Driver's Privacy Protection Act of 1994

Citation: Driver’s Privacy Protection Act of 1994, 18 U.S.C. §§ 2721-25.

Overview

Prior to 1997, in many states the easiest way for an individual to get another person’s identity information was simply to purchase the individual’s driving record from the local DMV. For a few dollars, anyone could obtain a driver’s full name, address, birth date and license number, which in many states was the same as the individual’s SSN. Thus, the DMV served as a one-stop shop for the would-be identity thief.

The Statute

This practice changed with Congress's passage of the Driver’s Privacy Protection Act of 1994 (DPPA) as an amendment to the Omnibus Crime Act of 1994. The Act prohibits state departments of motor vehicles (DMVs) and others to whom the DMVs provide information from disclosing a driver’s personal information^[1] without the driver’s consent. DMVs that violate the Act are subject to civil penalties.

Under the DPPA, personal information contained in a motor vehicle record may be disclosed for use by any government agency, including any court or law enforcement agency, in carrying out its functions, or to any private person or entity acting on behalf of a Federal, State, or local agency; and for use in connection with any civil, criminal, administrative, or arbitral proceeding in any Federal, State, or local court or agency or before any self-regulatory body, or pursuant to a Federal, State, or local court order.

The Act requires that the driver consent before the state discloses most of this information, but permits disclosure of the 5-digit zip code and “information on vehicular accidents, driving violations and driver's status.” The opinion also notes a number of exceptions, including information required to control emissions, driver safety, thefts, recalls, verifying personal information submitted to a business, and insurance. The private parties that receive this information are also authorized to disclose it to others for the same purposes. And “a private actor who has obtained drivers' information from DMV [Department of Motor Vehicles] records specifically for direct-marketing purposes may resell that information for other direct-marketing uses, but not otherwise.”^[2]

2000 Amendment

In 2000, the Act was amended to create a new class of "highly restricted personal information." This includes an individual's photograph or image, social security number, and medical or disability information. This information may not be shared without the express consent of the person to whom the information applies, except for four purposes stated in the Act.

Remedies

Violation of the DPPA exposes both states and individuals that do not comply with its requirements to sanctions. One of these provides that “a state agency that maintains a ‘policy or practice of substantial noncompliance’ with the Act may be subject to a civil penalty imposed by the United States Attorney General of not more than $5,000 per day of substantial noncompliance.”^[3]

Constitutionality

In 2000, the U.S. Supreme Court upheld that constitutionality of the Act in Reno v. Condon.

References

↑ The term "personal information" is defined as information that identifies an individual, including an individual’s photograph, Social Security number, driver identification number, name, address, telephone number, and medical or disability information, but does not include information on vehicular accidents, driving violations, and driver’s status.
↑ 18 U.S.C. §2721(c).
↑ Id. §2723(b).

[1] The term "personal information" is defined as information that identifies an individual, including an individual’s photograph, Social Security number, driver identification number, name, address, telephone number, and medical or disability information, but does not include information on vehicular accidents, driving violations, and driver’s status.

[2] 18 U.S.C. §2721(c).

[3] Id. §2723(b).

[1]

[2]

[3]