Fact-checked by Grok 2 weeks ago

Driver's Privacy Protection Act

The Driver's Privacy Protection Act (DPPA) of 1994 is a federal statute, codified at 18 U.S.C. §§ 2721–2725, that prohibits state Departments of Motor Vehicles (DMVs) and their authorized recipients from knowingly disclosing or using extracted from motor vehicle records—such as names, addresses, telephone numbers, Social Security numbers, medical or disability details, and photographs—except under enumerated permissible purposes or with explicit individual consent. Enacted as Title XXX of the Violent Crime Control and Law Enforcement Act (Public Law 103-322) on September 13, 1994, the DPPA responded to documented abuses where commercially sold DMV data enabled stalking, harassment, identity theft, and violent crimes, including high-profile cases like the 1989 murder of actress Rebecca Schaeffer after her address was obtained from California DMV records via a private investigator. The establishes fourteen categories of permissible uses, including functions, safety research, litigation, investigations, and journalistic activities, while imposing civil penalties up to $5,000 per violation, actual , and enforceable through private lawsuits or by the Attorney General. States must implement procedures to restrict access, with non-compliance risking funding cuts, though full implementation was delayed until 1999 amendments addressed constitutional concerns over of state functions. In Reno v. Condon (2000), the unanimously upheld the DPPA's constitutionality, rejecting Tenth Amendment claims that it improperly regulated state disclosure policies, affirming Congress's authority over interstate markets while distinguishing it from direct state coercion. The Act has since spurred extensive litigation, with targeting data brokers, employers, and marketers for improper bulk acquisitions, yielding multimillion-dollar settlements but drawing criticism for enabling opportunistic class actions that sometimes prioritize attorney fees over victim redress. Despite amendments expanding exceptions for and , the DPPA remains a cornerstone of federal , curbing the pre-1994 practice of states profiting from unrestricted sales while balancing public safety needs.

Background and Enactment

Catalyst Incidents and Public Concern

In 1989, the murder of actress exemplified the perils of unrestricted access to state motor vehicle records. On July 18, Schaeffer was shot and killed at her West Hollywood apartment by obsessed stalker , who had enlisted a to obtain her unlisted home address from (DMV) records for a nominal fee. This breach demonstrated how DMV data, readily available to third parties including investigators and criminals, enabled targeted violence by linking vehicle registration details directly to personal residences. Similar pre-1994 incidents amplified concerns over DMV-enabled . In numerous cases, perpetrators visited state offices to acquire victims' addresses, with Senator citing examples across 34 states where such information was obtainable without significant barriers, facilitating and assaults. Anti-abortion activists, for instance, exploited public records to locate and protest at the homes of providers, as seen in the of Susan Wicklund, whose residence was picketed for over a month after her details were sourced from records. These events underscored causal pathways from lax data access to real-world harms, including and , as bulk sales to marketers inadvertently supplied criminals with exploitable personal identifiers like names, addresses, and vehicle information. Public apprehension escalated in the early as awareness grew of systemic vulnerabilities in DMV systems, which many states classified as under open records laws, lacking federal safeguards against misuse. High-profile breaches like Schaeffer's death fueled media coverage and advocacy, revealing how routine disclosures—intended for administrative or commercial uses—eroded individual security without consent or oversight, prompting demands for restrictions to prevent further exploitation by stalkers, thieves, and unwanted solicitors.

Legislative Process and Key Stakeholders

The Driver's Privacy Protection Act was spurred by incidents of misuse of state motor vehicle records, particularly the 1989 murder of actress , in which her obtained her home address from records. This and similar cases in over 30 states involving , , and prompted action to curb unauthorized disclosures of personal information such as names, addresses, and photographs held by state DMVs. Early bills emerged in the 102nd , with Democratic Representative of introducing versions in 1992 to address escalating privacy violations, including those targeting providers and patients. Legislative momentum built in the 103rd , where reintroduced H.R. 3365 on October 26, 1993, prohibiting knowing disclosure of except under limited conditions, while Senator Barbara Boxer sponsored companion S. 1589. Senators like Chuck Robb and Tom Harkin also advocated for the measure, reflecting bipartisan concern over privacy erosion amid rising crime and data commercialization, though the Democratic-majority drove its integration into the broader Violent Crime Control and Law Enforcement Act (H.R. 3355). President Bill Clinton signed the omnibus bill into law on September 13, 1994, with the DPPA provisions (Title XXX) becoming enforceable against states three years later on September 13, 1997, to allow compliance adjustments. Advocacy came primarily from privacy organizations like the Electronic Privacy Information Center (EPIC), which supported the Act through amicus briefs and public campaigns emphasizing empirical risks of data sales to stalkers and criminals, alongside victims' families who testified on personal harms from DMV leaks. Opposing stakeholders included state officials wary of federal mandates infringing on traditional DMV autonomy—leading to challenges like South Carolina's suit in Reno v. Condon—and industries such as insurers and direct marketers, who contended that broad restrictions would impede fraud detection, underwriting accuracy, and targeted advertising reliant on verified records, potentially raising costs without commensurate privacy gains. Negotiations yielded compromises tempering absolute prohibitions with enumerated exceptions for , safety, and commercial needs, preserving data flows deemed essential for public welfare while imposing uniformity over disparate state practices. This balance addressed stakeholders' economic arguments by avoiding total bans on resale or access, though states criticized the shift from voluntary to compelled standards as an overreach lacking direct ties to interstate sales. The process highlighted tensions between individual safeguards and aggregate benefits of record accessibility, with no initial sunset clause limiting the Act's duration.

