First Take: Privacy in Updated Federal Guidance for Automated Driving


Yesterday, the Department of Transportation and the National Highway Traffic Safety Administration issued updated guidance for autonomous vehicles; streamlining last year’s guidance, incorporating public comments, and stripping privacy from its recommendations.

While Transportation Secretary Elaine Chao’s opening message highlights the importance of protecting consumer privacy, privacy was among three elements removed in the updated guidance, along with “Registration and Certification” and “Ethical Considerations.” This means that these topics are not to be included in the Safety Assessment Letters, which the guidance stresses are highly voluntary, despite recent legislative proposals that would make mandatory. Readers seeking information on NHTSA’s updated approach to privacy had to look to the footnotes, which point to a new NHTSA website, where answers can be found by clicking through and expanding an extended series of Q&As.

A close read of these Q&A’s reveals the removed sections of the guidance “remain important and are areas for further discussion and research” and the updated guidance instead focuses on topics readier for implementation in the near term. The site emphasizes the Federal Trade Commission’s role as the chief agency for protecting consumer privacy in this space, in part because “privacy is not directly relevant to motor vehicle safety.” This is one of the clearest instances to date of NHTSA clarifying the limits of their jurisdiction over privacy as related to the FTC.

A call for data sharing between entities in this space was also largely removed from the guidance, with NHTSA on their website citing industry concern about sharing of proprietary information, and lack of clarity around safety metrics. While much of the promise of advanced driving systems will eventually be their ability to enhance safety through data sharing, the nascent nature of this technology renders it a bit early for such mandates between non-governmental entities, and NHTSA focuses first on building standardized mechanisms for crash reconstruction data reporting to government. In the meantime, they do encourage voluntary collaboration among industry.

NHTSA’s removal of a privacy focus stands in contrast to some recent approaches to this issue. The SELF DRIVE Act that passed in the House of Representatives last week includes a comprehensive section on consumer privacy with a mandate that manufacturers create and share their “privacy plan,” creates an advisory group that will review privacy among its topics, and calls on the FTC undertake study of this topic (our full recap of the House bill here). In June, NHTSA and the FTC co-hosted a workshop focused on privacy around connected cars, emphasizing the two agencies’ commitment to the issue, but with the FTC taking a much more vocal role throughout the workshop. Also of note, a recently shared Staff Discussion Draft of the Senate version of self-driving legislation does not include a privacy section, and its data recording section focuses on crash data.

For those of us who think that proactively protecting consumer privacy in the connected car is crucial to the adoption of this safety-enhancing technology, its absence from the NHTSA guidance is notable. But some may find that this move achieves the clarity that many of us, including the Government Accountability Office in a recent study, have called for regarding NHTSA and FTC roles—by explaining that nearly all issues related to privacy in connected cars fall squarely in the FTC’s camp.


See our recap of the privacy elements of the first Federal Automated Vehicles Policy here

See our comments on the first Federal Automated Vehicles Policy here

See our comments on the NHTSA/FTC Workshop here

See our infographic mapping data flows in the connected car here