Drivers Privacy Protection Act (DPPA) – Comprehensive Overview (2025)

Published: August 1, 2023 • ToU & Privacy
Listen to audio overview

Introduction to the DPPA

The Driver’s Privacy Protection Act (DPPA) is a federal law enacted in 1994 to safeguard the privacy of personal information held in state motor vehicle records dmv.ca.gov. Prior to the DPPA, many states treated motor vehicle records (like driver’s licenses and registrations) as public records, which meant personal details could be obtained by virtually anyone. The DPPA established a national baseline of privacy protection, prohibiting state Departments of Motor Vehicles (DMVs) from disclosing an individual’s personal data except for specific, authorized purposes flhsmv.gov. This law was prompted by growing concerns over crimes and invasions of privacy facilitated through access to DMV information (for example, stalking incidents in the 1990s) and was passed as part of the Violent Crime Control and Law Enforcement Act of 1994.

In simple terms, the DPPA’s purpose is to keep your personal details – such as name, address, and driver’s license number – private and safe from misuse, while still allowing legitimate uses of that information by authorized parties. It requires all states to comply, overriding any state laws that previously made these records broadly public. The U.S. Supreme Court upheld the DPPA as a valid exercise of federal power, recognizing that protecting drivers’ privacy is an appropriate role for Congress in regulating interstate commerce govinfo.gov. Today, the DPPA remains a cornerstone of privacy law in the United States, and understanding its scope and recent developments is key to knowing how your driver information is handled in 2025.

Purpose and Scope of the DPPA

Purpose: The DPPA was designed to prevent personal data in DMV files from being disclosed improperly. Congress intended to enhance public safety and privacy by limiting access to information that could be used for unwanted marketing, identity theft, stalking, or other harm. As the Florida Department of Highway Safety puts it, the DPPA “keeps your personal information private by limiting those who can have it” flhsmv.gov. It effectively balances individual privacy rights against legitimate needs for information in areas like law enforcement, vehicle safety, and insurance.

Who Must Comply: The law applies to every state DMV and its officers, employees, and contractors. It governs anyone who obtains or uses data from a state motor vehicle record, meaning not only the DMV itself but also private individuals, companies, and government agencies that request or receive DMV information. In other words, if a person or entity gets personal data from DMV records, they are bound by the DPPA’s rules on what they can do with it. (Notably, this also means that if personal information is obtained through other means – for example, if you hand your driver’s license to someone or if information is gathered from a traffic accident report – the DPPA may not apply, since the data didn’t come directly from a state DMV database. The DPPA specifically regulates data drawn from DMV records.)

Scope – Protected Information: The DPPA defines “personal information” as any information that identifies an individual, as maintained in motor vehicle records. This includes a person’s name, address, driver’s license or identification number, photograph, Social Security Number (SSN), telephone number, and medical or disability information. In short, these are details in your driver’s license, vehicle registration, title, or state ID records that can be tied to you.

  • Highly Restricted Personal Information: Within this category, the law designates certain especially sensitive items as “highly restricted personal information.” This subset covers your photograph or digital image, Social Security Number, and medical or disability details. Highly restricted data enjoys extra protection – it generally cannot be disclosed without the individual’s explicit consent, unless one of a few specific DPPA exceptions applies (such as for law enforcement or other critical uses). For example, a DMV typically will not release your photograph or SSN at all except when required by law (like a court order) or with your express permission dmv.ny.gov.

Information Not Covered: Importantly, not everything in a DMV record is protected as “personal information.” The DPPA does not cover information about vehicular accidents, driving violations, or a driver’s license status. These are considered public record in many states (often under separate state laws). For instance, records of traffic offenses, collision reports, or whether someone’s license is suspended are usually open to public inquiry or available to interested parties. The rationale is that such information pertains to driving safety and regulatory status, rather than personal details about an individual’s identity. Many states explicitly allow public inspection of driving records related to convictions, violations, and license status dmv.ca.gov. The DPPA’s privacy protections are focused on personal identifying data, not on these aspects of driving history.

State vs. Federal Law: The DPPA sets a minimum standard of privacy nationwide. States can and often do impose additional protections beyond the DPPA’s requirements. For example, some states classify email addresses, emergency contact info, or other details as confidential even though the DPPA doesn’t mention them flhsmv.gov. (Florida law, for instance, adds emergency contacts and email addresses as protected information in motor vehicle records by state statute.) States also have their own general privacy laws (such as California’s Information Practices Act) that work alongside the DPPA dmv.ca.gov. We will explore in a later section how certain states like California and New York expand on DPPA protections. But regardless of where you live, at a minimum every state must comply with the DPPA’s baseline rules to keep your identifying driver data private dmv.ca.gov.

How the DPPA Works: Key Provisions and Permissible Uses

The DPPA operates by prohibiting the disclosure of personal DMV information except for specific permitted purposes defined in the law. This creates a general rule of privacy with enumerated exceptions:

General Prohibition on Disclosure

Under the DPPA, state DMVs are not allowed to “knowingly disclose or otherwise make available” personal information from motor vehicle records to any person or organization, except as authorized by the law. In practice, this means your state DMV cannot simply release your name, address, or other protected details to the public or to businesses without a legally permitted reason.

  • This prohibition covers all DMV officials, employees, and contractors. For example, a DMV clerk can’t look up someone’s address in the database and give it to a friend or sell it to a marketer – that would be illegal. Similarly, the DMV can’t publish driver data online or include personal info in publicly accessible files.
  • It also implicitly covers those who request or use DMV data. If someone misrepresents their identity or purpose to obtain DMV records (or if they receive data for an allowed purpose but then misuse it), they violate the DPPA. There’s even a section of the law that explicitly makes it unlawful to obtain data under false pretenses (see 18 U.S.C. § 2722) and provides penalties for misuse. In short, both disclosing and receiving DMV data improperly are forbidden.

Highly Restricted Data: As noted, the law is even stricter about highly restricted personal information (photographs, SSNs, etc.). A DMV cannot release those items at all unless you’ve given explicit consent or the request falls under a narrow set of DPPA exceptions. Many DMVs take this further by policy – for instance, the New York DMV will not release photos, SSNs, or medical information even to a requester with a permissible use, unless a court specifically orders it dmv.ny.gov. In such cases, if an authorized party (say, an insurance company investigating a claim) needs a driver’s SSN or photo, they’d likely have to obtain it through legal process (like a subpoena) rather than through a routine DMV records request.

Exceptions: Permissible Uses of DMV Information

While the default rule is non-disclosure, the DPPA carves out 14 permissible uses under which personal information may be released without the individual’s consent. These exceptions cover various legitimate needs for driver data. The key permissible purposes include:

