ACLU Asks Attorney General Ashcroft to Enforce Driver's License Information Privacy Law in Florida

Affiliate: ACLU of Florida
April 8, 2003 12:00 am

ACLU Affiliate
ACLU of Florida
Media Contact
125 Broad Street
18th Floor
New York, NY 10004
United States

FOR IMMEDIATE RELEASE

MIAMI – Saying state officials have ignored federal law and failed to protect people in Florida from becoming victims of identity fraud, the American Civil Liberties Union today asked Attorney General John Ashcroft to compel state officials to comply with a federal law that keeps driver’s license records from getting in the wrong hands.

“In total disregard for federal law, the State of Florida has been requiring people to jump through hoops to protect the privacy of their personal information,” said Howard Simon, Executive Director of the ACLU of Florida. “The burden is not on the Florida motorist to ask the state to protect their personal information. Rather, the burden is on the state to obtain express permission to sell or release people’s personal data.”

In Florida, Department of Highway Safety and Motor Vehicles records (including drivers’ licenses, identification cards, vehicle registrations and titles) are classified as “public records,” giving virtually anyone access to those records maintained by the department. Federal law bans state officials from sharing anyone’s personal information unless they obtain express permission to do so. Nevertheless, in past years the state has been selling that information to marketers and companies that traffic in personal data without even notifying people that their information is being sold. According to state records, the motor vehicle department collected in excess of $27 million in fees during fiscal year 2001-2002 from the sale of driving and motor vehicle records.

Florida also fails to provide heightened privacy protection for “highly restricted personal information,” as required by federal law. Consequently, the state’s motor vehicle department is permitted by state law to release such personal information as a motorist’s photograph, Social Security number, medical condition or disability, without obtaining the consent of the motorist.

“Americans are facing major new threats to their privacy each day and they should be able to look to their state governments for assistance in preserving their privacy,” said Barry Steinhardt, Director of the Technology and Liberty Program of the National ACLU. “With identity theft quickly emerging as one of the nation’s fastest-growing crimes, citizens are shocked to learn that local government officials are making their personal information available to criminals and others who might want to use their data for malicious reasons. And they are even more surprised to find that this is taking place when such activities have already been banned by Congress.”

The ACLU letter, signed by Simon and Steinhardt, was transmitted to the Attorney General today. It outlines ACLU concerns with the state’s blatant disregard for federal law and privacy rights. The ACLU cited the Driver’s Privacy Protection Act (DPPA), a federal law that bans state officials from sharing the personal information they collect when administering driver’s licenses unless they obtain a person’s “express consent” to do so. Passed by Congress in 1994 and upheld by the Supreme Court in 2000, the law also mandates that states keep the information private in most circumstances. It was passed after the tragic murder of actress Rebecca Schaeffer by a stalker who obtained her address from the California Department of Motor Vehicles.

The text of the letter to Ashcroft follows.

April 8, 2003

Attorney General John Ashcroft
U.S. Department of Justice
950 Pennsylvania Avenue, NW
Washington, DC 20530

Dear Mr. Ashcroft:

We are writing to call your attention to the fact that, for the last several years, the State of Florida has had policies or practices that are in substantial noncompliance with an important federal law, the Federal Driver’s Privacy Protection Act (DPPA). Further, the State of Florida continues to violate the DPPA.

The DPPA grants the Attorney General the authority to remedy substantial non-compliance by state motor vehicle departments, and we urge you to exercise that authority to penalize the State of Florida for its failure to comply with that law, and thereby secure compliance with this important federal law.

This Driver’s Privacy Protection Act (DPPA), passed by Congress in 1994 and upheld by the U.S. Supreme Court in 2000, bans the states from selling the personal information they collect on Americans when they administer driver’s licenses. The DPPA also requires the states to keep such information private in most circumstances, unless the state obtains the express consent of the individual involved. The law was passed after the tragic murder of actress Rebecca Shaeffer by a stalker who obtained her address from the California Department of Motor Vehicles.

