The 2027 Car Surveillance Mandate: Every New Car Will Watch Your Eyes

Starting as early as September 2027, every new passenger vehicle sold in the United States will be required to include technology that monitors the driver for signs of impairment — and the most likely implementation involves infrared cameras pointed at your face, tracking your eye movements, blink rate, and pupil dilation. The federal government mandated this technology but wrote zero rules about what happens to the biometric data it collects.

The Law Behind the Mandate

The requirement comes from Section 24220 of the Infrastructure Investment and Jobs Act (IIJA), signed into law by President Biden in November 2021. Buried in the 1,039-page infrastructure bill was a provision directing the National Highway Traffic Safety Administration (NHTSA) to issue a final rule requiring "advanced drunk and impaired driving prevention technology" in all new passenger motor vehicles.

The statute gave NHTSA a timeline: issue an advance notice of proposed rulemaking within two years (by November 2023), then a final rule within three years of that (by November 2026), with full compliance required for all new vehicles within three years of the final rule. The original timeline pointed to full deployment by roughly 2029, but NHTSA accelerated certain aspects and indicated a September 2027 target for new model year vehicles.

However, as of March 2026, NHTSA publicly acknowledged that no currently available system meets the reliability and performance requirements the agency considers necessary for a federal mandate. The agency has been evaluating multiple technology approaches and testing prototypes, but a final rule with specific technical standards has not yet been published. This means the September 2027 date could slip — but the underlying legal mandate remains in force. The technology is coming. The question is when, not if.

Mandate Timeline

  • Nov 2021: Infrastructure Investment and Jobs Act signed into law
  • Nov 2023: NHTSA advance notice of proposed rulemaking (ANPRM) issued
  • Mar 2026: NHTSA acknowledges no system meets reliability requirements yet
  • Sept 2027: Target date for requirement in new model year vehicles (may slip)
  • TBD: Final NHTSA rule with specific technical standards not yet published

What the Technology Looks Like

NHTSA has been evaluating several technology approaches for impaired driving prevention. The two leading categories are driver monitoring systems (DMS) and vehicle performance analysis. In practice, most industry proposals combine both.

Camera-Based Driver Monitoring

The most mature technology uses infrared cameras mounted in the steering column, dashboard, or instrument cluster area. These cameras continuously capture images of the driver's face and analyze:

  • Eye tracking: Gaze direction, blink rate, blink duration, and percentage of time eyes are closed (PERCLOS)
  • Pupil dilation: Changes in pupil size that correlate with impairment or fatigue
  • Head position: Head angle, nodding, and drooping patterns
  • Facial muscle analysis: Micro-expressions and facial asymmetry associated with cognitive impairment
  • Eyelid behavior: Slow eyelid closure, prolonged blinks, and irregular blinking patterns

Several automakers already ship voluntary DMS systems. GM's Super Cruise, Ford's BlueCruise, and BMW's Extended Drive all use infrared cameras to verify driver attention during semi-autonomous driving. Tesla added cabin-facing cameras in 2021, though their use for impairment detection has been limited. The European Union mandated basic driver drowsiness detection in all new vehicles sold after July 2024 under the General Safety Regulation.

Vehicle Performance Analysis

The second approach analyzes driving behavior rather than biometrics. These systems monitor:

  • Steering patterns: Micro-corrections, lane weaving, and reaction time to lane departures
  • Braking behavior: Response time, braking force, and frequency of hard braking events
  • Speed management: Inconsistent speed, drifting above or below set speed, and delayed acceleration
  • Lane position: Standard deviation of lane position, time-to-line-crossing metrics

Vehicle performance analysis is less privacy-invasive than face cameras because it does not involve biometric data collection. However, industry consensus and NHTSA's research suggest that camera-based DMS is significantly more reliable at detecting impairment. The final mandate will most likely require camera-based monitoring, either alone or in combination with vehicle behavior analysis.

Touch-Based Blood Alcohol Sensors

A third technology — pioneered by the DADSS (Driver Alcohol Detection System for Safety) research program — uses infrared spectroscopy built into the steering wheel or start button to measure blood alcohol concentration through the driver's skin. This approach is the most privacy-friendly because it measures a specific, relevant biomarker rather than collecting facial imagery. However, DADSS has been in development since 2008 and still faces accuracy and speed-of-measurement challenges. NHTSA considers it a promising but not yet production-ready technology.

The Privacy Problem: No Rules for the Data

Here is the core issue. The Infrastructure Investment and Jobs Act mandates the technology. It does not include a single word about what happens to the data the technology collects.

