Driver's Privacy Protection Act

The Driver's Privacy Protection Act of 1994 (also referred to as the "DPPA"), Title XXX of the Violent Crime Control and Law Enforcement Act, is a United States federal statute governing the privacy and disclosure of personal information gathered by state Departments of Motor Vehicles.

The law was passed in 1994. It was introduced by Democratic Rep. Jim Moran of Virginia in 1992, after an increase in some opponents of abortion using public driving license databases to track down and harass abortion providers and patients. Prominent among such cases was physician Susan Wicklund, who faced protests and harassment including her house being picketed for a month. [1] The law is currently codified at Chapter 123 of Title 18 of the United States Code. [2]

Substantive provisions of the act

The statute prohibits the disclosure of personal information (as defined in 18 U.S.C. § 2725) without the express consent of the person to whom such information applies, with the exception of certain circumstances set forth in 18 U.S.C. § 2721. These rules apply to Departments of Motor Vehicles as well as other "authorized recipient[s] of personal information", and impose record-keeping requirements on those "authorized recipients."

The permissible uses are: [3]

  1. For any government agency to carry out its functions
  2. For use in connection with "matters of motor vehicle or driver safety and theft", including
    1. disclosure "in connection with matters of motor vehicle or driver safety and theft, motor vehicle emissions, motor vehicle product alterations, recalls, or advisories, performance monitoring of motor vehicles and dealers by motor vehicle manufacturers"
    2. removal of non-owner records from the original owner records of motor vehicle manufacturers to carry out the purposes of the Automobile Information Disclosure Act, the Motor Vehicle Information and Cost Saving Act, the National Traffic and Motor Vehicle Safety Act of 1966, the Anti-Car Theft Act of 1992, and the Clean Air Act
  3. For use in the normal course of business by a legitimate business or its agents, employees, or contractors, but only to:
    1. verify the accuracy of personal information
    2. correct information
  4. For use in connection with any matter before a court or arbitration proceeding.
  5. For producing statistical reports and other research, provided that personal information is not published.
  6. For use by insurance companies.
  7. For providing notice to owners of towed vehicles.
  8. For use by licensed private investigation agencies, for a permitted DPPA use.
  9. For use by employers to verify commercial driver information as required by U.S. Code Title 49, subtitle VI, chapter 313.
  10. For use by private toll transportation facilities.
  11. For response to requests from motor vehicle departments.
  12. For the bulk distribution of surveys, marketing materials, or solicitations (opt-in only).
  13. When written consent of the individual is provided.
  14. For other uses specifically authorized by state laws.

The act also makes it illegal to obtain drivers' information for unlawful purposes or to make false representations to obtain such information. [4] The act establishes criminal fines for noncompliance, [5] and establishes a civil cause of action for drivers against those who unlawfully obtain their information. [6]

Legislative history

After Rebecca Schaeffer was murdered in 1989 by Robert John Bardo, who found her address through a private detective agency's use of DMV records, the easy availability of personal information from the DMV was called into question. [7]

The bill was introduced simultaneously during the 103rd United States Congress in the House of Representatives (as H.R. 3365 [8]) and the Senate (as S. 1589 [9]) on 26 October 1993. The text of the bill was incorporated into H.R. 3355, the Violent Crime Control and Law Enforcement Act of 1994, which was eventually signed by President Bill Clinton as part of Public Law 103–322 on September 13, 1994. [10]

The statute's constitutionality was upheld by the U.S. Supreme Court against a Tenth Amendment challenge in Reno v. Condon. [11]

Jurisprudence

With the emergence of new-age computing technology and devices in the early 2000s came the collection, processing, aggregation, correlation, and redisclosure of users' data. Websites, third-party advertisers, and tracking firms began using mechanisms that violated users' privacy. While "online" data identifying the user's computing technology was helpful, the benefit of such data was limited. Advertising entities had a millisecond while users were online to market their products; moreover, in order to "track" consumers by obtaining computing device data, HTML cookies were added to their devices. [12] Since most computers and users deleted any cookies when they shut down their devices, this tracking mechanism failed to provide long-term tracking. What was needed was a means to associate "online" data activities with "offline" data, referencing personal information contained in public records. (Today, the objective is to associate "online" data with "offline" data and biometrics, the new "Holy Grail" of advertising data.) The most accurate and cheapest source of offline data was motor vehicle records maintained by the DMVs.

