Driver's Privacy Protection Act
The Driver's Privacy Protection Act of 1994 (also referred to as the "DPPA"), Title XXX of the Violent Crime Control and Law Enforcement Act, is a United States federal statute governing the privacy and disclosure of personal information gathered by state Departments of Motor Vehicles.
The law was passed in 1994. It was introduced by Democratic Rep. Jim Moran of Virginia in 1992, after an increase in some opponents of abortion using public driving license databases to track down and harass abortion providers and patients. Prominent among such cases was physician Susan Wicklund, who faced protests and harassment including her house being picketed for a month.[1] The law is currently codified at Chapter 123 of Title 18 of the United States Code.[2]
Substantive provisions of the act
The statute prohibits the disclosure of personal information (as defined in 18 U.S.C. § 2725) without the express consent of the person to whom such information applies, with the exception of certain circumstances set forth in 18 U.S.C. § 2721. These rules apply to Departments of Motor Vehicles as well as other "authorized recipient[s] of personal information", and imposes record-keeping requirements on those "authorized recipients."
The permissible uses are:[3]
- For any government agency to carry out its functions
- For use in connection with "matters of motor vehicle or driver safety and theft", including
- disclosure "in connection with matters of motor vehicle or driver safety and theft, motor vehicle emissions, motor vehicle product alterations, recalls, or advisories, performance monitoring of motor vehicles and dealers by motor vehicle manufacturers"
- removal of non-owner records from the original owner records of motor vehicle manufacturers to carry out the purposes of the Automobile Information Disclosure Act, the Motor Vehicle Information and Cost Saving Act, the National Traffic and Motor Vehicle Safety Act of 1966, the Anti-Car Theft Act of 1992, and the Clean Air Act
- For use in the normal course of business by a legitimate business or its agents, employees, or contractors, but only to:
- verify the accuracy of personal information
- correct information
- For use in connection with any matter before a court or arbitration proceeding.
- For producing statistical reports and other research, provided that personal information is not published.
- For use by insurance companies.
- For providing notice to owners of towed vehicles.
- For use by licensed private investigation agencies, for a permitted DPPA use.
- For use by employers to verify commercial driver information as required by U.S. Code Title 49, subtitle VI, chapter 313.
- For use by private toll transportation facilities.
- For response to requests from motor vehicle departments.
- For the bulk distribution of surveys, marketing materials, or solicitations (opt-in only).
- When written consent of the individual is provided.
- For other uses specifically authorized by state laws.
The act also makes it illegal to obtain drivers' information for unlawful purposes or to make false representations to obtain such information.[4] The act establishes criminal fines for noncompliance,[5] and establishes a civil cause of action for drivers against those who unlawfully obtain their information.[6]
Legislative history
After Rebecca Schaeffer was murdered in 1989 by Robert John Bardo who found her address by a private detective agency's use of DMV records, the easy availability of personal information from the DMV was called into question.[7]
The bill was introduced simultaneously during the 103rd United States Congress in the House of Representatives (as H.R. 3365[8]) and the Senate (as S. 1589[9]) on 26 October 1993. The text of the bill was incorporated into H.R. 3355, the Violent Crime Control and Law Enforcement Act of 1994, which was eventually signed by President Bill Clinton as part of Public Law 103–322 on September 13, 1994.[10]
The statute's constitutionality was upheld by the U.S. Supreme Court against a Tenth Amendment challenge in Reno v. Condon.[11]
Jurisprudence
With the emergence of new-age computing technology and devices in the early 2000s came collection, processing, aggregation, correlation, and redisclosure of user's data. Websites, 3rd party advertising, and tracking firms began using mechanisms that violated a user's privacy. While "online" data identifying the user's computing technology was helpful, such data benefit was limited. Advertising entities had a millisecond while users were online to market their products; moreover, in order to "track" consumers by obtaining computing device data, HTML cookies were added to their devices.[12] Since most computers and users deleted any cookies when they shut down their devices, this tracking mechanism failed to provide long-term tracking. What was needed was a means to associate "online" data activities with "offline" data, referencing personal information contained in public records, (Today, the objective is to associate "online" data with "offline" data and Biometrics, the new "Holy Grail" of advertising data). The most accurate source of offline data and the cheapest was motor vehicle records maintained by the DMVs.
Since computer technology was progressing rapidly, federal and state laws had failed to be proactive, a risk to society of ungoverned technology. As such, litigation for violations was relatively non-existent. A new method to litigate Federal privacy cases was needed to protect the hundreds of millions of people violated by unauthorized tracking user's activities “Online” and “Offline” (public records). This was a formidable task since no law firms had litigated privacy cases involving the computer technology inherent within the exchange of user data between third-party affiliated entities, thus there was no case precedent, no "blueprint" to follow. Earlier cases, such as the double-click "cookie" case in 2001, had relied on using a wiretap statute, the Electronic Communication Privacy Act ("ECPA"). While a plausible allegation, it was a weak allegation since the website user had granted such permissible use within the website's term of service ("TOS").
