Autonomous Vehicles and Data Privacy: Frequently Asked Questions

Navigating the complex world of autonomous vehicles can seem like a daunting task, especially when it comes to data privacy. What types of data do they collect? What are best practices for companies collecting autonomous vehicle data? How should my business implement effective data security? Read on to find answers to these and many other questions in our autonomous vehicle FAQs.

What kinds of data do autonomous and connected vehicles collect?

Autonomous and connected vehicles collect a wide range of data, from image and sensor data to location and driver information.

Image & Sensor Data

Image and sensor data is collected by video cameras, radar, thermal imaging and lidar to help the autonomous vehicle “understand” where it is relative to other objects on the road. Data collection points include driver speed, traffic conditions and surrounding objects such as curbs, trees and pedestrians.

Location Data

Location data, provided by GPS, includes point-in-time and route data. Absent additional safeguards, aggregating this data may indicate frequently visited locations. This data provides significant value to consumers and businesses while also implicating privacy concerns.

Why are data collection issues important to autonomous vehicle companies?

Autonomous vehicles require a vast amount of data to operate safely and answer questions such as where is the vehicle right now, and in what direction is it heading? In order to answer these questions, today’s connected and autonomous vehicles are actively collecting 100x more data than a personal smartphone.

California has led the way in providing consumers with transparency and rights surrounding the personal information their vehicle is gathering about them. Virginia, Colorado, Utah and Connecticut followed suit to develop comprehensive consumer privacy laws, which will also address these issues. California will update its existing consumer privacy law with new regulations covered under the California Privacy Rights Act (CPRA), which will take effect January 1, 2023.

What are some examples of data privacy issues?

Combining sensor and image information with location data can produce a data set that creates individually identifiable information, which the driver may want to keep private. The fact that the CPRA includes geolocation in its definition of ‘sensitive personal information’ and gives consumers the right to limit a business’s ability to use and share the sensitive personal information it collects about them could potentially impact this type of data collection. When considered as a full data set, the information collected by autonomous vehicle companies will likely be impacted by the evolving data privacy regulatory environment.

What are some key considerations when creating privacy policies for autonomous and connected vehicles?

Developing a strong privacy policy includes asking and answering the following questions:

  • What type of personal data is the company collecting?
  • When and how is that personal data being collected?
  • How is that data being used?
  • How is that data being stored?
  • With whom is that data being shared?
  • What elements of that data are being sold, if any?
  • Who owns that data?

Finding answers to these questions is typically not a straightforward or simple exercise. In-house counsel should be prepared to have conversations with individuals in many different departments to fully understand the business’s practices around collecting and handling personal data. Effective communication with consumers via the privacy policy starts with a comprehensive internal understanding of personal data protection practices.

What are the key data privacy best practices for autonomous vehicle companies?

The Alliance for Automotive Innovation (Auto Innovators), a leading automotive industry group, spearheaded the development of consumer privacy protection principles in 2014. The organization reviewed these principles again in 2018 and is committed to periodic review to ensure their relevancy. These principles can be a useful data point.

Key elements of these principles include:

  • Transparency
  • Choice
  • Respect for Context
  • Data Minimization, De-Identification and Retention
  • Data Security
  • Integrity and Access
  • Accountability

What are the best practices for ensuring data security?

Autonomous vehicle companies should remain flexible and be willing to adapt to evolving cybersecurity principles. There are many different approaches and best practices.

As an example, the National Highway Traffic Safety Administration (NHTSA) recommends a layered approach to cybersecurity. NHTSA’s Cybersecurity Framework is structured around five principles — identify, protect, detect, respond and recover — and can be used as a basis for developing comprehensive data security policies.

NHTSA describes how this approach “at the vehicle level” includes:

  • Protective/Preventive Measures and Techniques: These measures, such as isolation of safety-critical control systems networks or encryption, implement hardware and software solutions that lower the likelihood and diminish the potential impact of a successful hack.
  • Real-time Intrusion (Hacking) Detection Measures: These measures continually monitor signatures of potential intrusions into the electronic system architecture.
  • Real-time Response Methods: These measures mitigate the potential adverse effects of a successful hack, preserving the driver’s ability to control the vehicle.
  • Assessment of Solutions: This involves information sharing and analysis of a hack by affected parties, development of a fix and dissemination of the fix to all relevant stakeholders (such as through an Information Sharing and Analysis Center). This layer ensures that once a potential vulnerability or a hacking technique is identified, information about the issue and potential solutions are quickly shared with stakeholders.

How should autonomous vehicle companies strike a balance between data privacy and commercial opportunities?

