For the past several months, this blog has primarily focused on new legal questions that will be raised by connected and automated vehicles. This new transportation technology will undoubtedly raise novel concerns around tort liability, traffic stops, and city design. Along with raising novel problems, CAVs will also add new urgency to longstanding legal challenges. In some ways, this is best encapsulated in the field of privacy and data management.
In recent decades, the need to understand where our data goes has increased exponentially. The smartphones that most of us carry around every day are already capable of tracking our location, and recording a lot of our personal information. In addition to this computer/data generation machine in our pockets, the CAV will be a supercomputer on wheels, predicted to generate 4,000 gigabytes of data per day. Human driven vehicles with some automated features, such as Tesla’s with the company’s “Autopilot” functionality, already collect vast amounts of user data. Tesla’s website notes that the company may access a user’s browsing history, navigation history, and radio listening history, for example.
In response to this growing concern, California recently passed a sweeping new digital privacy law, set to take effect in 2020. Nicknamed “GDPR-Lite” after the European Union’s General Data Protection Regulation, California’s law “grants consumers the right to know what information companies are collecting about them, why they are collecting that data and with whom they are sharing it.” It also requires companies to delete data about a customer upon request, and mandates that companies provide the same quality and cost of service to users who opt out of data collection as those who opt in.
In comparison to the GDPR, California’s law is relatively limited in scope. The California Consumer Privacy Act (CCPA) is tailored to apply only to businesses that are relatively large or that are primarily engaged in the business of collecting and selling personal data. Furthermore, CCPA contains few limitations on what a business can do internally with data it collects. Instead, it focuses on the sale of that data to third parties.
In many ways, it remains too early to evaluate the effectiveness of California’s approach. This is in part because the law does not take effect until the beginning of next year. The bill also enables the California Attorney General to issue guidance and regulations fleshing out the requirements of the bill. These as-yet-unknown regulations will play a major role in how CCPA operates in practice.
Regardless of its uncertainties and potential shortcomings though, CCPA is likely to play a significant role in the future of American data privacy law and policy. It is the first significant privacy legislation in the US to respond to the recent tech boom, and it comes out of a state that is the world’s fifth largest economy. CCPA’s implementation will undoubtedly provide important lessons for both other states and the federal government as they consider the future of data privacy.