Section 24220 requires NHTSA to ensure the technology "passively monitors the performance of a driver" and can "prevent or limit motor vehicle operation if an impairment is detected." The statute addresses what the system must do. It says nothing about:

  • Whether biometric data must be processed locally on the vehicle or can be transmitted to the cloud
  • How long biometric data can be stored
  • Whether automakers can share the data with insurance companies
  • Whether law enforcement can access the data without a warrant
  • Whether the data can be sold to data brokers or used for targeted advertising
  • Whether drivers must be informed about what data is collected and how it is used

There is no federal biometric privacy law. Congress has introduced several bills over the years — the National Biometric Information Privacy Act, the FACE Act, and others — but none have passed. This means that a driver's infrared facial scans, eye tracking data, and impairment assessments sit in a regulatory vacuum. The automaker collects it. What they do with it is up to them.

What Automakers Already Collect

This mandate does not exist in isolation. Modern connected cars already collect vast amounts of data. A 2024 Mozilla Foundation report found that every major car brand failed their privacy standards. Automakers routinely collect and share driving behavior, location data, voice recordings, and contact lists. GM was caught selling detailed driving behavior data to insurance companies through LexisNexis without clear consumer consent. The DMS mandate adds biometric data — arguably the most sensitive category — to an ecosystem that already treats driver data as a monetizable asset.

State Biometric Privacy Laws: Where You Are Protected

In the absence of federal protection, a handful of states offer some legal coverage for biometric data. The strength of these protections varies significantly.

Illinois — BIPA (Biometric Information Privacy Act)

Illinois has the strongest biometric privacy law in the country. BIPA, enacted in 2008, requires companies to obtain informed written consent before collecting biometric identifiers (including facial geometry and retinal scans). It provides a private right of action, meaning individuals can sue companies that violate the law. Statutory damages range from $1,000 per negligent violation to $5,000 per intentional or reckless violation. BIPA has generated billions of dollars in settlements — Facebook (now Meta) paid $650 million in 2021 for collecting facial geometry without consent.

If a car sold in Illinois collects infrared facial scans without obtaining written consent from the driver, the automaker could face BIPA liability. Whether automakers will carve out Illinois-specific consent flows or simply disable DMS features in Illinois remains to be seen.

Texas — CUBI (Capture or Use of Biometric Identifier Act)

Texas prohibits the capture of biometric identifiers for a commercial purpose without consent. Unlike Illinois, Texas does not provide a private right of action — enforcement is through the Texas Attorney General's office. However, the AG's office has been active. In 2024, Texas secured a $1.4 billion settlement with Meta over facial recognition data collected without consent.

Washington — Biometric Identifiers Law

Washington's law prohibits enrolling biometric identifiers in a database for a commercial purpose without consent. Like Texas, it lacks a private right of action and relies on AG enforcement. The law's scope is narrower than BIPA — it focuses on storage in databases rather than collection itself.

Comprehensive State Privacy Laws

Several states with comprehensive privacy laws classify biometric data as "sensitive data" requiring opt-in consent before processing. This includes California (CCPA/CPRA), Colorado (CPA), Connecticut (CTDPA), Virginia (VCDPA), and others. These laws could provide some protection against automakers collecting DMS biometrics without consent, but enforcement in the automotive context has not been tested.

| State | Law | Consent Required | Private Right of Action | Max Penalty |
|---|---|---|---|---|
| Illinois | BIPA | Written consent | Yes | $5,000/violation |
| Texas | CUBI | Yes (commercial use) | No (AG only) | $25,000/violation |
| Washington | Biometric ID Law | Yes (database enrollment) | No (AG only) | Injunction + damages |
| California | CCPA/CPRA | Opt-in for sensitive data | Limited (breaches only) | $7,500/violation |
| Colorado | CPA | Opt-in for sensitive data | No (AG only) | $20,000/violation |

If you live in a state without biometric privacy protections — which is the majority of states — there is currently no law preventing an automaker from collecting your infrared facial scans and doing whatever they want with the data.

The Insurance Connection

One of the most concerning downstream uses of DMS data is insurance pricing. Automakers have already been caught sharing detailed driving behavior data with insurance companies. GM's OnStar program shared acceleration, braking, and speed data with LexisNexis, which repackaged it into driving behavior scores that insurers used to adjust premiums — often without the driver's meaningful knowledge or consent.

DMS data takes this further. If an automaker records that a driver's eyes were closed for extended periods, or that the impairment detection system was triggered, that information could be profoundly valuable to insurers. A record of "possible impairment events" could be used to deny claims, raise premiums, or even cancel policies. Without federal rules preventing it, the path from DMS camera to insurance database is legally unobstructed in most states.

What You Can Do

The mandate is federal law, and if you buy a new car after it takes effect, the technology will be in it. But there are still steps you can take to limit your exposure.

