A provision in the 2021 Infrastructure Investment and Jobs Act (Section 24220) requires the National Highway Traffic Safety Administration to develop a federal safety standard for advanced impaired driving prevention technology in all new passenger vehicles. The law sets a deadline: by 2027, every new car sold in the United States must include technology that can detect whether a driver is impaired and prevent the vehicle from operating. NHTSA's proposed approach? Cameras pointed at your face, monitoring you constantly while you drive. This is not theoretical. The rulemaking process is underway. And it arrives on top of an existing surveillance infrastructure that automakers have already built into your car without asking. The NHTSA Proposed Rule for Driver Monitoring Systems Section 24220 directed NHTSA to establish a safety standard requiring passive technology that can detect driver impairment and prevent or limit vehicle operation. "Passive" means the system must work without the driver doing anything -- no breathalyzer, no ignition interlock device. NHTSA's Advance Notice of Proposed Rulemaking identifies driver monitoring systems (DMS) using cabin-facing cameras and sensors as the most likely technological approach. These systems would use cameras mounted on the steering column or dashboard to continuously track: Eye movement and gaze direction Blink rate and eyelid closure Head position and nodding Facial expressions Hand position on the steering wheel AI algorithms would analyze this data in real time to determine whether the driver is impaired by alcohol, drugs, fatigue, or distraction. If the system determines impairment, it could trigger warnings, limit vehicle speed, or prevent the car from starting. NHTSA has missed multiple rulemaking deadlines, and the technology is not yet reliable enough to meet the statutory requirements. The timeline is uncertain. But the direction is clear: the federal government wants cameras watching you every time you get behind the wheel. What Data Modern Cars Already Collect Before the mandate even takes effect, your car is likely already collecting more data than you realize. Modern vehicles are essentially rolling surveillance platforms. Location data: GPS tracking records everywhere you go, when you go there, how long you stay, and how fast you travel between points. This data is collected continuously, even when you're not using navigation. Driving behavior: Speed, acceleration, braking force, cornering, lane changes, and trip start/end times are logged and stored. Some systems record second-by-second telemetry. Cabin cameras: Multiple automakers already install driver-facing cameras for features like "driver attention monitoring." Tesla, BMW, Subaru, Ford, and others use cabin cameras. In most cases, the cameras are always on when the car is running. Microphones: Built-in microphones for voice assistants and hands-free calling are standard. The always-listening capability is a feature, not a bug. Infotainment data: Phone contacts, call logs, text messages, browsing history, and music preferences synced from your phone are stored on the vehicle's systems. Biometric data: Some vehicles now collect fingerprints (for door/ignition), voice prints, and facial recognition data for driver profiles. The Mozilla Foundation's 2023 "Privacy Not Included" investigation examined 25 major car brands and found that every single one collected what Mozilla categorized as "too much personal data." The report concluded that connected cars are the worst product category for privacy that Mozilla has ever reviewed -- worse than smart home devices, fitness trackers, and mental health apps. The GM OnStar FTC Scandal In January 2025, the Federal Trade Commission took action against General Motors and its OnStar division for collecting and selling drivers' precise geolocation and driving behavior data without proper consent. Here is what happened: GM used a misleading enrollment process for its OnStar Smart Driver program. Consumers were signed up during vehicle purchase or lease without being clearly told what data would be collected or how it would be used. The program collected detailed driving data including precise GPS coordinates, speed, hard braking events, rapid acceleration, and trip timestamps for hundreds of thousands of vehicles. GM sold this data to data brokers including LexisNexis Risk Solutions and Verisk, which compiled the data into consumer risk profiles and sold those profiles to insurance companies. Drivers were not informed that their data was being shared with insurance companies. Many first learned about it when they received insurance rate increases or denial letters they could not explain. In January 2026, the FTC finalized its order: a five-year ban on GM disclosing geolocation and driver behavior data to consumer reporting agencies. GM was also required to delete the data it had already collected unless consumers gave explicit consent for retention. In May 2026, GM agreed to pay California a $12 million civil penalty for violating state privacy law related to the same conduct. A federal court has since allowed key claims in a class-action data privacy lawsuit against GM and OnStar to proceed. GM is not the only automaker doing this. They are just the one that got caught first. Insurance Company Data Partnerships The GM case exposed a data pipeline that exists across the auto industry: Automakers collect driving behavior data through telematics systems built into vehicles Data brokers like LexisNexis Risk Solutions and Verisk purchase this data and compile consumer risk profiles -- detailed reports showing every trip taken, hard braking event, speeding incident, and late-night drive Insurance companies including Progressive, Allstate, and State Farm purchase these risk profiles and use them to set rates, deny coverage, or target