  • Government Agencies and Law Enforcement: Access for any government agency (federal, state, or local), including courts and law enforcement, carrying out its official functions. This means police and other agencies can run driver records for investigations, traffic stops, background checks, etc. (For example, an officer can look up vehicle owner information by license plate during a traffic stop – that’s a DPPA-permitted use by law enforcement.) Courts can obtain information for cases, and agencies can use data to execute their duties (like a state tax agency verifying a person’s address through DMV records).
  • Matters of Motor Vehicle Safety, Theft, Emissions, and Product Recalls: Use by entities for vehicle-related safety activities. This includes automobile manufacturers, vehicle parts makers, or agencies conducting recalls, safety notifications, emissions monitoring, or investigations of theft dmv.ca.gov. For instance, if a car manufacturer needs to contact owners for a safety recall or to address an emissions issue, the DMV can release names and addresses for that purpose. (Auto manufacturers routinely rely on DMV data to mail recall notices to current vehicle owners flhsmv.gov.)
  • Legitimate Business Needs in Transactions Initiated by the Individual: Use in the normal course of business to verify the accuracy of personal information you provided, or to correct information if it’s wrong, but only for certain purposes. This typically applies to situations like fraud prevention or debt collection. For example, if you apply for credit or financing and give a driver’s license as ID, the bank might verify your info via the DMV. If something doesn’t match, they could use DMV data to get the correct info, but solely to prevent fraud or collect on a debt. Businesses must have a pre-existing transaction with you (you initiated it) and use the data only to confirm details or pursue legal remedies against you (if, say, you default and they need to locate you). This provision prevents abuse by limiting the use to specific, good-faith purposes.
  • Legal Proceedings: Use for any civil, criminal, administrative, or arbitral proceeding in any court or government agency, including for service of process, investigation in anticipation of litigation, and execution or enforcement of judgments and orders. Attorneys and investigators can obtain DMV information if it’s needed for a case (for example, to locate a witness or serve a subpoena in a lawsuit, or to enforce a court judgment). Importantly, in 2013 the U.S. Supreme Court clarified that this exception is not a catch-all – it cannot be used just to look up potential clients or for attorney solicitation. In Maracich v. Spears, the Court held that lawyers who obtained thousands of names/addresses from a DMV to solicit clients for a lawsuit were not covered by the “in anticipation of litigation” exception govinfo.gov. The litigation exception must be connected to an actual proceeding or investigation, not a fishing expedition for business. (If an attorney needs to contact vehicle owners as part of a lawsuit already filed or imminent, that’s fine; but using DMV data to generate a client list was deemed outside the DPPA’s scope.)
  • Research and Statistics: Use for research activities and producing statistical reports, as long as no personal information is published or used to contact individuals. This allows scholars or analysts to get bulk data for studies (e.g., traffic safety research) but only in anonymized form. For instance, a university study could get age and driving history data (without names) to analyze accident rates, but they cannot publicize personal details or reach out to the drivers involved.
  • Insurance Purposes: Use by any insurer or insurance support organization (or self-insured entity) in connection with claims investigation, antifraud activities, rating, or underwriting. Insurance companies rely on DMV records to verify driver information when issuing policies, setting premiums (your driving record affects your rates), or investigating accidents and claims. The DPPA expressly permits this so insurers can function effectively. (Example: after a car accident, your insurer and the other party’s insurer will likely exchange driver information and may verify license status or history through DMV data – allowed under DPPA for claims and antifraud.)
  • Towed or Impounded Vehicles Notification: Use to notify vehicle owners that their car has been towed or impounded. Tow companies or law enforcement can get owner info to send notice that, “Your car (license plate XYZ) has been towed – here’s how to retrieve it.” This is a necessary consumer protection; otherwise you might not know where your car went.
  • Licensed Private Investigators and Security Services: Use by a licensed private investigative agency or security service for any purpose permitted by the DPPA. This means P.I.s can access DMV data if they are doing so for one of the other allowed purposes on this list (they don’t get special new rights, but they can obtain data on behalf of clients for, say, a court case, fraud investigation, etc., as long as it fits one of the exceptions). Their access is not unlimited – they must still cite a permissible use.
  • Employment Screening for Commercial Drivers: Use by an employer (or its agent/insurer) to verify information relating to a holder of a commercial driver’s license (CDL). Employers hiring drivers (truck drivers, bus drivers, etc.) can confirm the status of an applicant’s CDL and driving record as required under federal law (49 U.S.C. Chapter 313). This ensures companies can screen for safe and qualified commercial drivers.
  • Operation of Private Toll Facilities: Use in connection with operating a private toll transportation facility. Toll road operators (even if privately run) may obtain vehicle owner information to collect unpaid tolls or manage billing for toll usage. For example, if you drive through a toll road without paying and it’s run by a private company, they can request the DMV for your address to send a bill or fine.
  • Consent-Based Requests (Individual Records): Disclosure with the express consent of the individual to whom the information pertains, for any use. If you give permission in writing, the DMV can release your info to whomever you authorized. For instance, you might consent to a background check that includes your driving record – your signature would allow the DMV to provide it to the requester. Some states have forms where a driver can authorize another person or company to access their records. Express consent must be specific and documented (including electronic consent with e-signature is valid under the DPPA’s definition of consent).
  • Consent-Based Requests (Bulk Marketing/Solicitation): The law also allows states to disclose information for bulk distribution for surveys, marketing, or solicitations, but only if the state has obtained the express consent of each individual whose information is included. In practice, this means “opt-in” for marketing. Originally, the DPPA allowed an opt-out model for marketing use, but a 1999 amendment (effective 2000) tightened this to require affirmative consent. As a result, today a state DMV cannot sell or share your data for marketing purposes unless you have knowingly agreed (opted in). Many states simply do not offer this option at all, effectively banning the sale of driver data for marketing. Others might include a checkbox on forms asking if you want your information shared for certain purposes – but if you ignore or decline, your data stays off marketing lists. (Example: If a research firm wants a bulk list of drivers to send surveys or a company wants to send promotional mailings, the DMV would need proof that each driver said “yes, you can share my info for this.”) In reality, this exception is rarely invoked because obtaining millions of individual consents is impractical. The default is that DMVs do not release personal info for bulk mail or advertising.
  • Use Specifically Authorized by State Law (Related to Motor Vehicles or Public Safety): A catch-all that allows disclosure for “any other use specifically authorized under the law of the State, if such use is related to the operation of a motor vehicle or public safety”. This means a state can pass its own law allowing additional reasons to use DMV data, but those reasons must relate to driving or safety. It gives states some flexibility to add uses not explicitly in the federal list, as long as they stay within the spirit of the DPPA. For example, a state law might allow driver data to be used in the context of investigating auto-related consumer fraud, or for research on highway safety beyond what’s in the federal exceptions. (States must still comply with the DPPA overall; they can’t authorize something completely contrary to the DPPA, but they can refine or expand certain use-cases in a limited way.)

It’s worth noting that **anyone requesting someone else’s DMV record usually must certify their permitted use (often by filling out a form and signing it) before the DMV will release information. For instance, Florida’s DMV requires requestors to specify which exemption under law they meet when seeking personal data flhsmv.gov. This helps ensure that personal info isn’t handed out improperly – there’s a paper trail, and making a false statement to get data can lead to legal penalties.

Redisclosure and Safeguards

The DPPA also addresses what happens after an authorized recipient receives DMV data. Under 18 U.S.C. § 2721(c), an authorized recipient can resell or redisclose personal information only for another permitted use (and they generally must keep records for 5 years of any entity they redisclose data to, including the purpose). For example, if an insurance company obtains a batch of driving records for underwriting, it cannot turn around and sell that information to a marketing firm – that would be an unauthorized use. The law prohibits downstream misuse by chaining the same restrictions to subsequent disclosures.

There are a couple of nuances here:

  • If information was obtained with express consent for a specific purpose (the (b)(13) exception), then the recipient can basically use it freely in line with that consent (even for other purposes, because the individual agreed to the release). Similarly, for bulk marketing consents (b)(12), the recipient can redisclose for marketing as allowed by that consent. But aside from those consent-based scenarios, any further sharing must itself fall under a DPPA permissible use.
  • The DPPA also allows states to have a “waiver procedure”: if someone requests personal information that doesn’t fit an allowed use, the state DMV can, if it chooses, contact the individual and ask if they consent to the release. For instance, if a person or company wants your data for a reason not on the list, the DMV could mail you a notice and only release the info if you sign a waiver. This is optional for states – not all states do this, but it’s a mechanism in the law.
  • No coercion for consent: The law explicitly forbids states from making you waive your DPPA rights as a condition of obtaining a service. A state can’t say “you must agree to share your info or we won’t issue your driver’s license.” That kind of condition is banned. Your choice to consent must be voluntary and not a requirement for getting a license or registration. (States can charge a small fee for issuing a copy of a record if needed for consent verification, but they can’t force consent.)

In summary, the DPPA’s core framework is privacy-first: no disclosure unless a specific, lawful exception applies. Those exceptions cover most of the common legitimate needs for driver data, from policing and courts to insurance and research. Outside of those, your personal details in DMV files are off-limits without your permission.

