The Drivers Privacy Protection Act (DPPA) and the Privacy of Your State Motor Vehicle Record

Introduction

The Drivers Privacy Protection Act (DPPA), Public Law No. 103-322 codified as amended by Public Law 106-69, was originally enacted in 1994 to protect the privacy of personal information assembled by State Department of Motor Vehicles (DMVs).

The DPPA prohibits the release or use by any State DMV (or any officer, employee, or contractor thereof) of personal information about an individual obtained by the department in connection with a motor vehicle record. It sets penalties for violations and makes violators liable on a civil action to the individual to whom the released information pertains.

The latest amendment to the DPPA requires states to get permission from individuals before their personal motor vehicle record may be sold or released to third-party marketers.

History of the DPPA

The DPPA was passed in reaction to the a series of abuses of drivers’ personal information held by government. The 1989 death of actress Rebecca Schaeffer was a prominent example of such abuse. In that case, a private investigator, hired by an obsessed fan, was able to obtain Rebecca Schaeffer’s address through her California motor vehicle record. The fan used her address information to stalk and to kill her. Other incidents cited by Congress included a ring of Iowa home robbers who targeted victims by writing down the license plates of expensive cars and obtaining home address information from the State’s department of motor vehicles.

Senator Barbara Boxer, who sponsored 103 S. 1589, a version of the DPPA, cited other examples where stalkers were able to find victims by simply visiting a DMV. She argued that in “34 States, someone [could] walk into a State Motor Vehicle Department with your license plate number and a few dollars and walk out with your name and home address.” Senator Boxer also said:

“In Tempe, AZ, a woman was murdered by a man who had obtained her home address from that State’s DMV.

And, in California, a 31-year-old man copied down the license plate numbers of five women in their early twenties, obtained their home address from the DMV and then sent them threatening letters at home. I want to briefly read from two of those letters.

I’m lonely and so I thought of you. I’ll give you one week to respond or I will come looking for you.

Another one read:

I looked for you though all I knew about you was your license plate. Now I know more and yet nothing. I know you’re a Libra, but I don’t know what it’s like to smell your hair while I’m kissing your neck and holding you in my arms.

When they apprehended him, they found in his possession a book entitled `You Can Find Anyone’ which spelled out how to do just that using someone’s license plate.

Senator Chuck Robb also spoke in favor of the DPPA:

“The right to privacy, without which the Americans are not secure in their own homes, is seriously threatened. It is easy for anyone anywhere to access information as personal as your address and phone number, even if they are not listed in the telephone directory. Even your Social Security number is available, and the chief agent giving out this kind of information is the very government that is supposed to protect its citizens.

Many Americans are infuriated and, more importantly, they are vulnerable to these violations of privacy which happen in 34 States in this country every day, my own included.

Recently, a woman in Virginia was shocked to discover black balloons and antiabortion literature on her doorstep days after she had visited a health clinic that performs abortions. Apparently, someone used her license plate number to track down personal information which was used to stalk her.

In another case in Georgia, an obsessive fan obtained the home address of a fashion model from the State Department of Motor Vehicles and assaulted her in front of her apartment.

These are but two examples of how simple it is to submit a driver’s license number, pay a nominal fee to the DMV and receive a person’s name and address. This is no mere loophole in a system, it is a visible gap that needs to be plugged.

Senator Harkin also spoke favorably of the DPPA, noting that:

“The Drivers Privacy Protection Act, of which I am an original cosponsor, strikes a fair balance between reasonable interests of the State and the public in this information, and the rights of private citizens to be left alone.

I became aware of this issue through the plight of one of my constituents, Karen Stewart. Karen was a patient of Dr. Herbert Remer, a physician who specializes in obstetrics and gynecological care in the Des Moines area. Because Dr. Remer performs abortions, his clinic has been the site of repeated protests by those who oppose women’s right to choose.

But Karen was going to Dr. Remer to save her pregnancy, not to terminate it. She was experiencing complications, and went to Dr. Remer for treatment. Unfortunately, a few days after the visit, Karen suffered a miscarriage.

And then she received the letter. Extremists from Operation Rescue sent a venomous letter apparently intended to traumatize Dr. Remer’s patients. The letter spoke of `God’s curses for the shedding of innocent blood,’ and ‘the guilt of having killed one’s own child.’ They got her name and address from department of transportation records, after they spotted her car parked near Dr. Remer’s clinic.

The DPPA ultimately passed as an amendment to 103 H.R. 3355, the Violent Crime Control and Law Enforcement Act of 1994.

  • 103 H.R. 3365, the DPPA, as introduced in the House of Representatives by Representative Moran.
  • 103 S. 1589, the DPPA, as introduced in the Senate by Senator Boxer.
  • 103 H.R. 3355, the Violent Crime Control and Law Enforcement Act of 1994. The DPPA is contained within Title XXX, Section 300001.

