New DRIVER Act Mandates Free, Real-Time Access to Your Car Data, But Exceptions Abound

The Data Rights for Information and Vehicle Electronics in Real-time Act, or the DRIVER Act, is here to address that little fact that your car is basically a rolling smartphone that generates massive amounts of data about where you go, how fast you drive, and even your biometric characteristics. This bill steps in to give you, the vehicle owner, the keys to that data.

The Keys to Your Car’s Data Vault

Section 2 of the DRIVER Act is the core of the deal: it requires car manufacturers to give owners secure, real-time access and joint control over all their vehicle’s data. This access must be provided at absolutely no extra cost beyond the original purchase price. No hidden fees, no required manufacturer devices, and no decryption licenses needed. You get the data through the vehicle’s interface port and wirelessly, and you have the right to use that data for any lawful purpose or authorize a third party (like an independent mechanic or a preferred insurance company) to use it. This is a huge win for transparency and the “right to repair” movement, ensuring that manufacturers can’t lock down access to the information needed for diagnostics and service. It also requires manufacturers to make it easy for you to delete any user data stored in the vehicle—like contacts or navigation history transferred from your personal phone.

Opt-Outs and the Fine Print of Selling Your Habits

While Section 2 grants access, Section 3 tackles monetization by the manufacturer. It states that manufacturers can’t sell your “covered data”—which includes precise geolocation, biometric identifiers, and driver behavior—unless they give you a clear chance to opt out of that sale. This is the consumer protection mechanism designed to stop car companies from profiting off your driving habits without your consent. However, this is where the fine print gets tricky. The bill provides a long list of activities that don’t count as a “sale,” meaning they don’t trigger your opt-out right. For example, transferring data to emergency responders, using it for research to improve safety or develop products, performing diagnostics, administering warranties, or investigating fraud are all exempt from the “sale” definition. While some of these exemptions make sense (like safety recalls), they create a wide lane for manufacturers to share significant amounts of data with third parties for “research” or “product development” without ever having to ask you to opt out.

Fleet Drivers and the National Security Angle

For those who drive company cars or fleet vehicles, the bill offers limited protection. Fleet owners must also provide drivers with an opt-out before selling covered data. But there’s a big caveat: if you’re driving a commercial or government fleet vehicle as an employee, the opt-out doesn’t apply if the data is being sold for profiling related to your job. Your boss could sell data about your driving behavior—like how often you brake hard or speed—unless that profiling is being used to cause a “negative legal or similarly significant harmful effect” outside of your employment. This sets a very high bar for protection, essentially leaving the door open for employment-related performance profiling. On a different note, the bill also slams the door on selling vehicle data to specific foreign adversaries, including China, Russia, and Iran, which is a clear national security measure.

The Federal Takeover of Data Rules

Finally, the DRIVER Act gives the Federal Trade Commission (FTC) the job of enforcing the core access requirements in Section 2. Violations are treated as unfair or deceptive practices under the FTC Act. More importantly for state-level privacy efforts, Section 6 explicitly preempts state and local laws related to the requirements of Section 2. This means if your state was thinking about passing its own, potentially stronger, law about how you access your car’s data, this federal law will likely override it. While federal uniformity is sometimes good for business, it means that states are blocked from experimenting with stronger consumer protections in this specific area of data access.