The DRIVER Act directs motor-vehicle manufacturers to give vehicle owners secure, real‑time access to, and joint control over, electronic data generated onboard their vehicles, at no additional charge and without forcing owners to buy a manufacturer device or pay to decrypt data. It requires access via an on-board interface (e.g., OBD) and wireless transmission where available, mandates support for deleting user data, and requires compliance with voluntary automotive cybersecurity standards.
The bill also limits how covered data may be sold—requiring opt-outs for owners (and for individual drivers in many fleet situations), carving out national-security prohibitions on selling to five named countries, and putting violations under the Federal Trade Commission’s unfair-or-deceptive acts authority. It preempts state laws and preserves a narrow confidential-business-information exception, creating immediate compliance, IP, security, and enforcement trade-offs for OEMs, fleets, third‑party service providers, and regulators.
At a Glance
What It Does
The bill requires manufacturers to provide owners with secure, real‑time access to motor vehicle data through physical interface ports and wireless links, bars them from charging to decrypt data or requiring proprietary hardware, and requires them to facilitate deletion of user data. It defines "covered data" (biometrics, precise geolocation, driver behavior) and restricts the sale of such data absent a clear opt-out, while banning knowing sales to five named foreign states.
Who It Affects
New obligations hit vehicle manufacturers first; motor vehicle fleet owners and lessees face opt‑out and data-sale rules; independent repair shops, telematics vendors, and aftermarket app developers gain access opportunities; insurers, advertisers, and data brokers will see changes to how they can buy and use telematics. The FTC is assigned enforcement duties.
Why It Matters
This bill shifts control of in‑vehicle data toward owners, undercuts closed OEM ecosystems, and forces business-model adjustments across the automotive and data-broker industries. It also centralizes enforcement at the FTC and preempts state patchwork approaches, making it a potential national standard for vehicle data rights.
What This Bill Actually Does
The DRIVER Act creates a property-like access right for people who own or long-term lease vehicles: manufacturers must provide secure, real‑time access to electronic data produced by the vehicle and give owners joint control so they can use it themselves or authorize third parties to do so. That access must be provided at no charge beyond the vehicle’s purchase price and cannot be conditioned on buying a manufacturer-supplied device or paying a fee to decrypt data.
The statute specifies two delivery mechanisms: a motor vehicle interface port (for example, an OBD port) and wireless transmission when the vehicle supports it, and it requires manufacturers to make it easy for owners to delete user-supplied data stored in the vehicle.
The bill draws a line around certain kinds of data it calls "covered data"—biometric identifiers, precise geolocation, and driver behavior used for profiling that causes legally or similarly significant harms—and limits how that data may be sold. Manufacturers must give owners a clear opportunity to opt out of any sale of covered data; fleet owners must give drivers an opt‑out in many cases, though commercial fleet exceptions apply.
The statute also expressly prohibits knowingly selling motor vehicle data to five foreign governments named in the text, and it lists many operational exceptions (emergency responders, diagnostics, recalls, cybersecurity incident response, processors and affiliates, etc.) where transfer or disclosure is not treated as a sale.
Enforcement is civil and delegated to the Federal Trade Commission: violations of the owner-access provision are treated as unfair or deceptive acts or practices under the FTC Act, giving the agency its usual investigatory and remedial tools. The bill preempts state laws that would touch the same subject matter, but it contains a separate carve-out preserving manufacturers’ confidential business information as defined in Department of Transportation regulations.
Finally, the bill supplies detailed definitions—e.g., a fleet owner is someone with an ownership interest in five or more vehicles or a lessee under a 180‑day lease, and "precise geolocation" is tied to a 1,750‑foot radius—each of which will shape implementation in specific sectors.
The Five Things You Need to Know
- Manufacturers must provide vehicle owners secure, joint control of onboard data in real time at no cost beyond vehicle purchase and cannot require payment to decrypt or proprietary devices to access it.
- Access must be available through the vehicle’s interface port (such as an OBD port) and via wireless transmission when the vehicle supports it, and manufacturers must facilitate deletion of user data stored in the vehicle.