In this dynamic landscape, autonomous vehicle companies should create data privacy policies that provide transparency, protect consumer privacy and respect consumers’ choices. Effective data protection practices allow customers a reasonable level of control over their data while still enabling business opportunities to monetize downstream value chains.

Varnum’s Mobility Practice has helped leading autonomous vehicle companies craft their data privacy policies. How robust is your plan? Schedule a meeting with our mobility data privacy and security attorneys.

Navigating the Data Privacy Landscape for Autonomous Vehicles by Balancing Consumer Rights and Monetization

This is the last part in a series of advisories on data privacy best practices for autonomous and connected vehicles. To read previous advisories in this series, please visit: Best Practices, Documenting Collected Data, Defining Data Privacy Principles and Implementing Effective Data Security.

The data collected from connected and autonomous vehicles is a treasure trove of information that can be used to continuously improve the customer experience, provide valuable and potentially cost-saving conveniences, and improve user and vehicle safety.

Today, much of the focus for data monetization seems to be on consumer-related data. Global management consultant McKinsey estimates the financial opportunity for AV companies to monetize this data at $250-$400 billion within a decade. Some examples of this monetization, noted in their new report on Unlocking the Full Life-Cycle Value From Connected-Car Data, include “insurers… tailor[ing] insurance rates to driving styles, for instance, and certain cities [using] sensory data to identify potholes. A few media agencies have also increased their advertising reach through new touch points inside and outside of vehicles.”

This industry-within-an-industry is possible because the collected data from connected and autonomous vehicles can allow third party businesses to deduce driver demographics, as well as coveted psychographic and behavioral factors such as personal interests, recreational activities and other preferences. More importantly, effective use of this data can dramatically increase driver safety while reducing traffic and road congestion.

In this dynamic landscape, in-house counsel should create privacy practices for connected and autonomous vehicles that meet or even exceed consumers’ privacy expectations while maximizing the data’s benefits. Strategies to accomplish this include highly transparent and accessible disclosures, meaningful consumer choice and effective data deidentification.


Implementing Effective Security Measures for Data Privacy for Autonomous Vehicles

This is the fourth part in a series of advisories on data privacy best practices for autonomous and connected vehicles. To read previous advisories in this series, please visit: Best Practices, Documenting Collected Data and Defining Data Privacy Principles.

Autonomous vehicles can be vulnerable to cyber attacks, including those with malicious intent. Identifying an appropriate framework with policies and procedures will help mitigate the risk of a potential attack.

The National Highway Traffic Safety Administration (NHTSA) recommends a layered approach to reduce the likelihood of an attack’s success and mitigate ramifications if one does occur. NHTSA’s Cybersecurity Framework is structured around the five principles of identify, protect, detect, respond and recover, and can be used as a basis for developing comprehensive data security policies.

NHTSA goes on to describe how this approach “at the vehicle level” includes:

  • Protective/Preventive Measures and Techniques: These measures, such as isolation of safety-critical control systems networks or encryption, implement hardware and software solutions that lower the likelihood of a successful hack and diminish the potential impact of a successful hack.
  • Real-time Intrusion (Hacking) Detection Measures: These measures continually monitor signatures of potential intrusions in the electronic system architecture.
  • Real-time Response Methods: These measures mitigate the potential adverse effects of a successful hack, preserving the driver’s ability to control the vehicle.
  • Assessment of Solutions: This [analysis] involves methods such as information sharing and analysis of a hack by affected parties, development of a fix, and dissemination of the fix to all relevant stakeholders (such as through an ISAC). This layer ensures that once a potential vulnerability or a hacking technique is identified, information about the issue and potential solutions are quickly shared with other stakeholders.

Other industry associations are also weighing in on best practices, including the Automotive Information Sharing and Analysis Center’s (Auto-ISAC) seven Key Cybersecurity Functions and, from a technology development perspective, SAE International’s J3061, a Cybersecurity Guidebook for Cyber-Physical Vehicle Systems to help AV companies “[minimize] the exploitation of vulnerabilities that can lead to losses, such as financial, operational, privacy, and safety.”

To build an effective data security protection posture, Varnum’s Data Privacy Team recommends in-house counsel be flexible. Prescriptive requirements aren’t always well-suited to cybersecurity protection. It’s important to learn to adapt and understand evolving best practices and key cybersecurity principles, with a focus on prevention, monitoring and response.


Defining Data Privacy Principles for Autonomous and Connected Vehicles

This is the third part in a series of advisories on data privacy best practices for autonomous and connected vehicles. To read previous advisories in this series, please visit: Best Practices and Documenting Collected Data.

