Home » News & Events » News Archive » 2003 Press Releases
Legal Analysis of Florida Driver's License Privacy Protections
April 8, 2003
An analysis of the relevant legal standards demonstrates that Florida has failed to comply with the Federal Driver's Privacy Protection Act (DPPA), and is therefore subject to action by the Attorney General of the United States because of its policy or practice of substantial noncompliance with the DPPA.
DPPA Overview
Under the Act, a state department of motor vehicles generally cannot "knowingly disclose or otherwise make available to any person or entity" personal information from a motor vehicle record. (See 18 U.S.C. ? 2721(a)(2002).) There are number of exceptions to this rule, allowing driver information to be used for variety of purposes, such as research activities ("so long as the personal information is not published, redisclosed, or used to contact individuals"), court proceedings, and various motor vehicle, driver safety and theft matters. (See, e.g. 18 U.S.C. ?? 2721(b)(2), (b)(4), (b)(5).) The statute does allow driver records to be used for "bulk distribution for surveys, marketing or solicitations," but only "if the State has obtained the express consent of the person to whom such personal information pertains." (See 18 U.S.C. ? 2721(b)(12).)
The DPPA provides additional protections for "highly restricted personal information," which is defined as an individual's photograph or image, social security number and medical or disability information. (See 18 U.S.C. ?? 2725(4).) More specifically, the Federal law allows fewer permitted uses of "highly restricted personal information" than the general list of uses for driver information. Under this higher standard, highly restricted personal information can, for the most part, only be used (1) by government agencies in carrying out their respective functions, (2) in court proceedings (including service of process and execution or enforcement of judgments or orders), (3) by insurers for antifraud activities, ratings or underwriting, and (4) by employers/insurers to verify information regarding holders of commercial driver's licenses. (See 18 U.S.C. ?? 2721(a)(2), (b)(1), (b)(4), (b)(6), (b)(9).)
The Attorney General of the United States has the power to enforce the DPPA, especially in instances where the relevant state government failed to comply with the Federal guidelines. The DPPA specifically mentions that any "State department of motor vehicles that has a policy or practice of substantial noncompliance with this chapter shall be subject to a civil penalty imposed by the Attorney General of not more than $5,000 a day for each day of substantial noncompliance." (See 18 U.S.C. ? 2723(b).)
FL motor vehicle department practices are in substantial noncompliance with the DPPA and demand U.S. Attorney General action. The state of Florida has clearly violated the DPPA, both through the plain language of the relevant state statute and the subsequent actions of Florida's Department of Highway Safety and Motor Vehicles (DHSMV). The State of Florida continues to have policies and practices in place that are in plain violation of the Act. It is therefore imperative for the U.S. Attorney General to step in and correct the situation through civil penalties ? the DPPA specifically states that the U.S. Attorney General shall impose civil penalties on state motor vehicle departments that have "a policy or practice of substantial noncompliance with this chapter." (See 18 U.S.C. ? 2723(b).)
Florida driver information laws violate the DPPA At the outset, the plain language of relevant Florida statute evinces "a policy or practice" that violates some of the DPPA's most fundamental precepts.
Florida treats driver's personal information as public records that can be made available to virtually anyone. (See FLA. STAT. ch. 119.07(3)(aa)(2002).) Florida drivers who wish to protect their privacy must file a formal request with their state (DHSMV). (See Id.) This rule directly contradicts the DPPA, which generally bars state motor vehicle departments from making such information available, rather than placing the burden on drivers. (See 18 U.S.C. ? 2721(a).)
Even then, current Florida state law contains a huge loophole for bulk distribution of surveys, marketing and solicitations, which may force privacy-conscious drivers to again speak out to prevent their personal information from being used for such purposes. (See FLA. STAT. ch. 119.07(3)(aa)(12).) Indeed, the Florida statute authorizes the DHSMV to disclose otherwise private driver information to data resellers: "Personal information exempted from public disclosure ... may be disclosed by the Department of Highway Safety and Motor Vehicles to an individual, firm, corporation, or similar business entity whose primary business interest is to resell or redisclose the personal information to persons who are authorized to receive such information." (See FLA. STAT. Ch. 119.07(3)(aa).) The Federal law, by contrast, requires the state to obtain "the express consent of the person to whom such personal information pertains." (See 18 U.S.C. 2721(b)(12).)
Moreover, the Florida statute does not make any distinction between ordinary driver information and "highly restricted personal information," nor does provide any special protection for such "highly restricted personal information" as mandated by the DPPA. Remember that the Federal statute allows fewer permitted uses of "highly restricted personal information" than the general list of uses for driver information. (See 18 U.S.C. ?? 2721(a)(2), 2725(4).)
FL motor vehicle department actions are also in substantial noncompliance with the DPPA. Besides the issues implicated by the plain language of Florida's driver information law, the DHSMV's practices also surpass the "substantial noncompliance" threshold required under the DPPA.
Florida state authorities continue to operate on the premise that drivers have to shoulder the burden of protecting their respective personal information, telling people that the DPPA "allows you to keep your personal information private by limiting who has access to the information." (See Florida Dep't of Highway Safety and Motor Vehicles, Driver Privacy Protection Act; last visited Mar. 26, 2003.) The DHSMV's practices have already fostered cottage industries where personal information concerning millions of Florida drivers can be bought and downloaded with remarkable ease. (See Florida MVR Services, Instant Florida Driving Records; last visited Mar. 26, 2003.) Worse still, there is evidence that DHSMV officials have known about DPPA's requirements for over three years but have failed to carry out measures that would bring them into compliance with the Federal standard. (See Florida Department of Highway Safety and Motor Vehicles, Minutes of Executive Staff Meeting (Feb. 3, 2000).
