Q: What is the Drivers Privacy Protection Act?
A: The Driver’s Privacy Protection Act (DPPA) is a federal law that limits the occasions when state departments of motor vehicles and authorized recipients may disclose to the public personal information contained in a person’s motor vehicle record, which includes a motor vehicle operator’s permit, motor vehicle title, motor vehicle registration, or identification card issued by a department of motor vehicles. Many states have enacted similar legislation further regulating this data.
Q: What type of personal information is protected by the DPPA?
A: Personal information protected by the DPPA is information that identifies an individual, including an individual’s photograph, Social Security number, driver identification number, name, address (but not the five-digit zip code), telephone number, and medical or disability information. The DPPA does not protect information about a person’s vehicular accidents, driving violations, and driver’s status. Some states protect more than just the personal information listed above.
Q: Why was the DPPA enacted?
A: Records created and maintained by government agencies are considered public records and, as such, are generally available to all members of the public. In an “open” society, it is important that members of the general public have access to public records so they know how public agencies operate. However, there are exceptions. The DPPA is one of these exceptions. It was enacted in 1993 to help prevent private information from being available to those who might use that information for criminal or other prohibited purposes.
Q: What does the DPPA do?
A: The DPPA generally prohibits the department of motor vehicles and authorized recipients from knowingly disclosing the personal information contained in an individual’s driver’s license, motor vehicle registration and other departmental records to other people or organizations.
Q: Are there any circumstances under which the department of motor vehicles may release personal information?
A: Yes. A department of motor vehicles is required to disclose personal information for use in connection with matters of motor vehicle or driver safety and theft; motor vehicle emissions; motor vehicle product alterations; recalls, advisories, or performance monitoring of motor vehicles and dealers by motor vehicle manufacturers; and removal of non-owner records from the original owner records of motor vehicle manufacturers, and to carry out the purpose of certain vehicle-related laws.
There are also 14 exceptions to the DPPA’s prohibition against the disclosing of personal information. For example:
• law enforcement agencies may obtain the information to perform police work;
• insurance companies may obtain the information to investigate claims and for several other purposes;
• information can be obtained to verify a person’s identity under certain circumstances;
• information can be obtained by attorneys for use in a lawsuit; and
• a person may allow his or her personal information to be shared with another person by providing written consent.
In addition, an authorized recipient of personal information may obtain information from a department of motor vehicles to make that information available to persons or businesses with a permissible purpose.
Q: Can a commercial company obtain personal information from the department of motor vehicles records, such as my name and address, so that it can send me advertisements?
A: Not generally, but there are exceptions. With your written permission, a department of motor vehicles may give a company your personal information. Also, a company may be permitted to include advertisements in conjunction with mailings done for official department of motor vehicles business, such as a reminder to renew a motor vehicle registration.
Q: Are businesses permitted to obtain and use DPPA personal information?
A: Yes. A business may obtain data for a permissible use even if there is not a present need for the data. For example, a business can obtain DPPA personal information to verify the identity of persons with whom it intends to do business presently or at some undetermined time in the future. A business may also receive data if it intends to only make that information available to other businesses or persons for uses permitted by the DPPA.
Q: Is a business or person permitted to resell DPPA personal information it has lawfully received?
A: Yes. An authorized recipient of DPPA personal information may resell it to any person who uses it for a permissible purpose under the DPPA.
Q: Is there certain personal information that is protected more than other personal information?
A: Yes. Certain personal information, including Social Security numbers, photographs or disability information, is more carefully protected than other personal information, and may be provided under limited DPPA exceptions. For example, a law enforcement agency would be able to obtain all of this information.
Q: Are there penalties for violating the DPPA?
A: Yes. Anyone who makes a false statement (e.g., misrepresenting himself or herself as someone who fits an exception) to obtain personal information may have to pay a fine. Also, a lawsuit for “damages” (an amount of money to compensate someone for a particular loss) may be brought against anyone who knowingly obtains, discloses or uses the information for a purpose that is not permitted under the DPPA.
Law You Can Use is a consumer legal information column provided by the Ohio State Bar Association. This article was originally prepared by Springboro attorney Bruce Martino, and updated by Faruki Ireland & Cox P.L.L. partner Ronald I. Raether Jr., whose practice includes data and security compliance law.