Core Provisions

Restrictions on Disclosure

The Driver's Privacy Protection Act (DPPA), codified at 18 U.S.C. § 2721 et seq., establishes a general prohibition against state departments of motor vehicles (DMVs), their officers, employees, or contractors knowingly disclosing or making available personal information obtained from motor vehicle records, such as those related to driver's licenses, vehicle registrations, or titles. This restriction targets the routine pre-enactment practices where states freely disseminated such data, often for revenue, enabling its commodification by third parties for tracking, marketing, or other non-public purposes that exposed individuals to harassment, stalking, and identity-related harms. The law's enactment in 1994 responded to documented abuses, including instances where private investigators and adversaries accessed addresses via DMV records to locate targets, as in the 1989 stalking and murder of actress Rebecca Schaeffer after her California DMV data was obtained and sold. "Personal information" under the DPPA is defined expansively in 18 U.S.C. § 2725(3) to encompass any data identifying an , including name, address (excluding 5-digit ), telephone number, photograph or image, , driver identification number, and medical or disability details, but excluding vehicular reports, violations, or licensure status. This broad scope reflects causal recognition that piecemeal identifiers, when aggregated, facilitate or targeted harm, a amplified by pre-DPPA state practices of bulk data sales—such as California's of millions of records annually to commercial entities without safeguards. The prohibition extends to resale or further use of knowingly obtained data, aiming to disrupt chains of unauthorized that treated public-held personal details as unrestricted commodities. For disclosures outside statutorily delineated conditions, the DPPA mandates the individual's affirmative, written consent, revocable at any time, thereby imposing an requirement that relocates the burden from citizens—previously reliant on inconsistent state mechanisms or no protections—to DMVs and custodians as gatekeepers. This framework privileges empirical preservation by default, countering the pre-1994 norm where states like those in high-volume data markets generated significant fees from unrestricted , often exceeding millions in annual per , without accounting for downstream risks.

Permissible Exceptions and Uses

The Driver's Privacy Protection Act (DPPA), codified at 18 U.S.C. § 2721, specifies 14 enumerated permissible uses for disclosing from state motor vehicle records, balancing privacy protections against essential needs in public safety, legal enforcement, and commercial operations. These exceptions permit disclosure without individual consent for purposes such as government agency functions under subsection (b)(1), which include law enforcement investigations and court proceedings to maintain order and security. Similarly, subsection (b)(2) allows access for motor vehicle safety matters, including theft prevention, emissions compliance, and manufacturer recalls, enabling rapid response to hazards affecting public welfare. Subsection (b)(4) authorizes release in civil, criminal, or administrative proceedings, such as service of process or enforcement of judgments, often pursuant to court orders, to uphold judicial processes. Subsection (b)(6) extends to insurers for claims investigation, antifraud activities, and underwriting, supporting risk assessment in a sector reliant on accurate data verification. Distinctions exist between mandatory uses requiring no —such as those in subsections (b)(1) through (b)(10) and (b)(14), which cover employer verification for drivers (b)(9) and state-authorized public safety operations (b)(14)—and conditional uses tied to verifiable purposes or . The latter include individual record requests under (b)(11) and any with written under (b)(13), ensuring targeted while mitigating broad dissemination. For bulk distributions, subsection (b)(5) permits release for research or statistical purposes provided the data is not used to contact individuals or republished with identifiers, preserving analytical utility without direct invasion. Subsection (b)(12), however, mandates express for bulk use in surveys or , a requirement strengthened by a amendment that shifted from an to an opt-in model to curb unsolicited exploitation. Highly restricted personal information, such as Social Security numbers or medical details, faces stricter limits, allowable only under select exceptions like (b)(1), (b)(4), (b)(6), and (b)(9), with otherwise required to prevent misuse in or targeted harm. These provisions emphasize documented permissible purposes to deter pretextual requests, though the flexibility in categories like business fraud prevention under (b)(3) or private investigations under (b)(8) can invite scrutiny over enforcement rigor. Overall, the exceptions prioritize causal benefits, such as enabling notifications (b)(7) or toll facility operations (b)(10), where withholding would impair societal functions more than disclosure risks .

