NHTSA Releases Autonomous Vehicle Policy and Guidelines

Today, the National Highway Traffic Safety Administration (NHTSA) released its long-awaited Policy and guidelines regarding autonomous vehicles. The Federal Automated Vehicles Policy consists of four parts: (1) Vehicle Performance Guidance for Automated Vehicles; (2) Model State Policy; (3) NHTSA’s Current Regulatory Tools; and (4) Modern Regulatory Tools.

Although much of the Policy went into effect today, some portions will become effective in the future. It should be noted, however, that Policy and the guidance set forth are not federally enacted statutes or regulations – they are only first steps towards autonomous vehicle regulation on the federal level. In his introductory message for the Policy, Department of Transportation Secretary Anthony Foxx states that NHTSA does “not intend to write the final word on highly automated vehicles here. Rather, [it intends] to establish a foundation and a framework upon which future Agency action will occur.” To that end, NHTSA will allow public comment and feedback on the Policy and plans to continually update the Policy in the future.

Overall, the Policy emphasizes the need for a consistent, unified national regulatory framework for autonomous vehicles and encourages manufacturers to work together by sharing data generated from the testing and deployment of autonomous vehicles. The ultimate goal is to increase the knowledge and understanding of the government, automotive industry, and the public as autonomous technology quickly develops into a part of our everyday lives.

Vehicle Performance Guidance for Automated Vehicles

The Vehicle Performance Guidance “outlines best practices for the safe pre-deployment design, development, and testing of [highly autonomous vehicles or HAVs] prior to commercial sale or operation on public roads.” Although there are no federal laws which specifically address autonomous vehicles, generally, manufacturers must self-certify their vehicles comply with all applicable Federal Motor Vehicle Safety Standards. Although the Vehicle Performance Guidance (VPG”) is not mandatory, the Department of Transportation expects manufacturers to use the VPG as well as industry standards and other best practices “to ensure that their systems will be reasonably safe under real-world conditions.” Moreover, the VPG should be considered by all individuals and entities “manufacturing, designing, testing, and/or planning to sell automated vehicle systems in the United States,” both for test-level and production-level vehicles. The VPG includes provisions which apply to all automation aspects of a vehicle (for semi-autonomous to fully-autonomous vehicles) as well as provisions which apply to specific autonomous systems.

The most notable provisions of the VPG address issues of data recording and sharing, privacy, cybersecurity and creates a safety assessment procedure.

Data Recording & Sharing: Under the VPG, manufacturers and other entities are to develop a process for the testing, validation and collection of event, incident and crash data in order to establish the cause of malfunctions, failures, or degradations. Data recorded by manufacturers must be collected, recorded, shared, stored, audited and deconstructed in accordance with the manufacturer’s own consumer privacy and security agreements and notices. With respect to crash reconstruction, the data collected by the manufacturer should be readily available for retrieval by the manufacturer or by NHTSA. The VPG only provides general statements regarding the type of data that should be collected, i.e., at minimum, all info relevant to event and performance of the system so event can be reconstructed. For the purposes of developing safety standards, the VPG advises manufacturers to also collect, store and analyze data regarding positive autonomous technology outcomes – instances where the autonomous technology worked to save human life or avoid collision.

The VPG encourages the sharing of data collected by manufacturers. Manufacturers should have both the technical and legal capability to share relevant recorded data. Entities are to develop a plan to share their event reconstruction and other relevant data with other manufacturers. In terms of protecting the rights of individuals and limiting the dissemination of the data recorded, the Vehicle Performance Guidance states that the data intended to be shared through a third party should not contain any personally identifiable information.

These guidelines leave many issues regarding data ownership unaddressed. Recognizing this, the Policy notes that further research and discussion is needed to fully develop this topic.

Privacy: The VPG contains little by way of new guidance on the issue of privacy. Rather, it points to guidelines published by federal agencies and industry associations as recommended resources for manufacturers to follow. Manufacturers of highly automated vehicles should “take steps to protect consumer privacy” in order to ensure, among other things:

(a) transparency – by developing clear notices explaining how the manufacturer collects, uses, shares, secures, audits, destroys data generated by their vehicles;
(b) respect for context – by using the data in manners consistent with the purpose the data was originally collected;
(c) minimize de-identification and retention – by collecting and retaining data only as long as needed to achieve legitimate business purpose;
(d) data security – by implementing measures to protect data; and
(e) accountability – by taking steps to audit privacy and data protection.

Cybersecurity: The VPG also only generally addresses issues relating to cybersecurity – stating manufacturers should develop a process to minimize safety risks, including cybersecurity threats and vulnerabilities. Particularly, the process should include a systematic and ongoing assessment of the safety risk of the autonomous system to address threats, enable risk management decisions, quick responses, and to learn from cybersecurity events. The VPG encourages manufacturers to utilize and incorporate best practices already developed by the industry, including those from the SAE International Alliance, Association of Global Automakers, and Automotive Information Sharing and Analysis Center (Auto-ISAC), to name a few. And finally, manufacturers are also encouraged to share data regarding cybersecurity events in order to foster “group learning” amongst manufacturers. In addition to immediately reporting cybersecurity events to Auto-ISAC, manufacturers should also develop a disclosure policy with respect to cybersecurity threats.

Safety Assessment Letter to NHTSA: The Policy requests manufacturers to voluntarily provide Safety Assessment Letters to NHTSA, reporting compliance with the VPG. Eventually, NHTSA expects the Safety Assessment Letter to be a mandatory reporting requirement once a manufacturer intends to release their product for use on public roads. The Safety Assessment Report should including information on compliance with the NHTSA Policy on data recording and sharing, privacy, vehicle cybersecurity, among other topics. This provision of the Policy will not take effect until the Paperwork Reduction Act review and process has been completed. However, manufacturers and others are instructed to develop documented plans specifying how they intend to comply with applicable Federal State and local laws right now.

Model State Policy

NHTSA strongly encourages states to allow the Department of Transportation alone to regulate the performance of autonomous vehicles and technology. The Model State Policy is a “model regulatory framework for States that wish to regulate procedures and conditions for testing, deployment, and operation of [autonomous vehicles].” The goal of the Model State Policy is to provide consistency in state laws to avoid a patchwork of inconsistent state laws that could impede innovation of autonomous technology – echoing concerns previously expressed by automobile manufacturers.

NHTSA also encourages states to evaluate and address unnecessary impediments to the testing, deployment and operation of autonomous vehicles., including an update on laws referencing a human driver. For highly autonomous vehicles, NHTSA suggests states deem the autonomous vehicle as the “driver” for the purposes of applying laws applicable to drivers of vehicles.

In terms of state oversight, each state should identify a lead agency responsible for the consideration of requests to test autonomous vehicles. That agency should take steps to implement a framework and regulations regarding autonomous vehicle testing, including an examination of the state’s current laws and the establishment of necessary authority to enact and amend necessary regulations. In particular, NHTSA recommends the state agency identify legal issues that need to be addressed before autonomous vehicles are deployed.

Each manufacturer should submit an application to the lead state agency detailing the manufacturer’s plan to test autonomous vehicles. The application should include (a) a statement that the vehicle meets the Vehicle Performance Guidance; (b) an outline of the manufacturer’s safety compliance plan; and (c) evidence of the manufacturer’s ability to satisfy judgment(s) against it. This application model is similar to California’s current statutory framework under Vehicle Code Section 38750 and its attendant regulations.

In terms of liability and insurance, NHTSA recognizes that states will determine these rules with respect to autonomous vehicles. It recommends state legislators to consider how to allocate liability and identify who must carry insurance for autonomous vehicles. Noting that the rules implemented by the states will impact the deployment of autonomous vehicles and related insurance costs, NHTSA recommends states create a commission to examine liability and insurance issues and make necessary recommendations to state legislators.

NHTSA & Modern Regulatory Tools

The Policy concludes with a summary and discussion of regulatory tools which can be used to help manufacturers develop with autonomous vehicle testing and to develop regulations pertaining to autonomous vehicles in the future. Again, the Policy is a work in progress and the regulatory tools are discussed in order to allow manufacturers and the public to help formulate federal law as to autonomous vehicles.

You can read the full Policy here:


This document is intended to provide you with information about trending legal developments. The contents of this document are not intended to provide specific legal advice. This communication may be considered advertising in some jurisdictions.

September 20, 2016