In 2014, leading automakers adopted the Consumer Privacy Protection Principles for vehicle technology and services. These Principles were reviewed again in 2018. Led by the Alliance for Automotive Innovation (Auto Innovators), these Consumer Privacy Protection Principles currently define privacy principles for vehicle technologies and services including:

  • Voluntary disclosure of the types of data being collected and how the data will be used and shared
  • Multiple points of disclosure including in-vehicle displays, web-based registration portals and owner’s manuals
  • Ability for consumers to review privacy policies prior to purchase
  • Opportunity for consumers to grant permission for their data to be used for third-party marketing

Despite the time that has passed since the Principles’ initial adoption and their applicability to conventional vehicles, they, along with industry best practices and current regulatory requirements, can nonetheless be a useful reference for autonomous vehicle companies. In-house counsel at autonomous vehicle companies should ask the following questions to help construct effective data protection and privacy policies that ensure their company’s technologies manage access to identifying data:

  • Where possible, can internal and external access to this data be restricted to the technologies required to perform a specific service?
  • Where should the technology use persistent versus randomly assigned identifiers?
  • Can the data be anonymized or de-identified?
  • What degree of control can customers have over what data is collected, stored or shared?
  • When it’s time to transfer ownership, which user data should be deleted, as it may be on other personal devices like a laptop?


Navigating the Data Privacy Landscape for Autonomous and Connected Vehicles: Documenting Collected Data

This is the second part in a series of advisories on data privacy best practices for autonomous and connected vehicles. To read the first advisory, please visit Navigating the Data Privacy Landscape for Autonomous and Connected Vehicles: Best Practices.

Autonomous vehicles require a vast amount of data to operate safely, some of which could answer questions like:

  • Where is the car right now, and what direction is it heading?
  • What other vehicles, landmarks or pedestrians are nearby?

This data may be grouped by type (sensor, image) and category (location, driving).

Sensor and Image Data

  • A myriad of sensors, cameras and radars collect external environment data ranging from traffic and road conditions to surrounding geographies and points of interest. 
  • While this type of data helps the autonomous vehicle stay safe relative to other cars, pedestrians and transportation users (like cyclists) on the road, the technology may also capture images of people or events that occurred outside the vehicle.

Location and Driving Data

  • Knowing a vehicle’s location is crucial for the safe operation of an autonomous car and its passengers but could pose privacy concerns that vary depending on whether the autonomous vehicle is utilized in a transportation service or as an owned vehicle. 
  • Individual trip route information and other types of location information, combined with elements such as time, may be personally sensitive to the driver.

These data sets, if not handled properly, may be used to identify riders, from where they work to where they prefer to shop and the places they visit frequently. Moreover, whereas all this collected data raises privacy considerations for riders and passengers, sensor and image data in particular may raise privacy concerns for individuals outside the vehicle.

Law enforcement may also seek access to this data in relation to investigating a civil or criminal matter, further complicating the desire for consumer privacy.

Varnum’s Mobility Team recommends documenting what data is collected, how it flows into and through the technology stack and, when it leaves the system, where it goes. This information can inform in-house counsel on the creation of data privacy policies that balance the need for successful automation, while protecting personal privacy and meeting compliance standards.


Navigating the Data Privacy Landscape for Autonomous and Connected Vehicles: Best Practices

Autonomous and connected vehicles, and the data they collect, process and store, create high demands for strong data privacy and security policies. Accordingly, in-house counsel must define holistic data privacy best practices for consumer and B2B autonomous vehicles that balance compliance, safety, consumer protections and opportunities for commercial success against a patchwork of federal and state regulations.

Understanding key best practices related to the collection, use, storage and disposal of data will help in-house counsel frame balanced data privacy policies for autonomous vehicles and consumers. This is the inaugural article in our series on privacy policy best practices related to:

  1. Data collection
  2. Data privacy
  3. Data security
  4. Monetizing data

Autonomous and Connected Vehicles: Data Protection and Privacy Issues

The spirit of America is tightly intertwined with the concept of personal liberty, including freedom to jump in a car and go… wherever the road takes you. As the famous song claims, you can “get your kicks on Route 66.” But today you don’t just get your kicks. You also get terabytes of data on where you went, when you left and arrived, how fast you traveled to get there, and more.

Today’s connected and semi-autonomous vehicles are actively collecting 100x more data than a personal smartphone, precipitating a revolution that will drive changes not just to automotive manufacturing, but to our culture, economy, infrastructure, legal and regulatory landscapes.

As our cars are becoming computers, the volume and specificity of data collected continues to grow. The future is now. Or at least, very near. Global management consultant McKinsey estimates “full autonomy with Level 5 technology—operating anytime, anywhere” as soon as the next decade.

