View PDF Version

No. 98-1464


In the Supreme Court of the United States


JANET RENO, ATTORNEY GENERAL, ET AL.,
PETITIONERS

v.

CHARLIE CONDON, ATTORNEY GENERAL
OF SOUTH CAROLINA, ET AL.



ON WRIT OF CERTIORARI
TO THE UNITED STATES COURT OF APPEALS
FOR THE FOURTH CIRCUIT



BRIEF FOR THE PETITIONERS



SETH P. WAXMAN
Solicitor General
Counsel of Record
DAVID W. OGDEN
Acting Assistant Attorney General
EDWIN S. KNEEDLER
Deputy Solicitor General
PAUL R.Q. WOLFSON
Assistant to the Solicitor
General
MARK B. STERN
ALISA B. KLEIN
DANIEL L. KAPLAN
Attorneys
Department of Justice
Washington, D.C. 20530-0001
(202) 514-2217
QUESTION PRESENTED
Whether the Driver's Privacy Protection Act of 1994, 18 U.S.C. 2721-2725 (1994 & Supp. III 1997), contravenes constitutional principles of federalism.



In the Supreme Court of the United States


No. 98-1464

JANET RENO, ATTORNEY GENERAL, ET AL.,
PETITIONERS

v.

CHARLIE CONDON, ATTORNEY GENERAL
OF SOUTH CAROLINA, ET AL.



ON WRIT OF CERTIORARI
TO THE UNITED STATES COURT OF APPEALS
FOR THE FOURTH CIRCUIT



BRIEF FOR THE PETITIONERS


OPINIONS BELOW
The opinion of the court of appeals (Pet. App. 1a-37a) is reported at 155 F.3d 453. The opinion of the district court (Pet. App. 38a-72a) is reported at 972 F. Supp. 977.
JURISDICTION
The judgment of the court of appeals was entered on September 3, 1998. A petition for rehearing was denied on December 22, 1998. Pet. App. 73a-74a. The petition for a writ of certiorari was filed on March 15, 1999, and was granted on May 17, 1999. J.A. 19. The jurisdiction of this Court rests on 28 U.S.C. 1254(1).