Federal Developments and Recent Court Decisions (2024–2025)

Since its enactment, the DPPA has seen relatively few amendments, but there have been important judicial interpretations and some legislative discussions at the federal level shaping how the law works in practice. As of 2025, the DPPA’s text remains essentially as it was after the year 2000 amendments (which introduced the opt-in requirement for marketing). No major DPPA-specific legislation has been enacted by Congress in the past two decades. However, the law has featured in broader privacy debates and there have been notable court rulings clarifying its reach:

Supreme Court Rulings: Reno v. Condon and Maracich v. Spears

The U.S. Supreme Court has directly addressed the DPPA in two cases:

  • Reno v. Condon (2000): This was a challenge by states (South Carolina, in this case) arguing that the DPPA overstepped federal authority and violated the Tenth Amendment. The Supreme Court unanimously upheld the DPPA, confirming that Congress validly enacted it under the Commerce Clause because driver data is an article of commerce and its regulation has multistate impacts govinfo.gov. The Court noted the DPPA “regulates the resale and redisclosure of drivers’ personal information by private persons who have obtained that information from a state DMV” govinfo.gov. In other words, the law was seen as regulating activity (buying/selling of personal data) that affects interstate commerce, not commandeering the states. Reno v. Condon cemented that states must comply with the DPPA and that the federal government can set these privacy rules.
  • Maracich v. Spears (2013): This case clarified the scope of one DPPA exception. A group of lawyers had obtained personal information on thousands of drivers from a state DMV, intending to solicit those people to join a class-action lawsuit (an unlawful practice case against car dealerships). The lawyers claimed their use fell under the exception for use “in connection with” litigation or anticipated litigation. The Supreme Court disagreed, ruling that soliciting clients is not a permitted use under the DPPA’s litigation exception govinfo.gov. The 5-4 decision held that the attorneys’ mass mailing was not sufficiently related to a legal proceeding; it was essentially a commercial solicitation. The Court left open that some other exception (like if the individuals had consented, or possibly an investigatory use) might apply in other scenarios, but firmly said that exception (b)(4) doesn’t cover trolling DMV data for clients. This decision put attorneys and others on notice: permissible uses are to be read narrowly – one must have a clear allowed purpose, not just a tangential or self-serving rationale.

These Supreme Court decisions guide how lower courts and states interpret the DPPA. Reno confirmed the law’s legitimacy and Maracich narrowed one potential loophole in usage.

Clarifying the Source of Data: What Counts as a “Motor Vehicle Record”

Several federal appellate courts have addressed what it means to obtain information “from a motor vehicle record,” which is critical because the DPPA only applies in that context govinfo.gov. Two noteworthy clarifications:

  • Data from a physical driver’s license vs. DMV database: If someone obtains your personal info by simply looking at your driver’s license or ID card that you present, is that covered by the DPPA? The answer is no. The Ninth Circuit in Andrews v. Sirius XM Radio Inc. (2019) held that the DPPA does not apply when the source of personal information is a driver’s license in the individual’s possession, rather than a state DMV lexology.com. In that case, a car dealership scanned customers’ licenses and then shared the info with Sirius XM for marketing. The court found that since the data came from the license directly (with the person’s knowledge at the point of sale), not from a DMV lookup, it wasn’t “obtained from a motor vehicle record” under the DPPA’s definition. Similarly, other courts (including the Second Circuit) have said that if an individual voluntarily gives their driver’s license information to someone (like a guard or a business), and that person misuses it, the DPPA doesn’t provide a remedy because the data didn’t come from the DMV govinfo.gov. The DPPA isn’t a general privacy law for all ID information – it’s specifically about data drawn from DMV sources. (Such situations might be covered by other laws or contract terms, but not the DPPA.)
  • Police accident reports and other non-DMV records: A related question is if personal information appears in a police report, court record, or other document outside the DMV, does the DPPA prevent its disclosure? Courts have generally found that the DPPA does not extend to records that are not DMV-maintained, even if they contain information originally from the DMV. For example, many states use standardized accident report forms (often filled out by law enforcement at a crash scene) that include drivers’ names, addresses, license numbers, etc. In a 2021 federal case concerning such accident reports, the court held that because the reports were not obtained from the DMV (the defendants got them from police files) and the reports themselves were not “motor vehicle records” as defined by the DPPA, the DPPA did not applygovinfo.govgovinfo.gov. Essentially, once the info is recorded in a separate record (like a police report available through public records law), the DPPA’s protections don’t magically travel with that info in all contexts. This has practical implications: for instance, some law firms or companies gather accident reports (publicly available) and then use the names/addresses in them for marketing or legal solicitation. Courts have said DPPA can’t be used to stop that because the data wasn’t obtained from the DMV. However, if those firms then went to the DMV to get additional details (say, to cross-reference plate numbers to owners outside of the report), that would invoke the DPPA.

These interpretations underscore that the DPPA’s reach is limited to the DMV as the source. Personal data can exist in many places (courts, the internet, etc.), and DPPA is not a blanket privacy shield for all such data – it’s targeted to motor vehicle records.

Recent Legislative Proposals and Discussions

At the federal level, there have been no new amendments to the DPPA enacted through 2024. The core provisions remain as described above. That said, the DPPA often comes up in discussions of comprehensive data privacy legislation. Lawmakers crafting broader privacy bills have referenced the DPPA as an example of existing protections for specific data. For instance, the proposed Online Privacy Act of 2023 listed the DPPA alongside other sectoral privacy laws (like those for health and financial data) as part of the federal privacy frameworkcongress.gov. This indicates Congress’s awareness that driver data is already protected by a dedicated law.

There have also been niche proposals around tangential issues, such as rules for automotive “event data recorders” (black boxes in cars) – e.g., the Driver Privacy Act of 2015 (which became law, but it dealt with ownership of car black box data, not DMV records, despite the similar name)congress.gov. These don’t change the DPPA but show attention to vehicle-related privacy.

Looking ahead, no major federal regulatory actions specifically targeting the DPPA have been rolled out in 2024 or early 2025. The Department of Justice (DOJ) is responsible for enforcement (it can penalize non-compliant state DMVs and criminally charge knowing violators), but there hasn’t been a widely publicized DOJ crackdown or new DPPA regulations in recent years. The law is relatively straightforward and self-executing (it doesn’t require a lot of agency rulemaking to enforce). Federal oversight has largely consisted of ensuring state compliance (which was achieved after Reno v. Condon) and sometimes weighing in on court cases as needed.

In summary, at the federal level the DPPA is stable and settled as of 2025: its text is unchanged since 2000, its constitutionality is affirmed, and courts continue to refine its interpretation in specific scenarios. The main action has shifted to state-level implementation and enforcement, as well as private litigation, which we cover next.

State Implementation and Variations under the DPPA

All states must follow the DPPA, but they have leeway in how they implement and even expand upon its protections. Many states have incorporated the DPPA into their own statutes or administrative codes, sometimes adding stricter privacy measures. Here we’ll explore how CaliforniaNew York, and other states handle DMV privacy, highlighting differences and additional safeguards.

California: Beyond the DPPA – Strong State Privacy Rules

California is known for robust privacy laws, and that extends to driver information. The state adheres to the DPPA and also layers on its own protections through the California Vehicle Code and other statutes:

