January 28, 2021

Volume XI, Number 28


January 27, 2021

Subscribe to Latest Legal News and Analysis

January 26, 2021

Subscribe to Latest Legal News and Analysis

January 25, 2021

Subscribe to Latest Legal News and Analysis

New Jersey Legislature Considers Additional Protections for Car “Black Box” Data

You’ve added a passcode to your phone, checked your social network privacy settings (twice), and kept close tabs on the cookies in your web browser. But have you ever thought closely about the information your car collects about you?

New Jersey legislators are debating two identical bills that would provide additional safeguards against the disclosure of data contained in a car’s “black box,” which track a vehicle’s technical status and operational performance. These devices, often referred to as event data recorders or EDRs, are present on 90% of all cars and light trucks in the U.S. and may soon become mandatory on all new vehicles. In addition to assisting mechanics with car repairs, EDRs can assist law enforcement and insurance companies in crash investigations.

According to the National Conference of State Legislatures, fourteen states have enacted statutes that generally only allow access to data on an EDR with the car owner’s consent. If enacted, New Jersey’s law would prohibit third parties from accessing an EDR’s data without the owner’s consent, a warrant, or a discovery order in a civil case. Other provisions in the law would allow manufacturers, dealerships, and car repair facilities to access the data for the purpose of diagnosing or repairing the vehicle, as well as allowing the disclosure of de-identified data “for the purpose of improving motor vehicle safety, security, or traffic management.”

In addition, car owners would be required to retain the information on an EDR for two years after an accident resulting in injury or death. Any individual who knowingly attempt to destroy the EDR or its information during this period could face a $5,000 fine, although it is unclear whether this provision would apply in instances where a car is rendered useless as a result of an accident and is subsequently scrapped.

Although most vehicle EDRs are only designed to collect information for a few seconds before and after a collision that triggers a vehicle’s airbags, there is no current federal limitation on the types or durations of data that vehicle EDRs can collect. With an increasing percentage of new vehicles coming equipped with built-in communication systems, legislators are concerned that the types and volume of data that EDRs collect could grow exponentially. The Driver’s Privacy Act, currently under consideration in the Senate, would allow owners or lessees of vehicles to retain ownership over the data in a vehicle’s EDR and prohibit other individuals from accessing the data, subject to certain exceptions. Another bill under consideration in the House contains similar provisions, in addition to a requirement that purchasers of new vehicles are notified if their vehicle contains an EDR and prohibiting the sale of new vehicles after 2015 unless the owner can control the recording of information on the EDR.

In addition to a vehicle’s EDR, other types of technology that manufacturers are adding to cars can pose new privacy questions. Last month, General Motors notified owners of its new Chevrolet Corvette that using the car’s Valet Mode, which records audio in the car’s cabin when activated, could violate the law in 13 states if the prior consent of other individuals present in the car is not obtained. Valet Mode, which also records video of the car’s activities when activated, was intended to monitor the activities of third parties who drive the car when the owner is not present. General Motors has promised to release an update in order to ensure compliance with legal requirements, but in the meantime has advised owners to disable Valet Mode or obtain consent of the vehicle’s occupants prior to any recording.

This post was written with contributions from Caleb Skeath.

© 2020 Covington & Burling LLPNational Law Review, Volume IV, Number 286



About this Author

Daniel Cooper, Data privacy lawyer, Covington Burling

Daniel Cooper advises clients on information technology regulatory issues, particularly data protection, e-commerce and data security matters.

According to the latest edition of Chambers UK (2018), his "level of expertise is second to none, but it's also equally paired with a keen understanding of our business and direction." In 2017, it was noted that "he is very good at calibrating and helping to gauge risk."

Yaron Dori, Communications and media attorney, Covington


Yaron Dori has 20 years of experience in telecommunications, privacy, and consumer protection law advising telecom, technology, and media companies on their most pressing business challenges.

In doing so, Mr. Dori focuses on strategic planning, policy development, transactions, investigations and enforcement, and overall regulatory compliance.

Mr. Dori represents clients before federal and state regulatory agencies—including the Federal Communications Commission (FCC) and the Federal Trade Commission (FTC) —and the U.S. Congress...

David Fagan, Data privacy attorney, Covington

David Fagan co-chairs the firm’s top ranked practice on cross-border investment and national security matters, including reviews conducted by the Committee on Foreign Investment in the United States (CFIUS), and also leads the firm’s cyber and data security incident response practice. Mr. Fagan is rated by Chambers USA and Chambers Global for his leading expertise in CFIUS matters and privacy and data security, and was named as a ...

Henriette Tielemans, Covington, litigation attorney

Described as “a league ahead” in Legal 500, Henriette (Jetty) Tielemans advises global companies on data protection and cyber security.

Ms. Tielemans focuses on international data transfers, binding corporate rules, big data, cloud computing, e-discovery, consumer privacy, behavioural advertising, and mobile privacy issues.

Ms. Tielemans serves on the board of directors of the International Association of Privacy Professionals and on a European Commission-designated five-member expert group discussing revising the 1995 Data Protection Framework...

Kurt Wimmer, Data privacy and cybersecurity lawyer, Covington

Kurt Wimmer is the U.S. chair of our Data Privacy and Cybersecurity practice, and is past chair of the Privacy and Information Security Committee of the American Bar Association’s Antitrust Section. He is rated in the first tier by Legal 500, designated as a national leader in Chambers USA, and is included in Best Lawyers in America in four areas. Sources for Chambers USA describe him as "a leading person in the field" and "extremely gifted at what he does."

Mr. Wimmer represents major social media companies, global technology...