Because computer technology was progressing rapidly, federal and state laws had failed to be proactive, leaving society exposed to the risk of ungoverned technology. As such, litigation for violations was relatively non-existent. A new method to litigate federal privacy cases was needed to protect the hundreds of millions of people violated by unauthorized tracking of users' activities "online" and "offline" (public records). This was a formidable task since no law firms had litigated privacy cases involving the computer technology inherent in the exchange of user data between third-party affiliated entities; thus there was no case precedent, no "blueprint" to follow. Earlier cases, such as the DoubleClick "cookie" case in 2001, had relied on a wiretap statute, the Electronic Communications Privacy Act ("ECPA"). While plausible, it was a weak allegation since the website user had granted such permissible use within the website's terms of service ("TOS").

In Kehoe v. Fidelity Federal Bank and Trust, James Kehoe sued Fidelity Bank for purchasing hundreds of thousands of motor vehicle records from the state of Florida in violation of the federal Driver's Privacy Protection Act. Fidelity Bank had purchased 565,600 names and addresses from the Florida motor vehicles department from June 2000 – 2003. This information was sold for pennies: Fidelity was able to obtain the information for only $5,656. Fidelity used the information to target residents of Palm Beach, Martin, and Broward Counties for car loan solicitations. The U.S. District Court for the Southern District of Florida ruled in June 2004 that James Kehoe needed to demonstrate actual damages before obtaining any monetary recovery under the DPPA. The Court relied upon the recently decided Doe v. Chao and statutory construction rules to rule that the DPPA's liquidated damages do not accrue to a plaintiff unless he can show actual damages. Kehoe appealed to the 11th Circuit Court of Appeals, which ruled: "...The statute at issue is the Driver's Privacy Protection Act, 18 U.S.C. § 2721, et seq. ("DPPA"). Having considered the plain text of the statute, we conclude that a plaintiff need not prove actual damages to recover liquidated damages for a violation of the DPPA. Since the district court reached a contrary conclusion, we reverse and remand." Kehoe v. Fidelity Federal Bank & Trust, 421 F. 3d 1209 (11th Cir. 2005), cert. denied.

While the Kehoe case was on appeal to the 11th Circuit, then to SCOTUS, the Law Offices of Joseph Malley P.C. began an extensive series of freedom of information requests to all state DMVs, requesting any and all documents on persons and companies obtaining the DMV database in bulk, referencing the obtainment of all DMV records and periodic updates. The research and follow-up with all state DMVs would take more than a year. The firm was able to identify 36 state DMVs that were selling motor vehicle records in bulk. An analysis was then required of all of the people and entities obtaining the data to determine whether they appeared to have a permissible use as required by the DPPA. Extensive follow-up discussions with all DMV officials were required to obtain additional information. The research was a gamble on the outcome of the SCOTUS ruling, and it turned out not to be in vain. Once SCOTUS denied writ on the Kehoe case, permitting the 11th Circuit ruling to stand that actual damages were not required and an individual could choose to accept actual or statutory damages, the precedent was set. The Malley Firm was prepared to file and began filing an extensive amount of federal privacy litigation. The federal class actions involving violations of the Driver's Privacy Protection Act ("DPPA"), 18 U.S.C. § 2721, et seq., filed by the Law Offices of Joseph H. Malley P.C. in Texas, Florida, Missouri, and Arkansas, involving about 4-500 companies, include the following:

