Overview of California’s Final Autonomous Vehicle Testing and Deployment Regulations – Fully Driverless Vehicles Permitted

by Akin Gump Strauss Hauer & Feld LLP

Akin Gump Strauss Hauer & Feld LLP

Key Points

  • California’s new regulations lay out the requirements for manufacturers to obtain permits to test and deploy autonomous-vehicles on public roads. The regulations enable manufacturers to test fully driverless vehicles and authorize the California DMV to issue driverless-testing and deployment permits as of April 2, 2018.
  • The Regulations eliminate provisions included in earlier drafts that limited manufacturer liability under certain circumstances (detailed in our prior alert). To qualify for testing or deployment permits, however, manufacturers must provide proof of ability to meet $5 million in potential damages.
  • Included in the Regulations are some of the first rules in the Nation to address the collection of personal information by autonomous vehicles, as well as a requirement that vehicles meet applicable and appropriate industry standards for cybersecurity.

I. Introduction

On February 26, 2018, California's Office of Administrative Law (OAL) approved final regulations for the testing and deployment of autonomous vehicles. We reported on the regulations in a prior alert. Already home to large autonomous vehicle testing facilities and key players in the industry, the new regulations may spur further development within California and could be a model for other states moving forward.

The regulations address (1) the testing of autonomous vehicles; and (2) the deployment of autonomous vehicles. The Regulations, among other things, permit fully driverless testing of autonomous vehicles on California roadways. The DMV has already issued testing permits for manufacturers using test drivers. On April 2, the Department of Motorvehicles (DMV) can begin issuing permits for driverless testing and for deployment of autonomous vehicles.

The new Regulations mark a dramatic change in California’s stance toward autonomous vehicles when compared to the state’s actions just a few years ago. In 2015, California regulators signaled that they might seek to supplant National Highway Traffic Safety Administration (NHTSA) leadership in this area by imposing strict controls on the testing of autonomous vehicles within the state. The California DMV initially proposed regulations that included restrictive requirements like mandating that all testing be carried out by independent third parties. This all began to change in 2016, after NHTSA issued its own guidelines. In September 2016, the California DMV issued revised draft deployment regulations, which were followed in March 2017 by proposed regulations to establish a path for both testing and deployment of autonomous vehicles. Those proposed rules shied away from many of the strict principles originally included just a couple years before. The March 2017 regulations set off a wave of public comments and revision that ultimately culminated in the final Regulations.     

The final Regulations recognize the preeminence of federal safety standards with regard to motor-vehicle safety on a broad scale. Under the Regulations, manufacturers must certify that their autonomous vehicles comply with all applicable Federal Motor Vehicle Safety Standards, or provide evidence of NHTSA exemption. In the deployment context, manufacturers also must certify that their autonomous technology meets standards for the vehicles’ model year and does not make any federal safety standards inoperative, and that they have registered with NHTSA.

California’s move to embrace driverless testing may be a signal of the state’s desire to keep innovation in the field within its borders. States like Arizona have wooed companies with a more hands-off approach to regulation. Waymo, for example, began testing driverless autonomous vehicles on Arizona roads in October. There are also indications that some companies that began testing autonomous vehicles in California in 2016 moved their testing operations to other states in 2017 (e.g., Ford, Tesla).

II. Overview of Key Provisions in the Regulations

The restrictions in the Regulations apply to manufacturers of autonomous technology, which include both vehicle manufacturers that produce new autonomous vehicles and those who modify vehicles by installing autonomous technology. The Regulations apply to passenger vehicles and not to camp trailers, motorcycles, vehicles weighing more than 10,001 pounds, tour buses or vehicles transporting hazardous materials. CCR 227.28.