Obligations Imposed on States

The Driver's Privacy Protection Act (DPPA), codified at 18 U.S.C. § 2721 et seq., mandates that state departments of motor vehicles (DMVs) prohibit the knowing disclosure of from motor vehicle records by any officer, employee, or contractor, except for the limited permissible uses enumerated in § 2721(b), such as government agency functions, motor vehicle safety and theft prevention, and court proceedings. This restriction applies to including names, addresses, and photographs, while highly restricted —such as Social Security numbers and medical details—requires the individual's express consent for disclosure in most instances, with narrow exceptions for public safety and legal enforcement. State DMVs must therefore implement internal controls to limit employee and contractor access to records solely for authorized purposes, preventing unauthorized dissemination that could facilitate identity theft or stalking. Under § 2721(e), states are explicitly forbidden from conditioning the issuance of a , vehicle registration, or any record on an individual's provision of express to disclose their , preserving access to essential licensing services without coercing privacy waivers. To facilitate compliance and enable oversight, state DMVs must maintain records of any redisclosures of for a period of five years, supporting potential audits and investigations into misuse. These requirements establish a baseline national standard that overrides state practices allowing broader disclosures, aiming to avert competitive pressures among states to sell data for revenue and thereby erode privacy uniformly across jurisdictions. Implementation of these obligations imposes administrative burdens on states, including system modifications for tracking and request verification, with legislative analyses during the DPPA's enactment identifying substantial costs and efforts required of DMVs. States assume these expenses without reimbursement, as the integrates safeguards into existing record-keeping infrastructures while prohibiting revenue-generating bulk sales absent individual opt-in.

Legal Framework and Challenges

Enforcement Mechanisms and Penalties

The Driver's Privacy Protection Act (DPPA), codified at 18 U.S.C. §§ 2721–2725, establishes a private right of action for individuals aggrieved by violations, enabling civil suits against any person who knowingly obtains, discloses, or uses personal information from state motor vehicle records in violation of the statute's restrictions. Successful plaintiffs may recover actual damages or liquidated damages of $2,500 per violation (whichever is greater), punitive damages upon proof of willful or reckless disregard of the law, reasonable attorneys' fees and litigation costs, and other appropriate equitable relief, such as injunctions. This structure incentivizes private enforcement by providing statutory minima and fee-shifting, which lower barriers to litigation and promote deterrence through individual accountability rather than reliance solely on government action. Criminal penalties under the DPPA target knowing violations by any person, including state department of motor vehicle employees and private recipients of disclosed information, imposing a fine under Title 18 of the U.S. Code but no specified term of . For state departments of motor vehicles exhibiting a policy or practice of substantial noncompliance, the U.S. may impose civil penalties of up to $5,000 per day of noncompliance, serving as a to address systemic failures at the institutional level. These penalties apply to both disclosers and users, extending beyond initial state actors to downstream parties who improperly handle protected data. The General's focuses on injunctive and daily fines against noncompliant agencies, complementing suits by enabling broader remedial actions for ongoing or patterned violations without requiring individualized . Courts in civil actions may also grant preliminary or permanent injunctions to halt improper disclosures, reinforcing the statute's emphasis on preventive measures alongside compensatory remedies. This dual framework— litigation for direct harms and federal oversight for institutional lapses—aims to deter misuse through financial and operational consequences tailored to the violator's scope.

Major Judicial Interpretations

In Reno v. Condon, 528 U.S. 141 (2000), the unanimously upheld the constitutionality of the DPPA against a Tenth Amendment challenge brought by officials, who argued it unlawfully commandeered state operations. The Court held that the Act regulates states as participants in the interstate market for personal information derived from motor vehicle records, which substantially affects interstate commerce, thereby falling within Congress's authority under the . This decision rejected claims of federal overreach into traditional state functions, emphasizing the DPPA's focus on market regulation rather than direct state regulation mandates. Subsequent interpretations have narrowed the scope of permissible uses under the DPPA. In Maracich v. Spears, 570 U.S. 48 (2013), the , in a 6-3 ruling, construed the "litigation" exception (18 U.S.C. § 2721(b)(3)) strictly, holding that obtaining drivers' personal information from state records to potential clients does not qualify as use "in anticipation of litigation." The majority reasoned that constitutes , distinct from investigative activities tied to actual or contemplated judicial proceedings, thereby limiting the exception to purposes causally linked to resolving legal claims rather than client acquisition. This interpretation reinforced the Act's privacy protections by rejecting expansive readings that could undermine disclosure restrictions. Federal courts have also imposed stringent standing requirements for DPPA claims, requiring plaintiffs to demonstrate concrete injury beyond mere statutory violations. In line with TransUnion LLC v. Ramirez (2021), circuit decisions emphasize that bare allegations of improper obtaining or disclosure do not suffice; harm such as , , or tangible invasion must be shown. For instance, rulings have dismissed suits where plaintiffs failed to allege specific misuse leading to injury-in-fact, underscoring that procedural violations alone do not confer Article III standing without causal connection to real-world detriment. This approach has curtailed class actions predicated on speculative risks, prioritizing empirical evidence of harm in DPPA enforcement.