  • California’s DMV is bound by the Information Practices Act of 1977 (IPA), a state law that broadly prohibits agencies from disclosing personal data in a way that identifies someone, subject to certain exceptionsdmv.ca.gov. The DMV explicitly notes it complies with both the DPPA and state laws to protect your informationdmv.ca.gov.
  • Definition of Personal Info: California law aligns with the DPPA’s definition and even adds to it. Under state law, “personal information” includes things like physical description, and home telephone number, in addition to the usual identifiersdmv.ca.gov. Practically, this means California treats even more data as sensitive.
  • Public Driving Records vs. Personal Data: By law (Calif. Vehicle Code §1808), California makes certain driver record information public – specifically, “information regarding official actions relating to a person’s driving privilege,” such as convictions, traffic accidents, license status (suspensions, revocations)dmv.ca.govdmv.ca.gov. Anyone can access a basic driving record showing those items. However, personal information like name, address, etc., is generally not public and is separated from those records or redacted unless an exemption appliesdmv.ca.gov. For example, a California driving record request by a member of the public might show that a person has violations or a suspension, but not reveal their address – unless the requester qualifies under an exception.
  • Address Confidentiality: California Vehicle Code §1808.21 makes home addresses in DMV records confidentialdmv.ca.gov. The DMV will not release your address except to certain authorized entities. These include:
    • Courts, law enforcement, and other government agencies (for official use)dmv.ca.gov.
    • Insurance companies, financial institutions, and attorneys when a case involves the use of a motor vehicle (e.g., after an accident, an attorney or insurer can get address info to contact the parties)dmv.ca.gov. This is similar to DPPA’s insurance and litigation exceptions, codified in state law.
    • Vehicle manufacturers (for recalls, etc.), vehicle dealers (to process registrations), and, interestingly, utility companies for identifying where an electric vehicle is registered (to plan for electrical grid or incentives), as well as certain limited research or statistical usesdmv.ca.govdmv.ca.gov. These specific carve-outs mirror DPPA’s allowance for safety recalls and add a twist for EV-related data sharing.
    • Certain private parking enforcement uses (a unique California twist: universities can get info for enforcing campus parking rules under an agreement)dmv.ca.gov.
  • Physical and Medical Information: California explicitly protects any physical or mental condition information and medical data in DMV records. Under Vehicle Code §1808.5, such information “is not disclosed outside of the department, unless authorized by the person or by law.”dmv.ca.gov. A cited case, DMV v. Superior Court (Carmona), affirmed that medical info held by DMV (like vision test results, disability status for parking placards, etc.) is confidentialdmv.ca.gov. Essentially, unless a statute or a court order says otherwise, even permitted users can’t get your medical or disability details from CA DMV. This aligns with the DPPA’s highly restricted category and takes a cautious stance: for example, if an insurer requests a driving record, California will omit medical info (like whether you have a handicap placard) because it’s not relevant to most purposes and protected by law.
  • Photographs and Biometrics: California is very strict about photographs. Vehicle Code §12800.5 provides that your DMV photo can only be released to: law enforcement agencies (including the Attorney General, DAs) for their functions, to public defenders (for their investigations), to the person in the photo themselves (you can request a copy of your own license photo), to someone who has written authorization from the individual (consent), in response to a subpoena specifically demanding the photo, or to a close family member if the person is deceased (and even then with proof of death)dmv.ca.govdmv.ca.gov. This is more detailed than the DPPA itself, effectively ensuring driver’s license photos are treated almost like law enforcement-sensitive material. The average permitted user (say an insurer or employer) cannot get a copy of your photo from the CA DMV. Even if the DPPA might have allowed a photo under an exception, California doesn’t release it except to those few categories. Likewise, fingerprints (thumbprints taken during the license process) are protected – they are collected for security and are not shared outside DMV except as required by lawdmv.ca.gov. California references a state Supreme Court case (Perkey v. DMV) reinforcing that positiondmv.ca.gov.
  • Contact Information: California DMV collects your telephone number and email when you apply for a license/registration, but by policy does not share them externally except as authorized by lawdmv.ca.govdmv.ca.gov. There’s no general exception that would let marketers get your phone or email from the DMV in California; those would be given out only in rare cases (perhaps to investigators if absolutely necessary). In short, California treats your phone and email as confidential DMV data, akin to how DPPA treats address.
  • License Type and Immigration Status: California issues special driver’s licenses (under AB 60) for individuals who cannot prove lawful U.S. presence (often undocumented immigrants). The state has taken measures to protect those drivers’ information from misuse. Notably, when law enforcement runs a license check, the system does not indicate the person’s immigration-related license status or what documents they used to obtain the licensedmv.ca.gov. This prevents, for example, a police officer from knowing just by the DMV response whether a driver has an AB 60 license (which could otherwise reveal immigration status). This is a state-level privacy protection going beyond the DPPA, aimed at encouraging undocumented residents to get licensed and insured without fear that their info will be turned over to immigration authorities. California law (and a 2020 law SB 34) explicitly restricts sharing DMV data with federal immigration agencies absent a court order, aligning with the state’s broader privacy and “sanctuary” policies. Such provisions illustrate how a state can build on DPPA to address local concerns.

Overall, California’s approach exemplifies a “belt-and-suspenders” strategy: DPPA provides the baseline, and state laws add extra layers of confidentiality (especially for particularly sensitive data like photos, medical info, or immigration-related matters). The result is one of the most protective regimes for driver data in the country.

New York: Limited Disclosure and “Highly Restricted” Info Practices

New York also implements the DPPA through state law and policy, with some distinctive practices:

  • The New York DMV affirms that the DPPA “regulates and restricts who has access to the information in DMV records”dmv.ny.gov. New York defines personal information similarly to the federal law: name, address, driver ID number, photo, SSN, phone number, medical or disability info are all includeddmv.ny.gov.
  • No Photographs or SSN Release: New York DMV’s policy is that it will not release certain highly sensitive personal information at all – photographs, Social Security Numbers, telephone numbers, medical and disability information will not be given out, even to those with a permissible DPPA usedmv.ny.gov. The only way someone other than the DMV or law enforcement can get these is via a court order (“so-ordered” subpoena from a judge)dmv.ny.gov. This effectively treats those data points as off-limits in typical DPPA requests. For example, if an attorney were investigating a case and had a permissible purpose to request a driver’s record, the record New York DMV provides would have the photo, SSN, phone, etc., redacted. This is consistent with DPPA’s spirit (those are highly restricted data) but New York’s practice sets a high bar (court oversight) for their release.
  • What NY Considers Public: Like many states, New York does not consider certain driving information as private under DPPA. The NY DMV confirms the DPPA “does NOT restrict information about traffic accidents, traffic violations, and driver’s license status”dmv.ny.gov. Those remain available, often through other channels (e.g., a request to the DMV for an accident history, or via FOIL for an accident report). So, if someone needs to know if a person has a valid license or any violations, that info can be obtained without running afoul of DPPA (though typically one would still go through DMV or court record inquiries to get it).
  • Certified Use and Record-Keeping: When New York shares DMV records for a permitted use, the recipient is reminded that if they in turn share that information with another party who also has a DPPA permissible use, they must keep a record for five years of that transaction – specifically, they must log exactly who they gave the info to, which driver’s record it was, and what permissible use that next party had dmv.ny.gov. This mirrors the DPPA’s redisclosure tracking requirement. New York DMV even provides forms and guidance on this. For example, an insurance company that obtains a batch of records might share some with an antifraud database – they’d need to record that transfer in case the DMV asks to verify proper use.
  • Previous Owners & License Plate Searches: New York highlights that the DPPA stops certain lookups: you generally cannot use a vehicle’s license plate number or VIN to obtain the owner’s name or address from the DMV, except for allowed purposes dmv.ny.gov. Similarly, one cannot simply request a list of all prior owners of a vehicle by name/address (unless a valid reason exists). This is basically the DPPA’s core rule as applied to common scenarios: no random plate-to-name fishing. New York has a specific form (MV-15) that outlines permissible uses and warns requesters of these limits dmv.ny.gov.
  • State Legislation Updates: New York periodically updates its Vehicle & Traffic Law to adjust to DPPA and state needs. For instance, a bill in 2025 (A061) was introduced to allow the DMV to contract with certain private entities to provide limited driver’s license record information for specific purposes, but only if those entities agree to comply with the DPPA nysenate.gov. The bill enumerated exactly what data fields could be shared (like license numbers, violation dates, etc., but notably not personal addresses) nysenate.gov, and it required a binding agreement of DPPA compliance nysenate.gov. This illustrates how New York is trying to facilitate necessary data flows (like sharing data with a research firm or another agency) while keeping the DPPA guardrails firmly in place.

In summary, New York implements the DPPA strictly, often choosing not to disclose the most sensitive info at all outside of court supervision. It also is proactive in ensuring any bulk or contracted sharing of data is done with DPPA compliance built-in.

Other State Approaches and Notable Differences

Florida: Before the DPPA, Florida (like some other states) treated motor vehicle records as public by default. Florida’s response to the DPPA was to automatically “block” personal information in all motor vehicle and driver license recordsflhsmv.gov. The Florida DMV assures residents that “You do not need to do anything to have your personal information protected.”flhsmv.gov It’s done by default, meaning when someone requests a record, the personal data is suppressed unless an exemption is met. Florida law (Fla. Stat. §119.0712(2)) formally adopts the DPPA and lists the same exceptionsflhsmv.gov. Florida also extended protections: for example, email addresses and emergency contact info in DMV files are protected by state law in addition to DPPAflhsmv.gov.

Florida provides user-friendly forms for requesters to certify their exemption (with the permissible use options clearly listed)flhsmv.gov. They also explicitly mention examples of who can get data: auto manufacturers for recalls, insurance companies, tow companies, employers of commercial drivers, and of course law enforcementflhsmv.gov. This matches the DPPA’s list. Florida’s implementation shows a close adherence to the federal law, with an emphasis on no action required by drivers – the privacy is on autopilot.