As the ACLU’s legal analysis (attached) demonstrates, Florida is in clear violation of this important national privacy law:

  • Florida allows virtually anyone to access driver’s license records by classifying such records as public records unless the individual license holder has affirmatively requested the State to withhold such information. Federal law, however, bans the states from sharing anyone’s personal information unless they obtain a person’s “express consent” to do so. Federal law requires that the burden is on the state to obtain permission (opt-in), not on the individual to beseech the state to protect their privacy (opt-out).
  • Even worse, Florida permits the bulk distribution of private information from motor vehicle files to marketers and companies that traffic in Americans’ personal information.
  • Federal law requires that states give extra protection to “highly restricted personal information” (such as an individual’s photograph, social security number, medical or disability information). Florida fails to do so, making such information widely available along with everything else.

The bottom line is that federal law requires an “opt-in” privacy regime when it comes to the disclosure of driver’s license information. However, the State of Florida has in place an “opt-out” regime. Worse yet, Florida officials have been aware of the federal requirements for over three years but have taken no steps to bring their policies or procedures within those federal requirements.

The state of Florida’s failure to comply with the DPPA is a serious matter. In recent years, identity theft has emerged as one of our nation’s fastest-growing crimes, and the range of malicious uses to which an individual’s private information can be put is growing daily.

With Americans’ privacy under assault from many directions, citizens should be able to look to their state governments for assistance in preserving their privacy. They don’t expect to see those governments serving as the handmaiden of marketers, data aggregators, and others who make it their business to use and market an individual’s personal information. Citizens do not expect their state governments to leave their personal information open to any criminal who might want to look at it. And they certainly don’t expect to see that taking place when such activities have already been explicitly banned by Congress.

We trust that you will act with vigor to protect the will of Congress and the privacy of residents of the state of Florida.

Sincerely,

Howard Simon, Executive Director
American Civil Liberties Union of Florida

Barry Steinhardt, Director
Technology and Liberty Program
American Civil Liberties Union

Legal analysis of Florida Driver’s License Privacy Protections

An analysis of the relevant legal standards demonstrates that Florida has failed to comply with the Federal Driver’s Privacy Protection Act (DPPA), and is therefore subject to action by the Attorney General of the United States because of its policy or practice of substantial noncompliance with the DPPA.

DPPA Overview

Under the Act, a state department of motor vehicles generally cannot “knowingly disclose or otherwise make available to any person or entity” personal information from a motor vehicle record. (See 18 U.S.C. § 2721(a)(2002).) There are number of exceptions to this rule, allowing driver information to be used for variety of purposes, such as research activities (“so long as the personal information is not published, redisclosed, or used to contact individuals”), court proceedings, and various motor vehicle, driver safety and theft matters. (See, e.g. 18 U.S.C. §§ 2721(b)(2), (b)(4), (b)(5).) The statute does allow driver records to be used for “bulk distribution for surveys, marketing or solicitations,” but only “if the State has obtained the express consent of the person to whom such personal information pertains.” (See 18 U.S.C. § 2721(b)(12).)

The DPPA provides additional protections for “highly restricted personal information,” which is defined as an individual’s photograph or image, social security number and medical or disability information. (See 18 U.S.C. §§ 2725(4).) More specifically, the Federal law allows fewer permitted uses of “highly restricted personal information” than the general list of uses for driver information. Under this higher standard, highly restricted personal information can, for the most part, only be used (1) by government agencies in carrying out their respective functions, (2) in court proceedings (including service of process and execution or enforcement of judgments or orders), (3) by insurers for antifraud activities, ratings or underwriting, and (4) by employers/insurers to verify information regarding holders of commercial driver’s licenses. (See 18 U.S.C. §§ 2721(a)(2), (b)(1), (b)(4), (b)(6), (b)(9).)