The DMV changed or deleted various sections between earlier drafts and the final version of the Regulations. Former Section 228.28, present in the October 2017 draft, but deleted from the final Regulations, would have relieved manufacturers of liability if their autonomous technology was modified in a manner not authorized by the manufacturer or if the vehicle was not properly maintained. Liability is addressed to some extent through requirements that manufacturers provide proof of their ability to pay damages up to $5 million resulting from the operation of autonomous vehicles on public roads, through either evidence of insurance, a surety bond or a certificate of self-insurance. CCR 227.04(c); 228.04. Elimination of the former Section 228.28, however, means that courts will address liability on a case-by-case basis, unless the legislature steps in and provides clarity.

Autonomous vehicles, particularly driverless vehicles, pose a special challenge to law enforcement and first responders. The Regulations recognize this challenge by requiring manufacturers to prepare a law enforcement interaction plan that details, among other things, how law enforcement and first responders should interact with the vehicle and how the vehicle will report who it belongs to and who is operating the vehicle. The plans must be updated on at least an annual basis. CCR 227.38(e); 228.06(c)(3). This aspect of the Regulations seeks to drive practical solutions for what exactly will occur when first responders find a crashed autonomous vehicle and need to know, for example, how to move the vehicle.

The Regulations include some of the first explicit restrictions on the collection and use of personal information in the autonomous-vehicle context. “Personal information” is defined as the “information that the autonomous vehicle collects, generates, records, or stores in an electronic form that is retrieved from the vehicles, that is not necessary for the safe operation of the vehicle, and that is linked or reasonably capable of being linked to the vehicle’s registered owner or lessee or passengers using the vehicle for transportation services.” CCR 227.02(l). In the testing context, a manufacturer must disclose to passengers what personal information may be collected and how it will be used. CCR 227.38(h). In the deployment context, a manufacturer has the option to either provide a written disclosure to the driver or passengers, or anonymize the personal information. CCR 228.24(a).1  It remains to be seen exactly what kind of information will be classified as “personal information.”

III. Permit Application Requirements

A. Requirements for Testing Permits

There are four major prerequisites to testing autonomous vehicles on California roads: (1) the manufacturer must conduct the testing; (2) the vehicle must be operated by a competent and licensed test driver or remote controller who is an employee, contractor or designee of the manufacturer; (3) the manufacturer must provide the DMV with proof of its ability to satisfy judgments for potential damages in the amount of $5 million; and (4) the manufacturer must have a general or driverless testing permit. CCR 227.04. We include an overview of some of the driverless permit requirements here, given the importance of the issue:

  • Conducted Pre-Permit Testing – The vehicles have been tested under controlled conditions that simulate each operational design domain in which the vehicles will be operated and have been reasonably determined to be safe.
  • Notify Local Authorities – Manufacturers must notify authorities where the vehicles will be tested of the operational design domains of the vehicles, the public roads where the vehicles will be tested, the date that testing will begin and when it will be conducted, the number and type of vehicles that will be tested, and the contact information for the testers.
  • Two-Way Communication Link with Remote Operator – Driverless vehicles must be equipped with two-way communication links that provide the remote operator with general information on the vehicle and enables communication between the passengers and the remote operator in the event that there are any issues with the autonomous technology.
  • Process to Communicate Vehicle Information to Observer – There must be a way to display information on the vehicle in the event that there is a collision or it is needed by law enforcement.
  • Comply with Federal Standards or Exemption – The vehicle must comply with relevant federal motor vehicle standards, or it must have an NHTSA exemption.
  • SAE Level 4 or 5 and No Driver Needed – The vehicle must have capabilities that meet the description of an SAE level 4 or 5 automated driving system, with no driver present.
  • Remote-Operator Training – All remote operators must be licensed to operate the type of vehicle at issue and must complete specialized training provided by the manufacturer.  
  • Notification of Personal Information Collection and Use – Passengers must be notified of what personal information is collected from them and how it will be used.
  • Collect Autonomous System Disengagement Data – Manufacturers must collect data on the disengagement of autonomous technology (i.e., the failure of autonomous technology or a need for the remote operator to take control) and submit that data in an annual report.
  • Notify DMV Within 10 Days of Collision – Manufacturers must notify the DMV within 10 days of any collision caused by their vehicles if the collision causes damage, injury or death.
  • Cannot Charge Passengers a Fee – Manufacturers may not charge passengers a fee, nor receive any type of compensation, in exchange for rides in test vehicles.