New Jersey: New Jersey’s Motor Vehicle Commission states that it “will not disclose any personal information without your consent and a proper written request form.”nj.gov This sounds like NJ requires the individual’s consent as a blanket rule, but in practice New Jersey does release info for DPPA exceptions (some of which inherently involve consent, like a court order or insurance claim). What NJ’s statement signifies is a strong default of non-disclosure – essentially treating every request with scrutiny and requiring either the data subject’s consent or a demonstrated exemption. New Jersey, like many states, publishes a summary of the DPPA for the public and provides a form (known as an “OPRA” form or similar) where the requestor must certify the reason for the request. They also highlight that any personal data given out can only be used in conjunction with motor vehicle or driver safety purposesnj.gov, reinforcing that you can’t get the data and then repurpose it arbitrarily.

Texas: Texas DMV (TxDMV) similarly proclaims that federal law prohibits disclosure of personal info to the general public and that the TxDMV will only release it for DPPA-specified purposesdmv.ny.gov. Texas has an interesting state law twist: a few years ago, Texas created an Address Confidentiality Program for certain protected individuals (like victims of violence) which works with the DMV to ensure their actual address is not on public-facing records. While that’s not a DPPA thing per se, it’s an extra state measure showing how states can layer victim-protective confidentiality on top of DPPA.

Wisconsin, Indiana, Missouri (data sale practices): These states have made news for their handling of DPPA-permitted disclosures. They strictly follow the DPPA’s exceptions but also charge fees and generate revenue by selling access to those records (to insurers, employers, data aggregators, etc.). For example, Wisconsin’s DOT reportedly collected over $15 million in 2022 from selling driver record information under DPPA exceptions (e.g., bulk data to authorized entities)wmtv15news.com. Indiana’s Bureau of Motor Vehicles similarly has made tens of millions per year through contracts and electronic access for authorized users (like background check companies, insurance databases, towing firms, etc.). This is legal under DPPA as long as the purchasers are using the data only for allowed purposes – and typically they must sign agreements to that effect. However, this monetization has raised eyebrows and led to proposed state legislation to curb it.

Legislative responses to data sales: States are reconsidering how easy it should be for third parties to get driver data, even for “permissible uses,” when significant money is involved. For instance, lawmakers in Indiana introduced bills in 2023 and 2024 to allow drivers to opt out of having their information sold in certain cases or to stop sales for certain age groups (like minors and seniors)wrtv.comwrtv.com. One bill would prohibit the BMV from selling personal info of drivers under 21 or over 65wrtv.com. Although as of the 2024 session such measures hadn’t yet become law, Indiana did pass a law requiring the BMV to report annually on its data sales revenue and how the money is used, increasing transparencywrtv.com. This came after public reporting showed the BMV had collected about $263 million over 10 years from selling driver datawrtv.comwrtv.com. The issue is that many drivers are unaware of these sanctioned data disclosures because it’s all behind the scenes. The DPPA allows it, but states are now confronting the ethics and optics of it. We may see more states adding consumer-friendly measures, such as easier opt-outs or at least notifying drivers about what happens with their info.

Enforcement by States: Some states have been proactive in enforcing DPPA compliance among their own agencies and local authorities. For example, North Carolina issued guidance that accident reports created by law enforcement are not clearly covered by DPPA (absent a court ruling)ncdoj.gov, but cautioned agencies to handle personal info carefully regardless. There have been instances where state employees were disciplined or prosecuted under state law equivalents for misusing DMV data (e.g., a clerk looking up someone without authorization). States can impose their own penalties (administrative or criminal) on top of DPPA’s federal penalties.

In short, while the DPPA provides a uniform baseline, states like California and New York go above and beyond with stricter rules on certain data types, and states like Florida and Texas have clear, public-facing compliance with the baseline. An emerging trend is states grappling with how much DMV data should be commodified even within DPPA’s bounds, and considering laws to increase privacy or transparency around that.

Enforcement and Trends (2024–2025)

The Drivers Privacy Protection Act carries significant penalties for violations and has been enforced through a combination of federal actions and private lawsuits. Here we examine how the law is enforced, notable cases, and current trends up to 2025:

Penalties for Violations

The DPPA includes both criminal and civil penalties:

  • Criminal Penalty: It is a federal crime to knowingly violate the DPPA. A person (which could be a DMV employee, a private individual, a business, etc.) who knowingly obtains, discloses, or uses personal information from a motor vehicle record for an impermissible purpose can be fined by the federal governmentgovinfo.govgovinfo.gov. The law doesn’t set a specific dollar amount in the text for individuals (it says “fined under this title,” meaning the court can impose a monetary fine according to federal fine schedules). There is no mention of imprisonment in the statute for a DPPA violation; it is essentially treated as a misdemeanor punishable by fines.
  • State DMV Noncompliance: If a state DMV has a “policy or practice of substantial noncompliance” with the DPPA, the U.S. Attorney General can impose a civil penalty up to $5,000 per day for each day of noncompliancegovinfo.gov. This was intended to coerce states into following the law when it first took effect. In practice, after the Supreme Court upheld the DPPA, states fell in line, and we haven’t seen public instances of the DOJ actually fining a state DMV by this provision. It’s more of a safeguard to ensure states don’t openly defy the requirements (for example, by selling data wholesale without restrictions or refusing to implement opt-in for marketing).
  • Civil Lawsuits (Private Right of Action): The DPPA empowers individuals to sue in federal court if their information was obtained or disclosed unlawfullygovinfo.govAny person whose personal data was misused can bring a civil action against the perpetrator (whether that’s an individual, a company, or even a government agency). The court may award:
    • Actual damages, or if those are hard to quantify, “liquidated” damages of at least $2,500 per violationgovinfo.gov. That means even if you can’t show a monetary harm, the law presumes a minimum of $2,500 in damages for you if your info was unlawfully obtained/disclosed.
    • Punitive damages if the violation was willful or recklessgovinfo.gov. This is to punish egregious conduct beyond the base level damages.
    • Attorney’s fees and litigation costs if you win the casegovinfo.gov. This is important because it incentivizes attorneys to take DPPA cases – the violator can be made to pay the plaintiff’s legal bills.
    • Any other equitable relief the court deems proper.

These remedies have made the DPPA a tool in numerous class action lawsuits and individual suits. For example, if a data broker illegally obtained thousands of DMV records for marketing, they could face a class action seeking $2,500 for each person affected – potentially millions of dollars total. Indeed, in the early 2000s, there were high-profile settlements: one case, Kehoe v. Fidelity Federal, involved a bank that bought Florida DMV data to send out auto loan offers; it ended up settling for about $50 million to a class of drivers, given the DPPA’s damages provision (that case helped spur the 2000 amendment to opt-in for marketing).

Another example: There have been cases of law enforcement officers misusing DMV databases to look up people (sometimes for personal reasons). Victims of such look-ups have sued under the DPPA and won settlements. A well-known instance involved a female police officer in Minnesota who found that dozens of fellow officers across the state had accessed her DMV photograph and information out of curiosity or prurient interest – she sued multiple departments and individuals under DPPA. The case led to significant settlements and highlighted the issue of database snooping. The threat of $2,500 per violation, multiplied by numerous look-ups, created a strong incentive for agencies to train and monitor their staff.

In summary, the DPPA has teeth: violators can face federal fines and substantial civil liability. The civil action provision is the most actively used enforcement mechanism, often via class actions.