In 1999 Congress amended the law to give drivers additional privacy protections. The “Shelby amendment,” which took affect June 1, 2000, changed the DPPA to require that states obtain a driver’s express consent before releasing any personal information, regardless of whether the request is made for a particular individual’s information or in bulk for marketing purposes.

The DPPA survived a Constitutional challenge in Reno v. Condon, 528 U.S. 141 (2000). In that case, the state of South Carolina challenged the DPPA arguing that the Act violated principles of federalism. The Supreme Court upheld the constitutionality of the Act as a proper exercise of Congress’ authority to regulate interstate commerce under the Commerce Clause. EPIC filed an amicus brief in that case that argued in part:

The Drivers Privacy Protection Act safeguards the personal information of licensed drivers from improper use or disclosure. It is a valid exercise of federal authority in that it seeks to protect a fundamental privacy interest. It restricts the activities of states only to the extent that it concerns the subsequent use or disclosure of the information in a manner unrelated to the original purpose for which the personal information was collected. The states should not impermissibly burden the right to travel by first compelling the collection of sensitive personal information and then subsequently disclosing the same information for unrelated purposes.

The DPPA’s Provisions

The Drivers Privacy Protection Act requires all States to protect the privacy of personal information contained in an individual’s motor vehicle record. This information includes the driver’s name, address, phone number, Social Security Number, driver identification number, photograph, height, weight, gender, age, certain medical or disability information, and in some states, fingerprints. It does not include information concerning a driver’s traffic violations, license status or accidents.

The Act has a number of exceptions. A driver’s personal information may be obtained from the department of motor vehicles for any federal, state or local agency use in carrying out its functions; for any state, federal or local proceeding if the proceeding involves a motor vehicle; for automobile and driver safety purposes, such as conducting recall of motor vehicles; and for use in market research activities. Ironically, personal data is still available to licensed private investigators.

The Act imposes criminal fines for non-compliance and grants individuals a private right of action including actual and punitive damages, as well as attorneys fees.

Permissible Uses of a Driver’s Motor Vehicle Record

The DPPA limits the use of a driver’s motor vehicle record to certain purposes. These purposes are defined in 18 U.S.C. § 2721:

  • Legitimate government agency functions.
  • Use in matters of motor vehicle safety, theft, emissions, product recalls.
  • Motor vehicle market research and surveys.
  • “Legitimate” business needs in transactions initiated by the individual to verify accuracy of personal information.
  • Use in connection with a civil, criminal, administrative or arbitral proceeding.
  • Research activities and statistical reports, so long as personal information is not disclosed or used to contact individuals.
  • Insurance activities.
  • Notice for towed or impounded vehicles.
  • Use by licensed investigators or security service.
  • Use by private toll transportation facilities.
  • In response to requests for individual records if the State has obtained express consent from the individual.
  • For bulk marketing distribution if State has obtained express consent from the individual.
  • Use by any requestor where the reqestor can show written consent of the individual.
  • For any other legitimate State use if it relates to motor vehicle or public safety.

If an individual has not given consent to the release of a motor vehicle record, the DPPA limits sharing of information once it is obtained. Information may only be shared with other approved users only for permitted uses. In addition, records must be kept of each additional disclosure identifying each person or entity that is receiving the disclosure and for what purpose. The disclosure records must be kept for a period of 5 years.

State Protections May Be Broader than the DPPA

The DPPA, like many other privacy statutes, provides a federal baseline of protections for individuals. The DPPA is only partially preemptive, meaning that except in a few narrow circumstances, state legislatures may pass laws to supplement the protections made by the DPPA.

States were required to comply with the minimum requirements of the DPPA by September 1997. Many states are more restrictive than the federal rules. Certain states, such as Arkansas and Wyoming, only release personal information to the licensee; a person who has written permission from a licensee; or a traffic court, law enforcement, or governmental agency who has a need for such information to perform their required duties.

States differ as to whether the DPPA applies to records of vehicles owned by corporations, proprietorships, partnerships, limited liability partnerships, associations, estates, lienholders, or trusts.

Cases

  • Reno v. Condon, 528 U.S. 141 (2000). In Condon, the Supreme Court upheld the constitutionality of the Drivers Privacy Protection Act following a challenge by the state of South Carolina which alleged that the Act violated principles of federalism. The Court held that the Act is a proper exercise of Congress’ authority to regulate interstate commerce under the Commerce Clause. Read EPIC’s amicus brief that was filed in this case (PDF).
  • Davis v. Freedom of Information Commission, 259 Conn. 45 (2001). In Davis, the Connecticut Supreme Court ruled that the DPPA does not apply to other government agencies who receive personal information from the State DMV in the course of their normal government functions. Therefore, records compiled by the office of the tax accessor, which were based on state motor vehicle records, were publicly accessible.

Resources