Your Car Is Spying on You: New US Law Makes It Worse

Modern Vehicles Collect Massive Amounts of Personal Data

Modern cars are increasingly becoming surveillance devices on wheels, collecting vast amounts of personal data about drivers and passengers. A new US federal law will soon mandate infrared biometric cameras in all new vehicles, raising serious privacy concerns. The car data privacy crisis is poised to escalate as automakers gain access to even more intimate information about drivers.

According to a 2023 report by Mozilla, cars are officially the worst product category ever reviewed for privacy. The foundation examined the privacy policies of 25 car brands and found that every single one failed to meet basic privacy and security standards. Automakers collect data including name, age, race, gender, weight, psychological profiles, and even facial expressions. 84% of brands share or sell data to third parties, while 56% would comply with informal government requests for driver information.

What Data Is Your Car Collecting?

Modern internet-connected vehicles—expected to represent 95% of all cars by 2030 according to McKinsey—function as rolling computers. The data collected includes:

• Personal identification: Name, address, email, phone number
• Biometric data: Facial expressions, eye movements, pupil dilation
• Health information: Weight, heart rate, potential impairment indicators
• Behavioral data: Driving habits, routes, speed, braking patterns
• Location data: Precise GPS tracking of every trip
• In-cabin audio and video: Recordings of conversations and activities inside the vehicle

Mozilla's research found that some manufacturers, like Nissan, collect data categories as invasive as 'sexual activity.' Only European brands Renault and Dacia sold in the US allow drivers to request deletion of their data. The rest, as Mozilla noted, 'do whatever they can get away with legally.'

New US Law Mandates Biometric Cameras in All Vehicles

Under the 2021 Infrastructure Investment and Jobs Act (Section 24220), the National Highway Traffic Safety Administration (NHTSA) is developing rules to require 'Advanced Impaired Driving Prevention Technology' in all new passenger vehicles starting September 2027. The technology uses infrared cameras and sensors mounted on steering columns or A-pillars to track eye movement, pupil dilation, and signs of drowsiness or intoxication.

If the system detects impairment—such as a blood alcohol concentration at or above 0.08%—it can prevent the vehicle from starting, limit its speed, or even pull it over safely. The mandate, supported by Mothers Against Drunk Driving (MADD) and the Insurance Institute for Highway Safety, aims to save an estimated 9,000 to 10,000 lives per year from alcohol-related crashes.

Privacy Risks of Mandatory Driver Monitoring

Privacy advocates warn that the mandate lacks explicit federal protections for the biometric data collected. Jen Caltrider, a privacy researcher at Mozilla, told the BBC: 'It would be great if there was a guarantee that the data wouldn't be used for purposes other than keeping drunk drivers off the road, but that's not what's happening. Much of the data collection in cars is done under the guise of safety.'

The same infrared cameras that monitor for impairment could also track emotional states, attention levels, and even medical conditions. Without a comprehensive federal privacy law, automakers may sell this data to insurers, data brokers, or law enforcement. Currently, protections remain a patchwork—Illinois' Biometric Information Privacy Act (BIPA) and California's privacy laws offer partial coverage, but no federal law specifically governs in-vehicle biometric data.

Real-World Consequences: Insurance and Law Enforcement

The risks are not theoretical. In New York, a driver discovered that General Motors had sold 130 pages of his driving data to data broker LexisNexis, after which his insurance premiums mysteriously increased. The Federal Trade Commission (FTC) intervened against GM, but other manufacturers continue selling driver data unchecked. Automakers can earn up to $100 per vehicle annually from data monetization.

Law enforcement access is another concern. Mozilla found that 56% of car brands would share data with police or government agencies even on informal requests—without a warrant. The FTC action against GM data sharing set a precedent, but privacy advocates argue stronger legislation is needed.

What Can Drivers Do to Protect Their Privacy?

Until federal privacy laws catch up, drivers can take steps to limit data collection:

• Review privacy settings: Many vehicles allow you to opt out of data sharing through the infotainment system
• Disable connectivity features: Turn off Wi-Fi, Bluetooth, and cellular data when not needed
• Check your carmaker's privacy policy: Look for data collection and sharing practices on the manufacturer's website
• Support privacy legislation: Advocate for laws like the proposed Auto Data Privacy and Autonomy Act
• Consider European brands: Renault and Dacia offer better data deletion rights in the US market

Darrell West, senior fellow at the Brookings Institution, told the BBC: 'People would be astonished if they knew the amount of data their car collects and transmits to others, either the manufacturer or third-party applications.'

Frequently Asked Questions

What is the new US car surveillance law?

The Advanced Impaired Driving Prevention Technology mandate, part of the 2021 Infrastructure Investment and Jobs Act, requires all new passenger vehicles sold in the US starting September 2027 to include technology that detects driver impairment. This includes infrared cameras and breath-based sensors that monitor for alcohol, drowsiness, and distraction.

Can car companies sell my driving data?

Yes. Mozilla's 2023 study found that 84% of car brands share or sell personal data to third parties, and 76% can sell data outright. Automakers often monetize driver data by selling it to data brokers, insurance companies, and advertisers. There is currently no federal law prohibiting this practice.

How can I stop my car from collecting data?

You can limit data collection by disabling connected services in your vehicle's settings, avoiding linking your phone or accounts, and reviewing the privacy policy of your car manufacturer. Some brands, like Renault and Dacia, allow you to request deletion of your data. However, the new mandate will make biometric monitoring mandatory and non-opt-outable.

What data do biometric cameras in cars collect?

The infrared cameras track eye movement, pupil dilation, head position, and facial expressions to detect signs of drowsiness, distraction, or intoxication. This biometric data can reveal medical conditions, emotional states, and other sensitive information. Without strong privacy protections, this data could be shared or sold.

Are European cars better for privacy?

Mozilla's research found that only Renault and Dacia (European brands sold in the US) give drivers the right to have their data deleted. European Union regulations like GDPR provide stronger privacy protections, but cars sold in the US must comply with US laws, which are less comprehensive.

Sources

Mozilla Foundation - Cars: Worst Product Category for Privacy

BBC Future - Your Car Is Spying on You

NHTSA Report to Congress - Advanced Impaired Driving Prevention Technology

New York Times - Carmakers Are Tracking Drivers and Sharing Data With Insurers