US data privacy landscape for autonomous and connected vehicles

Autonomous and connected vehicles, and the data they collect, process and store, demand strict data privacy and security policies. Accordingly, corporate lawyers must define holistic data privacy best practices for consumer and B2B autonomous vehicles, balancing compliance, safety, consumer protection and opportunities for commercial success against a patchwork of federal and state regulations.

Understanding key best practices related to data collection, use, storage, and disposal will help corporate lawyers formulate a balanced privacy policy for autonomous vehicles and consumers. This is the first article in our series on privacy policy best practices covering:

  1. Data collection

  2. Data privacy

  3. Data security

  4. Monetizing data

Autonomous and Connected Vehicles: Data Protection and Privacy Issues

The spirit of America is closely intertwined with the concept of personal freedom, including the freedom to hop in a car and go… wherever the road takes you. As the famous song claims, you can “get your kicks on Route 66”. But today you don’t just get your kicks. You also get terabytes of data about where you went, when you left and arrived, how fast you traveled to get there, and more.

Today’s connected and semi-autonomous vehicles are actively collecting 100x more data than a personal smartphone, revolutionizing not only automotive manufacturing, but also our culture, economy, infrastructure, legal and regulatory landscapes.

As our cars become computers, the volume and specificity of the data collected continues to increase. The future is now, or at least very close. Global management consultancy McKinsey estimates “full autonomy with Level 5 technology – working anytime, anywhere” within the next decade.

This near-term future isn’t just for consumer cars and ride-sharing robotaxis. B2B industries, including logistics and delivery, agriculture, mining, waste management and more, are pushing for connected and autonomous vehicle deployments.

Corporate lawyers must balance changing regulations at the federal and state levels while also considering cross-border and international regulations for global technologies. In the United States, the Federal Trade Commission (FTC) is the regulatory body that oversees data privacy, alongside individual states developing their own regulations, with the California Consumer Privacy Act (CCPA) leading the way. Virginia and Colorado have new laws that will go into effect in 2022, the California Privacy Rights Act will come into effect in 2023, and half a dozen more states are expected to enact new privacy laws in the near future.

As federal and state regulations continue to evolve, companies in the consumer and B2B mobility sectors must make decisions today on their own data privacy and security policies to balance compliance and consumer protection with opportunities for commercial success.

Understanding types of connected and autonomous vehicles

Autonomous, semi-autonomous, self-driving, connected and networked cars: in this evolving category, these descriptions are often used interchangeably in leading business and industry publications. B2B International defines “connected vehicles (CVs) [as those that] use the latest technology to communicate with each other and the world around them” while “autonomous vehicles (AVs)… are able to recognize their surroundings through the use of on-board sensors and global positioning systems to navigate with little or no human input. Examples of autonomous vehicle technology that is already being used in many modern cars are self-parking systems and car collision avoidance.”

But SAE International and the National Highway Traffic Safety Administration (NHTSA) go further and define five levels of automation in self-driving cars.

Levels of Driving Automation™ in Self-Driving Cars

Level 3 and above autonomous driving moves closer to reality every day thanks to a range of technologies including: sensors, radar, sonar, lidar, biometrics, artificial intelligence and advanced computing power.

Approaching a data privacy policy for connected and autonomous vehicles

Because the mobility tech ecosystem is so dynamic, many companies, while well-intentioned, are unintentionally starting with inadequate data privacy and security policies for their autonomous vehicle technology. The focus for these early and second stage companies is on bringing a product to market, and as sales accelerate, there is an urgent need to ensure that their data privacy policies are comprehensive and compliant.

Whether companies are drafting initial policies or revising existing ones, there are general data principles that can guide policy development throughout the data lifecycle:




  • Only collect the data you need

  • Only use data for which you have informed the consumer

  • Ensure reasonable data security safeguards are in place

  • Discard the data when it is no longer needed

In addition, many companies find it helpful to frame autonomous and connected vehicle data protection and privacy issues through a security lens when determining how best to formulate policies that support the company’s goals while complying with federal and state regulations.

For example, a company that monitors driver alertness through biometrics (critical to safety in today’s level 2 AV environment) would, by design, collect data about every driver using the car. This scenario clearly supports vehicle and driver safety, while at the same time implicating US data privacy laws.

In the emerging regulatory landscape, corporate lawyers will continue to face the challenge of balancing security and privacy. Biometrics will become even more common in connection with identification and authentication, along with other driver monitoring technologies for all connected and autonomous vehicles, but especially with regard to the deployment of commercial fleets.

Develop best practices for data privacy policies

Corporate lawyers at autonomous driving companies are responsible for drafting their company’s data privacy and security policies. Best practices should be established around:

  • What data is collected and when

  • How the collected data is used

  • How to securely store collected data

  • Data ownership and monetization

Today, the CCPA sets the standard for strict consumer protections regarding data ownership and privacy. However, in this changing environment, counsel will need to monitor and adapt their company’s practices and policies to comply with the new regulations as they continue to evolve in the US and countries around the world.

Keeping in mind best practices related to the collection, use, storage, and disposal of data will help corporate attorneys formulate policies that balance consumer protection and safety with the commercial objectives of their organizations.

A parting consideration is opportunistic, albeit extralegal: companies that choose to vigorously advocate for customer protection may gain a powerful, positive opportunity to position themselves as responsible corporate citizens.