CONSTITUTIONAL AND STATUTORY
PROVISIONS INVOLVED
1. The Commerce Clause of the United States Constitution, Article I, Section 8, Clause 3, provides: "The Congress shall have Power * * * To regulate Commerce * * * among the several States."
2 The Tenth Amendment to the United States Constitution provides: "The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people."
3. The Driver's Privacy Protection Act of 1994, 18 U.S.C. 2721-2725 (1994 & Supp. III 1997), is reprinted in an appendix to this brief (App., infra, 1a-7a).
STATEMENT
1. This case presents a constitutional challenge to the Driver's Privacy Protection Act of 1994 (DPPA or Act), 18 U.S.C. 2721-2725 (1994 & Supp. III 1997). The DPPA regulates the disclosure of personal information contained in the records of state motor vehicle departments (DMVs). The Act also regulates the further resale and disclosure of such information by persons to whom it is disclosed by a state DMV.1
A resident of a State who wishes to operate a motor vehicle in that State is generally required to obtain a driver's license from his State's DMV. As a condition of obtaining a driver's license, an individual is usually required to provide the DMV with personal information, such as the driver's name, address, telephone number, and in some cases medical information that may bear on the driver's ability to operate a motor vehicle. In some States, the DMV also requires a driver to provide his social security number and takes a photograph of the driver. An individual who wishes to register a motor vehicle is also usually required by the state DMV to provide personal information, including his name and address, and information identifying his vehicle, such as the make, model, and year of manufacture. See, e.g., S.C. Code Ann. §§ 56-1-20 (driver's license required), 56-1-80, 56-1-90 (requirements of license application, identification requirement), 56-1-130 (medical information), 56-3-110 (vehicles required to be licensed and registered), 56-3-220 (certificate of title required), 56-3-240 (requirements of vehicle registration application) (Law. Co-op. 1977 & West Supp. 1998).
State DMVs, in turn, frequently sell this personal information to individuals and businesses.2 Although DMVs usually charge only a small fee for each particular sale of information, aggregate revenues are substantial. For example, New York's motor vehicle department earned $17 million in one year from individuals and businesses that used that State's computers to examine motor vehicle records. See 1994 WL 212813 (Feb. 3, 1994) (statement of Janlori Goldman, American Civil Liberties Union). The Wisconsin Department of Transportation receives about $8 million each year from its sale of motor vehicle information. See Travis v. Reno, 163 F.3d 1000, 1002 (7th Cir. 1998), petition for cert. pending, No. 98-1818.
Testimony before Congress established that the personal information contained in state DMV records has considerable commercial value. In particular, the personal information sold by state DMVs is used extensively to support the direct-marketing efforts of businesses. See 1994 WL 212836 (Feb. 3, 1994) (statement of Richard A. Barton, Direct Marketing Association) ("The names and addresses of vehicle owners, in combination with information about the vehicles they own, are absolutely essential to the marketing efforts of the nation's automotive industry."). Personal information in DMV records "is combined with information from other sources and used to create lists for selective marketing use by businesses, charities, and political candidates." Ibid. See also 1994 WL 212834 (Feb. 3, 1994) (statement of Prof. Mary J. Culnan, Georgetown University) (describing commercial uses of personal information in DMV records by database compilers and direct marketers); 140 Cong. Rec. H2522 (daily ed. Apr. 20, 1994) (statement of Rep. Moran) ("Marketers use DMV lists to do targeted mailings and other types of marketing.").
Congressional testimony highlighted potential threats to privacy and personal safety from disclosure of personal information held in state DMV records. One highly publicized example involved the murder of actress Rebecca Schaeffer, who had taken pains to ensure that her address and phone number were not publicly listed. Despite those precautions, a stalker was able to obtain Schaeffer's home address in her state motor vehicle records. See 140 Cong. Rec. H2522 (daily ed. Apr. 20, 1994) (statement of Rep. Moran). Congress was informed of numerous similar instances in which stalkers, robbers, and assailants had used state motor vehicle records to locate, threaten, and harm their victims.3
More generally, Congress received evidence that the commercial use of personal information in state DMV records for purposes wholly unrelated to the regulatory reasons for which the information was initially obtained created serious privacy concerns. Professor Mary Culnan testified that privacy concerns about the use of information "are especially likely to arise when the reuse is not compatible with the original purpose for collecting the information," since in such circumstances "the prospect of misinterpretation or crass exploitation usually follows." 1994 WL 212834 (Feb. 3, 1994) (citation omitted). Professor Culnan further explained:
DMV information is not collected voluntarily. Few people can survive without a driver[']s license or an automobile, and a condition of having either is to register with the state. By providing this information to marketers without providing an opt-out to its citizens, the state is essentially requiring people to participate in direct marketing absent any compelling public safety argument. This is in direct contrast to most of the other mailing lists based on private sector data, such as a list of subscribers to a particular magazine. The people on these lists have indicated an interest in participating in direct marketing because they have "raised their hands" in the marketplace by voluntarily responding to a commercial offer of some type. No such claim may be made for all licensed drivers and registered automobile owner[s].
Ibid.
2. Because unregulated dissemination of personal information in state DMV records raised concerns about privacy and personal safety, Congress enacted the DPPA to restrict the disclosure of personal information in motor vehicle records without the consent of the individual to whom the information pertains, and to restrict the resale and redisclosure of such personal information once it has been disclosed by a DMV for a permissible purpose. The overarching theory of the DPPA is that, except in certain circumstances in which Congress has found an important public interest warranting disclosure, the permissibility of dissemination of personal information in state DMV records should turn on the consent of the individual to whom the information pertains. The DPPA therefore permits disclosure of individuals' personal information only for specific purposes, unless a DMV adopts an alternative procedure to permit drivers to block unrestricted disclosure of their personal information. If a DMV does adopt such an alternative "opt-out" procedure, then it may release more broadly the records of those individuals who do not invoke their right to block unrestricted disclosure.
a. The DPPA generally prohibits any state DMV, or officer or employee thereof, from "knowingly disclos[ing] or otherwise mak[ing] available to any person or entity personal information about any individual obtained by the department in connection with a motor vehicle record." 18 U.S.C. 2721(a). The DPPA defines "personal information" as any information "that identifies an individual, including an individual's photograph, social security number, driver identification number, name, address (but not the 5-digit zip code), telephone number, and medical or disability information," but not including "information on vehicular accidents, driving violations, and driver's status." 18 U.S.C. 2725(3). A "motor vehicle record" is defined as "any record that pertains to a motor vehicle operator's permit, motor vehicle title, motor vehicle registration, or identification card issued by a department of motor vehicles." 18 U.S.C. 2725(1).
As noted above, the DPPA bars only nonconsensual disclosures. Thus, DMVs may release personal information for any use, if they provide individuals with an opportunity to opt out from such general disclosure when they receive or renew their licenses. 18 U.S.C. 2721(b)(11). In addition, a DMV may release personal information if the DMV obtains consent on a case-by-case basis from the individual to whom the information pertains. 18 U.S.C. 2721(d). A DMV also may disclose information about an individual if the requester has that individual's written consent. 18 U.S.C. 2721(b)(13).
The prohibition on nonconsensual disclosures is not absolute. The Act permits DMVs to disclose personal information from motor vehicle records in circumstances in which Congress found that the public interest in disclosure for a particular use outweighs concerns about invasion of privacy. Accordingly, the DPPA expressly permits DMVs to disclose personal information from motor vehicle records for use "by any government agency," including a court, or by "any private person or entity acting on behalf of a Federal, State, or local agency in carrying out its functions." 18 U.S.C. 2721(b)(1). The Act also allows DMVs to disclose personal information for any state-authorized purpose relating to the operation of a motor vehicle or public safety. 18 U.S.C. 2721(b)(14). Thus, the DPPA expressly accommodates safety and law enforcement needs of public authorities.
The DPPA also authorizes disclosure of personal information to private entities for other specific purposes. The Act allows DMVs to disclose information for use in connection with car safety, prevention of car theft, driver safety, and other motor-vehicle-related matters, 18 U.S.C. 2721(b)(2); for use by a business to verify the accuracy of personal information submitted to that business, and to prevent fraud or to pursue legal remedies if the information the individual submitted to the business is revealed to have been inaccurate, 18 U.S.C. 2721(b)(3); for use in connection with court, agency, or self-regulatory body proceedings, 18 U.S.C. 2721(b)(4); for research purposes, if the personal information is not further disclosed or used to contact the individuals, 18 U.S.C. 2721(b)(5); by insurers in connection with claims investigations, anti-fraud activities, rating, or underwriting, 18 U.S.C. 2721(b)(6); to notify owners of towed or impounded vehicles, 18 U.S.C. 2721(b)(7); by licensed private investigative agencies or security services for permitted purposes, 18 U.S.C. 2721(b)(8); for use by employers to verify information relating to a holder of a commercial driver's license, 18 U.S.C. 2721(b)(9) (1994 & Supp. III 1997); and for use in connection with private tollways, 18 U.S.C. 2721(b)(10).