B. Requirements for Deployment Permits

The requirements to obtain a deployment permit are more onerous than a driverless permit. We provide an overview of some of the key deployment-permit requirements below:

  • Autonomous Operation Parameters – The vehicles must not be able to operate in autonomous mode outside of the specific operational design domains disclosed in the application. Manufacturers must identify any conditions (e.g., fog, wet roads) under which their vehicles are either designed to be incapable of operating or unable to operate reliably.
  • Equipped with Autonomous-Technology Data Recorder – Vehicles must be equipped with a data recorder that captures and stores sensor data for all vehicle functions that are controlled by autonomous technology at least 30 seconds before a collision that occurs in autonomous mode. The data must be in read-only format and be retrievable through commercial means.
  • Compliance with Federal Standards or Exemption – Vehicles must comply with relevant federal safety standards (or have an NHTSA exemption) and with any standards for their respective model year. Manufacturers must register with NHTSA.
  • Designed to Comply with California Vehicle Code and Local Regulations – Autonomous technology must be designed to detect and respond to roadway situations in a manner compliant with the California Vehicle Code and applicable local regulations.  
  • Must Update Autonomous Technology – Manufacturers must update autonomous technology as needed, and at least annually, to ensure compliance with California and local vehicle regulations. They must also make available on a continual basis consistent with changes updates regarding location and mapping information utilized by a vehicle’s autonomous technology. Registered owners must be told how to update their systems.
  • Must Meet Industry Cybersecurity Best Practices – Vehicles must meet appropriate and applicable current industry standards to help defend against, detect and respond to cyber-attacks, unauthorized intrusions or false vehicle control commands.
  • Must Conduct Testing and Be Satisfied Safe – Manufacturers must conduct tests and be satisfied from the results that their vehicles are safe for deployment. A summary of such testing must be attached to the permit application and describe testing locations, among other things.
  • Two-Way Communication Link with Remote Operator for Driverless Vehicles – Driverless vehicles must be equipped with two-way communication links, as required of test vehicles.
  • Must Comply with California Vehicle Code Section 38750(c)(1) – Manufacturers must comply with California Vehicle Code Section 38750(c)(1), which requires them to certify that their autonomous technology, among other things, includes a series of safeguards (e.g., an alert when a failure is detected), is easily accessible and has a separate data recorder.
  • Safety-Related Defects Must Be Disclosed – Manufacturers must disclose to the DMV any identified safety-related defects in their autonomous technology that creates an unreasonable risk of safety in compliance with related federal timelines and requirements.
  • Provide Consumer or End-User Education Plan – Manufacturers must provide a consumer or end-user education plan for all vehicles sold or leased by someone other than themselves.
  • Describe How to Meet SAE Level 3-5 Requirements – Manufacturers must describe how a SAE Level 3-5 vehicle will safely come to a complete stop when there is a technology failure.

IV.  Potential Import of New Regulations

California’s passage of the final Regulations is likely to usher in an exciting period of innovation within the state and may spur the movement of autonomous vehicles into the everyday. It remains to be seen how courts will interpret these regulations once lawsuits are filed after these vehicles are inevitably involved in accidents. We will continue to monitor these issues and provide periodic updates.

1 If the vehicle is sold or leased, and data is not anonymized, a manufacturer must obtain the written approval of the registered owner or lessee of the vehicle.  CCR 228.24(b).  This may enable fleet operators to authorize the collection of personal information in their fleets after providing only a disclaimer to passengers.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Akin Gump Strauss Hauer & Feld LLP | Attorney Advertising

Written by:

Akin Gump Strauss Hauer & Feld LLP

Akin Gump Strauss Hauer & Feld LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.