Ride-hailing companies have bet on a future with autonomous vehicles. It's a future filled with privacy compliance complications for in-house counsel.

A panel of outside and in-house counsel discussed autonomous vehicles' data collection and the impacts of future and current privacy regulation, particularly the California Consumer Privacy Act, on the emerging technology at the Minority Corporate Counsel Association's Global TEC Forum on Friday in San Francisco.

Panelist Darah Okeke, senior employment counsel at Uber Technologies Inc., said vehicles can track health, location or safety information, which people may not be comfortable sharing.

“It's really interesting when you see this expanded definition of personal information that now includes … things like how you smell or your size or your weight,” Okeke said. “Things that are really personal to you, things that you often can't change about yourself. And so if we're now in a space where companies are collecting this data about consumers and about drivers, we need to question ourselves.”

Brett Cook, an associate general counsel of data privacy, cybersecurity and investigations for the U.S. Navy, said companies designing or using autonomous vehicles should consider the ethical implications of sharing data with law enforcement. High-tech cars may be able to tell when a person is intoxicated or near a crime scene.

Vehicles can also collect health-habit data about trips to the gym or fast food restaurants, noted moderator Jeewon Kim Serrato, Norton Rose Fulbright's U.S. head of data protection, privacy and cybersecurity and former chief privacy officer of Fannie Mae.

“Do [car owners] have a right to say, 'Hey, Volvo. Hey, Uber. Delete my data. I don't want to be tracked. I don't want the autonomous vehicle to know that I like to have In-N-Out every night at 10 p.m.,'” Serrato asked. ”So what type of data then is necessary to be kept? What is the obligation for a company to keep the data for accounting purposes, for responding to law enforcement?”

Self-driving cars could also raise privacy issues around gathering children's data, Serrato said. CCPA requires opt-in consent from minors between 13 and 16, and a guardian's consent to collect data from children under 13.

Offering rides to mixed-age groups could get complicated. It's unclear how young riders who don't order the car will be notified about their privacy rights or provide consent. Cars could collect the data of children playing on tablets or phones during a ride, as well as location data.

“When you are putting a lot of these automation products and services into the market, and it's the machine who has decided what data to collect … how do you know what data has been collected and to whom it's transferred when there is no human involvement?” Serrato said.

She tossed that scenario to the audience—a mix of around 40 in-house counsel and firm lawyers—to brainstorm, alongside two other scenarios: who owns the data collected by a leased car, and whether location-based suggestion services for restaurants or gas stations should be opt-in.

Many respondents noted these issues are complicated and, at the moment, unclear from a regulatory standpoint. Lior Nuchi, a panelist and Norton Rose Fullbright partner said it's possible companies will see more privacy regulation related to autonomous vehicles in the coming years as public awareness grows.

Cook noted autonomous vehicles' data collection processes can be a good thing if done responsibly, leading to safer vehicles and roads.

“Maybe you want the car to know when you're in danger and you want it to communicate, to get help. Or if your vehicle is faulty … If there's a problem, this data it's collecting and sharing could be used to help you,” Cook said. “How can we be educated on what's needed, and what's just monetary data?”