Constitutional Debates

Critics of the Driver's Privacy Protection Act (DPPA) have argued that it exceeds Congress's authority under the Commerce Clause by regulating the disclosure of state-held driver's license data, which traditionally falls within state police powers over motor vehicle administration. They contend that the Act lacks a substantial interstate nexus, as the regulated activity—state management of public records—primarily involves intrastate operations with only attenuated effects on interstate commerce, such as occasional data sales across state lines. This view posits that extending federal power to micromanage state record-keeping practices distorts the enumerated powers framework, potentially justifying broad federal intrusion into areas like public document access without clear economic justification. Under the Tenth Amendment, opponents have raised concerns, asserting that the DPPA effectively directs states to alter their administrative processes for handling records, compelling compliance without offering states a role in federal objectives. For instance, South Carolina's challenge highlighted that the Act intrudes on reserved state authority by prohibiting disclosures that states deem permissible under their own laws, resembling prohibited federal mandates on state legislatures or executives to enforce federal regulatory schemes. Such arguments emphasize that while may regulate private markets, imposing uniform restrictions on state-operated databases commandeers state resources and erodes autonomy over traditionally local functions like licensing and record-keeping. Proponents defend the DPPA as a valid exercise of authority, pointing to evidence of a national market in where state disclosures enable interstate sales by private vendors, creating burdens on through inconsistent protections. They argue that without federal intervention, variations in state practices distort competition and facilitate harms like that spill across borders, justifying regulation of states as participants in this data marketplace rather than as sovereign regulators. However, skeptics counter that empirical data on data sales volumes indicate minimal aggregate economic impact—far outweighed by the Act's -focused aims—suggesting the commerce rationale serves more as a for federalizing state records than addressing genuine market failures. These debates underscore broader tensions, with the DPPA illustrating how conditional federal regulation—tying state funding or compliance to mandates—can indirectly erode state control over public documents without overt . Critics maintain this approach incrementally shifts power from states to the federal government, undermining the Tenth Amendment's reservation of non-delegated powers and inviting expansive precedents for regulating any state-held information with potential secondary economic effects.

Criticisms and Limitations

Questioned Effectiveness Against Misuse

Despite the enactment of the Driver's Privacy Protection Act (DPPA) in 1994, incidents of and involving motor vehicle records have persisted, as private investigators and other actors exploit permissible use exceptions by claiming legitimate purposes such as litigation support or verification, often with minimal scrutiny of requests. For instance, PIs have accessed bulk data at costs as low as one cent per record to track individuals in or cases, enabling surveillance that privacy advocates link to abusive partner relocations, while in places like and have confirmed unauthorized uses but terminated only a handful of access agreements since 2017. DMV verification processes remain inadequate against pretextual claims, as licensing for PIs varies widely by state—requiring merely a filing fee in some jurisdictions—and permits even felons to obtain data through professional networks, undermining the Act's intent to curb falsified access. Data obtained under DPPA exceptions frequently enters hidden resale markets via brokers, where it fuels scammer schemes tailored with personal details like addresses and information, facilitating and beyond original permitted scopes. Comparisons to the pre-DPPA era reveal modest reductions in overt harms, such as the 1989 stalking murder via open records, but residual risks endure not primarily from lax enforcement but from the Act's broad exceptions that enable downstream sharing and pretextual , as evidenced by ongoing revenues from sales exceeding tens of millions annually (e.g., Florida's $77 million yearly). This questions the causal efficacy of the DPPA's design in fully deterring criminal misuse, with organizations like the Resource Center noting outdated provisions amid rising vulnerabilities.