marketing to "desirable" drivers Drivers are never told any of this is happening LexisNexis risk profiles were found to contain data on every trip a driver had taken in their GM vehicle -- start time, end time, route, and driving events. Verisk operated a similar product but shut it down in June 2024 after the New York Times investigation and public backlash. The pipeline does not require your consent. In most cases, it does not even require your knowledge. Your car collects the data, the automaker sells it, the broker packages it, and your insurance company uses it to raise your rates. You find out last, if at all. How Car Data Is Sold to Data Brokers The automotive data economy operates through a network of intermediaries: OEM telematics platforms: Built into the car, these systems transmit data to the manufacturer's cloud. You cannot opt out without disabling connectivity features. Data aggregators: Companies like Otonomo, Wejo, and Smartcar serve as data marketplaces, purchasing raw vehicle data from automakers and reselling it to insurers, marketers, municipal planners, and law enforcement. Law enforcement access: A May 2025 WIRED investigation revealed that US police are being trained to extract personal data from connected cars -- often without drivers' knowledge or a warrant. The Difference Between Safety Features and Surveillance Automakers and regulators frame driver monitoring as a safety feature. There is no question that impaired driving kills people. Approximately 13,000 people die annually in alcohol-related crashes in the United States. Technology that could prevent those deaths is worth discussing. But safety and surveillance are not the same thing. Here is the difference: Safety feature: Detects impairment, prevents vehicle operation, deletes the data immediately. No retention, no transmission, no secondary use. Surveillance system: Collects continuous biometric and behavioral data, stores it, transmits it to external servers, makes it available to third parties, and provides no meaningful mechanism for driver control or deletion. The NHTSA mandate does not include data retention limits, use restrictions beyond the immediate impairment detection function, or prohibitions on secondary data use. Without those guardrails, a safety mandate becomes a surveillance mandate. The camera that watches for impairment can also watch for everything else. The data that proves you were drowsy can also prove where you went, who was in the car, and what you did. What Privacy Advocates Are Pushing For Organizations including the Electronic Privacy Information Center (EPIC), Consumer Reports, and the Electronic Frontier Foundation have called for: Data minimization: DMS systems should collect only the data necessary for impairment detection and delete it immediately after processing. No retention, no storage, no transmission. Purpose limitation: Any data collected for safety purposes must be legally prohibited from use for any other purpose -- insurance, marketing, law enforcement, or otherwise. Opt-out rights: Drivers must have the ability to disable data collection and transmission without losing core vehicle functionality. Warrant requirements: Law enforcement must obtain a warrant before accessing any vehicle data, including DMS data. Independent oversight: Third-party audits of DMS data handling, with public reporting on compliance. No preemption of stronger state laws: A federal standard should not override state privacy laws that provide greater protection. What You Can Do Check your car's privacy settings: Most connected vehicles have settings to control data sharing. Look in the infotainment system or the manufacturer's mobile app. Disable what you can. Request your data: Under some state privacy laws, you can request the data automakers have collected about you. File a request with your vehicle manufacturer and with LexisNexis and Verisk. Contact NHTSA: The rulemaking process includes public comment periods. Submit comments opposing DMS mandates that lack data privacy guardrails. Tell your representatives: The 2027 mandate was created by Congress. Congress can amend it. Demand that any DMS requirement include strict data minimization, purpose limitation, and warrant requirements. Don't connect your phone: Syncing your phone to your car's infotainment system gives the vehicle access to your contacts, messages, call logs, and location history. Use a standalone GPS and a dash mount instead. Support privacy legislation: The automotive data economy exists because there is no comprehensive federal privacy law. State laws like the California Consumer Privacy Act provide some protection. Federal legislation is overdue. Be aware at purchase time: When buying a new car, ask about data collection practices before signing. Request written information about what data the vehicle collects, how it is used, and whether it is sold. Walk away if the dealer cannot answer. Your car is already collecting data about you. The government wants to require cameras that watch your face while you drive. Automakers want to sell the data. Insurance companies want to buy it. Police want access to it. Nobody in this chain is asking for your consent. The technology to detect impaired driving without building a surveillance system exists. The choice to build surveillance instead of safety is deliberate. It needs to be challenged -- before every new car becomes a surveillance machine that you pay for and cannot refuse. --- _Sources include the National Highway Traffic Safety Administration Advance Notice of Proposed Rulemaking, FTC complaints and orders against General Motors and OnStar, the Mozilla Foundation 2023 "Privacy Not Included" report on connected cars, the New York Times investigation into automaker data sharing with insurers, and WIRED reporting on law enforcement access to connected car data._