Driver's Privacy Protection Act (DPPA) — Motor Vehicle Record Privacy

Updated May 14, 2026

The Driver's Privacy Protection Act (18 U.S.C. §§ 2721–2725), enacted in 1994, restricts the disclosure and use of personal information contained in state motor vehicle records — your driver's license data, vehicle registration, and motor vehicle title information held by state DMVs. Before the DPPA, anyone could walk into a DMV and obtain your name, address, phone number, Social Security number, photograph, height, weight, and medical information — for any reason or no reason at all. Part of the broader federal data privacy landscape, the DPPA was prompted by the 1989 murder of actress Rebecca Schaeffer, whose stalker obtained her home address from California DMV records. Under the Act, state DMVs may not disclose personal information except for 14 enumerated "permissible uses" — including law enforcement, insurance claims processing, vehicle safety recalls, and legitimate business purposes (with consumer opt-out rights). The DPPA provides a private right of action with minimum damages of $2,500 per violation, plus punitive damages and attorney fees — making it one of the more potent federal privacy enforcement tools. The Supreme Court upheld the DPPA's constitutionality in Reno v. Condon (2000), ruling that Congress could regulate the disclosure of personal information by state DMVs under the Commerce Clause.

Current Law (2026)

| Parameter | Value |
|---|---|
| Governing law | 18 U.S.C. §§ 2721–2725 (Driver's Privacy Protection Act, 1994) |
| Covered entities | State DMVs and their employees, contractors, and authorized recipients |
| Protected information | Name, address, phone, SSN, photo, medical/disability info, height, weight, date of birth |
| Highly restricted information | SSN, photograph, medical/disability — requires express consent for most disclosures |
| Permissible uses | 14 enumerated exceptions (law enforcement, insurance, motor vehicle safety, research, etc.) |
| Civil damages | $2,500 minimum per violation, plus punitive damages and attorney fees |
| Criminal penalty | Fine for knowing violations; $5,000/day for state DMV systematic noncompliance |
| Key case | Reno v. Condon (2000) — DPPA upheld as valid exercise of Commerce Clause power |

  • 18 U.S.C. § 2721 — Prohibition on release and use (state DMVs may not knowingly disclose or make available personal information from motor vehicle records, except for 14 permissible uses; highly restricted information like SSN and photos requires express consent for most uses)
  • 18 U.S.C. § 2722 — Additional unlawful acts (prohibits knowingly obtaining or disclosing motor vehicle record information for non-permissible purposes; prohibits making false representations to obtain records)
  • 18 U.S.C. § 2723 — Penalties (criminal fine for knowing violations; state DMVs with a pattern of noncompliance face $5,000/day civil penalties imposed by the Attorney General)
  • 18 U.S.C. § 2724 — Civil action (any person whose personal information is obtained, disclosed, or used in violation of the Act may bring a civil action; entitled to actual damages of not less than $2,500, punitive damages, reasonable attorney fees, and equitable relief)

How It Works

The DPPA allows disclosure of motor vehicle record information only for 14 specified purposes: motor vehicle and driver safety; theft prevention; emissions monitoring; product recalls; performance monitoring of vehicles and dealers; use by a government agency in its functions; court proceedings; research (without further disclosure of personal information); insurance claims investigation, antifraud, and rating; notification of owners of towed or impounded vehicles; use by licensed private investigators; employer verification of commercial driver information; private toll and parking facility operations; and other uses specifically authorized by state law consistent with the DPPA. For bulk distribution of records — such as marketing lists — states may only disclose if individuals have opted in (or under opt-out regimes depending on the state). The DPPA creates two tiers of protection: regular personal information (name, address, phone number) may be disclosed for any of the 14 permissible uses, while highly restricted personal information — Social Security numbers, photographs, and medical or disability information — requires express consent for most disclosures, with limited law enforcement and government exceptions.

The DPPA's enforcement teeth come from § 2724's private right of action: any person whose information is wrongfully obtained, disclosed, or used can sue in federal court for actual damages of no less than $2,500 per violation, plus punitive damages and attorney fees. Because the $2,500 minimum applies per person whose records were accessed, class actions involving thousands of individuals can reach into the tens or hundreds of millions in potential damages — generating significant litigation against data brokers, background screening companies, and marketing firms that purchased DMV data without proper permissible-use documentation. State DMVs must implement disclosure controls: verifying permissible use before releasing records, maintaining opt-in/opt-out mechanisms for bulk disclosures, and restricting access to highly restricted information. States that maintain a pattern or practice of noncompliance face $5,000/day civil penalties from the Attorney General.