Impacts on Legitimate Data Access

The Driver's Privacy Protection Act's restrictions on personal motor vehicle data disclosure, while permitting exceptions for insurance claims investigation and antifraud activities under 18 U.S.C. § 2721(b)(6), have been narrowed by judicial interpretations that limit access when the predominant purpose involves non-litigation matters, thereby complicating insurers' efforts to verify claims and detect fraud efficiently. In Maracich v. Spears (2013), the Supreme Court emphasized that permissible uses must align strictly with enumerated purposes, excluding incidental solicitation or broader risk assessment, which critics argue deters proactive fraud prevention by imposing uncertainty and potential liability on insurers reliant on verified driver records for underwriting and loss mitigation. Journalistic investigations have similarly faced hurdles, as the absence of an explicit exception for uses forces reliance on vague "legitimate needs" interpretations, often resulting in denied access to records essential for reporting on traffic incidents or vehicle-related scandals. For instance, post-DPPA enactment in , reporters have reported impeded ability to cross-reference driver data with public events, slowing exposés on safety lapses or criminal patterns tied to licensed operators. This has prompted arguments that such barriers undermine the societal utility of informed discourse, prioritizing individual over collective in accountability mechanisms. Researchers conducting traffic safety studies encounter limitations, as bulk data access is confined to anonymized formats under § 2721(b)(11), restricting linkage to individual behaviors or vehicle histories needed for causal analyses of accident patterns. Cases like Senne v. Village of (2012) have imposed "" requirements that further constrain datasets, potentially delaying insights into risk factors and impeding innovations in predictive modeling for . Although exceptions exist for safety and product recalls under § 2721(b)(2), narrow constructions in litigation have led to multimillion-dollar liabilities—such as $80 million in Senne and over $200 million exposure in Maracich—elevating compliance costs that exceed marginal gains for industries dependent on granular data. These constraints illustrate trade-offs where stringent privacy measures overlook utilities in private-sector , such as enhanced actuarial precision for pricing or accelerated recall notifications tied to owner , fostering calls for expanded exceptions to maximize net societal benefits from data-driven advancements. Analyses contend that absolutist interpretations fail to weigh empirical needs against speculative harms, as evidenced by legislative history balancing for and .

Concerns Over Federal Authority

Critics of the Driver's Privacy Protection Act (DPPA) have argued that it exemplifies unnecessary federal intervention into state-administered functions, as driver's licensing and records fall under traditional powers rather than enumerated federal authorities. Legal scholars contend that states possess the capacity to address concerns through tailored mechanisms, such as voluntary provisions for individuals or internal audits of access, which could adapt to regional variations in handling practices without imposing a rigid national standard that overlooks differences in state resources and priorities. This approach, proponents of maintain, would preserve causal at the state level, where officials directly bear the consequences of policy choices, rather than diffusing responsibility through federal mandates. The DPPA's requirements for states to restrict disclosure of personal information from motor vehicle records, including redesigning databases and verification processes, have been criticized as imposing unfunded fiscal burdens that strain state budgets without corresponding federal reimbursements. For instance, implementation in states like Connecticut involved substantial costs and administrative efforts for department of motor vehicles to comply, including system overhauls and staff training, without dedicated funding, raising questions about equitable federalism under the Tenth Amendment's reservation of powers to the states. Such impositions, detractors assert, compel states to allocate resources toward federal objectives at the expense of local needs, potentially incentivizing inefficient one-size-fits-all compliance over state-specific innovations. More broadly, the DPPA has been viewed by advocates as setting a for expansive federal data regulation that incrementally erodes the boundaries of enumerated congressional powers, favoring centralized control over distributed governance better suited to varying contexts. By regulating the internal dissemination of state-held information, even when tied to interstate rationales, the risks normalizing federal dictates on state operations, which could extend to other areas of personal and undermine the constitutional structure designed to limit national overreach. This perspective emphasizes that decentralized solutions enhance responsiveness to empirical risks, as states can experiment and refine policies based on direct loops absent in uniform federal frameworks.

Impact and Evolution

Empirical Outcomes and Data Privacy Effects

Following the enactment of the Driver's Privacy Protection Act (DPPA) in 1994, states shifted from permitting widespread bulk sales of driver records for marketing purposes under systems to stricter opt-in requirements after a 1999 amendment, significantly curtailing unsolicited commercial use of data. This change correlated with anecdotal reductions in -sourced incidents, as the law's restrictions limited access to personal details like addresses that had previously enabled and unwanted solicitations, though comprehensive quantitative tracking of such events remains absent from federal oversight records. The DPPA influenced state-level adoption of enhanced safeguards, establishing a federal baseline that prompted many jurisdictions to codify similar consent mechanisms for records, fostering broader norms against indiscriminate . However, its framework has proven ineffective against modern digital threats, such as cyberattacks on systems that bypass rules entirely; for instance, breaches expose records without invoking permissible uses, leaving the Act's remedies—civil suits with a four-year —as reactive rather than preventive. Empirical evaluations indicate modest net privacy benefits, primarily in curbing pre-digital bulk abuses, but at the expense of procedural hurdles for legitimate inquiries like insurance verification or . No peer-reviewed or government-commissioned studies demonstrate the DPPA's superiority over alternative mechanisms, such as expanded tort liabilities for misuse, nor quantify overall reductions in harms relative to ongoing legal sales to entities like private investigators. Persistent bulk transactions under exceptions underscore unaddressed vulnerabilities, with states generating revenue from permissible resales post-1994 without evident spikes in regulated misuse but amid rising breach risks.

