This month, Colorado joined a growing list of nearly half of U.S. states when it enacted a law approving the use of autonomous driving systems. The Colorado law governs systems capable of controlling highly and fully autonomous driving vehicles as long as the autonomous driving system complies with every state and federal law that applies to the function that the system is operating.

Colorado continues to follow the automation levels of SAE's International Standard J3016, under which the state had previously recognized level 0 to 3 automation. In recognizing the more complete levels of automation in levels 4 and 5, this new law defined an "automated driving system" as "hardware and software that are collectively capable, without any intervention or supervision by a human operator, of performing all aspects of the dynamic driving task for a vehicle on a part-time of full-time basis."

SAE Standard J3016 provides for six levels of driving automation for on-road vehicles: (0) no automation, (1) driver assistance, (2) partial automation, (3) conditional automation, (4) high automation, and (5) full automation.

Level 3, which already was legal under Colorado law, is defined by SAE as the automated driving system controlling "all aspects of the driving task with the expectation that the human driver will respond appropriately to a request to intervene." In comparison, level 4 automated driving systems control "all aspects of the dynamic driving task, even if a human driver does not respond appropriately to a request to intervene." In level 5, the automated driving system controls "all aspects of the dynamic driving task under all roadway conditions."

The law’s definition of "dynamic driving task" is consistent with the definition provided in SAE J3016. It includes operational aspects of driving (steering, braking, accelerating, and monitoring of the vehicle) and tactical aspects (responding to events, determining when to change lanes, turning, and using signals) but not strategic aspects (determining destinations and waypoints).

Police are given the authority to impound or immobilize any motor vehicle that uses an automated driving system that is not capable of complying with every state and federal law that applies to the function the system is operating. Testing of such vehicles can be accomplished only through the approval of the Colorado State Patrol and Department of Transportation.

According to the National Conference of State Legislatures, 18 states and the District of Columbia have passed legislation related to autonomous vehicles. Four more states have addressed the issue through executive orders.

While the use of highly and fully autonomous driving vehicles may seem futuristic, car manufacturers have been aggressively pursuing the technology. Ford announced its intent to produce level 4 autonomous vehicles by 2021 and Volvo's CEO stated that the company's goal is to have a car that can drive fully autonomously on the highway by 2021.

Notably, while state laws such as the one enacted in Colorado authorize the use of automated driving systems, they do not address the privacy and cybersecurity risks associated with their use. Autonomous vehicles rely on car-mounted sensors, geolocation, and internet of things technology to navigate. Although experts disagree on exactly how much data will be created through automated driving systems, some have estimated that it could create as much as 1 GB of data per second. As this new technology becomes more commonplace, lawmakers and regulators will need to consider the methods by which that data is collected, stored, protected, and used to ensure user privacy.

In addition, it is not difficult to imagine the inherent cybersecurity risks, such as hackers employing ransomware attacks to prohibit owners from using their vehicles. Consequently, it is likely that policy makers will want to ensure that the technology has adequate information security protections in place to protect consumers.

Attorneys in Ballard Spahr's Denver office have significant experience defending and counseling automotive companies in product liability matters and advising companies on cybersecurity risks. The firm’s Privacy and Data Security Group provides a full range of counseling, transactional, regulatory, investigative, and litigation services across industry sectors, including the automotive industry. Our cross-disciplinary team of attorneys helps clients around the world mitigate cyber risk, investigate and respond to cyber incidents, and navigate post-incident enforcement, compliance, and litigation risk. The firm's Product Liability and Mass Tort Group has substantial experience representing automotive companies in a wide range of litigation and counseling matters, including class actions and regulatory compliance.

Copyright © 2017 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.