Interior of a modern car at dusk, dashboard and steering wheel lit, the kind of cabin where new EU rules now require an infrared camera pointed at the driver

TL;DR: As of July 7, 2026, every new passenger car sold in the EU has to include a small infrared camera near the steering wheel that watches where the driver is looking. The system, called Advanced Driver Distraction Warning (ADDW), is supposed to be closed-loop: it runs the analysis on the device and never streams the face data anywhere. Researchers who already mapped how carmakers handle driver data say the closed-loop claim has no independent audit. The same feature that is supposed to save lives sits inside an industry that, in 2023, was found to share or sell driver data in the vast majority of brands tested.

What ADDW Actually Requires

Advanced Driver Distraction Warning sits inside the EU General Safety Regulation, the same package that already mandates intelligent speed assistance and lane-keeping tech on new cars. The system uses a small infrared camera mounted near the steering column or dashboard. Once the car is moving above roughly 20 km/h (about 12 mph), the camera tracks where the driver's eyes are pointing. If the driver looks away from the road for more than 3.5 seconds at highway speed, or more than 6 seconds at lower speeds, the system fires a warning: a light, a sound, or a vibration through the seat [1].

The driver cannot turn the system off permanently. Manually switching it off only works until the next drive. The point of the rule is straightforward. EU-funded research cited in the same policy package estimated that driver distraction plays a role in 5% to 25% of car crashes, and the broader safety package is projected to save more than 25,000 lives by 2038 [1].

The privacy story is in the next sentence. Article 6(3) of the General Safety Regulation tells carmakers that the system "must not continuously record or retain data beyond what is necessary" for the warning to work [1]. In other words: closed-loop. The biometric data is supposed to live and die on the head unit, never reaching the maker, never reaching the cloud, never reaching a data broker.

That is the regulatory claim. The watchdog question is whether anyone outside the car can check it.

The Closed-Loop Claim Has No Independent Audit

All About Cookies reported on July 7 that the EU's General Safety Regulation does not specify an independent audit mechanism for ADDW compliance, and that the regulation leaves the definition of "necessary" data open [1]. That is the gap. If a regulator never inspects the data flow, the closed-loop promise is whatever each carmaker says it is.

The same outlet tested the system in an Xpeng P7+ through the Belgian automotive platform Gocar.be and found that the camera activates aggressively in normal driving. A Reddit user quoted by the outlet described a Ford Puma that, ten minutes into a drive, started telling the driver to take a break with an amber light and a loud chime, calling the experience "incredibly distracting" [1]. If the system is so easy to trigger that it nags careful drivers, the room for "necessary" data collection is wider than the rule suggests.

GDPR applies on top. Any system that processes personal data of an identifiable person inside the EU falls under the regulation. The data-protection regime exists; the missing piece is the supervisory layer that would actually catch a carmaker pulling biometric data off the head unit and shipping it home.

What 25 Carmakers Were Already Doing in 2023

The reason the audit gap matters is the industry's track record. In September 2023, the Mozilla Foundation published "It's Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy." Researchers Jen Caltrider, Misha Rykov, and Zoë MacDonald spent more than 600 hours reviewing 25 car brands, roughly three times the time Mozilla spends on a normal product review [2].

Every one of the 25 brands received Mozilla's "Privacy Not Included" warning. 100% of the brands received a ding for collecting more personal data than necessary and using it for purposes beyond operating the vehicle [2]. The data collected can include medical information, genetic information, "sex life" data, driving speed, location, and in-car music choices. Six brands reserve the right to collect "genetic information" or "genetic characteristics." Nissan's privacy policy references "sexual activity"; Kia's references "sex life" [2].

The findings on sharing were stark. 84% of brands say they can share personal data with service providers, data brokers, and other businesses. 76% (19 brands) say they can sell personal data outright. 56% say they can share information with government or law enforcement in response to an "informal request," not a court order. Hyundai's policy says it will comply with "lawful requests, whether formal or informal" [2].

Mozilla could not confirm that any of the 25 brands met its Minimum Security Standards. 68% of the brands (17 of them) earned a "bad track record" ding for leaks, hacks, or breaches in the prior three years [2]. The researchers' summary line: cars are "surveillance-machines on wheels that can detect everything we do and where and when we do it" [2].

Three Concrete Cases That Show Why the Gap Matters

The pattern is not hypothetical. Three cases from the past three years show how easily in-cabin data, telemetry, and driver-identity records travel from the car into other hands.

LexisNexis ran a 258-page dossier on one driver. All About Cookies reported that one driver's LexisNexis driving report ran 258 pages, logging nearly every trip over six months. That driver's insurance premium jumped 21% based on the data [1]. The report was built from data brokers pulling telematics from connected cars. None of it came from a driver-monitoring camera, which makes it a useful preview of what happens when car data is collected, sold, and scored without the driver's full awareness.

GM settled with California for $12.75 million. All About Cookies reported that GM settled with California over OnStar driver data that was sold to brokers, in a case that resulted in a $12.75 million resolution [1]. The earlier California CCPA penalty against GM's OnStar program is the same case from the state side.

Tesla employees shared sensitive recordings internally between 2019 and 2022. All About Cookies cited a 2023 Reuters investigation that found Tesla employees shared sensitive in-car recordings internally during 2019 to 2022 [1]. Mozilla noted that Tesla was the second product it ever reviewed to receive all "dings," including an "untrustworthy AI" label, and that Tesla's privacy policy warns that opting out of data collection may cause "reduced functionality, serious damage, or inoperability" [2]. Tesla was the only brand to refuse to sign onto the Alliance for Automotive Innovation's Consumer Protection Principles [2].

The Subaru case is the cleanest illustration of consent in the connected-car era. Subaru's privacy policy states that passengers of connected-service vehicles have "consented" to data use simply by being inside the car [2]. ADDW extends the same logic to a biometric sensor. If you are in the driver's seat, you are the input.

What to Watch

Who audits "necessary" data. The European Data Protection Board or national DPAs could issue guidance clarifying what counts as necessary under Article 6(3), or they could require independent technical audits of the closed-loop claim. Either move would convert the rule from a written promise into a tested one [1].

Where the data goes once it leaves the closed loop. Even with a closed-loop eye-tracker in the cabin, the rest of the car still has GPS, a cellular modem, an OBD port, and a microphone. The Mozilla review found that 56% of brands are willing to share with law enforcement on an informal request [2]. The eye-tracking system is the new sensor on the bus. The bus still exists.

How US carmakers respond. The EU's General Safety Regulation effectively sets a global OEM default, the same way GDPR did. Expect US-market cars to start shipping with the same hardware enabled by default, and watch for state-level bills like Washington's SB 6002 and federal action to push back the other way.

Sources

  1. All About Cookies, Krishi Chowdhary: "All Cars Sold in the EU Now Require a Camera Aimed at Your Face. It's Still Not Clear Where That Data Goes" (July 7, 2026)
  2. Mozilla Foundation, Jen Caltrider, Misha Rykov, and Zoë MacDonald: "It's Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy" (September 6, 2023)