Notable Enforcement Actions and Cases

  • Misuse by Employees or Officials: Across the country, there have been several incidents where DMV employees or police officers improperly accessed driver data. These have led to DPPA charges or civil suits. For instance, if a DMV clerk was caught selling personal info to identity thieves, the DOJ could prosecute them (at least for the false pretenses clause or other laws) – such cases, when they occur, may also involve charges like bribery or fraud in addition to DPPA. On the civil side, as mentioned, officers accessing data for non-official reasons have been a recurring problem. Agencies have paid out settlements and instituted reforms (audit trails, requiring a reason for each lookup, etc.) as a result. In one case, the 8th Circuit Court of Appeals affirmed that officers who looked up a person without a job-related reason could be individually liable under DPPA, stripping them of qualified immunity because the law was clearly establishedaele.org. This sends a message that “curiosity” lookups are not only against policy – they are against federal law.
  • Data Broker and Marketing Cases: Some of the earliest DPPA enforcement came from lawsuits against data brokers and direct marketers. Before the law tightened, list brokers did sometimes get DMV data. After 2000, that largely stopped (at least overtly). However, a few cases have alleged that certain companies obtained data under a permissible pretext but then used it for marketing, which is not allowed. Courts have scrutinized the exact use. In one recent case (Fourth Circuit, 2023), drivers received advertising mailings from a firm that had obtained their info from DMV records via accident reports. The drivers sued under DPPA, but the court found in favor of the defendant, essentially because of the nuance that the info came from accident reports (not directly from DMV) and possibly citing First Amendment grounds for the communicationprivacyworld.bloggovinfo.gov. This ties back to the earlier discussion that how the data is obtained matters. But where a clear violation is present – e.g., a company flat-out buying DMV data for solicitation without consent – the DPPA provides a strong basis for a lawsuit.
  • Accident Reports and Solicitation: A trend in litigation has been attorneys or companies using information from police accident reports to solicit business (like personal injury lawyers contacting accident victims). Some have attempted to use DPPA to block that practice, but as noted, courts often say DPPA doesn’t apply because the info wasn’t requested from the DMV. Instead, states have tackled this through other laws (for example, Florida has a separate statute restricting how soon after an accident attorneys or clinics can use accident report info to solicit victims). So while DPPA itself hasn’t been amended to cover that, it’s part of the evolving dialogue on privacy vs. access in motorist data.
  • Technology and DPPA: The rise of technology raises questions on how DPPA intersects with new data sources:
    • Automatic License Plate Readers (ALPRs): These devices used by police (and sometimes private entities) scan license plates on the road. ALPRs by themselves don’t violate DPPA because they’re capturing plate numbers in public (not pulling from DMV records). However, when an ALPR hit is matched against a DMV database to find the registered owner, that access is subject to DPPA. Law enforcement use is permissible. Private use is more tricky – a private parking enforcement company could argue it fits the “toll” or “private parking” exception or obtains owner info with consent of the state under a law, but generally, a private actor would need a DPPA-allowed reason to get owner info from a plate (they might go through the DMV’s permitted channels like any other requester with cause).
    • Mobile Apps and Scanning: Some apps can scan the barcode on a driver’s license (which encodes the info on the card). When bars check IDs, or retail stores scan IDs for age verification, that’s reading from the license (not querying the DMV), so DPPA doesn’t apply. But states like California have separate laws (like Civ. Code §1798.90.1) limiting how businesses can use information obtained from swiping a driver’s license (e.g., they can verify age but can’t keep the personal info). So outside the DPPA, states are legislating on these practices.
    • Data Breaches: If a state DMV were hacked or a contractor exposed records, DPPA would certainly be in play. The affected individuals could potentially sue if the breach was due to a knowing unauthorized disclosure (though typically a breach is not “knowing” on part of the DMV, it’s more a security failure – those are addressed by other laws like state breach notification laws). We haven’t seen a landmark DPPA case on a hack, and hopefully won’t, if DMVs maintain good security.

Trends Through 2024–2025

  • Increased Public Awareness: More drivers are becoming aware that their DMV data can be shared in certain situations (often due to news investigations like those in Florida, Indiana, etc.). This awareness is driving political pressure to tighten controls. While the DPPA itself might not change federally, states are introducing bills to give individuals more control, such as opt-outs for data sharing as noted with Indiana’s efforts indianahousedemocrats.orgindianahousedemocrats.org. We may see a patchwork of state laws providing additional opt-outs or limiting which DPPA exceptions the state will actually utilize. (Remember, a state can choose to be stricter – e.g., even though DPPA would technically allow selling data for marketing with consent, a state can decide not to do that at all, or to require opt-ins for even more categories.)
  • Transparency and Accountability: States like Indiana now require the DMV to publicly report how much money they make from data disclosures wrtv.com. Other states might follow to ensure there’s oversight on this semi-hidden economy of driver data. If the numbers are high, it could spur either defense (DMVs saying “we need this revenue to keep fees low”) or backlash (“are we monetizing privacy?”).
  • Litigation Continues: Plaintiffs’ lawyers are actively monitoring and pursuing cases where they suspect DPPA violations. As data flows increase (with digital services, more electronic record exchanges, etc.), there are more points where errors or abuses can occur. For example, if a tech company somehow got a bulk dump of DMV records outside the allowed channels, it would face massive DPPA exposure. So far, industries seem cautious – we haven’t seen a big tech scandal with DPPA, but the law is there as a backstop.
  • Intersection with Other Privacy Laws: The DPPA sits alongside newer state consumer privacy laws (like California’s Consumer Privacy Act, Virginia’s CDPA, etc.). Generally those laws exempt government-held data and focus on private companies. But imagine a scenario where a private company holds DMV data (say, a contractor managing records) – DPPA would cover that data usage, and the company would also have to consider state privacy laws if they tried to use it for any broader purpose. Additionally, if Congress ever passes a comprehensive privacy law, it may explicitly leave DPPA intact (similar to how health and financial data laws are carved out). So DPPA is a piece of a larger privacy puzzle, and any new law would likely treat it as the controlling rule for DMV data, given its specificity.
  • No Major Federal Changes Yet: As of early 2025, there’s no bill in Congress that seems poised to overhaul or update the DPPA itself. The focus federally has been on bigger-picture privacy (like internet data, children’s privacy, etc.) and on issues like facial recognition or vehicle telematics. DPPA is working relatively well in its domain, so it hasn’t been a target for reform. The one area that could eventually prompt a federal look is the data sale issue – if enough states complain or if there’s a scandal (like a DMV accidentally selling data to a scammer), Congress might hold hearings. In fact, a consumer advocacy report in 2022 questioned whether selling data to third parties might warrant Congress amending DPPA to require more explicit consumer consent or profit-sharing. But for now, no concrete action.

In conclusion, the DPPA is actively enforced through a combination of federal oversight, state implementation, and private litigation. The trends show a push for even greater privacy protections at the state level and vigilance in ensuring DPPA’s exceptions aren’t abused. Drivers today enjoy far more privacy for their DMV information than they did prior to 1994, and ongoing enforcement efforts aim to keep it that way, even as new challenges emerge.

Frequently Asked Questions (FAQ) – Drivers Privacy Protection Act (2025)

Q1: What is the Driver’s Privacy Protection Act (DPPA)?
A: The DPPA is a federal law passed in 1994 that protects the privacy of personal information in state motor vehicle records. It prohibits state DMVs from releasing your name, address, and other identifying information to the public, allowing access only for specific, authorized purposes. In essence, it keeps your DMV records private – only you and those with a legal need (like certain government, safety, or insurance uses) can get that information. The law was enacted after concerns that easy access to DMV data was leading to stalkers, unsolicited marketing, and other harms. All 50 states must follow the DPPA’s rules.

Q2: Why was the DPPA enacted?
A: The DPPA was enacted to enhance public safety and privacy by closing a loophole in public records laws. Prior to the DPPA, many states treated driver’s license and vehicle registration data as public, meaning anyone could request someone’s address or personal details from the DMV. This led to abuses – famously, a tragic incident where an actress’s stalker obtained her address from DMV records prompted Congress to act. The DPPA ensures that your personal details can’t be freely obtained by just anyone, reducing the risk of stalking, identity theft, harassment, and unwanted commercial use of your data. The Supreme Court has noted that the DPPA is a proper exercise of federal power to protect individuals’ privacy in their motor vehicle records govinfo.gov. In short, it was enacted to put privacy guardrails around information we all have to give to the government (to get a license or register a car).

Q3: What personal information does the DPPA protect?
A: The DPPA protects information that identifies you in DMV records. This includes:

  • Name
  • Address (street address – note: the 5-digit ZIP code is not protected by DPPA itself, but usually a zip alone isn’t identifying without more context)
  • Photograph (and any digital image on file)
  • Social Security Number (if you provided it to DMV)
  • Driver’s license or identification number
  • Telephone number
  • Medical or disability information (e.g., if you have a disability placard or restrictions on your license for medical reasons)

Basically, if it’s in your driver’s license, permit, vehicle registration, or state ID record and it identifies you personally, the DPPA covers it. Some states also treat additional items as protected (for example, email addresses or emergency contacts you’ve given to the DMV) under their own laws, but those are bonuses on top of DPPA.

There is also a category called “highly restricted personal information,” which is a subset that includes your photo, SSN, and medical/disability info. These are treated with an even higher level of protection (they generally cannot be released without your express consent, except to very few exempted parties like law enforcement).

Q4: What information is not protected by the DPPA?
A: The DPPA does not cover certain non-personal or driving-specific information. Notably, it does not protect:

  • Information on vehicular accidents (accident reports, crash histories)
  • Driving violations (traffic tickets, DUI convictions, point history)
  • Driver’s license status (whether your license is valid, suspended, revoked, etc.)