  1. Sharon Taylor et al. v. Acxiom Corporation et al., 2:07-cv-0001, (E.D. Tex. 2007)
  2. Sharon Taylor et al. v. ACS State & Local Solutions, Inc. et al., 2:07-cv-0013, (E.D. Tex. 2007) 
  3. Sharon Taylor et al. v. Texas Farm Bureau Mutual Insurance Company et al., 2:07-cv-0014, (E.D. Tex. 2007)
  4. Sharon Taylor et al. v. Safeway Inc. et al., 2:07-cv-0017, (E.D. Tex. 2007)
  5. Sharon Taylor et al. v. Biometric Access Company et al., 2:07-cv-0018, (E.D. Tex. 2007)
  6. Sharon Taylor et al. v. Freeman Publishers Inc. et al., 2:07-cv-0410, (E.D. Tex. 2007)
  7. Richard Fresco v. R.L. Polk., No. 09-13344 (11th Cir. 2010), ("Fresco II" - Intervention)
  8. Cook v. ACS State & Local Solutions, Inc. 663 F.3d 989 (10th Cir. 2011)
  9. Haney v. Recall Center, No. 10-cv-04003 (W.D. Ark. May 9, 2012) (certified class action)
  10. Doe et al. v. Compact Information Systems Inc. et al., 3:13cv05013MBH, (N.D. Tex. 2013)
  11. Cross v. Blank, Adv. No.: 9:15ap00926FMD, (M.D. Fla. 2015)
  12. Arthur Lopez v. Cross-Sell et al., 3:16-cv-02009-K, (N.D. Tex. 2016)
  13. Laning et al. v. National Recall & Data Services Inc. et al., 3:16-cv-02358-B (N.D. Tex. 2016)
  14. Lopez v. Herring, Civil Action No. 3:16-CV-02663-B, (N.D. Tex. 2017)

Related Research Articles

Doe v. Chao, 540 U.S. 614 (2004), is a decision by the United States Supreme Court that interpreted the statutory damages provision of the Privacy Act of 1974.

Department of motor vehicles: Government agency

The Department of Motor Vehicles (DMV) is a government agency that administers motor vehicle registration and driver licensing. In countries with federal states, such as those in North America, these agencies are generally administered by subnational governments, while in unitary states, such as many of those in Europe, DMVs are organized nationally by the central government.

Fair Credit Reporting Act: U.S. federal legislation

The Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681 et seq., is federal legislation enacted to promote the accuracy, fairness, and privacy of consumer information contained in the files of consumer reporting agencies. It was intended to shield consumers from the willful and/or negligent inclusion of erroneous data in their credit reports. To that end, the FCRA regulates the collection, dissemination, and use of consumer information, including consumer credit information. Together with the Fair Debt Collection Practices Act (FDCPA), the FCRA forms the foundation of consumer rights law in the United States. It was originally passed in 1970, and is enforced by the U.S. Federal Trade Commission, the Consumer Financial Protection Bureau, and private litigants.

Electronic Communications Privacy Act: 1986 United States federal law

The Electronic Communications Privacy Act of 1986 (ECPA) was enacted by the United States Congress to extend restrictions on government wire taps of telephone calls to include transmissions of electronic data by computer. It also added new provisions prohibiting access to stored electronic communications, i.e., the Stored Communications Act, and added so-called pen trap provisions that permit the tracing of telephone communications. ECPA was an amendment to Title III of the Omnibus Crime Control and Safe Streets Act of 1968, which was primarily designed to prevent unauthorized government access to private electronic communications. The ECPA has been amended by the Communications Assistance for Law Enforcement Act (CALEA) of 1994, the USA PATRIOT Act (2001), the USA PATRIOT reauthorization acts (2006), and the FISA Amendments Act (2008).