This near-term future isn’t only for consumer automobiles and ride-sharing robo taxis. B2B industries, including logistics and delivery, agriculture, mining, waste management and more are pursuing connected and autonomous vehicle deployments. 

In-house counsel must balance evolving regulations at the federal and state level, as well as consider cross-border and international regulations for global technologies. In the United States, the Federal Trade Commission (FTC) is the regulatory agency governing data privacy, alongside individual states that are developing their own regulations, with the California Consumer Privacy Act (CCPA) leading the way. Virginia and Colorado have new laws coming into effect in 2023, the California Privacy Rights Act comes into effect in 2023 as well, and a half dozen more states are expected to enact new privacy legislation in the near future. 

While federal and state regulations continue to evolve, mobility companies in the consumer and B2B mobility sectors need to make decisions today about their own data privacy and security policies in order to optimize compliance and consumer protection with opportunities for commercial success.

Understanding Types of Connected and Autonomous Vehicles

Autonomous, semi-autonomous, self-driving, connected and networked cars; in this developing category, these descriptions are often used interchangeably in leading business and industry publications. B2B International defines “connected vehicles (CVs) [as those that] use the latest technology to communicate with each other and the world around them” whereas “autonomous vehicles (AVs)… are capable of recognizing their environment via the use of on-board sensors and global positioning systems in order to navigate with little or no human input. Examples of autonomous vehicle technology already in action in many modern cars include self-parking and auto-collision avoidance systems.”

But SAE International and the National Highway Traffic Safety Administration (NHTSA) go further, defining five levels of automation in self-driving cars.

Levels of automation, from low to high:

Human Monitors Driving Environment

  • No Automation: The human driver does all the driving.
  • Assistance: Vehicle is controlled by the driver, but some driving assist features may be included.
  • Partial Automation: Vehicle has combined automated functions, like acceleration and steering, but the driver must remain engaged with the driving task and monitor the environment at all times.

AV Monitors

  • Conditional Automation: Driver is a necessity, but is not required to monitor the environment. The driver must be ready to take control of the vehicle at all times with notice.
  • High Automation: The vehicle is capable of performing all driving functions under certain conditions. The driver may have the option to control the vehicle.
  • Full Automation: The vehicle is capable of performing all driving functions under all conditions. The driver may have the option to control the vehicle.

Level 3 and above autonomous driving is getting closer to reality every day because of an array of technologies, including: sensors, radar, sonar, lidar, biometrics, artificial intelligence and advanced computing power.

Approaching a Data Privacy Policy for Connected and Autonomous Vehicles

Because the mobility tech ecosystem is so dynamic, many companies, though well-intentioned, inadvertently start with insufficient data privacy and security policies for their autonomous vehicle technology. The focus for these early and second stage companies is on bringing a product to market and, when sales accelerate, there is an urgent need to ensure their data privacy policies are comprehensive and compliant.

Whether companies are drafting initial policies or revising existing ones, there are general data principles that can guide policy development across the lifecycle of data:

  • Collect: Only collect the data you need
  • Use: Only use data for the reason you informed the consumer
  • Store: Ensure reasonable data security protections are in place
  • Dispose: Dispose the data when it’s no longer needed

Additionally, for many companies, framing autonomous and connected vehicle data protection and privacy issues through a safety lens can help determine the optimal approach to constructing policies that support the goals of the business while satisfying federal and state regulations.

For example, a company that monitors driver alertness (critical for safety in today’s Level 2 AV environment) through biometrics is, by design, collecting data on each driver who uses the car. This scenario clearly supports vehicle and driver safety while at the same time implicating U.S. data privacy law.

In the emerging regulatory landscape, in-house counsel will continue to be challenged to balance safety and privacy. Biometrics will become even more prevalent in connection to identification and authentication, along with other driver-monitoring technologies for all connected and autonomous vehicles, but particularly in relation to commercial fleet deployments.

Developing Best Practices for Data Privacy Policies

In-house counsel at autonomous vehicle companies are responsible for constructing their company’s data privacy and security policies. Best practices should be set around:

  • What data to collect and when
  • How collected data will be used
  • How to store collected data securely
  • Data ownership and monetization

Today, the CCPA sets the standard for rigorous consumer protections related to data ownership and privacy. However, in this evolving space, counsel will need to monitor and adjust their company’s practices and policies to comply with new regulations as they continue to develop in the U.S. and countries around the world.

Keeping best practices related to the collection, use, storage and disposal of data in mind will help in-house counsel construct policies that balance consumer protections with safety and the commercial goals of their organizations.

A parting consideration may be opportunistic, if extralegal: companies that choose to advocate strongly for customer protections may be afforded a powerful, positive opportunity to position themselves as responsible corporate citizens.