These types of information are often considered public record or are available to those with a valid need. For example, if someone wants to check if a used-car seller has a clean driving record or if a trucking company needs to verify a driver’s commercial license status, that falls outside DPPA’s privacy scope. Many states have separate systems or laws for accessing driving histories and accident reports. The DPPA’s focus is on personal identity details, not the record of driving events or infractions. However, even when accessing those public driving records, typically the personal info (name, address) is still handled carefully. For instance, an accident report might be public, but a state might restrict how that report’s personal data can be used for marketing due to other laws.

Q5: Who can access my DMV information under the DPPA?
A: Only certain people or organizations with specific, lawful purposes can access your personal DMV data. The DPPA lists a number of permissible uses. Key examples include:

  • Government agencies and law enforcement: Police, courts, and government agencies can check records to carry out their functions (e.g., during a traffic stop or an investigation).
  • Insurance companies: To obtain info for underwriting policies, processing claims, or investigating fraud. If you’re in an accident, insurers will get necessary driver info.
  • Businesses verifying identity: A business can confirm personal info you provide in a transaction. For example, if you apply for a loan or rent a car and give your license, the company might verify through the DMV that the details are accurate – and if not, get correct info to prevent fraud or collect a debt.
  • Legal use in courts: Lawyers and courts can obtain data in connection with a case – for instance, to serve someone with legal papers, or as evidence in a lawsui. (They can’t go on fishing expeditions; it has to be related to an active or potential case.)
  • Vehicle-related safety recalls or research: Automakers can get owner information to send out recall notices or to research vehicle safety issues. Also, researchers can use data (without personal identifiers) for statistical reports.
  • Towing companies / impound notification: If your car is towed, the towing service or police can get your address to notify you how to retrieve your vehicle.
  • Private investigators and security services: They can access data only for DPPA-permitted reasons, such as investigating a fraud or during litigation on behalf of a client.
  • Employers of commercial drivers: Companies can verify the commercial driver’s license credentials and driving record of truck drivers, bus drivers, etc., they are hiring.
  • Toll road operators: Private (or public) toll agencies can get info to bill drivers for tolls or violations on their roads.

In all cases, the person requesting the info has to certify their purpose to the DMV and it must align with one of these allowed uses. Misrepresenting oneself or the purpose to obtain data is illegal. For example, someone can’t just say “I’m doing research” to get your info and then use it to send you ads – that would be a DPPA violation.

Q6: Can I find out the owner of a license plate number I saw (or get someone’s address from their plate)?
A: Generally, no – not for casual or personal reasons. The DPPA blocks using a plate or VIN to retrieve personal owner information except for the specific purposes allowed by lawdmv.ny.gov. That means you, as a private individual, cannot go to the DMV and ask, “Who owns the car with license ABC123?” unless you have a permissible reason (which, as a private citizen, you typically wouldn’t).

Permissible reasons for a plate lookup would be things like:

  • You are a tow truck operator trying to find a vehicle owner to inform them of a tow (allowed).
  • You are an insurer or attorney following up on a hit-and-run claim and need to identify the owner (allowed as part of claim or legal proceeding).
  • Law enforcement or a government agency (always allowed to run plates for official duties).

But curiosity or personal interest is not allowed. The NY DMV explicitly notes that using a plate number to get someone’s name or address is restricted by DPPAdmv.ny.gov. So, if someone hits your car and drives off, you can give the plate number to the police or your insurer – they can run it. But you can’t get that info directly as a member of the public.

Q7: Do I have to give consent for my information to be shared? Can I opt out?
A: In most cases, you do not need to do anything to protect your information – it’s automatically protected by the DPPA. Your state DMV will not release your personal data to unauthorized people without your consent. There is no general “opt-out” needed because the default is “opt-in only” for most disclosures.

However, here are the nuances:

  • For marketing or solicitation purposes, the law requires your express consent (opt-in) before the DMV can release your info. In practice, many states don’t even offer an opt-in for marketing. So you won’t suddenly find yourself on a mailing list just because you have a driver’s license – not from DMV data, at least. If a state does allow it, it would be via a checkbox or form where you clearly agree. If you ignore such a form, nothing is shared.
  • For other permitted uses (like insurance, recalls, law enforcement), your consent is implied by law – you generally cannot opt out of those because they are integral to how those systems work. For example, by driving on public roads, you can’t opt out of law enforcement running your plate if needed, and by having insurance, you can’t prevent an insurer from checking your license status. These are considered acceptable uses that don’t require individual approval each time.
  • Some states offer additional choices: A few states are considering or have implemented limited opt-outs. For instance, as mentioned, Indiana debated allowing older drivers or minors to opt out of data sales to third partieswrtv.com. If you’re in such a state, you would be informed by the DMV of that right. But under the DPPA itself, outside of marketing, there isn’t a mechanism for a person to say “Don’t share my info even for permitted uses.” The law’s approach is that all permitted uses are, by definition, uses you can’t veto (except by not getting a license at all, which isn’t practical).
  • You can withhold consent for those uses that require it. If, say, a research firm asks the DMV for your data to send you a survey, the DMV would need your consent – you can simply not give it, and they won’t get your data. Similarly, if an employer or landlord asks you to sign a form to run your driving record and you’re not comfortable, you can decline – but keep in mind they might then choose not to hire or rent to you if having that info was crucial to them.

In summary: No action is required on your part to keep your DMV info private from general disclosureflhsmv.gov. It’s already protected. You’ll only be asked for consent in special cases (like marketing or if you personally authorize someone to pull your record). Of course, always read notices from your DMV; some states at license renewal might include updated privacy notices or options.

Q8: How do I obtain a copy of my own driving record or someone else’s record?
A:

  • Your own record: You have the right to access your own DMV records. Each state DMV has a procedure – typically, you fill out a form and provide identification to request your driving record or vehicle record. You may have to pay a small fee. Under DPPA, since it’s your info, you can obtain it (this falls under either your consent or a statutory allowance). For example, Florida lets individuals request their own driver history by completing a specific form and mailing it in flhsmv.gov. Many states also offer online portals for you to order your driving record (which shows your violations, points, etc.). When you request your own record, personal info isn’t redacted because it’s yours.
  • Someone else’s record: To get another person’s driving record or personal DMV information, you must qualify under one of the DPPA exceptions and often you must certify that on a request form flhsmv.gov. For instance:
    • If you are an attorney or insurance agent involved in a case or claim involving that person, you would note that on the form (permissible use for legal or insurance).
    • If you’re a private citizen, it’s very hard to get someone else’s info unless they give written consent or perhaps if you have a court order. A common scenario is employers obtaining records of prospective employees – they either get the employee’s signed consent or qualify as a legitimate business with a permitted use (verification of info relating to a job that involves driving).
    • News media or researchers might get access to certain data, but personal details would likely be redacted unless there’s consent or a compelling state law reason.

Each state form usually has a list of the permissible uses (often mirroring the DPPA list) – you’d check the box that applies and sign. If none apply, the DMV will deny the request. Falsely certifying a reason to get info is illegal. (In some states, that’s a felony; plus federal law could impose fines.)

In short, you can easily get your own records. But you can’t just pull up others’ records without jumping through legal hoops. If you think you have a valid reason, check your state DMV’s website for a “Request for record” form (sometimes called a DPPA request or a Driver Privacy request form) and see the criteria. And remember, the person whose record is requested is generally not notified (except in certain waiver procedures), so the onus is on the DMV to vet the request carefully.

Q9: What are the penalties if someone violates the DPPA?
A: They can be quite severe:

  • Criminal fines: Anyone who knowingly accesses or shares personal DMV data without authorization can be fined by the federal government govinfo.gov. While the law doesn’t set a specific amount per violation for individuals, fines could go up to $5,000 per violation in serious cases (and theoretically even more under general federal fine guidelines, depending on circumstances).
  • Civil lawsuit damages: The person whose privacy was invaded can sue the violator in federal court. The court must award at least $2,500 in damages for each violation (that’s per person whose data was misused) govinfo.gov. It can award more if actual harm was greater, plus possibly punitive damages if the conduct was willful or reckless govinfo.gov. The violator also likely has to pay the attorney fees and costs of the person who sued govinfo.gov.
  • State penalties: Some states have their own penalties too. For example, an employee who misuses DMV data might face state criminal charges (for computer crimes or misconduct in office). But focusing on DPPA itself – the big deterrents are the fine and lawsuit provisions.
  • Enforcement examples: There have been cases where police officers paid out of pocket for DPPA violations (after being sued), and cases where companies ended up owing millions due to a class action. It’s a strong law on paper and has been enforced in practice. Also, the U.S. Attorney General can hit a state DMV with a penalty up to $5,000 per day if the state agency itself is systematically breaking the rules govinfo.gov (though this hasn’t really been used because states comply now).