Video Privacy Protection Act: 1988 American law on tape rental privacy

The Video Privacy Protection Act (VPPA) is a bill that was passed by the United States Congress in 1988 as Pub. L. 100–618 and signed into law by President Ronald Reagan. It was created to prevent what it refers to as "wrongful disclosure of video tape rental or sale records" or similar audio visual materials, to cover items such as video games and the future DVD format. Congress passed the VPPA after Robert Bork's video rental history was published during his Supreme Court nomination and it became known as the "Bork bill". It makes any "video tape service provider" that discloses rental information outside the ordinary course of business liable for up to $2500 in actual damages.

CARFAX, Inc. is an American company that provides vehicle data to individuals and businesses. Its most well-known product is the CARFAX Vehicle History Report. Their other products include vehicle listings, car valuation, and buying and maintenance advice.

In the United States, the Driver License Agreement (DLA) is an interstate compact written by the Joint Executive Board of the Driver License Compact (DLC) and the Non-Resident Violator Compact (NRVC) with staff support provided by the American Association of Motor Vehicle Administrators (AAMVA). The DLA requires all states to honor licenses issued by other member states, report traffic convictions to the licensing state, prohibit a member state from confiscating an out-of-state driver's license or jailing an out-of-state driver for a minor violation; and maintain a complete driver's history, including withdrawals and traffic convictions including those committed in non-DLA states.

The National Driver Register (NDR) is a computerized database of information about United States drivers who have had their driver's licenses revoked or suspended, or who have been convicted of serious traffic violations, such as driving under the influence of drugs or alcohol. The records are added, maintained, and deleted by the motor vehicle agency (MVA) of the state that convicted the driver or withdrew the driver's license.

Driver's licenses in the United States: Drivers licenses as issued by individual states

In the United States, driver's licenses are issued by each individual state, territory, and the District of Columbia rather than by the federal government due to federalism. Drivers are normally required to obtain a license from their state of residence. All states of the United States and provinces and territories of Canada recognize each other's licenses for non-resident age requirements. There are also licenses for motorcycle use. Generally, a minimum age of 15 is required to apply for a non-commercial driver license, and 25 for commercial licenses which drivers must have to operate vehicles that are too heavy for a non-commercial licensed driver or vehicles with at least 16 passengers or containing hazardous materials that require placards. A state may also suspend an individual's driving privilege within its borders for traffic violations. Many states share a common system of license classes, with some exceptions, e.g. commercial license classes are standardized by federal regulation at 49 CFR 383. Many driving permits and ID cards display small digits next to each data field. This is required by the American Association of Motor Vehicle Administrators' design standard and has been adopted by many US states. According to the United States Department of Transportation, as of 2018, there are approximately 227 million licensed drivers in the United States.

Charlie Condon: American lawyer

Charles Molony Condon, known as Charlie Condon, is a former Attorney General of the U.S. state of South Carolina. For part of his term, he concurrently served as the first chairman of the Republican Attorneys General Association. Condon is also a former Ninth Circuit solicitor (1980-1991); when he was elected to the position at the age of 27, he became the youngest solicitor in the history of South Carolina. In 2008, he was the chairman of John McCain's presidential campaign in South Carolina. He currently is an attorney in private practice in Mt. Pleasant outside his native Charleston, South Carolina.

Information technology law (IT law) or information, communication and technology law (ICT law) (also called cyberlaw) concerns the juridical regulation of information technology, its possibilities and the consequences of its use, including computing, software coding, artificial intelligence, the internet and virtual worlds. The ICT field of law comprises elements of various branches of law, originating under various acts or statutes of parliaments, the common and continental law and international law. Some important areas it covers are information and data, communication, and information technology, both software and hardware and technical communications technology, including coding and protocols.

Stored Communications Act

The Stored Communications Act is a law that addresses voluntary and compelled disclosure of "stored wire and electronic communications and transactional records" held by third-party Internet service providers (ISPs). It was enacted as Title II of the Electronic Communications Privacy Act of 1986 (ECPA).

In re DoubleClick

In re DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497 ("DoubleClick"), had Internet users initiate proceedings against DoubleClick, alleging that DoubleClick's placement of web cookies on computer hard drives of Internet users who accessed DoubleClick-affiliated web sites constituted violations of three federal laws: The Stored Communications Act, the Wiretap Statute and the Computer Fraud and Abuse Act.

