US Data Privacy Landscape for Autonomous and Connected Vehicles

Autonomous and connected vehicles, and the data they collect, process and store, create high demands on privacy policies and data security. Accordingly, the in-house lawyer should define holistic data privacy best practices for consumer and B2B autonomous vehicles that balance compliance, security, consumer protection and opportunities for business success against a patchwork of federal and state regulations.

Understanding key best practices related to data collection, use, storage, and disposal will help in-house attorneys develop balanced data privacy policies for self-driving vehicles and consumers. This is the first article in our series on privacy policy best practices regarding:

  1. Data gathering

  2. Data privacy

  3. Data security

  4. Data monetization

Autonomous and connected vehicles: data protection and privacy issues

The spirit of America is intertwined with the concept of personal freedom, including the freedom to hop in a car and go… wherever the road takes you. As the famous song claims, you can “have fun on Route 66”. But today you don’t just get your kicks. You also get terabytes of data on where you went, when you left and arrived, how fast you traveled to get there, and more.

Today’s connected and semi-autonomous vehicles are actively collecting 100 times more data than a personal smartphone, precipitating a revolution that will drive change not only in automotive manufacturing, but also in our culture, economy, infrastructure. , our legal and regulatory landscapes.

As our cars become computers, the volume and specificity of data collected continues to grow. The future is now. Or at least very close. Global management consultant McKinsey estimates “full autonomy with Level 5 technology – operating anytime, anywhere” within the next decade.

This near-term future isn’t just about consumer automobiles and ride-sharing robo-taxis. B2B industries including logistics and delivery, agriculture, mining, waste management and many more are continuing to deploy connected and autonomous vehicles.

In-house attorneys must balance evolving federal and state regulations, as well as consider cross-border and international regulations for global technologies. In the United States, the Federal Trade Commission (FTC) is the regulator governing data privacy, alongside individual states developing their own regulations, with the California Consumer Privacy Act (CCPA) leading the way. Virginia and Colorado have new laws that will go into effect in 2022, the California Privacy Rights Act will go into effect in 2023, and half a dozen other states are expected to enact new privacy legislation in the near future.

As federal and state regulations continue to evolve, mobility companies in the consumer and B2B mobility industries must make decisions today on their own privacy and data security policies to maximize compliance and consumer protection with opportunities for business success.

Understand the types of connected and autonomous vehicles

Autonomous, semi-autonomous, autonomous, connected and networked cars; in this developing category, these descriptions are often used interchangeably in major trade and industry publications. B2B International defines “connected vehicles (CV) [as those that] use the latest technologies to communicate with each other and the world around them” while “autonomous vehicles (AV)…are able to recognize their surroundings through the use of on-board sensors and global positioning systems in order to navigate with little or no human grasp. Examples of autonomous vehicle technologies already in action in many modern cars include self-parking and automatic collision avoidance systems.

But SAE International and the National Highway Traffic Safety Administration (NHTSA) go further by defining five levels of automation in self-driving cars.

Driving Automation™ levels in self-driving cars

Level 3 and above autonomous driving is getting closer to reality every day thanks to an array of technologies including: sensors, radar, sonar, lidar, biometrics, artificial intelligence and advanced computing power.

Towards a data privacy policy for connected and autonomous vehicles

Because the mobility technology ecosystem is so dynamic, many well-meaning companies inadvertently start with insufficient privacy and data security policies for their autonomous vehicle technology. The goal of these early and secondary stage companies is to bring a product to market, and as sales ramp up, there is an urgent need to ensure that their data privacy policies are comprehensive and compliant.

Whether companies are writing initial policies or revising existing ones, there are general data principles that can guide policy development throughout the data lifecycle:





Collect only the data you need

Only use the data for the reason you informed the consumer

Ensure reasonable data security protections are in place

Purge data when no longer needed

Additionally, for many companies, framing the data protection and privacy concerns of autonomous and connected vehicles through a security lens can help determine the optimal approach to crafting policies that support business goals. business while meeting federal and state regulations.

For example, a company that monitors driver alertness (critical to security in today’s Level 2 AV environment) through biometrics collects, by design, data about every driver who uses the car. This scenario clearly supports vehicle and driver safety while involving US data privacy law.

In the emerging regulatory landscape, in-house counsel will continue to be challenged to balance security and privacy. Biometrics will become even more prevalent as part of identification and authentication, as well as other driver monitoring technologies for all connected and autonomous vehicles, but particularly for commercial fleet deployments.

Development of best practices for data privacy policies

Self-driving vehicle company in-house lawyers are responsible for developing their company’s privacy and data security policies. Best practices should be defined around:

  • What data to collect and when

  • How the collected data will be used

  • How to store collected data securely

  • Data ownership and monetization

Today, the CCPA sets the standard for strong consumer protections of data ownership and privacy. However, in this evolving space, attorneys will need to monitor and adjust their firm’s practices and policies to comply with new regulations as they continue to develop in the United States and countries around the world.

Keeping in mind best practices related to the collection, use, storage and disposal of data will help in-house attorneys develop policies that balance consumer protection with the security and business goals of their organizations.

A parting consideration can be opportunistic, if extralegal: companies that choose to vigorously advocate for customer protection can be presented with a powerful and positive opportunity to position themselves as responsible corporate citizens.