  1. Understand your state's protections. If you live in Illinois, Texas, Washington, California, or Colorado, you have some level of biometric data protection. Know your rights under your state's specific law.
  2. Read the privacy policy before buying. Automakers are required to disclose their data practices. Before purchasing a vehicle, review the privacy policy — specifically sections on biometric data, data sharing with third parties, and data retention periods.
  3. Opt out of data sharing where possible. Some automakers provide settings to limit data transmission from connected vehicles. These controls are often buried in infotainment menus or companion apps, but they exist. Review every connected services agreement and opt out of anything non-essential.
  4. Limit connected services. Many data collection features depend on the vehicle's cellular connection. Declining connected services subscriptions (like GM's OnStar or Ford's FordPass Connect) can reduce — though not eliminate — the amount of data transmitted from your vehicle.
  5. Remove your data from brokers. Even if you cannot prevent the car from collecting data, you can limit how much contextual data brokers have about you. The less a broker knows about your identity, the harder it is to link vehicle data to your personal profile. GhostVault removes your personal information from 500+ data broker sites, reducing the connective tissue that links your car's data to your identity.
  6. Support biometric privacy legislation. Contact your state and federal representatives about biometric privacy laws. The most effective protection is legislation that puts clear limits on how biometric data can be collected, stored, shared, and sold.

The Bigger Picture

The DMS mandate is part of a broader trend: technology that is built for safety but creates surveillance infrastructure. The same camera that prevents drunk driving can track your attention, record your emotional state, and build a biometric profile that follows you from trip to trip. Without strong privacy rules, safety mandates become data collection mandates. The technology may save lives — and it may also become the most intimate data collection system most Americans encounter in their daily lives.

What Happens Next

NHTSA is still working on the final rule. The agency has collected public comments, tested prototype systems, and acknowledged the technical challenges. Several key questions remain open:

  • Will the final rule specify technology type? NHTSA could mandate camera-based DMS specifically, or it could set performance standards and let automakers choose their approach. Performance-based standards would leave the door open for less privacy-invasive alternatives like the DADSS touch sensor.
  • Will there be data privacy provisions? NHTSA has received extensive public comment urging the agency to include data privacy requirements in the final rule. The agency has the authority to require that DMS data be processed locally and never transmitted — but whether it will exercise that authority is unclear.
  • Will the timeline slip? NHTSA's March 2026 admission that no system meets reliability requirements suggests the September 2027 target may be pushed back. Automakers need lead time to integrate new systems into production vehicles, and a final rule needs to be published well in advance of the compliance date.
  • Will Congress act on federal biometric privacy? The DMS mandate has given new urgency to the federal biometric privacy debate. Whether Congress can pass a biometric privacy law before the mandate takes effect remains uncertain.

We will update this article as NHTSA publishes its final rule and the compliance timeline becomes clearer.

Frequently Asked Questions

Will my new car have a camera watching me?

If you buy a new passenger vehicle after the NHTSA rule takes effect — currently targeted for September 2027, though delays are possible — it will be required to include "advanced drunk and impaired driving prevention technology." The leading technology approaches involve infrared cameras pointed at the driver's face to monitor eye movement, blink rate, pupil dilation, and head position. Some systems may use alternative approaches like steering pattern analysis or touch-based blood alcohol sensors, but camera-based driver monitoring is the most mature technology available. Several automakers, including GM, Ford, and BMW, already ship optional DMS systems in current vehicles.

What data does a driver monitoring system collect?

Driver monitoring systems collect biometric data including infrared images of your face, eye-tracking data (gaze direction, blink rate, pupil dilation), head position and movement, and behavioral data like steering patterns, lane position, and braking frequency. Some systems also collect vehicle telemetry data including speed, acceleration, GPS location, and time of day. Whether this data is stored locally in the vehicle, transmitted to the manufacturer, or shared with third parties depends entirely on the automaker's data practices — there is currently no federal law restricting it.

Can I disable the driver monitoring camera?

The NHTSA mandate is expected to require the technology as a safety feature, similar to seatbelts or airbags. Disabling it will likely not be permitted under the final rule, and doing so could affect your vehicle's warranty or registration status. The exact provisions will depend on the final NHTSA rulemaking, which has not yet been published as of May 2026. Some current voluntary DMS systems (like GM's Super Cruise) already restrict certain features when the driver monitoring camera is blocked or disabled.

Which states have biometric privacy laws that cover car data?

Illinois has the strongest protection through BIPA, which requires informed written consent before collecting biometric identifiers and provides a private right of action with statutory damages of $1,000 to $5,000 per violation. Texas and Washington also have biometric privacy statutes, though with weaker enforcement mechanisms and no private right of action. Several state comprehensive privacy laws — including California, Colorado, Virginia, and Connecticut — classify biometric data as "sensitive data" requiring opt-in consent, but enforcement has not been tested in the automotive context. If you live outside these states, you currently have no specific legal protection for biometric data collected by your vehicle.

Is there any federal law protecting biometric data from cars?

No. As of May 2026, there is no federal biometric privacy law. The Infrastructure Investment and Jobs Act mandates the technology but does not include any provisions restricting what automakers can do with the biometric data collected. Congress has introduced several federal biometric privacy bills over the years, but none have passed. This creates a gap where the federal government requires cars to collect biometric data but provides no rules about how that data must be stored, who can access it, or whether it can be sold. Privacy advocates have urged NHTSA to include data minimization and local-processing requirements in the final rule, but the agency has not committed to doing so.
