The DPPA, Fortifying Driver Privacy in the U.S.

October 21, 2021 | 5 minutes read
The DPPA, Fortifying Driver Privacy in the U.S.

The Driver’s Privacy Protection Act of 1994 or DPPA for short is a federal law that was passed in 1994 for the purpose of limiting the disclosure of the personal information that U.S. citizens submit to their local departments of motor vehicles or DMV. Under the DPPA, the DMV is strictly prohibited from disclosing the personal information of individuals, unless an individual grants their consent to such disclosure. Subsequently, the DPPA defines what constitutes personal information or data under the law, as well as the legal and administrative penalties that can result from failing to adhere to the provisions laid forth by the law. Moreover, the DDPA also regulates the commercial and business use of personal information in the context of disclosure from the DMV.

How is personal information defined under the DPPA?

Under the DPPA, personal information is defined as “information that identifies an individual,” including their photograph, social security number, driver identification number, name, address (but not the five-digit zip code), telephone number, and medical or disability information”. Under the DDPA, disclosing any of these various forms of personal information are strictly prohibited. Alternatively, the DPPA does not protect other forms of personal information related to an individual’s motor vehicle record. Per the DPPA, “Personal information does not include information on car accidents, driving violations or driver’s status”. The DPPA also defines “highly restricted personal information” to include “an individual’s photograph or image, social security number, medical or disability information”.

The highly restricted personal information of an American citizen can only be disclosed under certain circumstances, such as an instance in which a law enforcement officer or agency needed such information in order to carry out a legal function. Furthermore, the DPPA defines an individual’s motor vehicle record to mean “any record that pertains to a motor vehicle operator’s permit, motor vehicle title, motor vehicle registration, or identification card issued by a department of motor vehicles”.

However, due to variations in driving laws from state to state around the country, there have been some cases that have brought into question whether or not an individual’s driver’s license is a part of their motor vehicle record. However, in practice, most courts around the country have held that taking information from an individual’s physical driving record does not constitute taking information from their motor vehicle record.

Why was the DPPA needed?

The DPPA was enacted in 1994 in response to a number of high-profile legal cases that stemmed from personal information that was obtained through accessing an individual’s motor vehicle record. For context, the DMV was permitted to sell the personal information they had obtained from American citizens when rendering services, as no laws existed that regulated such disclosures. One of the legal cases that led to the passing of the DPPA was the death of actress and T.V. star Rebecca Schaeffer. On July 18, 1989, Rebecca Schaeffer was killed by Robert John Bardo at her West Hollywood home by a fan.

Bardo was a fan who was obsessed with Schaeffer and had spent more than three years stalking her. To this end, Bardo was able to acquire personal information regarding Schaeffer through the means of a detective agency, which had obtained Schaeffer through records accessed via the California Department of Motor Vehicles. Bardo then used this information to locate Schaeffer’s West Hollywood address, visit said address, and ultimately shoot and kill Schaeffer. Following the publicity of this harrowing and dreadful case, the U.S. government passed federal legislation in the form of the DPPA to avoid having such cases occur in the future.

What are the circumstances in which the DMV can release an individual’s motor vehicle record?

In line with the standard operating procedures of the DMV, an individual’s motor vehicle record may be disclosed in a variety of circumstances involving the operating of a motor vehicle, as well as legal situations that may arise from the improper operating of the said motor vehicle. For example, the DMV is permitted to disclose an individual’s personal information for the purposes of motor vehicle product alterations, as well as instances involving a motor vehicle or driver safety, as well as applicable crimes such as theft or destruction of property. Additionally, the DPPA also sets forth the fourteen “permissible uses” in which an individual’s personal information can be disclosed without violating the law. Some of these permissible uses include:

What’s more, personal information obtained from the DMV can also be used for commercial and business functions, permitting said use is authorized under the provisions of the DPPA. For example, an individual may consent to have their personal information obtained by the DMV used for commercial purposes. A company or business may also be permitted to access such personal information for use in an advertisement, or in conjunction with an official mailing sent on behalf of an official DMV business, such as reminders for an individual to renew their motor vehicle registration.

In terms of the penalties that may be imposed against individuals and agencies who fail to comply with the provisions laid down in the DPPA, anyone who is found to have obtained the personal information of an individual through the DMV is subject to a monetary fine, which can be as high a $5,000 per day that an individual or agency is found to be non-compliant. The law also allows individuals whose rights have been violated under the law to bring forth civil liability charges through a private right of action claim, including liquidated damages of up to $2,500 per violation.

While the notion of obtaining an individual’s personal information through the Department of Motor Vehicles may seem far-fetched in 2021, the practice was completely legal before the passing of the DDPA in 1994. As the death of Rebecca Schaeffer highlighted the wide range of consequences that could result from such unregulated disclosures of personal information, the passing of the DPPA was very much needed. Through the DDPA, individuals can now have the peace of mind that the personal information they share with the DMV will not be disclosed without their consent, or for purposes that would not put their life or freedom in danger.

Related Reads

Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy
September 06, 2023 | 4 minutes read
Blurring Faces from Videos and The Truth About Body-Worn Camera Privacy

Body-worn cameras are an essential piece of equipment for law enforcement officers and the redaction of faces from BWC footage is necessary to protect the privacy of individuals.

Learn More »
Sensitive Information, Protected: Patient Privacy, HIPAA, And You
August 30, 2023 | 4 minutes read
Sensitive Information, Protected: Patient Privacy, HIPAA, And You

HIPAA compliance ensures patient privacy. Often making the consequences of non-compliance severe, so how do you avoid that?

Learn More »
Protecting Privacy in the Healthcare Field: PII, PHI & PCI
July 12, 2023 | 5 minutes read
Protecting Privacy in the Healthcare Field: PII, PHI & PCI

Healthcare professionals handle a wide range of sensitive data that is crucial for delivering quality care. But protecting that data is getting harder.

Learn More »
FISA Section 702, Is The US Government Monitoring You?
June 26, 2023 | 6 minutes read
FISA Section 702, Is The US Government Monitoring You?

Is there a give-and-take relationship that must be accepted when it comes to keeping the country safe? Should U.S. persons be okay with the incidental collection of their conversations in the name of national security under FISA Section 702? Even when it violates their constitutional rights? Well, that’s up to Congress to decide.

Learn More »
The Gap You Won’t Want to Close: Air-Gapped Systems
June 05, 2023 | 6 minutes read
The Gap You Won’t Want to Close: Air-Gapped Systems

An air-gapped system is a computer, or network that is physically isolated from any external connections and networks which includes the Internet. It operates in total isolation with neither wired nor wireless connections to other devices.

Learn More »
Using Redaction for Privacy Maintenance as An Investigator
May 31, 2023 | 5 minutes read
Using Redaction for Privacy Maintenance as An Investigator

These oaths emphasize upholding the law, serving the public, and protecting the rights of individuals. One of these many rights is privacy. An investigator must adhere to the legal and ethical guidelines within the jurisdiction and perform their investigation within those specifically set boundaries.

Learn More »