Reno v. Condon, 528 U.S. 141 (2000), was a case in which the Supreme Court of the United States upheld the Driver's Privacy Protection Act of 1994 (DPPA) against a Tenth Amendment challenge.

Lane v. Facebook, Inc.: US District Court class-action lawsuit

Lane vs. Facebook was a class-action lawsuit in the United States District Court for the Northern District of California regarding internet privacy and social media. In December 2007, Facebook launched Beacon, which resulted in users' private information being posted on Facebook without the users' consent. Facebook ended up terminating the Beacon program and created a $9.5 million fund for privacy and security. There was no monetary compensation awarded to Facebook users affected negatively by the Beacon program.

Cyber crime, or computer crime, refers to any crime that involves a computer and a network. The computer may have been used in the commission of a crime, or it may be the target. Netcrime refers, more precisely, to criminal exploitation of the Internet. Issues surrounding this type of crime have become high-profile, particularly those surrounding hacking, copyright infringement, identity theft, child pornography, and child grooming. There are also problems of privacy when confidential information is lost or intercepted, lawfully or otherwise.

Federal Aviation Administration v. Cooper, 566 U.S. 284 (2012), was a United States Supreme Court case in which the Court held that "actual damages" under the Privacy Act of 1974 is not clear enough to allow damages for suits for mental and emotional distress. The reasoning behind this is that the United States Congress, when authorizing suit against the government, must be clear in waiving the government's sovereign immunity.

In re Application of the United States for Historical Cell Site Data

In re Application of the United States for Historical Cell Site Data, 724 F.3d 600, was a case in which the United States Court of Appeals for the Fifth Circuit held that the government can access cell site records without a warrant. Specifically, the court held that court orders under the Stored Communications Act compelling cell phone providers to disclose historical cell site information are not per se unconstitutional.

The Biometric Information Privacy Act is a law set forth on October 3, 2008 in the U.S. state of Illinois, in an effort to regulate the collection, use, and handling of biometric identifiers and information by private entities. Notably, the Act does not apply to government entities. While Texas and Washington are the only other states that implemented similar biometric protections, BIPA is the most stringent. The Act prescribes $1,000 per violation, and $5,000 per violation if the violation is intentional or reckless. Because of this damages provision, the BIPA has spawned several class action lawsuits.

Docusearch

Docusearch is an American private investigations company headquartered in Boise, Idaho. Docusearch, founded by Dan Cohn, was started in 1996. It is a subsidiary of Arcanum Investigations Inc. The company operates in all states of the US.

References

  1. Miller, Michael W. (August 25, 1992). "Information Age: Debate Mounts Over Disclosure Of Driver Data". Wall Street Journal.
  2. 18 U.S.C. §§ 2721–2725
  3. 18 U.S.C. § 2721
  4. 18 U.S.C. § 2722
  5. 18 U.S.C. § 2723
  6. 18 U.S.C. § 2724
  7. "Addresses at DMV Remain Accessible : Privacy: New rules were written to keep information confidential. Critics say there are too many loopholes". Los Angeles Times. August 19, 1991. Retrieved November 18, 2020.
  8. "Bill details of H.R. 3365 from THOMAS". Archived from the original on April 15, 2016. Retrieved June 1, 2009.
  9. "Bill details of S. 1589 from THOMAS". Archived from the original on April 15, 2016. Retrieved June 1, 2009.
  10. Legislative notes on the Driver's Privacy Protection Act, courtesy of the Legal Information Institute
  11. 528 U.S. 141 (2000)
  12. Englehardt, Steven; Narayanan, Arvind (October 24, 2016). "Online Tracking". Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. CCS '16. Vienna, Austria: Association for Computing Machinery. pp. 1388–1401. doi:10.1145/2976749.2978313. ISBN 978-1-4503-4139-4.