In addition, personal information in motor vehicle records may be disclosed in certain circumstances for bulk distribution for surveys, marketing, or solicitation, but only if individuals are provided an opportunity, in a clear and conspicuous manner, to block such use of information pertaining to them. 18 U.S.C. 2721(b)(12). Thus, disclosure of motor vehicle information about an individual for direct-marketing purposes is prohibited unless (a) the individual is provided the opportunity, under Section 2721(b)(11), to block general disclosure of his personal information, and declines that opportunity, or (b) the individual is given the opportunity to block use of his personal information for direct marketing specifically, and declines that opportunity.4
b. The DPPA also regulates the resale and redisclosure of motor vehicle information by private persons who have obtained that information from a DMV. See 18 U.S.C. 2721(c) (1994 & Supp. III 1997). The DPPA's restrictions on resale and redisclosure by private persons turn in large part on whether the DMV from which the information was obtained has adopted opt-out procedures under Section 2721(b)(11) to permit individuals to object to general disclosure of their personal information. If the DMV has not adopted such opt-out procedures, then a private person who obtained the information for one of the permissible purposes specified in Section 2721(b)(1)-(10) may further disclose DMV information only for one of those purposes; he may not further disclose information either for direct-marketing purposes, or more generally. See 18 U.S.C. 2721(c) (first sentence) (1994 & Supp. III 1997). If the DMV has adopted opt-out procedures to permit individuals to object to general disclosure, then an authorized recipient who has obtained motor vehicle information pursuant to a policy of general disclosure may disclose the information for any purpose. See ibid. (second sentence). In addition, a recipient who has obtained motor vehicle information specifically for direct-marketing purposes may resell that information for other direct-marketing uses, but not otherwise. See ibid. (third sentence) (permitting redisclosure "pursuant to" 18 U.S.C. 2721(b)(12)); 18 U.S.C. 2721(b)(12)(B) (permitting disclosure for direct marketing only if "the information will be used, rented, or sold solely for bulk distribution for surveys, marketing, and solicitations"). Finally, any person who receives personal information from a DMV and resells or further discloses that information must, for five years, maintain records identifying each person or entity to whom a further resale or redisclosure was made, and the permitted purpose for such resale or redisclosure. See 18 U.S.C. 2721(c) (fourth sentence) (1994 & Supp. III 1997).
c. The DPPA makes it unlawful for any "person" knowingly to obtain or disclose any record for a use not permitted by the Act, 18 U.S.C. 2722(a), or to make a false representation in order to obtain personal information from a motor vehicle record, 18 U.S.C. 2722(b). "Person" is defined to exclude any State or state agency. See 18 U.S.C. 2725(2). The Act also sets forth penalties and civil remedies for knowing violations. Any "person" who knowingly violates the DPPA may be subject to a criminal fine. 18 U.S.C. 2723(a), 2725(2). A state agency that maintains "a policy or practice of substantial noncompliance" with the DPPA may be subject to a civil penalty imposed by the Attorney General of not more than $5000 per day for each day of substantial noncompliance. 18 U.S.C. 2723(b). Any "person" who knowingly obtains, discloses, or uses information from a state motor vehicle record for a use not permitted by the DPPA may be subject to liability in a civil action brought by the person to whom the information pertains. 18 U.S.C. 2724. The responsibility for enforcement of the Act's criminal and civil penalty provisions lies entirely with the Attorney General of the United States. The DPPA does not impose on the States any obligation to pursue legal remedies against any requester who obtains, uses, or discloses information in violation of the Act, or any employee who wrongfully discloses information.
3. South Carolina law provides that the Motor Vehicle Division of the State's Department of Public Safety will release information contained in its motor vehicle records to anyone, provided that the requester fills out a form listing his name and address and stating that the information will not be used for telephone solicitation. S.C. Code Ann. §§ 56-3-510 to 56-3-540 (West Supp. 1998). The Department of Public Safety is authorized to charge a fee for the release of requested information. Id. § 56-3-530 (West Supp. 1998).
Respondents, the Attorney General of South Carolina and the State of South Carolina, brought this action in federal district court, alleging that the DPPA violates the Tenth Amendment, and seeking an injunction against enforcement of the DPPA. J.A. 9-14. The district court granted summary judgment for respondents and entered a permanent injunction against the Act's enforcement. Pet. App. 38a-40a. The district court ruled that this case is controlled by New York v. United States, 505 U.S. 144 (1992), and Printz v. United States, 521 U.S. 898 (1997). The court stated that the DPPA has the same defect as the statutes invalidated in New York and Printz because, "[i]n enacting the DPPA, Congress has chosen not to assume responsibility directly for the dissemination and use of these motor vehicle records. Instead, Congress has commanded the States to implement federal policy by requiring them to regulate the dissemination and use of these records." Pet. App. 53a.