Recent Litigation and Enforcement Trends

Following the uptick in data-driven business practices post-2020, private lawsuits under the DPPA have proliferated, often targeting data brokers and vendors accused of accessing or disclosing personal information from state motor vehicle records without a permissible purpose, such as for or unverified background checks. For example, in , a federal court in the Middle District of granted final approval to a class settlement in Gaston v. Inc., where the defendant agreed to halt the sale of drivers' crash reports to third parties for purposes, resolving allegations of improper under the DPPA. Similar suits against entities handling DMV-derived data have led to multimillion-dollar resolutions, though many settle to avoid protracted discovery rather than concede liability. Federal courts, influenced by Supreme Court precedents like Spokeo v. Robins (2016) and TransUnion LLC v. Ramirez (2021), have imposed stricter standing requirements in DPPA cases, demanding plaintiffs allege concrete harms beyond mere statutory violations to establish Article III jurisdiction. In 2022, the Fourth Circuit affirmed summary judgment for defendants in a case challenging the dissemination of accident reports, ruling that plaintiffs' claimed privacy invasion did not constitute a particularized injury sufficient for standing. The Seventh Circuit followed suit in 2023, upholding dismissal of a proposed class action in a split decision, as plaintiffs failed to demonstrate tangible harm from alleged unauthorized access to driver records. These rulings, spanning multiple circuits from 2019 onward, have diminished the viability of claims predicated solely on technical noncompliance, thereby curbing opportunistic filings driven by the DPPA's liquidated damages provisions of $2,500 to $5,000 per violation. Through 2025, the DPPA has seen no substantive legislative amendments, maintaining its 1994 framework amid the litigation surge, while state privacy statutes like California's CCPA have layered additional restrictions on data brokers' handling of motor vehicle records, requiring verifiable permissible purposes that align with but extend beyond federal baselines. This interplay has prompted hybrid enforcement strategies in states with comprehensive laws, where DPPA violations inform broader compliance audits, though federal courts continue to prioritize injury-based standing to filter marginal claims.

References

  1. [1]
    18 U.S. Code § 2721 - Prohibition on release and use of certain ...
    18 U.S.C. 2721 prohibits state motor vehicle departments from disclosing personal information, except for highly restricted information with express consent, ...
  2. [2]
    The Drivers Privacy Protection Act (DPPA) and the Privacy of Your ...
    The DPPA protects personal information from DMVs, prohibits release of personal data, and requires consent for third-party sales of motor vehicle records.
  3. [3]
    Driver's Privacy Protection Act of 1993 103rd Congress (1993-1994)
    Driver's Privacy Protection Act of 1993 - Amends the Federal criminal code to prohibit disclosure of personal information derived from an individual's motor ...
  4. [4]
    The Driver's Privacy Protection Act of 1994 - CaseGuard
    Oct 21, 2021 · The DPPA was enacted in 1994 in response to a number of high-profile legal cases that stemmed from personal information that was obtained ...<|control11|><|separator|>
  5. [5]
    18 U.S. Code § 2724 - Civil action - Law.Cornell.Edu
    18 U.S. Code § 2724 - Civil action ; (1). actual damages, but not less than liquidated damages in the amount of $2,500; ; (2). punitive damages upon proof of ...Missing: mechanisms 2723
  6. [6]
    [PDF] PennDOT - Federal Driver's Privacy Protection Act Fact Sheet
    The Federal Driver's Privacy Protection Act (DPPA) went into effect in September 13, 1997. The passage of this Act provided additional protection to the ...
  7. [7]
    Federal Driver's Privacy Protection Act - TN.gov
    Effective June 1, 2000, the Federal Driver's Privacy Protection Act (DPPA) (18 U.S.C.A. 2721) as amended by Section 350 of Public Law 106 Appropriations Act ...
  8. [8]
    Understanding the Driver's Privacy Protection Act
    Apr 12, 2025 · The DPPA, passed in 1994, restricts how state DMVs and third parties can share or use personal information from motor vehicle records.
  9. [9]
    Drivers Privacy Protection Act | 18 U.S. Code § 2721
    Dec 12, 2023 · The DPPA protects personal information from misuse by DMVs, prohibiting them from sharing or misusing data obtained from motor vehicle records, ...
  10. [10]
    The Drivers Privacy Protection Act - Why a 1989 Hollywood Murder ...
    Aug 5, 2016 · In 1989, an obsessed fan fatally shot actress Rebecca Schaeffer in the doorway of her West Hollywood home. He had obtained her address from ...Missing: catalyst | Show results with:catalyst
  11. [11]
    How celebrity stalking cases have changed since 1989 murder of ...
    Jul 18, 2014 · It was 25 years ago that obsessed fan Robert Bardo used DMV records to track down 21-year old actress Rebecca Schaeffer at her home.<|separator|>
  12. [12]
    [PDF] EPIC- The Drivers Privacy Protection Act (DPPA ... - Supreme Court
    Driver's Privacy Protection Act, 8 B.U. Pub. Int. L.J. 555 (1999). Previous Top News. •. Supreme Court Upholds Drivers' Privacy Law. The Supreme Court issued ...<|separator|>
  13. [13]
    The Dark History Behind the Driver's Privacy Protection Act and Why ...
    May 14, 2024 · The DPPA was created due to the sale of personal information, stalking, robbery, and murder, including the murder of Rebecca Schaeffer.Missing: enactment | Show results with:enactment
  14. [14]
    Death of actress aided by state's failure to protect data in 1989
    Sep 3, 2020 · The 1989 death of actress Rebecca Schaeffer is a prominent example of failure to safeguard confidential and personal data entrusted to a state agency.Missing: catalyst | Show results with:catalyst
  15. [15]
    Mitigating Targeted Violence in Our Communities
    Jun 3, 2020 · It also led to the passing of the Driver's Privacy Protection Act, prohibiting the release of home addresses.
  16. [16]
    RENO V. CONDON - Law.Cornell.Edu
    South Carolina law conflicts with the DPPA's provisions. Following the DPPA's enactment, South Carolina and its Attorney General filed this suit, alleging that ...Missing: opposition | Show results with:opposition
  17. [17]
    https://www.law.cornell.edu/uscode/text/18/2725
  18. [18]
    Drivers Privacy Protection Act (DPPA) – Comprehensive Overview ...
    Aug 1, 2023 · The Driver's Privacy Protection Act (DPPA), enacted in 1994, safeguards personal information in state motor vehicle records by prohibiting ...
  19. [19]
    18 U.S. Code § 2723 - Penalties - Law.Cornell.Edu
    Any State department of motor vehicles that has a policy or practice of substantial noncompliance with this chapter shall be subject to a civil penalty ...Missing: Driver's mechanisms 2724
  20. [20]
    Reno v. Condon | 528 U.S. 141 (2000)
    Concluding that the DPPA is incompatible with the principles of federalism inherent in the Constitution's division of power between the States and the Federal ...
  21. [21]
    RENO V. CONDON - Law.Cornell.Edu
    The District Court concluded that the Act is incompatible with the principles of federalism inherent in the Constitution's division of power between the States ...
  22. [22]
    Reno v. Condon | Oyez
    Nov 10, 1999 · The District Court concluded that the DPPA was incompatible with the principles of federalism, granted summary judgement for the State, and ...
  23. [23]
    Maracich v. Spears | Oyez
    Jan 9, 2013 · The Supreme Court held that the exceptions to the DPPA's protections do not encompass the use of personal information for solicitation of legal clients.<|control11|><|separator|>
  24. [24]
    Opinion analysis: Turns out, turnabout is fair play - SCOTUSblog
    Jun 17, 2013 · As a result, the Court held that the litigation exemption only applies when protected driver information is used to determine whether a claim ...Missing: major | Show results with:major
  25. [25]
    Maracich v. Spears – EPIC – Electronic Privacy Information Center
    This case presents an issue of first impression for the Supreme Court: the scope of the “litigation” exception under the Drivers' Privacy Protection Act (“DPPA”) ...Missing: major judicial
  26. [26]
    William Garey v. James S. Farrin, P.C., No. 21-1478 (4th Cir. 2022)
    The district court held that, although Plaintiffs have standing to bring their claims, the claim failed on the merits. ... reports; however, Plaintiffs failed to ...
  27. [27]
    Fourth Circuit Grants Summary Judgment to Defendant in Driver ...