The Attorney General of the United States has the power to enforce the DPPA, especially in instances where the relevant state government failed to comply with the Federal guidelines. The DPPA specifically mentions that any “State department of motor vehicles that has a policy or practice of substantial noncompliance with this chapter shall be subject to a civil penalty imposed by the Attorney General of not more than $5,000 a day for each day of substantial noncompliance.” (See 18 U.S.C. § 2723(b).)

FL motor vehicle department practices are in substantial noncompliance with the DPPA and demand U.S. Attorney General action. The state of Florida has clearly violated the DPPA, both through the plain language of the relevant state statute and the subsequent actions of Florida’s Department of Highway Safety and Motor Vehicles (DHSMV). The State of Florida continues to have policies and practices in place that are in plain violation of the Act. It is therefore imperative for the U.S. Attorney General to step in and correct the situation through civil penalties – the DPPA specifically states that the U.S. Attorney General shall impose civil penalties on state motor vehicle departments that have “a policy or practice of substantial noncompliance with this chapter.” (See 18 U.S.C. § 2723(b).)

Florida driver information laws violate the DPPA At the outset, the plain language of relevant Florida statute evinces “a policy or practice” that violates some of the DPPA’s most fundamental precepts.

Florida treats driver’s personal information as public records that can be made available to virtually anyone. (See FLA. STAT. ch. 119.07(3)(aa)(2002).) Florida drivers who wish to protect their privacy must file a formal request with their state (DHSMV). (See Id.) This rule directly contradicts the DPPA, which generally bars state motor vehicle departments from making such information available, rather than placing the burden on drivers. (See 18 U.S.C. § 2721(a).)

Even then, current Florida state law contains a huge loophole for bulk distribution of surveys, marketing and solicitations, which may force privacy-conscious drivers to again speak out to prevent their personal information from being used for such purposes. (See FLA. STAT. ch. 119.07(3)(aa)(12).) Indeed, the Florida statute authorizes the DHSMV to disclose otherwise private driver information to data resellers:

“Personal information exempted from public disclosure … may be disclosed by the Department of Highway Safety and Motor Vehicles to an individual, firm, corporation, or similar business entity whose primary business interest is to resell or redisclose the personal information to persons who are authorized to receive such information.” (See FLA. STAT. Ch. 119.07(3)(aa).) The Federal law, by contrast, requires the state to obtain “the express consent of the person to whom such personal information pertains.” (See 18 U.S.C. 2721(b)(12).)

Moreover, the Florida statute does not make any distinction between ordinary driver information and “highly restricted personal information,” nor does provide any special protection for such “highly restricted personal information” as mandated by the DPPA. Remember that the Federal statute allows fewer permitted uses of “highly restricted personal information” than the general list of uses for driver information. (See 18 U.S.C. §§ 2721(a)(2), 2725(4).)

FL motor vehicle department actions are also in substantial noncompliance with the DPPA. Besides the issues implicated by the plain language of Florida’s driver information law, the DHSMV’s practices also surpass the “substantial noncompliance” threshold required under the DPPA.

Florida state authorities continue to operate on the premise that drivers have to shoulder the burden of protecting their respective personal information, telling people that the DPPA “allows you to keep your personal information private by limiting who has access to the information.” (See Florida Dep’t of Highway Safety and Motor Vehicles, Driver Privacy Protection Act, http://www.hsmv.state.fl.us/ddl/DPPAInfo.html (last visited Mar. 26, 2003).) The DHSMV’s practices have already fostered cottage industries where personal information concerning millions of Florida drivers can be bought and downloaded with remarkable ease. (See Florida MVR Services, Instant Florida Driving Records, http://www.flmvr.com/instant.html (last visited Mar. 26, 2003).) Worse still, there is evidence that DHSMV officials have known about DPPA’s requirements for over three years but have failed to carry out measures that would bring them into compliance with the Federal standard. (See Florida Department of Highway Safety and Motor Vehicles, Minutes of Executive Staff Meeting (Feb. 3, 2000), available at http://www.hsmv.state.fl.us/Intranet/FredCom/late0210.html

Sign up to be the first to hear about how to take action.

Learn More About the Issues in This Press Release