4. a. A divided panel of the court of appeals affirmed. Pet. App. 1a-37a. The court expressed no doubt that the DPPA regulates "commerce" within the scope of Congress's Commerce Clause power. The court observed, however, that Congress "is constrained in the exercise of that [commerce] power by the Tenth Amendment. Thus, the question * * * is not whether the DPPA regulates commerce, but whether it is consistent with the system of dual sovereignty established by the Constitution." Id. at 8a.
The court acknowledged that "the DPPA is different in several respects from the statutes struck down in New York and Printz." Pet. App. 14a. "Unlike the federal statute in New York, the DPPA does not commandeer the state legislative process. In particular, the DPPA does not require the States to enact legislation regulating the disclosure of personal information contained in their motor vehicle records." Ibid. Further, "unlike the federal statute in Printz, the DPPA does not conscript state officers to enforce the regulations established by Congress. Indeed, the DPPA does not require that state officials report or arrest violators of the DPPA." Ibid.
The court nonetheless reasoned that state officials must "administer" the DPPA, and that the Act is unconstitutional for that reason. Pet. App. 14a. In the court's view, New York and Printz made "perfectly clear that the Federal Government may not require State officials to administer a federal regulatory program." Ibid. The court rejected the government's contention that "the holdings in Printz and New York apply only when the [federal] law in question requires a State to regulate the behavior of its citizens," and do not condemn a statute that, like the DPPA, "simply regulates a state activity." Id. at 15a.
The court also found the DPPA unconstitutional even on the assumption that the federal government's understanding of New York and Printz is correct. The majority rejected the argument that the DPPA should be sustained under cases such as Garcia v. San Antonio Metropolitan Transit Authority, 469 U.S. 528 (1985), and South Carolina v. Baker, 485 U.S. 505 (1988), which upheld federal regulation of state activities affecting commerce. The majority believed that Garcia established a broad limit on Congress's power to regulate state activity: "Under Garcia and its progeny, Congress may only 'subject state governments to generally applicable laws.'" Pet. App. 15a (quoting New York, 505 U.S. at 160). In the court's view, Garcia and its progeny do not govern this case because the DPPA's restrictions apply only to state agencies:
[T]he DPPA exclusively regulates the disclosure of information contained in state motor vehicle records. Of course, there is no private counterpart to a state Department of Motor Vehicles. Private parties simply do not issue drivers' licenses or prohibit the use of unregistered motor vehicles. Thus, rather than enacting a law of general applicability that incidentally applies to the States, Congress enacted a law that, for all intents and purposes, applies only to the States.
Pet. App. 17a.
The court recognized that, in other federal statutes, Congress has restricted the disclosure of personal information by private parties, and that the DPPA thus subjects the States to the same kind of regulation that governs private parties. Pet. App. 18a. The court dismissed that point as irrelevant, however, because Congress had not regulated information disclosure by private and state entities in a single, general statute:
Under Garcia, a statute is constitutional only if it is generally applicable. A law is not generally applicable simply because it could be generally applicable. That Congress could subject private parties to the same type of regulation is irrelevant to the Tenth Amendment. Congress may invade the sovereignty of the States only when it actually enacts a law of general applicability. Nothing short of that will pass constitutional muster.
Ibid.
b. Judge Phillips dissented. Pet. App. 27a-37a. He concluded that the DPPA is valid Commerce Clause legislation that does not contravene any Tenth Amendment limitation on congressional power. Judge Phillips stressed that "the end object of the Act is the direct regulation of state conduct," not "the indirect regulation of private conduct" accomplished "by forcing the states directly to regulate that conduct." Id. at 29a. He concluded that the Act's "direct regulation of the State activity * * * distinguishes the DPPA, in the most fundamental of ways, from the federal legislation struck down respectively in New York and Printz." Id. at 30a.
Judge Phillips also contested the majority's view that Garcia limited Congress to regulating state activity only through laws of general applicability. Pet. App. 31a-32a. Although Judge Phillips noted that the statutes upheld in Garcia and EEOC v. Wyoming, 460 U.S. 226 (1983), imposed duties on both state and private actors, he explained that those laws were upheld "not so much--if at all--because they applied equally to state and private actors as because they directly regulated state activities rather than using the 'States as implements of regulation' of third parties." Pet. App. 32a (quoting New York, 505 U.S. at 161). Judge Phillips also urged that "[s]urely it is no basis for invalidating such regulations that no private equivalent could be found in the particular area of regulation." Id. at 37a. To the contrary, he concluded, "[t]o assume that Congress could only regulate the states' conduct directly if it also equally regulated comparable private conduct (even where none in fact exists)" bears "no relationship to any concept of federalism implicit in the Tenth Amendment as interpreted by the Supreme Court." Id. at 34a.
