CDT Comments in response to the National Highway Traffic Safety Administration (NHTSA) Proposed Rulemaking on Advanced Impaired Driving Prevention Technology
On March 5, 2024, the Center for Democracy & Technology (CDT) filed comments in response to the National Highway Traffic Safety Administration’s (NHTSA) Advanced Notice of Proposed Rulemaking (ANPR) on Advanced Impaired Driving Prevention Technology. While CDT commends NHTSA for its ongoing efforts to further reduce drunk and impaired driving crashes and fatalities, these new technologies pose potential privacy harms. As such, CDT’s comment urges NHTSA to include robust privacy protections in its rules for impaired driving prevention technology.
Privacy rules and regulations are critical because modern cars collect extraordinary and growing amounts of data. Through sensors including microphones and cameras, cars have the power to watch, listen, and collect information such as where people go in their cars, what drivers and passengers do and say, and what is happening outside of and around those cars. A recent Mozilla report found that every car brand it examined collected more personal data than necessary and used that information for reasons other than to operate the vehicle and manage manufacturers’ relationship with consumers.
The advanced impaired driving prevention technologies contemplated within the ANPR would add to the ever-growing list of data-collecting components within modern passenger vehicles. Indeed, data that cars collect, including the types of data collected by advanced impaired driving prevention technologies, are the same types and categories of sensitive data that have been subject to greater privacy regulations and federal agency enforcement actions.
To ensure that drivers’ and passengers’ data is kept private and secure, CDT calls on NHTSA to impose strict limits on data collection and use to prevent widespread and government-approved privacy invasions. Specifically, CDT’s comments call on NHTSA to ensure that new advanced impaired driving prevention technologies do not simply allow business as usual with invasive privacy practices such as over-collection and over-sharing of data.
First, CDT calls on NHTSA to conduct a privacy threshold analysis (PTA) and publish a draft Privacy Impact Assessment (PIA) concurrent with its issuance of a regulatory proposal. Within that PIA, NHTSA should explicitly consider whether this technology is too privacy invasive, and whether alternative technologies that are less privacy-invasive would accomplish similar goals.
Next, NHTSA should impose strict limits on data collection and use to prevent widespread and government-approved privacy invasions from abuses of that system.
- NHTSA should allow data collection by these systems only to the extent necessary to make a determination as to whether the driver is impaired.
- NHTSA should require that the data collected be used only for determining whether the driver is impaired.
- Once data has been successfully used to determine whether a driver is impaired or not, that data should then be promptly deleted, unless there exists another legal duty or requirement to retain the data for longer.
Finally, CDT’s comment calls for NHTSA to establish effective mechanisms and requirements that inform drivers and passengers about how advanced impaired driving prevention technologies operate and how their data will be kept private. Importantly, transparency should not be conflated with a notice and consent regime: companies should be subject to the data minimization rules set forth above and not be permitted to evade them through providing “notice” in privacy policies based on the fiction that drivers and passengers have consented to whatever practices those policies contain.