How It Affects You

If you're a driver or anyone whose information is in state motor vehicle records: Your DMV data — name, home address, date of birth, photo, height, weight, and in some cases Social Security number and medical/disability information — is protected from indiscriminate public disclosure. Before the DPPA, anyone could walk into a DMV and get your home address for any reason, creating a stalking risk that led directly to the murder of actress Rebecca Schaeffer in 1989. Now, your information can only be disclosed for 14 enumerated permissible purposes. If a company or individual wrongfully obtains or uses your DMV data, you can sue in federal court for actual damages of no less than $2,500 per violation plus punitive damages and attorney fees. This private right of action has driven significant litigation against data brokers and background screening companies that accessed DMV records without proper authorization. If you believe your records have been improperly accessed — for example, if someone obtained your address from a DMV-sourced database for stalking or harassment — the DPPA is one of the strongest privacy statutes available for civil relief.

If you're a data broker, background check company, or business that purchases motor vehicle records: The DPPA's $2,500 minimum damages — multiplied across a database of thousands of individuals — creates catastrophic exposure for systematic non-compliance. Before purchasing or using DMV data, you must have a permissible use under 18 U.S.C. § 2721 — the 14 enumerated exceptions include insurance claims processing, motor vehicle safety, vehicle recalls, court proceedings, licensed private investigators, employer verification of commercial drivers, and others. "Business purposes" is not a standalone permissible use without meeting specific criteria; marketing and data aggregation for general commercial purposes do not qualify. When obtaining records in bulk, the applicable regime (opt-in or opt-out) depends on the individual state's DMV. Courts have generally interpreted the $2,500 minimum as applying per person whose records were wrongfully accessed, making class actions involving thousands of individuals potentially worth tens or hundreds of millions in damages — the operative cases include class actions against major data companies that purchased DMV records without documenting permissible use.

If you work in law enforcement, government, or licensed investigation: The DPPA permits disclosure for carrying out government functions (including law enforcement investigations, identification, and enforcement) and for licensed private investigators working within the statute's purposes. For law enforcement: DPPA access is broadly available for legitimate investigative purposes, but the data must be used for law enforcement functions — accessing DMV records for personal reasons or to assist private parties without a qualifying purpose is a violation. For licensed private investigators: you can access motor vehicle records for permissible purposes (locating a missing person, serving process, investigating civil claims) but must document the authorized use and cannot resell or repurpose the data outside the permissible use you certified. Automated license plate reader (ALPR) data raises unsettled questions about whether ALPR-generated vehicle location data constitutes "motor vehicle records" under the DPPA — litigation is ongoing.

If you're a business with a legitimate need for motor vehicle records — insurance, employers, toll operators, or vehicle dealers: Several of the 14 permissible uses directly cover standard business purposes. Insurance companies may access records for claims investigation, underwriting, rating, and antifraud purposes — this is one of the most commonly used permissible uses. Employers may verify commercial driver license information for their CDL-holding employees. Toll and parking facility operators may access records for enforcement and billing. Product recall programs may use records to notify vehicle owners. For each use, you should document your permissible use basis before pulling records, train staff who access records on the permissible use limits, and have legal counsel review any bulk data purchase agreements. Using DMV data you legitimately obtained for one purpose (insurance underwriting) for a different purpose not within your permissible use authorization (marketing) is a separate DPPA violation.

State Variations

The DPPA is federal law that regulates state agencies:

  • States must comply with the DPPA's minimum protections but may enact stronger privacy protections
  • States choose whether to use an "opt-in" or "opt-out" regime for bulk record disclosures
  • Some states have enacted additional motor vehicle record privacy laws beyond DPPA requirements
  • State implementation of the 14 permissible uses varies — some states interpret them more restrictively

Implementing Regulations

The DPPA (18 U.S.C. §§ 2721–2725) is primarily self-executing — it directly prohibits disclosure of personal information from motor vehicle records without consent and provides a private right of action. No major CFR implementing regulations exist at the federal level.

State DMV regulations implement DPPA requirements through their own privacy policies and opt-out procedures, as the Act operates through the state motor vehicle departments. Each state DMV must establish disclosure controls, permissible-use verification procedures, and opt-in/opt-out mechanisms for bulk record disclosures to comply with the federal floor.

Pending Legislation

No standalone DPPA reform bills have been introduced in the 119th Congress. Driver privacy provisions appear in broader data privacy legislation — see Data Privacy and Right to Financial Privacy for a parallel statute protecting financial records.

Recent Developments

DPPA litigation has increased, particularly class actions against data brokers, background screening companies, and insurance companies that accessed DMV records without proper permissible use authorization. Courts have addressed whether the DPPA's $2,500 minimum applies per record accessed or per violation — with most circuits interpreting it per person whose records were improperly accessed. The growth of automated license plate reader (ALPR) technology has raised questions about whether ALPR data constitutes "motor vehicle records" under the DPPA. The Act's interaction with state "motor voter" registration laws (see Federal Elections) and Real ID Act requirements has created compliance complexities for state DMVs managing multiple federal mandates.
