Introduction
The Drivers Privacy Protection Act (DPPA), Public Law No. 103-322 codified as amended by Public Law 106-69, was originally enacted in 1994 to protect the privacy of personal information assembled by State Department of Motor Vehicles (DMVs).
The DPPA prohibits the release or use by any State DMV (or any officer, employee, or contractor thereof) of personal information about an individual obtained by the department in connection with a motor vehicle record. It sets penalties for violations and makes violators liable on a civil action to the individual to whom the released information pertains.
The latest amendment to the DPPA requires states to get permission from individuals before their personal motor vehicle record may be sold or released to third-party marketers.
· 18 U.S.C. § 2721 Text of the Drivers Privacy Protection Act of 1994.
· 18 U.S.C. § 2722 Additional Unlawful Acts.
· 18 U.S.C. § 2723 Penalties.
· 18 U.S.C. § 2724 Civil Action.
· 18 U.S.C. § 2725 Definitions.
· Commentary on the DPPA Cornell Legal Information Institute.
The DPPA ultimately passed as an amendment to 103 H.R. 3355, the Violent Crime Control and Law Enforcement Act of 1994.
· 103 H.R. 3365, the DPPA, as introduced in the House of Representatives by Representative Moran.
· 103 S. 1589, the DPPA, as introduced in the Senate by Senator Boxer.
· 103 H.R. 3355, the Violent Crime Control and Law Enforcement Act of 1994. The DPPA is contained within Title XXX, Section 300001.
In 1999 Congress amended the law to give drivers additional privacy protections. The "Shelby amendment," which took affect June 1, 2000, changed the DPPA to require that states obtain a driver's express consent before releasing any personal information, regardless of whether the request is made for a particular individual's information or in bulk for marketing purposes.
The DPPA survived a Constitutional challenge in Reno v. Condon, 528 U.S. 141 (2000). In that case, the state of South Carolina challenged the DPPA arguing that the Act violated principles of federalism. The Supreme Court upheld the constitutionality of the Act as a proper exercise of Congress' authority to regulate interstate commerce under the Commerce Clause. EPIC filed an amicus brief in that case that argued in part:
The Drivers Privacy Protection Act safeguards the personal information of licensed drivers from improper use or disclosure. It is a valid exercise of federal authority in that it seeks to protect a fundamental privacy interest. It restricts the activities of states only to the extent that it concerns the subsequent use or disclosure of the information in a manner unrelated to the original purpose for which the personal information was collected. The states should not impermissibly burden the right to travel by first compelling the collection of sensitive personal information and then subsequently disclosing the same information for unrelated purposes.
The DPPA's Provisions
The Drivers Privacy Protection Act requires all States to protect the privacy of personal information contained in an individual's motor vehicle record. This information includes the driver's name, address, phone number, Social Security Number, driver identification number, photograph, height, weight, gender, age, certain medical or disability information, and in some states, fingerprints. It does not include information concerning a driver's traffic violations, license status or accidents.
The Act has a number of exceptions. A driver's personal information may be obtained from the department of motor vehicles for any federal, state or local agency use in carrying out its functions; for any state, federal or local proceeding if the proceeding involves a motor vehicle; for automobile and driver safety purposes, such as conducting recall of motor vehicles; and for use in market research activities. Ironically, personal data is still available to licensed private investigators.
The Act imposes criminal fines for non-compliance and grants individuals a private right of action including actual and punitive damages, as well as attorneys fees.
Permissible Uses of a Driver's Motor Vehicle Record
The DPPA limits the use of a driver's motor vehicle record to certain purposes. These purposes are defined in 18 U.S.C. § 2721:
· Legitimate government agency functions.
· Use in matters of motor vehicle safety, theft, emissions, product recalls.
· Motor vehicle market research and surveys.
· "Legitimate" business needs in transactions initiated by the individual to verify accuracy of personal information.
· Use in connection with a civil, criminal, administrative or arbitral proceeding.
· Research activities and statistical reports, so long as personal information is not disclosed or used to contact individuals.
· Insurance activities.
· Notice for towed or impounded vehicles.
· Use by licensed investigators or security service.
· Use by private toll transportation facilities.
· In response to requests for individual records if the State has obtained express consent from the individual.
· For bulk marketing distribution if State has obtained express consent from the individual.
· Use by any requestor where the reqestor can show written consent of the individual.
· For any other legitimate State use if it relates to motor vehicle or public safety.
If an individual has not given consent to the release of a motor vehicle record, the DPPA limits sharing of information once it is obtained. Information may only be shared with other approved users only for permitted uses. In addition, records must be kept of each additional disclosure identifying each person or entity that is receiving the disclosure and for what purpose. The disclosure records must be kept for a period of 5 years.
State Protections May Be Broader than the DPPA
The DPPA, like many other privacy statutes, provides a federal baseline of protections for individuals. The DPPA is only partially preemptive, meaning that except in a few narrow circumstances, state legislatures may pass laws to supplement the protections made by the DPPA.
States were required to comply with the minimum requirements of the DPPA by September 1997. Many states are more restrictive than the federal rules. Certain states, such as Arkansas and Wyoming, only release personal information to the licensee; a person who has written permission from a licensee; or a traffic court, law enforcement, or governmental agency who has a need for such information to perform their required duties.
States differ as to whether the DPPA applies to records of vehicles owned by corporations, proprietorships, partnerships, limited liability partnerships, associations, estates, lienholders, or trusts.
· Reno v. Condon, 528 U.S. 141 (2000). In Condon, the Supreme Court upheld the constitutionality of the Drivers Privacy Protection Act following a challenge by the state of South Carolina which alleged that the Act violated principles of federalism. The Court held that the Act is a proper exercise of Congress' authority to regulate interstate commerce under the Commerce Clause. Read EPIC's amicus brief that was filed in this case (PDF).
· Davis v. Freedom of Information Commission, 259 Conn. 45 (2001). In Davis, the Connecticut Supreme Court ruled that the DPPA does not apply to other government agencies who receive personal information from the State DMV in the course of their normal government functions. Therefore, records compiled by the office of the tax accessor, which were based on state motor vehicle records, were publicly accessible.
· The Constitutionality of the Driver's Privacy Protection Act: A Fork in the Information Access Road, 52 Fed. Comm. L.J. 125 (1999). (PDF)
· Current Development in the Law: A Survey of Federal Cases Involving the Constitutionality of the Driver's Privacy Protection Act, 8 B.U. Pub. Int. L.J. 555 (1999).