    Jun 15, 2022 · The Fourth Circuit recently affirmed the Middle District of North Carolina's grant of summary judgment in favor of the Defendants in a Driver's Privacy ...
  28. [28]
    GAREY v. United States of America, Intervenor. (2022) | FindLaw
    Jun 3, 2022 · Having amended their complaint to jettison a “use” theory of DPPA liability and bring only an “obtaining” claim, the Garey Plaintiffs cannot now ...
  29. [29]
    [PDF] Is the Driver's Privacy Protection Act Constitutional Under the
    Because the DPPA is within the federal government's enumerated power under the Commerce Clause, under the formalistic approach of. Lopez and perhaps under the ...
  30. [30]
    [PDF] State Sale of Driver's License Data Sparks Debate over Federal ...
    Circuit struck down the DPPA as unconstitutional, ruling that Congress lacked authority for its passage under either the Commerce Clause or the Fourteenth ...
  31. [31]
    Federal Driver's Privacy Protection Act
    RE: Federal Driver's Privacy Protection Act. You asked if (1) the federal Driver's Privacy Protection Act has been declared unconstitutional because it ...
  32. [32]
    [PDF] New York, Printz, and the Driver's Privacy Protection Act
    17 This Note will argue that the DPPA is a constitutionally valid legislative enactment under the anti- commandeering principle articulated by the Court in ...<|separator|>
  33. [33]
    [PDF] Right Result, Wrong Reasons: Reno v. Condon
    For the first time in a decade, the Supreme Court rejected a federalism challenge to a federal statute and upheld the constitutionality of the federal Drivers' ...
  34. [34]
    Reno v. Condon - Merits | United States Department of Justice
    Oct 21, 2014 · One highly publicized example involved the murder of actress Rebecca Schaeffer ... "Unlike the federal statute in New York, the DPPA does not ...Missing: bills Jim
  35. [35]
    Constitutional Authority to Regulate the Privacy of State-Collected ...
    Jun 26, 2020 · This Legal Sidebar examines constitutional limitations on Congress's regulation of state activity, particularly in the context of applying federal privacy ...
  36. [36]
    DMVs Are Selling Your Data to Private Investigators - VICE
    Sep 6, 2019 · The DPPA was created in 1994 after a private investigator, hired by a stalker, obtained the address of actress Rebecca Schaeffer from a DMV. The ...<|separator|>
  37. [37]
    New Report Finds DMVs are Selling Personal Information - ITRC
    Oct 11, 2019 · DMVs in several different states are selling personal information that belongs to drivers' to third-parties for as little as one cent per record.
  38. [38]
    The Hidden Market in DMV Records - ObscureIQ
    Sep 25, 2025 · Here's the twist: data brokers rarely buy DMV data directly. Instead, the DMV sells access to permitted buyers under the DPPA. Like insurers ...Missing: EPIC underground
  39. [39]
    https://www.supremecourt.gov/opinions/12pdf/12-25_8n59.pdf
  40. [40]
    [PDF] An Argument for Broader Interpretation of Permissible Uses Under ...
    Dec 1, 2014 · The Driver's Privacy Protection Act of 1994 (DPPA) was passed as part of an omnibus crime bill to protect the privacy of individuals from ...
  41. [41]
    [PDF] Use of Public Record Databases in Newspaper and Television ...
    Watkins, Jr., The Driver's Privacy Protection Act: Congress Makes a Wrong ... 40 This has hindered journalists' attempts to gather information and ...
  42. [42]
    "Challenging the Federal Driver's Privacy Protection Act: The Next ...
    Challenging the Federal Driver's Privacy Protection Act: The Next Step in Developing a Jurisprudence of Process-Oriented Federalism Under the Tenth Amendment ...
  43. [43]
    https://repository.law.indiana.edu/cgi/viewcontent.cgi?article=1219&context=fclj
  44. [44]
    [PDF] Challenging the Federal Driver's Privacy Protection Act - CORE
    Jan 10, 1998 · Part V analyzes the Tenth Amendment issues in greater depth and explains how the DPPA litigation directs attention to the next logi- cal ...
  45. [45]
    [PDF] Federal Controls On State Information Disclosure:
    DPPA after the law was amended in 1999, changing the opt-out standard for bulk marketing sales to the stricter opt-in standard, there have been several ...
  46. [46]
    Companies Can Buy Bulk DMV Records, Court Says
    (CN) - Businesses can buy and resell motor vehicle records in bulk without actually using them, so long as they intend to use them for "permissible purposes ...<|separator|>
  47. [47]
    Report: DMVs Sell Your Personal Information For Millions Of Dollars
    Feb 6, 2020 · North Carolina's DMV has reportedly made more than $4 million in the past five years from selling drivers' personal information.
  48. [48]
    Litigation - Privacy World
    Keep up with the latest in TCPA regulatory developments, case law and litigation trends ... Driver's Privacy Protection Act (DPPA), Dutch Data Protection ...
  49. [49]
    Settlement Over Disclosure of Driver's Information Receives Final ...
    Jun 8, 2021 · The court held that the DMV-349 crash reports are “motor vehicle records” under the DPPA. Additionally, “based on Defendants' admission that ...
  50. [50]
    Court approves final settlement in LexisNexis driver record privacy suit
    May 27, 2021 · LexisNexis Risk Solutions Inc. has agreed to stop selling drivers' crash reports to third parties for marketing and solicitation purposes.Missing: post- | Show results with:post-
  51. [51]
    Fourth Circuit Holds Drivers Fall Short on Standing in Accident ...
    Jun 23, 2022 · The Fourth Circuit considered standing and more in a previously thwarted class action concerning federal privacy protection for motor vehicle records.Missing: era comparison
  52. [52]
    7th Circuit affirms dismissal of proposed Driver's Privacy Protection ...
    Aug 25, 2023 · In a split decision, the majority opinion held that plaintiffs failed to establish standing to bring a lawsuit under the Driver's Privacy ...Missing: 2019-2025 | Show results with:2019-2025
  53. [53]
    US State Comprehensive Privacy Laws Report - IAPP
    This report analyzes similarities and differences between the 19 enacted comprehensive US state privacy laws.Missing: DPPA | Show results with:DPPA
  54. [54]
    Federal Court Dismisses Driver Privacy Class Action, Holding ...
    Aug 10, 2021 · The statute contains a private right of action. The court relying on Gaston found that Plaintiff's DPPA claim was deficient as a matter of law.