In summary, a violation isn’t treated lightly. If you suspect your data was illegally obtained or disclosed (for example, you find out a company got your info and sent you spam without any consent or permissible purpose), you have recourse: you can report it to authorities and consider a civil action knowing the law backs significant damages for your privacy.

Q10: Has the DPPA changed recently (2024–2025), or are any changes coming?
A: No major changes to the DPPA have occurred in recent years. The last significant amendment was in 2000, which required explicit consent for the sale of data for marketing. Since then, the core provisions of the law have stayed the same.

That said, the world around the DPPA is changing:

  • Federal privacy law efforts: Congress has been debating comprehensive data privacy legislation, but those discussions haven’t specifically targeted the DPPA. It’s generally viewed that if a broad privacy law passes, it would likely leave the DPPA in place (as it’s a sector-specific law that’s functioning). Any new federal law might explicitly state that it doesn’t weaken DPPA protections.
  • State-level enhancements: Rather than changes to the DPPA itself, what we see are states enacting their own laws to augment the DPPA. For example, California added protections for driver’s license info related to immigration status, and Indiana (as mentioned) considered laws to let people opt out of data sales. New York introduced a bill to further control how DMV data can be contracted out, ensuring compliance with DPPA nysenate.gov. These aren’t changes to DPPA, but they change the landscape in which DPPA operates.
  • Court interpretations: Each year, new court decisions refine understanding of the DPPA (like the cases about what counts as obtaining from a DMV, etc.). These aren’t changes to the text, but they affect how it’s applied. For instance, the clarification that scanning a physical license is outside DPPA came from a 2019 court decision lexology.com. In 2024, courts continue to handle DPPA claims, but no blockbuster Supreme Court case is on the horizon at the moment.
  • Possible future tweaks: If any trend might prompt Congress to revisit DPPA, it could be concerns about data being used in ways not originally anticipated (like, hypothetically, if DMVs started partnering with big tech on something). Also, if there were evidence of widespread abuse of the exceptions (say, companies lying about their use), Congress might consider adding stricter disclosure controls or oversight. So far, there hasn’t been a groundswell for that. The law is relatively strict as-is and enjoys bipartisan support (who doesn’t like driver privacy?).

So, in summary, as of 2025 the DPPA is stable and unchanged. Keep an eye on your state, though – local law might give you even more rights or, conversely, might be something to engage with (for example, to support additional protections). Always stay informed through official channels (state DMV notices, legislative updates) for any tweaks that affect your personal information.

Q11: How does the DPPA interact with state laws like California’s DMV privacy rules?
A: The DPPA sets a floor of protection that all states must meet, but states are free to go further. If a state law offers stronger privacy, there’s no conflict – the state can enforce its stricter rules in addition to the DPPA. For example:

  • California, under its own laws, will not release your home address except in very narrow circumstancesdmv.ca.gov, whereas DPPA might have allowed more scenarios (like an attorney in a car accident case could get it – California will still allow that, but they’ve codified the exceptions tightly in state law).
  • If a state law tried to allow something the DPPA forbids – say a hypothetical state law that says “DMV can sell driver info to anyone who asks” – that law would be invalid due to the Supremacy Clause. But no state has done that since DPPA passed.
  • States often have their own privacy or open records laws that dovetail with DPPA. Many states basically wrote the DPPA exceptions into their statutes so that state employees have one clear set of rules to follow that satisfies both state and federal law flhsmv.gov.
  • The bottom line is the stricter rule wins: If DPPA says “you may release for X purpose” but the state says “we won’t release for X purpose,” then the data won’t be released. DPPA doesn’t force a state to disclose; it only permits it. Conversely, if state law is looser than DPPA, DPPA overrides to prevent that disclosure.

For individuals, this means in places like California, New York, New Jersey, etc., you might actually experience even more privacy than DPPA alone guarantees. You don’t need to figure out which law is doing the work – just know that your info isn’t going out unless it checks out under all applicable laws. It’s a layered protection.

Q12: Does the DPPA protect information I give to private companies, like car rental agencies or auto dealers?
A: Not directly. The DPPA specifically governs data in records kept by state DMVs. When you give your driver’s license to a private company (car rental, hotel, retailer for age check, etc.), that’s not covered by DPPA. Those companies are not DMVs. However:

  • Other laws may protect that information. For instance, many states have laws that say a business can scan your driver’s license for certain purposes (like verifying age or identity) but cannot retain or use the personal information for other purposes. (California and Texas have such laws; many states do after incidents of over-collection.)
  • If a private company contacts the DMV to verify or retrieve information about you, then the DPPA applies to that contact. For example, a car dealer might run a driver’s license check through the DMV to see if your license is valid before letting you test drive – that access is subject to DPPA (legitimate business use to verify info).
  • If a company misuses your driver’s license info you gave them directly (say a store clerk photocopies it and later stalks you), DPPA isn’t the remedy – but other privacy or criminal laws would likely apply.

So, keep in mind the DPPA doesn’t follow your data everywhere – it’s focused on DMV-held data. Once you voluntarily provide your info to a private party, DPPA protections don’t cover that interaction (though again, that party can’t then go to the DMV for more info without a DPPA-approved purpose).

Q13: How does the DPPA affect online services or apps that want DMV info (like verifying identity for rideshare or rental)?
A: Any online service that wants to obtain data from the DMV needs to fit a permissible use or get your consent:

  • Some online services act as intermediaries – for instance, a background check service for gig economy companies might be granted access to DMV records. They must certify a purpose like “employment screening for driving position” (which is allowed with consent of the driver or under the business use exception for verification).
  • Many identity verification processes actually rely on you to upload or present your driver’s license (pulling info from the card), not by pinging the DMV. As discussed, reading off the card isn’t covered by DPPA. So if you scan your license for an app, DPPA isn’t in play, but the app’s privacy policy is.
  • If an app did want to query the DMV (say there was a service to check your driving history), it would need you to authorize it and it would use a DPPA mechanism (some states have online portals where you, the driver, log in and can share your record with others by consent code).

The big picture: DPPA keeps a tight lid on official DMV databases in the online age. There’s no open API for random apps to pull driver data. Any legitimate data exchange is governed and audited.

Q14: What should I do if I suspect my DPPA rights were violated?
A: If you believe someone obtained or used your DMV information improperly:

  • Report it to your state DMV and/or state Attorney General. They may have a unit that handles privacy or fraud complaints. Provide as much detail as possible (e.g., “I got a solicitation letter that references my vehicle purchase – I never agreed to that.” or “I learned a local official looked me up without cause.”).
  • You can file a complaint with the U.S. Department of Justice as well, since DPPA is a federal law. The DOJ can investigate willful violations, especially large scale ones.
  • Consult an attorney about a possible DPPA civil suit. Because the law provides for attorney fees, many lawyers will be interested if it’s a clear violation affecting you (and possibly others – it could become a class action). They can advise if your situation meets the criteria.
  • Preserve evidence. If you received something suspect (like a marketing mail that indicates it came via DMV data), keep it. If it’s an electronic event, save emails or screenshots.
  • Keep in mind some things that feel like violations may not be: e.g., accident reports might be used to contact you (which could be annoying but not a DPPA violation if the info wasn’t from DMV). A lawyer can help sort that out.

The DPPA has a 4-year statute of limitations (time to sue) from when the violation occurred or was discovered, in many cases. So act in a timely manner.

Sources: This overview is based on the DPPA’s provisions in 18 U.S.C. §§ 2721–2725 (current through 2025) and official information from state DMVs and government websites. Key references include the U.S. Code text, state DMV guidelines (e.g., California DMV’s privacy fact sheet dmv.ca.gov, Florida HSMV’s DPPA summary flhsmv.gov, New York DMV records access information dmv.ny.gov), and pertinent court decisions (such as Reno v. Condon govinfo.gov and Maracich v. Spears as discussed).