Self-driving cars, or autonomous vehicles, may be the greatest disruptive innovation to travel that we have experienced in a century. A fully-automated, self-driving car is able to perceive its environment, determine the optimal route, and drive unaided by human intervention for the entire journey. Self-driving cars have the potential to drastically reduce accidents, travel time, and the environmental impact of road travel. However, obstacles remain for the full implementation of the technology including the need to reduce public fear, increase reliability, and create adequate regulations.

Of particular concern with regard to self-driving cars are data privacy and cyber security risks. To date, six states and the District of Columbia have enacted laws that address autonomous vehicles or autonomous technology, but none of these state regulations address key areas of data privacy and security, such as the collection, use, choice, and security of consumer data gathered from these autonomous vehicles or autonomous technology. As vehicles become more computerized and begin to generate huge amounts of data, the potential for unwanted third party access of that data and the risk of cyber threat increases. Hackers could access the personal data of a driver, such as the vehicle’s location, the identity of others in the car, and whether the driver is home at any particular time. Additionally, cyberattacks could have potentially fatal consequences, not just for the driver and passengers inside the vehicle, but for anyone or anything physically surrounding the vehicle.


Percentage of global automotive industry executives who expect self-driving cars to be on the market by 2025.1

54 million

The projected number of self-driving cars on the road globally by 2035.2

$87 billion

The market opportunity for car manufacturers, technology developers, and original equipment manufacturers by 2030.3

$759 million

The market opportunity for automotive cybersecurity technology by 2023.4

Questions to consider when evaluating the data privacy and security issues of self-driving cars:

  1. Do current regulations cover your self-driving car? If so, what aspect of your self-driving car do these regulations cover, and what do those regulations require?
  2. What types of data does your driverless technology collect?
  3. Do third parties have access to the data?
  4. Do you have a duty to notify the driver of the self-driving car of the data you are either actively or passively collecting?
  5. Do you have a duty to notify the driver if you lose the data or, based on the data, you are aware of conditions that could put the driver in danger?
  6. What choices have you given, or are you required to give, the driver of the self-driving car?
  7. Have you attained appropriate releases of liability permitted under current regulations?
  8. Is your self-driving car or driverless technology susceptible to a cyberattack?
  9. Have you tested and determined that your driverless technology is highly resilient to cyber threat?
  10. Have you procured insurance in sufficient amounts to cover likely risks and threats?