millions of pieces of information provided it, Fisher told an ASA media briefing Feb. 9. But CARFAX also told the organization it is open to requests to remove incorrect information and has a team to investigate errors, he said.
“However, it is reactive,” Fisher said of this process. He noted that when something reaches a CARFAX report, “the damage is done.” He also pointed out that if a shop finds erroneous information pushed out to CARFAX, it’s possible other incorrect information the repairer doesn’t even know about is leaking out.
“I’m really concerned about this, and we are determined to find the leak,” Fisher said.
The ASA had written to CARFAX CEO Dick Raines on Oct. 20, 2020, stating that the organization had repeatedly and unsuccessfully requested a conversation on how crash and estimate data reached CARFAX. The ASA told him that independents and dealerships had written estimates for vehicles that appeared on CARFAX “‘whether the work was done or not’” and without those shops’ permission, Fisher said last fall.
“The confidence of the consumer’s at stake,” Fisher said Feb. 9. Besides jeopardizing the customer-repairer relationship, information reaching CARFAX raises an issue of liability for a perceived data breach, he said.
“There is not a dollar amount that can quantify this,” Fisher said.
CARFAX had since agreed to speak to ASA, and Fisher said the two parties had a “highly informative conversation.” He said CARFAX “was actually very cooperative,” describing them as concerned about a breach and incorrect information.
But it seems there’s still an issue of correct information the consumer doesn’t wish disclosed making it to CARFAX.
“Someone gave ’em that information,” declaring “they had the authorization to do so,” Fisher said.
Fisher observed that hearing CARFAX draws from more than 100,000 sources “can be overwhelming.” He suggested repairers should check their agreements and see if they inadvertently granted permission for such transmissions. Someone the shop does business with might also have agreed to transmit data, he said.
For some customers, anger at a body shop might be misplaced. CARFAX also receives information from sources like a police report from an agency that worked the crash scene.
But Fisher said ASA encountered situations where neither police, municipalities, insurers nor “computer add-ons” were involved. He described at least one situation with a customer and repairer, with “no work being performed or parts being ordered,” though parts were present on the estimate. The vehicle still made CARFAX, according to Fisher.
“Our homework is not over,” he said.
Fisher said ASA also recently talked to a “very large information provider” and was happy to learn it too was concerned about the topic.
The Society of Collision Repair Specialists also has described investigating yet being stymied by the source of leaks to CARFAX.
“Every time we think we know, we find out that we’re wrong or that it’s not the right path,” SCRS Executive Director Aaron Schulenburg told the virtual July 2020 Collision Industry Conference.
SCRS has even used advice from information providers to isolate estimate message files from data pumps, and the information still reaches the vehicle history company, according to Schulenburg. Even test estimates reflecting fake damage that “could never have been reported in any other way” still make their way to CARFAX, he said last year.
“That’s exceptionally concerning,” Schulenburg said then.
As the ASA observed, securing commitments of privacy might be one step repairers can take to head off leaks. The CIC in November 2020 overwhelmingly adopted five data privacy “Golden Rules” the collision repair ecosystem could uphold and demand of business partners:
1. Only use end-users’ data for the service(s) they intended for it to be used; never collect or use their data against them, or for business purposes other than those expressly intended and permitted.
2. Always provide the end-user clarity, transparency, and continuing education on the data you collect, the business purposes for which it is being used.
3. Never misappropriate end users’ data, or knowingly allow any third parties to covertly, dishonestly or unfairly access or take data generated by the end-user, for their own use.
4. Give end-users the choice to determine what data is and isn’t shared, and the opportunity to opt-out of data collection outside of the primary intended purpose.
5. Provide end-users with a clearly published, straightforward process to inquire about data that has been acquired from their business and the immediate chain of custody that data has encountered. (Minor formatting edits.)
As more companies committed that “‘I embrace these,’” it’ll become more obvious which business partners don’t, Schulenburg said in November 2020. Some companies might be able to commit to four out of the five and have an explanation for the exception, “which again creates transparency,” he said.
The CIC on Feb. 1 said it would compile a list of companies who endorse the rules. As of that email, AutoHouse Technologies, Auto Techcelerators, ClaimsCorp, ComputerLogic, Entegral, Enterprise Rent-A-Car, NuGen IT, Society of Collision Repair Specialists (SCRS) and Tractable had “expressed endorsement,” according to the CIC.
Featured image: An inflatable CARFAX mascot is seen outside of a Sacramento, Calif., dealership in March 2014. (slobo/iStock)