This is the third part in a series of advisories on data privacy best practices for autonomous and connected vehicles. To read previous advisories in this series, please visit: Best Practices and Documenting Data Collection.

In 2014, leading automakers adopted the Consumer Privacy Protection Principles for vehicle technology and services. These Principles were reviewed again in 2018. Led by the Alliance for Automotive Innovation (Auto Innovators), these Consumer Privacy Protection Principles currently define privacy principles for vehicle technologies and services including:

• Voluntary disclosure of the types of data being collected and how the data will be used and shared

• Multiple points of disclosure including in-vehicle displays, web-based registration portals and owner’s manuals

• Ability for consumers to review privacy policies prior to purchase

• Opportunity for consumers to grant permission for their data to be used for third-party marketing

Despite the time lapse since the Principles’ initial adoption and their applicability to conventional vehicles they, along with industry best practices and current regulatory requirements, can nonetheless be a useful reference for autonomous vehicle companies. In-house counsel at autonomous vehicle companies should ask the following questions to help construct effective data protection and privacy policies that ensure their company’s technologies manage access to identifying data:

• Where possible, can internal and external access to this data be restricted to the technologies required to perform a specific service?

• Where should the technology use persistent versus randomly assigned identifiers?

• Can the data be anonymized or de-identified?

• What degree of control can customers have over what data is collected, stored or shared?

• When it’s time to transfer ownership, which user data should be deleted, as it may be on other personal devices like a laptop?