Driver's Privacy Protection Act of 1994 (DPPA), Pub. L. No. 103-322, Tit. XXX, 108 Stat. 2099 (1994), codified as amended, 18 U.S.C. §§ 2721-25.
Prior to 1997, in many states the easiest way for an individual to get another person's identity information was simply to purchase the individual's driving record from the local DMV. For a few dollars, anyone could obtain a driver's full name, address, birth date and license number, which in many states was the same as the individual's SSN. Thus, the DMV served as a one-stop shop for the would-be identity thief.
Her death inspired the passage of the "Driver's Privacy Protection Act of 1994" as an amendment to the Violent Crime Control and Law Enforcement Act of 1994.
The Act prohibits state departments of motor vehicles (DMVs) and others to whom the DMVs provide information from "knowingly disclos[ing] or otherwise mak[ing] available to any person or entity personal information about any individual obtained by the department in connection with a motor vehicle record."
The term "personal information" is defined as any information "that identifies an individual, including an individual's photograph, social security number, driver identification number, name, address (but not the 5-digit zip code), telephone number, and medical or disability information," but not including "information on vehicular accidents, driving violations, and driver's status." without the driver's consent. DMVs that violate the Act are subject to civil penalties.
Under the Act, personal information contained in a motor vehicle record may be disclosed for use by any government agency, including any court or law enforcement agency, in carrying out its functions, or to any private person or entity acting on behalf of a Federal, State, or local agency; and for use in connection with any civil, criminal, administrative, or arbitral proceeding in any Federal, State, or local court or agency or before any self-regulatory body, or pursuant to a Federal, State, or local court order.
The Act requires that the driver consent before the state discloses most of this information, but permits disclosure of the 5-digit zip code and "information on vehicular accidents, driving violations and driver's status." The Act provides a number of exceptions, including information required to control emissions, driver safety, thefts, recalls, verifying personal information submitted to a business, and insurance. The private parties that receive this information are also authorized to disclose it to others for the same purposes. And "a private actor who has obtained drivers' information from DMV [Department of Motor Vehicles] records specifically for direct-marketing purposes may resell that information for other direct-marketing uses, but not otherwise."
The broadest of all the exceptions to the Act are the so-called "opt-out provisions" found in Sections 2721(b)(11) and (12). These provisions permit a state to disclose personal identification information to any individual or business so long as the state provides license holders written notice that includes a clear opportunity to opt-out.
While numerous states have enacted statutes with disclosure prohibitions as strict or stricter than the DPPA's default standard, the majority of states have enacted a variety of opt-out laws which allow drivers to choose different levels of confidentiality.
In 2000, the Act was amended to create a new class of "highly restricted personal information." This includes an individual's photograph or image, social security number, and medical or disability information. This information may not be shared without the express consent of the person to whom the information applies, except for four purposes stated in the Act.
Violation of the DPPA exposes both states and individuals that do not comply with its requirements to sanctions. One of these provides that "a state agency that maintains a 'policy or practice of substantial noncompliance' with the Act may be subject to a civil penalty imposed by the United States Attorney General of not more than $5,000 per day of substantial noncompliance."
In July 2013, the Court of Appeals for the Second Circuit determined that data brokers could be liable for the use of personal information that they obtain from state departments of motor vehicles and sell to others. The court held that the Act imposes a duty on resellers to exercise reasonable care in responding to requests for personal information drawn from motor vehicle records.
- See 140 Cong. Rec. H2522 (daily ed. Apr. 20, 1994 (statement of Rep. Moran).
- 18 U.S.C. §2721(a).
- Id. §2725(3).
- 18 U.S.C. §2721(c).
- Angela R. Karras, "The Constitutionality of the Driver’s Privacy Protection Act: A Fork in the Information Access Road," 52 Fed. Comm. L.J. 125, 131 (1999).
- Id. at 132-33.
- 18 U.S.C. §2723(b).
- Gordon v. Softech, Int'l, Inc., 726 F.3d 42 (2d Cir. 2013).