Key Points

  • California's new regulations lay out the requirements for manufacturers to obtain permits to test and deploy autonomous-vehicles on public roads. The regulations enable manufacturers to test fully driverless vehicles and authorize the California DMV to issue driverless-testing and deployment permits as of April 2, 2018.
  • The Regulations eliminate provisions included in earlier drafts that limited manufacturer liability under certain circumstances (detailed in our  prior alert). To qualify for testing or deployment permits, however, manufacturers must provide proof of ability to meet $5 million in potential damages.
  • Included in the Regulations are some of the first rules in the Nation to address the collection of personal information by autonomous vehicles, as well as a requirement that vehicles meet applicable and appropriate industry standards for cybersecurity.

I. Introduction

On February 26, 2018, California's Office of Administrative Law (OAL) approved final regulations for the testing and deployment of autonomous vehicles. We reported on the regulations in a  prior alert. Already home to large autonomous vehicle testing facilities and key players in the industry, the new regulations may spur further development within California and could be a model for other states moving forward.

The regulations address (1) the testing of autonomous vehicles; and (2) the deployment of autonomous vehicles. The Regulations, among other things, permit fully driverless testing of autonomous vehicles on California roadways. The DMV has already issued testing permits for manufacturers using test drivers. On April 2, the Department of Motorvehicles (DMV) can begin issuing permits for driverless testing and for deployment of autonomous vehicles.

The new Regulations mark a dramatic change in California's stance toward autonomous vehicles when compared to the state's actions just a few years ago. In 2015, California regulators signaled that they might seek to supplant National Highway Traffic Safety Administration (NHTSA) leadership in this area by imposing strict controls on the testing of autonomous vehicles within the state. The California DMV initially proposed regulations that included restrictive requirements like mandating that all testing be carried out by independent third parties. This all began to change in 2016, after NHTSA issued its own guidelines. In September 2016, the California DMV issued revised draft deployment regulations, which were followed in March 2017 by proposed regulations to establish a path for both testing and deployment of autonomous vehicles. Those proposed rules shied away from many of the strict principles originally included just a couple years before. The March 2017 regulations set off a wave of public comments and revision that ultimately culminated in the final Regulations.     

The final Regulations recognize the preeminence of federal safety standards with regard to motor-vehicle safety on a broad scale. Under the Regulations, manufacturers must certify that their autonomous vehicles comply with all applicable Federal Motor Vehicle Safety Standards, or provide evidence of NHTSA exemption. In the deployment context, manufacturers also must certify that their autonomous technology meets standards for the vehicles' model year and does not make any federal safety standards inoperative, and that they have registered with NHTSA.

California's move to embrace driverless testing may be a signal of the state's desire to keep innovation in the field within its borders. States like Arizona have wooed companies with a more hands-off approach to regulation. Waymo, for example, began testing driverless autonomous vehicles on Arizona roads in October. There are also indications that some companies that began testing autonomous vehicles in California in 2016 moved their testing operations to other states in 2017 (e.g., Ford, Tesla).

II. Overview of Key Provisions in the Regulations

The restrictions in the Regulations apply to manufacturers of autonomous technology, which include both vehicle manufacturers that produce new autonomous vehicles and those who modify vehicles by installing autonomous technology. The Regulations apply to passenger vehicles and not to camp trailers, motorcycles, vehicles weighing more than 10,001 pounds, tour buses or vehicles transporting hazardous materials. CCR 227.28.

The DMV changed or deleted various sections between earlier drafts and the final version of the Regulations. Former Section 228.28, present in the October 2017 draft, but deleted from the final Regulations, would have relieved manufacturers of liability if their autonomous technology was modified in a manner not authorized by the manufacturer or if the vehicle was not properly maintained. Liability is addressed to some extent through requirements that manufacturers provide proof of their ability to pay damages up to $5 million resulting from the operation of autonomous vehicles on public roads, through either evidence of insurance, a surety bond or a certificate of self-insurance. CCR 227.04(c); 228.04. Elimination of the former Section 228.28, however, means that courts will address liability on a case-by-case basis, unless the legislature steps in and provides clarity.

Autonomous vehicles, particularly driverless vehicles, pose a special challenge to law enforcement and first responders. The Regulations recognize this challenge by requiring manufacturers to prepare a law enforcement interaction plan that details, among other things, how law enforcement and first responders should interact with the vehicle and how the vehicle will report who it belongs to and who is operating the vehicle. The plans must be updated on at least an annual basis. CCR 227.38(e); 228.06(c)(3). This aspect of the Regulations seeks to drive practical solutions for what exactly will occur when first responders find a crashed autonomous vehicle and need to know, for example, how to move the vehicle.

The Regulations include some of the first explicit restrictions on the collection and use of personal information in the autonomous-vehicle context. "Personal information" is defined as the "information that the autonomous vehicle collects, generates, records, or stores in an electronic form that is retrieved from the vehicles, that is not necessary for the safe operation of the vehicle, and that is linked or reasonably capable of being linked to the vehicle's registered owner or lessee or passengers using the vehicle for transportation services." CCR 227.02(l). In the testing context, a manufacturer must disclose to passengers what personal information may be collected and how it will be used. CCR 227.38(h). In the deployment context, a manufacturer has the option to either provide a written disclosure to the driver or passengers, or anonymize the personal information. CCR 228.24(a).1  It remains to be seen exactly what kind of information will be classified as "personal information."

