The Driver's Privacy Protection Act of 1994 (also referred to as the "DPPA"), Title XXX of the Violent Crime Control and Law Enforcement Act, is a United States federal statute governing the privacy and disclosure of personal information gathered by state Departments of Motor Vehicles.
The law was passed in 1994. It was introduced by Democratic Rep. Jim Moran of Virginia in 1992, after an increase in some opponents of abortion using public driving license databases to track down and harass abortion providers and patients. Prominent among such cases was physician Susan Wicklund, who faced protests and harassment including her house being picketed for a month.[1] The law is currently codified at Chapter 123 of Title 18 of the United States Code.
The statute prohibits the disclosure of personal information (as defined in) without the express consent of the person to whom such information applies, with the exception of certain circumstances set forth in . These rules apply to Departments of Motor Vehicles as well as other "authorized recipient[s] of personal information", and imposes record-keeping requirements on those "authorized recipients."
The permissible uses are:
The act also makes it illegal to obtain drivers' information for unlawful purposes or to make false representations to obtain such information. The act establishes criminal fines for noncompliance, and establishes a civil cause of action for drivers against those who unlawfully obtain their information.
After Rebecca Schaeffer was murdered in 1989 by Robert John Bardo who found her address by a private detective agency's use of DMV records, the easy availability of personal information from the DMV was called into question.[2]
The bill was introduced simultaneously during the 103rd United States Congress in the House of Representatives (as H.R. 3365[3]) and the Senate (as S. 1589[4]) on 26 October 1993. The text of the bill was incorporated into H.R. 3355, the Violent Crime Control and Law Enforcement Act of 1994, which was eventually signed by President Bill Clinton as part of Public Law 103–322 on September 13, 1994.[5]
The statute's constitutionality was upheld by the U.S. Supreme Court against a Tenth Amendment challenge in Reno v. Condon.[6]
With the emergence of new-age computing technology and devices in the early 2000s came collection, processing, aggregation, correlation, and redisclosure of user's data. Websites, 3rd party advertising, and tracking firms began using mechanisms that violated a user's privacy. While "online" data identifying the user's computing technology was helpful, such data benefit was limited. Advertising entities had a millisecond while users were online to market their products; moreover, in order to "track" consumers by obtaining computing device data, HTML cookies were added to their devices.[7] Since most computers and users deleted any cookies when they shut down their devices, this tracking mechanism failed to provide long-term tracking. What was needed was a means to associate "online" data activities with "offline" data, referencing personal information contained in public records, (Today, the objective is to associate "online" data with "offline" data and Biometrics, the new "Holy Grail" of advertising data). The most accurate source of offline data and the cheapest was motor vehicle records maintained by the DMVs.
Since computer technology was progressing rapidly, federal and state laws had failed to be proactive, a risk to society of ungoverned technology. As such, litigation for violations was relatively non-existent. A new method to litigate Federal privacy cases was needed to protect the hundreds of millions of people violated by unauthorized tracking user's activities “Online” and “Offline” (public records). This was a formidable task since no law firms had litigated privacy cases involving the computer technology inherent within the exchange of user data between third-party affiliated entities, thus there was no case precedent, no "blueprint" to follow. Earlier cases, such as the double-click "cookie" case in 2001, had relied on using a wiretap statute, the Electronic Communication Privacy Act ("ECPA"). While a plausible allegation, it was a weak allegation since the website user had granted such permissible use within the website's term of service ("TOS").
In Kehoe v. Fidelity Federal Bank and Trust, James Kehoe sued Fidelity Bank for purchasing hundreds of thousands of motor vehicle records from the state of Florida in violation of the federal Drivers Privacy Protection Act. Fidelity Bank had purchased 565,600 names and addresses from the Florida motor vehicles department from June 2000 – 2003. This information was sold for pennies—literally, Fidelity was able to obtain the information for only $5,656. Fidelity used the information to target residents of Palm Beach, Martin, and Broward Counties for car loan solicitations. The U.S. District Court for the Southern District of Florida ruled in June 2004 that James Kehoe needed to demonstrate actual damages before obtaining any monetary recovery under the DPPA. The Court relied upon the recently decided Doe v. Chao and statutory construction rules to rule that the DPPA's liquidated damages do not accrue to a plaintiff unless he can show actual damages. Kehoe appealed to the 11th Circuit Court of Appeals which ruled: "...The statute at issue is the Driver's Privacy Protection Act, 18 U.S.C. § 2721, et seq. ("DPPA"). Having considered the plain text of the statute, we conclude that a plaintiff need not prove actual damages to recover liquidated damages for a violation of the DPPA. Since the district court reached a contrary conclusion, we reverse and remand". Kehoe v. Fidelity Federal Bank & Trust, 421 F. 3d 1209 (11th Cir. 2005), cert. denied.
While the Kehoe case was on appeal to the 11th circuit, then to SCOTUS, the Law Offices of Joseph Malley P.C. began an extensive freedom of information requests to all state DMVs, requesting any and all documents on persons and companies obtaining the DMV database in bulk, referencing the obtainment of all DMV records and periodic updates. The research and followup with all state DMVs would take more than a year. The firm was able to ID 36 State DMVs that were selling motor vehicle records in bulk. An analysis then was required of all of the people and entities obtaining the data to determine if it appeared they had a DPPA permissible use as required by the DPPA. Extensive follow-up discussions with all DMV officials were required to obtain additional information. Gambling on the outcome of the SCOTUS ruling, the extensive research turned out not to be in vain. Once SCOTUS denied writ on the Kehoe case, permitting the 11th circuit ruling to stand that actual damages were not required and an individual could choose to accept actual or statutory damages, the precedent was set. The Malley Firm was prepared to file and began filing an extensive amount of Federal Privacy Litigation. The Federal Class Actions involving violations of the Driver's Privacy Protection Act ("DPPA"), 18 U.S.C. § 2721, et seq, filed by the Law Offices of Joseph H. Malley P.C. in Texas, Florida, Missouri, and Arkansas, involving about 4-500 companies, include the following: