California’s Department of Motor Vehicles (DMV) today proposed a rule change that would let companies deploy “light-duty” autonomous trucks on public roads. Specifically, it seeks to allow the testing of self-driving vehicles weighing less than 10,001 pounds with an approved permit from regulators, provided they don’t charge a delivery fee.
Organizations would still have to apply for a deployment (public use) permit to make their autonomous technologies commercially available, the DMV says, and the regulations would exclude the testing or deployment of autonomous cars weighing more than 10,001 pounds. But the tweaked rules appear to be a step toward legalizing the kinds of vehicles currently being piloted by Nuro and Udelv, among others.
Today’s release marks the start of a 45-day public comment period (ending May 27, 2019), during which the DMV will hold a public hearing at its Sacramento headquarters to gather input on the regulations. It’s targeting to complete the rulemaking within the year.
The Verge, which spotted the news this afternoon, notes that California is a veritable hotbed for autonomous vehicle startups. More than 60 companies have permits to test over 300 autonomous licensed cars, according to the DMV, including Waymo, which has a permit to test fully driverless vehicles on public roads.
Autonomous delivery is poised to become a particularly lucrative segment of the driverless car market, which is forecast to be worth $ 65.3 billion by 2027. In fact, the McKinsey Institute predicts that self-driving shuttles and rovers will make up 85% of last-mile deliveries by 2025.
Nuro and Udelv compete against the likes of Marble, Starship Technologies, BoxBot, Dispatch, Robby Technologies, and Ike. Robomart recently announced plans to test its driverless grocery store on wheels; Ford is collaborating with Postmates to deliver items from Walmart stores in Miami-Dade County; and Amazon last month debuted Scout, an autonomous delivery robot.
There’s also TuSimple, a three-year-old autonomous truck company with autonomous vehicles operating in Arizona, California, and China, and venture-backed Swedish driverless car company Einride. Meanwhile, Paz Eshel and former Uber and Otto engineer Don Burnette recently secured $ 40 million for startup Kodiak Robotics. That’s not to mention Embark, which integrates its self-driving systems into Peterbilt semis — and which recently launched a pilot with Amazon to haul cargo.
Public comments show lingering problems with California’s data privacy law
Earlier this month, the California Office of the Attorney General (CAG) held hearings across four cities where the public could offer comments and feedback to lawmakers as part of the rulemaking process for the California Consumer Privacy Act (CCPA). The hearings drew speakers from across a variety of industries, and their oral comments, as well as other written comments sent to the CAG’s office by Friday, December 6, are now available on the California Attorney General’s CCPA page.
While the hearings drew a number of concerns about the new data privacy law, which goes into effect January 1, four core issues emerged.
1. Crucial CCPA terms aren’t clearly defined
The most prominent concern that came out of the hearings was that terms central to the CCPA are unclear, making it difficult for companies to feel fully confident they are in compliance. At the San Francisco hearing alone, speakers said the definitions of personal information (PI) and service provider are unclear, as is what constitutes a sell. Speakers at the Los Angeles hearing made similar comments, adding that other terms like “business,” “reasonable security measures,” and “secure” transmissions of personal information were also unclear.
A common refrain was that the CCPA’s language was too vague or broad and overreaching. As a consequence, organizations have found key sections of the CCPA difficult to operationalize. They worry that the ambiguity of these terms could result in significant unintended consequences. For example, some argued that the broad definitions of PI and business may extend the reach of the CCPA to businesses that the AG likely had no intention of regulating, like small operations that serve fewer than 50,000 California customers but run high-traffic websites using cookies.
2. It’s unclear how CCPA’s scope effects other industry-specific regulation
Several commentators expressed confusion over the CCPA’s scope as it applies to companies that are already subject to industry-specific privacy legislation. At the San Francisco hearing, one speaker, representing a San Francisco credit union, indicated that the Gramm-Leach-Bliley Act (GLBA) and California Financial Information Privacy Act have definitions of PI that differ from the CCPA. She noted, though, that while the CCPA spells out exemptions to PI collected under the GLBA, inconsistencies in the definition of PI between laws have resulted in multiple interpretations about how the CCPA applies to data credit unions collect. Similar confusion may surround other regulations like HIPAA. At the Sacramento hearing, a speaker asked for clarification on how de-identification under the CCPA differs from de-identification under HIPAA, and how any de-identified data exempt from HIPAA should be handled by the CCPA.
3. Smaller organizations will have trouble meeting the January 1 deadline
Given the extensive scope of the CCPA, it’s no surprise that small and medium businesses have expressed concerns about the law’s reach and implications. Some organizations have said publicly that they’ll have substantial difficulty meeting the January 1 compliance deadline. At the San Francisco hearing, two speakers requested the compliance deadline be moved to 2022 to ensure their organizations could build a robust compliance program.
4. The system for data requests could be open to abuse
Speakers at the Los Angeles and San Francisco hearings also raised concerns about the potential for abuse with the request system. For example, they said that if companies were required to take unverified opt-out requests seriously, it could invite mass bot attacks by bad actors, either online or by phone. It’s been argued elsewhere that such abuse could effectively result in data request “denial of service” style attacks against organizations as their staff and infrastructure become tied up in an effort to respond to an unanticipated flood of fake requests. While tools exist to help automate data discovery and responses to data requests, some speakers argued that a “reasonable degree of certainty” should be the standard applied to requests, as that would give businesses more bandwidth to handle the issue.
What happens now?
Now that the hearings and the public comment period have passed, the CAG may use comments to revise the current draft regulations, after which the public will have 15 days (or longer) to provide comments on the revisions. So even though the CCPA goes into effect January 1, 2020, organizations should still expect changes to the law. Stakeholders should follow the rule-making process closely while making sure to submit any concerns to the CAG during the next comment period. Enforcement of the finalized law will begin July 1, 2020; however, organizations must make good faith efforts to comply starting January 1, 2020 and can be held liable for breaches of the law after this date.
Michael Osakwe is a tech writer and Content Marketing Manager at Nightfall AI.
Let’s block ads! (Why?)
Big Data – VentureBeat