Driverless cars are no longer a far-off pipe dream. Look for Hyundai and Toyota to showcase their driverless models at the upcoming 2018 and 2020 Olympics (in South Korea and Japan, respectively). Many predict that within 10 years, driverless cars will be the norm. Forbes has estimated that there will be approximately 10 million self-driving cars on the road by 2020. Others have been more conservative in their forecast.

There is no doubt that driverless technologies are poised to drastically impact society, with many touting the decrease in human error leading to fewer traffic fatalities and increased time for work and leisure. What about the potential implications for personal privacy?

The data that driverless vehicles could collect and the potential uses of that data could be quite intrusive. Driverless cars could provide both historic and real-time, continuous geolocation data. Companies could utilize this data to determine not only your current location and destination but also every place that you have been and when you were there. Advertisers may be able to discern the purchasing patterns of individuals by tracking what stores they frequent. Insurers may be able to determine what the lifestyle of individuals is like by following their daily activities (e.g., constant trips to the gym) and dining habits (e.g., frequent trips to fast food restaurants).

There are currently no federal statutes governing driverless cars, although the Department of Transportation released its Federal Automated Vehicles Policy in 2016, which provides guidelines to manufacturers regarding safety regulation compliance. Earlier this month, however, Secretary of Transportation Elaine Chao discussed an update to the federal guidance, which no longer includes a suggestion that automakers consider ethical and privacy issues. Only eight states (i.e., California, Florida, Louisiana, Michigan, Nevada, North Dakota, Tennessee, and Utah) and the District of Columbia have enacted laws addressing driverless cars. These state statutes typically address manufacturer liability, owner insurance and safety standards. Only the California statute addresses the data generated and collected by the driverless car, requiring that the manufacturer provide a written disclosure describing what information is collected by the “autonomous technology” equipped in the vehicle to the purchaser.

The Alliance of Auto Manufacturers, Inc., a major automakers trade group, adopted a list of non-binding privacy principles for vehicle technologies and services in 2014. These principles include commitments to transparency; increased consumer choice; reasonable and responsible use of information; data minimization, de-identification, and retention; data security; and accountability. They also recommend that consumers must affirmatively consent to having geolocation, biometric, and driver behavior data and other identifiable information used for marketing or by third parties. Unfortunately, these principles are nonbinding and subject to the interpretation of the specific auto manufacturer. State laws and regulations have neither incorporated nor even endorsed them. Therefore, for the present, the auto industry remains self-regulating in determining data collection, ownership, retention, and usage policies relating to self-driving cars.

So if you are one of the anticipated millions of adopters of driverless vehicles in the next several years, consider investigating or inquiring into what types of data the manufacturer, dealer or service (such as Uber or Lyft) collects in the course of your use of the vehicle or service and whether you can turn off or opt out of any types of data collection or data sharing. However, keep in mind that information about the vehicle’s data collection and sharing practices likely won’t be readily available and you may not have a meaningful choice of whether and how your information is used or shared if you want to participate in the driverless technology revolution – that is, unless manufacturers and service providers are required by new laws or regulations at the state or federal level to allow users such choices.

Check out our series, Privacy Perils, to learn what steps you can take to guard your personal and company data. For more information about this topic and other cyber security concerns, please contact a member of our Privacy & Data Security team.