III. Permit Application Requirements

A. Requirements for Testing Permits

There are four major prerequisites to testing autonomous vehicles on California roads: (1) the manufacturer must conduct the testing; (2) the vehicle must be operated by a competent and licensed test driver or remote controller who is an employee, contractor or designee of the manufacturer; (3) the manufacturer must provide the DMV with proof of its ability to satisfy judgments for potential damages in the amount of $5 million; and (4) the manufacturer must have a general or driverless testing permit. CCR 227.04. We include an overview of some of the driverless permit requirements here, given the importance of the issue:

  • Conducted Pre-Permit Testing – The vehicles have been tested under controlled conditions that simulate each operational design domain in which the vehicles will be operated and have been reasonably determined to be safe.
  • Notify Local Authorities – Manufacturers must notify authorities where the vehicles will be tested of the operational design domains of the vehicles, the public roads where the vehicles will be tested, the date that testing will begin and when it will be conducted, the number and type of vehicles that will be tested, and the contact information for the testers.
  • Two-Way Communication Link with Remote Operator – Driverless vehicles must be equipped with two-way communication links that provide the remote operator with general information on the vehicle and enables communication between the passengers and the remote operator in the event that there are any issues with the autonomous technology.
  • Process to Communicate Vehicle Information to Observer – There must be a way to display information on the vehicle in the event that there is a collision or it is needed by law enforcement.
  • Comply with Federal Standards or Exemption – The vehicle must comply with relevant federal motor vehicle standards, or it must have an NHTSA exemption.
  • SAE Level 4 or 5 and No Driver Needed – The vehicle must have capabilities that meet the description of an SAE level 4 or 5 automated driving system, with no driver present.
  • Remote-Operator Training – All remote operators must be licensed to operate the type of vehicle at issue and must complete specialized training provided by the manufacturer.  
  • Notification of Personal Information Collection and Use – Passengers must be notified of what personal information is collected from them and how it will be used.
  • Collect Autonomous System Disengagement Data – Manufacturers must collect data on the disengagement of autonomous technology (i.e., the failure of autonomous technology or a need for the remote operator to take control) and submit that data in an annual report.
  • Notify DMV Within 10 Days of Collision – Manufacturers must notify the DMV within 10 days of any collision caused by their vehicles if the collision causes damage, injury or death.
  • Cannot Charge Passengers a Fee – Manufacturers may not charge passengers a fee, nor receive any type of compensation, in exchange for rides in test vehicles.

B. Requirements for Deployment Permits

The requirements to obtain a deployment permit are more onerous than a driverless permit. We provide an overview of some of the key deployment-permit requirements below:

  • Autonomous Operation Parameters – The vehicles must not be able to operate in autonomous mode outside of the specific operational design domains disclosed in the application. Manufacturers must identify any conditions (e.g., fog, wet roads) under which their vehicles are either designed to be incapable of operating or unable to operate reliably.
  • Equipped with Autonomous-Technology Data Recorder – Vehicles must be equipped with a data recorder that captures and stores sensor data for all vehicle functions that are controlled by autonomous technology at least 30 seconds before a collision that occurs in autonomous mode. The data must be in read-only format and be retrievable through commercial means.
  • Compliance with Federal Standards or Exemption – Vehicles must comply with relevant federal safety standards (or have an NHTSA exemption) and with any standards for their respective model year. Manufacturers must register with NHTSA.
  • Designed to Comply with California Vehicle Code and Local Regulations – Autonomous technology must be designed to detect and respond to roadway situations in a manner compliant with the California Vehicle Code and applicable local regulations.  
  • Must Update Autonomous Technology – Manufacturers must update autonomous technology as needed, and at least annually, to ensure compliance with California and local vehicle regulations. They must also make available on a continual basis consistent with changes updates regarding location and mapping information utilized by a vehicle's autonomous technology. Registered owners must be told how to update their systems.
  • Must Meet Industry Cybersecurity Best Practices – Vehicles must meet appropriate and applicable current industry standards to help defend against, detect and respond to cyber-attacks, unauthorized intrusions or false vehicle control commands.
  • Must Conduct Testing and Be Satisfied Safe – Manufacturers must conduct tests and be satisfied from the results that their vehicles are safe for deployment. A summary of such testing must be attached to the permit application and describe testing locations, among other things.
  • Two-Way Communication Link with Remote Operator for Driverless Vehicles – Driverless vehicles must be equipped with two-way communication links, as required of test vehicles.
  • Must Comply with California Vehicle Code Section 38750(c)(1) – Manufacturers must comply with California Vehicle Code Section 38750(c)(1), which requires them to certify that their autonomous technology, among other things, includes a series of safeguards (e.g., an alert when a failure is detected), is easily accessible and has a separate data recorder.
  • Safety-Related Defects Must Be Disclosed – Manufacturers must disclose to the DMV any identified safety-related defects in their autonomous technology that creates an unreasonable risk of safety in compliance with related federal timelines and requirements.
  • Provide Consumer or End-User Education Plan – Manufacturers must provide a consumer or end-user education plan for all vehicles sold or leased by someone other than themselves.
  • Describe How to Meet SAE Level 3-5 Requirements – Manufacturers must describe how a SAE Level 3-5 vehicle will safely come to a complete stop when there is a technology failure.

IV.  Potential Import of New Regulations

California's passage of the final Regulations is likely to usher in an exciting period of innovation within the state and may spur the movement of autonomous vehicles into the everyday. It remains to be seen how courts will interpret these regulations once lawsuits are filed after these vehicles are inevitably involved in accidents. We will continue to monitor these issues and provide periodic updates.


1 If the vehicle is sold or leased, and data is not anonymized, a manufacturer must obtain the written approval of the registered owner or lessee of the vehicle.  CCR 228.24(b).  This may enable fleet operators to authorize the collection of personal information in their fleets after providing only a disclaimer to passengers.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.