In Kehoe v. Fidelity Federal Bank and Trust, James Kehoe sued Fidelity Bank for purchasing hundreds of thousands of motor vehicle records from the state of Florida in violation of the federal Drivers Privacy Protection Act. Fidelity Bank had purchased 565,600 names and addresses from the Florida motor vehicles department from June 2000 – 2003. This information was sold for pennies—literally, Fidelity was able to obtain the information for only $5,656. Fidelity used the information to target residents of Palm Beach, Martin, and Broward Counties for car loan solicitations. The U.S. District Court for the Southern District of Florida ruled in June 2004 that James Kehoe needed to demonstrate actual damages before obtaining any monetary recovery under the DPPA. The Court relied upon the recently decided Doe v. Chao and statutory construction rules to rule that the DPPA's liquidated damages do not accrue to a plaintiff unless he can show actual damages. Kehoe appealed to the 11th Circuit Court of Appeals which ruled: "...The statute at issue is the Driver's Privacy Protection Act, 18 U.S.C. § 2721, et seq. ("DPPA"). Having considered the plain text of the statute, we conclude that a plaintiff need not prove actual damages to recover liquidated damages for a violation of the DPPA. Since the district court reached a contrary conclusion, we reverse and remand". Kehoe v. Fidelity Federal Bank & Trust, 421 F. 3d 1209 (11th Cir. 2005), cert. denied.
While the Kehoe case was on appeal to the 11th circuit, then to SCOTUS, the Law Offices of Joseph Malley P.C. began an extensive freedom of information requests to all state DMVs, requesting any and all documents on persons and companies obtaining the DMV database in bulk, referencing the obtainment of all DMV records and periodic updates. The research and followup with all state DMVs would take more than a year. The firm was able to ID 36 State DMVs that were selling motor vehicle records in bulk. An analysis then was required of all of the people and entities obtaining the data to determine if it appeared they had a DPPA permissible use as required by the DPPA. Extensive follow-up discussions with all DMV officials were required to obtain additional information. Gambling on the outcome of the SCOTUS ruling, the extensive research turned out not to be in vain. Once SCOTUS denied writ on the Kehoe case, permitting the 11th circuit ruling to stand that actual damages were not required and an individual could choose to accept actual or statutory damages, the precedent was set. The Malley Firm was prepared to file and began filing an extensive amount of Federal Privacy Litigation. The Federal Class Actions involving violations of the Driver's Privacy Protection Act ("DPPA"), 18 U.S.C. § 2721, et seq, filed by the Law Offices of Joseph H. Malley P.C. in Texas, Florida, Missouri, and Arkansas, involving about 4-500 companies, include the following:
- Sharon Taylor et al. v. Acxiom Corporation et al., 2:07-cv-0001, (E.D. Tex. 2007)
- Sharon Taylor et al. v. ACS State & Local Solutions, Inc. et al., 2:07-cv-0013, (E.D. Tex. 2007)
- Sharon Taylor et al. v. Texas Farm Bureau Mutual Insurance Company et al., 2:07-cv-0014, (E.D. Tex. 2007)
- Sharon Taylor et al. v. Safeway Inc. et al., 2:07-cv-0017, (E.D. Tex. 2007)
- Sharon Taylor et al. v. Biometric Access Company et al., 2:07-cv-0018, (E.D. Tex. 2007)
- Sharon Taylor et al. v. Freeman Publishers Inc., 2:07-cv-0410, et al., (E.D. Tex. 2007)
- Richard Fresco v. R.L. Polk., No. 09-13344 (11th Cir. 2010), (Fresco II"- Intervention)
- Cook v. ACS State & Local Solutions, Inc. 663 F.3d 989 (10th Cir. 2011)
- Haney v. Recall Center, No. 10-cv-04003 (W.D. Ark. May 9, 2012) (certified class action)
- Doe et al. v. Compact Information Systems Inc. et al., 3:13cv05013MBH, (N.D. Tex. 2013)
- Cross v. Blank, Adv. No.: 9:15ap00926FMD, (M.D. Fla. 2015)
- Arthur Lopez v. Cross-Sell et al., 3:16-cv-02009-K, (N.D. Tex. 2016)
- Laning et al. v. National Recall & Data Services Inc. et al., 3:16-cv-02358-B (N.D. Tex. 2016)
- Lopez v. Herring, Civil Action No. 3:16-CV-02663-B, (N.D. Tex. 2017).
References
- Miller, Michael W. (August 25, 1992). "Information Age: Debate Mounts Over Disclosure Of Driver Data". Wall Street Journal.
- 18 U.S.C. §§ 2721–2725
- 18 U.S.C. § 2721
- 18 U.S.C. § 2722
- 18 U.S.C. § 2723
- 18 U.S.C. § 2724
- "Addresses at DMV Remain Accessible : Privacy: New rules were written to keep information confidential. Critics say there are too many loopholes". Los Angeles Times. August 19, 1991. Retrieved November 18, 2020.
- "Bill details of H.R. 3365 from THOMAS". Archived from the original on April 15, 2016. Retrieved June 1, 2009.
- "Bill details of S. 1589 from THOMAS". Archived from the original on April 15, 2016. Retrieved June 1, 2009.
- Legislative notes on the Driver's Privacy Protection Act, courtesy of the Legal Information Institute
- 528 U.S. 141 (2000)
- Englehardt, Steven; Narayanan, Arvind (October 24, 2016). "Online Tracking". Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. CCS '16. Vienna, Austria: Association for Computing Machinery. pp. 1388–1401. doi:10.1145/2976749.2978313. ISBN 978-1-4503-4139-4.