The Drivers Privacy Protection Act (DPPA)
and the Privacy of Your State Motor Vehicle RecordIntroduction | DPPA's Provisions
The Drivers Privacy Protection Act (DPPA), Public Law No. 103-322 codified as amended by Public Law 106-69, was originally enacted in 1994 to protect the privacy of personal information assembled by State Department of Motor Vehicles (DMVs).
The DPPA prohibits the release or use by any State DMV (or any officer, employee, or contractor thereof) of personal information about an individual obtained by the department in connection with a motor vehicle record. It sets penalties for violations and makes violators liable on a civil action to the individual to whom the released information pertains.
The latest amendment to the DPPA requires states to get permission from individuals before their personal motor vehicle record may be sold or released to third-party marketers.
- 18 U.S.C. § 2721 Text of the Drivers Privacy Protection Act of 1994.
- 18 U.S.C. § 2722 Additional Unlawful Acts.
- 18 U.S.C. § 2723 Penalties.
- 18 U.S.C. § 2724 Civil Action.
- 18 U.S.C. § 2725 Definitions.
- Commentary on the DPPA Cornell Legal Information Institute.
History of the DPPA
The DPPA was passed in reaction to the 1989 death of actress, Rebecca Schaeffer. A private investigator, hired by an obsessed fan, was able to obtain her address through her California motor vehicle record. The fan used her address information to stalk and to kill her.
In 1999 Congress amended the law to give drivers additional privacy protections. The "Shelby amendment," which took affect June 1, 2000, changed the DPPA to require that states obtain a driver's express consent before releasing any personal information, regardless of whether the request is made for a particular individual's information or in bulk for marketing purposes.
The DPPA survived a Constitutional challenge in Reno v. Condon, 528 U.S. 141 (2000). In that case, the state of South Carolina challenged the DPPA arguing that the Act violated principles of federalism. The Supreme Court upheld the constitutionality of the Act as a proper exercise of Congress' authority to regulate interstate commerce under the Commerce Clause. EPIC filed an amicus brief in that case that argued in part:
The Drivers Privacy Protection Act safeguards the personal information of licensed drivers from improper use or disclosure. It is a valid exercise of federal authority in that it seeks to protect a fundamental privacy interest. It restricts the activities of states only to the extent that it concerns the subsequent use or disclosure of the information in a manner unrelated to the original purpose for which the personal information was collected. The states should not impermissibly burden the right to travel by first compelling the collection of sensitive personal information and then subsequently disclosing the same information for unrelated purposes.
The Drivers Privacy Protection Act requires all States to protect the privacy of personal information contained in an individual's motor vehicle record. This information includes the driver's name, address, phone number, Social Security Number, driver identification number, photograph, height, weight, gender, age, certain medical or disability information, and in some states, fingerprints. It does not include information concerning a driver's traffic violations, license status or accidents.
The Act has a number of exceptions. A driver's personal information may be obtained from the department of motor vehicles for any federal, state or local agency use in carrying out its functions; for any state, federal or local proceeding if the proceeding involves a motor vehicle; for automobile and driver safety purposes, such as conducting recall of motor vehicles; and for use in market research activities. Ironically, personal data is still available to licensed private investigators.
The Act imposes criminal fines for non-compliance and grants individuals a private right of action including actual and punitive damages, as well as attorneys fees.
Permissible Uses of a Driver's Motor Vehicle Record
The DPPA limits the use of a driver's motor vehicle record to certain purposes. These purposes are defined in 18 U.S.C. § 2721:
- Legitimate government agency functions.
- Use in matters of motor vehicle safety, theft, emissions, product recalls.
- Motor vehicle market research and surveys.
- "Legitimate" business needs in transactions initiated by the individual to verify accuracy of personal information.
- Use in connection with a civil, criminal, administrative or arbitral proceeding.
- Research activities and statistical reports, so long as personal information is not disclosed or used to contact individuals.
- Insurance activities.
- Notice for towed or impounded vehicles.
- Use by licensed investigators or security service.
- Use by private toll transportation facilities.
- In response to requests for individual records if the State has obtained express consent from the individual.
- For bulk marketing distribution if State has obtained express consent from the individual.
- Use by any requestor where the reqestor can show written consent of the individual.
- For any other legitimate State use if it relates to motor vehicle or public safety.
If an individual has not given consent to the release of a motor vehicle record, the DPPA limits sharing of information once it is obtained. Information may only be shared with other approved users only for permitted uses. In addition, records must be kept of each additional disclosure identifying each person or entity that is receiving the disclosure and for what purpose. The disclosure records must be kept for a period of 5 years.
State Protections May Be Broader than the DPPA
The DPPA, like many other privacy statutes, provides a federal baseline of protections for individuals. The DPPA is only partially preemptive, meaning that except in a few narrow circumstances, state legislatures may pass laws to supplement the protections made by the DPPA.
States were required to comply with the minimum requirements of the DPPA by September 1997. Many states are more restrictive than the federal rules. Certain states, such as Arkansas and Wyoming, only release personal information to the licensee; a person who has written permission from a licensee; or a traffic court, law enforcement, or governmental agency who has a need for such information to perform their required duties.
States differ as to whether the DPPA applies to records of vehicles owned by corporations, proprietorships, partnerships, limited liability partnerships, associations, estates, lienholders, or trusts.