The DRIVER Act Drives Privacy Into a Ditch

How a Right-to-Repair Bill Quietly Expands Vehicle Data Exposure

Modern vehicles generate constant data.
Where you go.
When you stop.
How you drive.
Who is in the car.
What your phone connects to.

This data is not abstract.

• It maps routines.
• It reveals habits.
• It predicts behavior.

The DRIVER Act is marketed as a consumer rights bill.
In reality, it increases how much automobile data moves, how fast it spreads, and how many entities can touch it.
It makes vehicle data more vulnerable.

🟥 Access Is Not the Same as Control

The bill gives vehicle owners access to their data.
That sounds like protection.
It also allows owners to authorize third parties to use that data for any lawful purpose.

There are no strong limits on:

• What data is shared
• How long it is kept
• Who it is shared with next
• Whether it can be recombined with other datasets

Once vehicle data leaves the car, it does not come back.
Every authorization increases exposure.
Every exposure increases risk.

🟥 Businesses Gain Broad Data Rights Without Strong Privacy Duties

The bill does not stop with consumers.
It expands data access for:

• Manufacturers
• Fleet owners
• Affiliates
• Data processors
• Acquirers in mergers or bankruptcies

These entities gain sensitive vehicle data without strict rules governing use or retention.
There is no default data minimization.
No meaningful restriction on secondary use.
No guaranteed deletion.

The result is predictable.

• More copies.
• More integrations.
• More attack surface.

🟥 The “Sale” Definition Misses How Data Is Actually Exploited

The bill limits selling data only when money changes hands.
That is not how modern data sharing works.
Vehicle data is routinely exchanged for:

• Analytics services
• Insurance risk models
• Product development
• Behavioral insights

No payment is required.
The exposure is the same.
This loophole allows sensitive driving and location data to circulate freely while remaining technically compliant.

🟥 Research Is a One-Way Door

The bill allows vehicle data to be used for research and product improvement.
There are no real safeguards.
Data does not have to be anonymized.
It can be combined with other datasets.
It can be retained indefinitely.

Research exceptions are permanent exits.
They are not temporary uses.
This is how location and behavioral datasets become long-lived surveillance assets.

🟥 Fleet Drivers Lose Meaningful Protection

Driver behavior protections are limited.
They only apply when profiling causes harm outside employment.
That leaves a large gap.

Fleet drivers can be monitored continuously.
Their driving patterns can be analyzed.
Their behavior can be scored.
All without meaningful opt-out.
This creates a class of people whose mobility data is always exposed.

🟥 De-Identification Is Treated as Safe When It Is Not

The bill excludes deidentified and pseudonymous data from coverage.
Vehicle data does not stay anonymous.
Location data reidentifies people quickly.
Time patterns narrow identities further.
Vehicle fingerprints close the gap.
Once reidentified, there are no consequences.
This exemption turns sensitive data into a legal fiction.

🟥 Stronger State Protections Are Blocked

The bill preempts state laws that might offer stronger privacy protections.
That freezes progress.
States cannot respond to new risks.
They cannot close gaps.
They cannot raise standards.
Once vehicle data is exposed at scale, the damage is hard to undo.

🟥 Vehicle Data Becomes Easier to Access, Harder to Protect

The bill allows broad disclosure under warrants and court orders.
What it does not require:

• User notice
• Data minimization
• Transparency reporting

Vehicle data becomes a standing record of movement and behavior.
Always collected.
Always available.
Rarely constrained.

🟥 The Real Risk