Every so often a law that was passed years ago quietly becomes a present-day compliance reality. Section 24220 of the 2021 Infrastructure Investment and Jobs Act is one of those laws. Tucked into an eleven-hundred-page infrastructure bill with little public debate, the “kill switch law,” as it has come to be known by some, awaits implementing regulations. The law has triggered debates in Congress over defunding it, as well as lots of hand-wringing around privacy and data governance questions that businesses, fleet operators, and their legal counsel are trying to answer before the technology becomes standard equipment in new vehicles.
What the Law Actually Requires
Section 24220 directs the National Highway Traffic Safety Administration (NHTSA) to require that all new passenger vehicles be equipped with what the statute calls “advanced drunk and impaired driving prevention technology.” In practical terms, the law contemplates two types of systems:
- A passive performance-monitoring system that continuously observes a driver’s behavior and restricts or prevents vehicle operation if the system determines the driver may be impaired; or
- A blood-alcohol detection system that prevents or limits operation when BAC meets or exceeds the legal limit of 0.08%.
Manufacturers can deploy either type, or a combination. The technology could involve cameras monitoring eye movement, sensors analyzing steering and braking patterns, or touch-based biometric readers built into the steering wheel or ignition surface. It also could leverage AI. NHTSA is still finalizing the technical standards — a detail that matters, because the specific data collection methods will drive (no pun intended) privacy and security compliance. Notably, many of these features and capabilities – often embedded in devices referred to as “dashcams” – have already become popular in fleet vehicles.
The January 2026 Vote — and What It Means That It Failed
Earlier this year, Representative Thomas Massie introduced an amendment to a budget bill that would have defunded Section 24220 entirely, blocking NHTSA from spending any funds on implementation or enforcement. The amendment failed 229–201, with 57 Republicans joining 211 Democrats in opposition. Repeal legislation (the No Kill Switches in Cars Act, H.R. 1137) remains stalled. Barring an unexpected reversal, the mandate goes forward.
Why Privacy Lawyers Are Paying Attention
Despite concerns about “Big Brother” and references to Orwell’s novel, 1984, the statute does not give the government a remote kill switch. No federal agency can log into your vehicle and disable it. The technology would operate through onboard software, and the decision to restrict operation is made by the vehicle’s own algorithms — not by a government operator.
That distinction is real and legally significant. But it does not exhaust the privacy concerns, not by a long shot. A decision to restrict operation of the vehicle is still being made by something other than the driver.
Whether the system uses cameras, eye-tracking, biometrics, or driving pattern analysis, it is continuously collecting sensitive behavioral and physiological data about the driver. It is generated, stored — somewhere — and potentially transmitted. To whom? Under what retention schedule? With what security controls? The statute is silent. NHTSA’s rules are not yet final. The answers will depend heavily on what manufacturers build and what their privacy policies and terms of service say.
Additionally, new vehicles are networked and able to connect to manufacturer cloud infrastructure, and many connect to insurers, fleet management platforms, and dealership service systems. An open question raised during the funding debate: could insurance companies or law enforcement access impairment event data without the driver’s knowledge or a warrant? The Fourth Amendment analysis in that context is genuinely unsettled.
Beyond privacy concerns, some have raised the potential for fleet-wide attacks:
Unlike traditional vehicle theft or individual hacks, networked kill switch systems create the potential for mass-casualty cyberattacks. Research from Georgia Tech has modeled scenarios where:
- Simultaneously activating kill switches on millions of vehicles could shut down entire transportation networks
- Supply chain disruptions from disabled commercial vehicles could affect food, fuel, and medical supply delivery
- A Consumer Watchdog report estimated a fleet-wide hack could cause approximately 3,000 deaths from a single coordinated breach.
The “kill switch jail” problem.
The statute contains no provision defining how a driver challenges or overrides a lockout once the system flags impairment. There is no appeal mechanism, no defined waiting period, no human review. A false positive — a sober driver whose steering pattern triggers the algorithm — could leave that person stranded with no clear recourse, raising significant liability, worker safety, and consumer protection concerns.
The fleet and employer liability problem.
Businesses that operate vehicle fleets — delivery companies, field services organizations, transportation providers — will have vehicles generating continuous data streams about their drivers, raising employment privacy considerations: What does the employer know? When do they know it? What state monitoring disclosure obligations apply? Will the technology trigger policy and consent obligations, such as in states with strong biometric privacy laws? Are risk assessments required?
What Businesses Can Be Doing Now
As NHTSA continues its work on implementing regulations, a few action items are worth considering:
- If your organization currently leverages similar technology in vehicles used in the business, take a look at Dashcams: There’s More Risk To Manage Than You’d Expect.
- Fleet operators should assess what data their vehicle management agreements and manufacturer privacy policies say about impairment event data — specifically who receives it, how long it is retained, and under what circumstances it is disclosed to third parties including law enforcement. Existing driver monitoring policies may need to be reviewed and updated.
- HR and employment counsel should evaluate whether the passive monitoring and biometric data components of compliant vehicles trigger state-level employee monitoring notification laws (several states require advance notice before monitoring employees’ electronic activity) or biometric data statutes like Illinois BIPA. The analysis will vary by jurisdiction, but the risk of inaction is higher in states with private rights of action.
- Privacy program managers should flag newly acquired vehicles as a data asset in enterprise data inventories. Vehicle-generated data — particularly behavioral and biometric data about identified individuals — may fall within the scope of state consumer privacy laws depending on how it is collected, processed, and shared.
- Risk and compliance teams should watch NHTSA’s rulemaking closely. The final technical standards will determine which specific data elements are collected and by what methods.
The Broader Trend
Section 24220 is not an isolated development. It reflects a broader pattern of embedded sensors and passive monitoring becoming standard infrastructure in physical environments (vehicles, workplaces, commercial buildings), generating continuous data streams about individuals going about their ordinary daily activities. The challenge, which legislatures, regulators, and businesses are only beginning to confront, is how to govern systems that never stop collecting.