There’s a lot of questions when it comes to how to regulate driverless cars—Can you “operate” one if you’re drunk? What if you’re blind? When should a person have to take over? Who is at fault if one crashes? But then there’s one that hasn’t gotten a lot of attention, especially because the technology itself is still developing—what happens when a company knows everything about where you go?

Google, the company leading the driverless car revolution in the United States, is a company that makes almost all of its money by knowing essentially everything about you. What happens when they know where you drive to and when you do it, what route you take, where you stop, what you put in your car, and who’s in the car with you? 

There is very little driverless car regulation in the United States so far, but states are finally willing to broach the subject. Earlier this week, the California Department of Motor Vehicles held a discussion about how to move forward with driverless car legalization, and the organization said the state could be willing to allow privately-owned driverless cars on state roads as early as next year. The state is one of several that already allows Google and other companies to test their driverless cars on an experimental basis.

That legislation, SB. 1298, was passed in 2012 with all of its proposed privacy regulations stripped because Google lobbied for their removal. 

If you think about it, the entire feasibility of driverless cars is based on having an array of cameras and sensors watching everything that’s going on, including what’s happening inside of the car. Driverless cars always know exactly where they’re at and always know what’s happening around them. Suddenly, a company that seemed to be experimenting with a product on a merely can-we-do-it sort of basis seems like one that might just want to inject itself into the one place where it wasn’t already.

“Failure to act will mean substantial privacy risks from the manufacturers’ driverless car technology if there are not protections from what Google is best known for: the collection and use of voluminous personal information about us and our movements,” John Simpson, privacy project director of Consumer Watchdog, said at the California meeting.

“The DMV regulations must give the user control over what data is gathered and how the information will be used," he continued. "Merely stating what data is gathered with no explanation of its use is woefully inadequate. The DMV’s autonomous vehicle regulations must provide that driverless cars gather only the data necessary to operate the vehicle and retain that data only as long as necessary for the vehicle’s operation.”

Simpson says that, left unchecked, driverless cars offer the opportunity for manufacturers to sell driving data to insurance companies, to play personalized, in-car advertisements, and to track consumers’ movements.

In one sense, we’ve had this argument a thousand times before. Smartphones can pick up many of your personal movements in the same way that an automated car would be able to, and many newer cars have a “black box” that records all sorts of data that can be relayed back to manufacturers and police in the event of a crash.

It’s something that some of the country’s larger privacy organizations have begun working on. Last year, the Electronic Frontier Foundation, Electronic Privacy Information Center, American Civil Liberties Union, and several other privacy organizations asked the National Highway Traffic Safety Administration to reconsider a rule that would require all new cars to have a black box (formally known as an Electronic Data Recorder) that collects real-time crash data due to privacy concerns. They said that black boxes will collect too much data, that there is a growing “market” for that data, and that consumers should have control over who gets that data.

Among other concerns, the group asked that the NHTSA "explicitly restricts the amount of data that EDRs collect … uphold Privacy Act protections and grant vehicle owners and operators control over their data … [and] require security standards to maintain the integrity of EDR data.”

Regular cars can function without a black box, but driverless cars can’t function without a multitude of cameras and sensors. “The technology is based on mapping,” Brian Soublet, assistant chief counsel of the California DMV said. “Those maps are and need to be constantly updated in order for it to work.”

At the meeting, a representative for Volkswagen said that cars are already collecting much of the data that Simpson is worried about, and that current legislation and built-in manufacturer data protection is already fairly common. A spokesperson for Google at the meeting declined to respond to Simpson's concerns.

“There’s a big difference between crash data and the other types of data. Crash data is constantly recorded in volatile memory and nobody can access that. The only time it gets hard stored is after a crash, otherwise there is no data,” the Volkswagen rep said. “If you’re talking about the other things that are wirelessly extracted, that’s a different ballpark, but it’s happening already through other wireless media and there might already be laws that would cover autonomous vehicles as well as regular vehicles.”