- The bill defines "covered data" to include biometric identifiers, precise geolocation (locations within a 1,750‑foot radius), and driver behavior used for profiling that causes significant harms; sale of covered data requires a clear, conspicuous opt‑out for owners.
- A motor vehicle fleet owner (5+ vehicles or a lease ≥180 days) must offer drivers an opt‑out before selling covered data, but the bill carves out commercial/government fleet data in many operational contexts and lists many exceptions (emergency response, diagnostics, recalls, etc.).
- Violations of the owner-access mandate are enforced by the Federal Trade Commission under the FTC Act’s unfair-or-deceptive authority, and the statute preempts any state law relating to the owner‑access rules.
Section-by-Section Breakdown
Short title
Names the statute the "Data Rights for Information and Vehicle Electronics in Real-time Act" or the "DRIVER Act." This is purely stylistic but signals the bill’s intent to treat vehicular data as a distinct category of consumer rights tied to ownership.
Owner access: real-time, no-cost, nonrestrictive access and deletion
This is the operational core: manufacturers must give owners secure access to vehicle-generated electronic data in real time, at no charge beyond what the owner paid for the vehicle, and with joint control so owners can use or authorize third parties to use the data. The provision forbids charging owners to decrypt data or conditioning access on use of manufacturer-supplied hardware; it requires access via a vehicle interface port and via wireless transmission where available, obliges manufacturers to make it possible to delete user-supplied data, and ties compliance to voluntary industry cybersecurity standards such as ISO/SAE 24134. Practically, manufacturers will need to establish authenticated access channels, document deletion mechanisms, and reconcile live data streams with safety-critical network isolation.
Additional access controls, opt-outs, and national-security prohibitions
Section 3 tackles secondary uses and sales. Subsection (a) requires manufacturers to offer a clear opt‑out before selling covered data. Subsection (b) duplicates an opt‑out entitlement for drivers of fleet vehicles, but allows an exception where the data originates from commercial or government fleet vehicles driven in the course of employment—except when driver behavior profiling used for extra‑employment decisions causes significant harms. Subsection (c) lists five countries (North Korea, China, Russia, Iran, Venezuela) to which manufacturers and fleet owners may not knowingly sell motor vehicle data. Subsection (d) enumerates numerous exceptions to what counts as a "sale," covering emergency responders, diagnostics, recalls, processors and affiliates, lawful court orders, and other operational transfers. Each exception narrows the opt‑out’s reach and will be a focal point in implementation disputes.
Enforcement by the Federal Trade Commission
The bill treats violations of Section 2 as unfair or deceptive acts or practices under section 18(a)(1)(B) of the FTC Act and gives the FTC its normal investigatory and remedial authority. That means civil enforcement, notices, and potential monetary remedies within the FTC’s current statutory powers; the bill does not create a private right of action or direct criminal penalties. Because enforcement is centralized at the FTC, implementation will rely on the agency’s rulemaking, resource allocation, and case selection.
Confidential business information carve-out
Section 5 clarifies that, apart from the access obligations in Section 2, the Act does not require manufacturers to disclose confidential business information as defined in DOT regulations. That preserves a narrow protection for trade secrets and sensitive commercial data, but it also raises questions about the boundary between the data that owners are entitled to and the manufacturer data that the bill treats as CBI.
Federal preemption of state law
The statute bars States and their political subdivisions from maintaining or enforcing any law that relates to Section 2. That creates a single federal standard for owner access but prevents state-level experiments or stricter privacy or safety requirements tied to vehicle data access. Preemption will be consequential for states that have existing telematics, privacy, or right-to-repair rules targeting vehicle data.
Definitions that shape coverage and scope
A cluster of definitions determines who is covered and what "covered data" means. Notable definitions include: biometric identifiers (fingerprints, facial features, gait, voice, etc.); covered data (biometrics, precise geolocation within 1,750 feet, or certain driver behavior used for harmful profiling); motor vehicle fleet owner (5+ vehicles or ≥180‑day leases); and "sell" which is limited to exchanging data for monetary consideration (excluding many operational transfers). Those definitions will be central in disputes about what data owners can access and what transfers require opt‑outs.
Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Individual vehicle owners and long-term lessees — Gain direct, authenticated access to onboard data in real time, the ability to share that data with third‑party apps and service providers, and tools to delete user-supplied data; this increases portability and consumer control.
- Independent repair shops and aftermarket software developers — Secure, standardized access through interface ports and wireless channels lowers barriers to entry for diagnostics, remote services, and third‑party telematics solutions previously locked inside OEM ecosystems.
- Telematics and app developers — Access to new, real‑time data streams expands product opportunities (fleet management, safety tools, consumer apps) and reduces dependence on OEM APIs and commercial data brokers.
- Privacy‑minded consumers and advocates — Opt‑out rules and the classification of sensitive categories (biometrics, precise geolocation) create stronger limits on commercial sale of sensitive vehicle data.
- Drivers of fleet vehicles — Where applicable, drivers receive affirmative opt‑out opportunities before fleet owners sell covered data about them, giving individual drivers more control over sensitive telematics.
Who Bears the Cost
- Vehicle manufacturers (OEMs) — Face engineering, cybersecurity, authentication, and compliance costs to provide secure, real‑time access; must redesign systems to separate safety-critical networks from owner-accessible telemetry and document deletion mechanisms, all while protecting CBI and IP.
- Motor vehicle fleet owners — Must operationalize driver opt‑outs, adjust data‑sale contracts and monetization strategies, and manage exceptions for commercial-use vehicles, increasing administrative burden and potential liability exposure.
- Dealerships and service centers — Will likely receive increased owner requests for access, deletion, and troubleshooting of access channels, requiring staff training and new customer‑support procedures.
- FTC and regulators — Enforcement responsibility shifts to the FTC, which will need resources to investigate violations, adjudicate claims about access, and interpret technical compliance standards.
- Third‑party data brokers and some insurers — May lose unfettered access to certain monetizable covered data or must obtain explicit opt‑outs, shrinking business models built on opaque data purchases.
Key Issues
The Core Tension
The bill pits consumer control and data portability against manufacturers’ interests in protecting safety‑critical architecture, intellectual property, and cybersecurity. Giving owners broad, real‑time access and the right to direct third parties to use vehicle data promotes competition and privacy, but it risks exposing systems, creates transfer pathways that are hard to police, and forces OEMs to choose between opening data and protecting proprietary or safety‑sensitive functions.
The bill resolves a core ownership question (owners get access) but leaves significant implementation ambiguity. The requirement to provide “secure access” and “joint control” does not specify authentication, minimum latency, data formats, or standard APIs; those details will determine whether access is meaningful or effectively unusable.
The statute ties cybersecurity compliance to voluntary standards (for example, ISO/SAE 24134) without mandating specific technical controls or creating certification obligations, so manufacturers can meet the letter of the requirement while diverging on practical interoperability.
Several definitional choices create practical and legal tension. "Precise geolocation" is pegged to a radius of 1,750 feet—an unusually large figure that changes how much location data counts as sensitive. The statutory definition of "sell" confines the prohibition to monetary exchanges but allows many operational transfers (processors, affiliates, emergency responders) to escape the sale label; this invites commercial structures that monetize access without triggering the opt‑out requirement.
The CBI carve‑out preserves trade‑secret claims but does not describe how to reconcile owner access rights with proprietary telemetry formats, embedded firmware, or reverse engineering concerns.
Finally, the national‑security prohibition on selling to five named countries targets direct sales but leaves open indirect transfers, affiliate exchanges, and cross‑border processing pathways. The bill centralizes enforcement at the FTC and preempts state law, which streamlines national policy but removes state laboratories of experimentation and may compress legal avenues for aggrieved parties (no private right of action).
Taken together, these elements produce a law that sets a clear direction—owner access and limits on sale—while allocating many critical decisions to regulatory interpretation, contractual practice, and industry implementation.