c. The panel denied the government's petition for rehearing, and the full court denied the government's suggestion of rehearing en banc by a vote of seven to six. Pet. App. 73a-74a.5
SUMMARY OF ARGUMENT
A. In an age of advancing information technology, the threat to privacy from the nonconsensual dissemination of personal information has become a matter of increasing public concern and regulatory attention. Congress has thus far addressed privacy concerns arising out of the nonconsensual disclosure of personal information in statutes that regulate particular sectors of the private economy, such as video stores, cable television companies, financial institutions, credit bureaus, and electronic communications services. In addition, other federal statutes restrict the circumstances in which the federal government may disclose personal information about private citizens that federal agencies gather in the course of their official duties. In each of those focused statutes, Congress has prohibited many kinds of disclosures but has permitted personal information to be released in circumstances where it has found an important countervailing interest warranting disclosure or access.
The Driver's Privacy Protection Act of 1994 (DPPA or Act), 18 U.S.C. 2721-2725 (1994 & Supp. III 1997), extends this balanced regulatory approach to restrict certain nonconsensual disclosures of personal information held by state motor vehicle departments. Congress addressed disclosure of personal information held in state DMV records after receiving evidence of threats to personal privacy and safety resulting from unrestricted disclosure. Evidence before Congress established that the States earn substantial revenues from sales of personal information in DMV records, and that such personal information is central to the direct-marketing operations of commercial enterprises. Personal information obtained from state DMV files is therefore subject to federal regulation under Congress's Commerce Clause power because such information is itself in interstate commerce, and because disclosure of such information substantially affects interstate commerce.
B. This Court's decisions articulating the constitutional principles of federalism reflected in the Tenth Amendment interpose no obstacle to the DPPA. In New York v. United States, 505 U.S. 144 (1992), and Printz v. United States, 521 U.S. 898 (1997), the Court explained that, although Congress may directly regulate state activity in or affecting commerce, it may not commandeer a State's legislative process by requiring it to adopt legislation to implement a federal regulatory scheme, and it may not conscript state officials in the application of federal law to private parties. The DPPA, however, does not have either of these defects. The DPPA does not direct the States to adopt legislation or regulations, nor does it require state officers to enforce its provisions against dissemination by private persons. Enforcement of the law against violators is the responsibility of the Attorney General of the United States. The States' obligation is simply to comply with the Act's prohibition against disclosure of personal information from DMV records. A congressional prohibition against state action does not commandeer state officers or entities into regulating or enforcing federal law.
Such an obligation to comply with the substantive terms of a federal statute is not equivalent to a duty to implement a federal regulatory scheme. Even if a duty to comply with the substantive requirements of a federal regulatory statute has the effect of causing a State to modify its internal administrative procedures, that does not transform substantive federal regulation into impermissible commandeering of the State's executive branch. As the Court made clear in South Carolina v. Baker, 485 U.S. 505 (1988), Congress may, consistent with the Tenth Amendment, require States to comply with federal law, even if the States find it necessary or practically useful to revise their administrative practices or legislation in response to the federal legislation.
The DPPA, moreover, is respectful of state regulatory prerogatives. It does not interfere with the States' ability to license and regulate driving within their borders, or to collect information from individuals who apply for driver's licenses and motor vehicle registration. Thus, the DPPA does not interfere with the States' ability to regulate their citizens' primary conduct.
C. The DPPA is not constitutionally infirm because it applies only to state entities, and is not a "generally applicable" law. No constitutional rule requires Congress to regulate state activity in or affecting commerce only through statutes that also regulate similar private activity. Congress may exercise its Commerce Clause power to address problems as they make themselves manifest, and it is not required to legislate for the entire economy as a precondition to regulating state activity that presents an immediately pressing concern warranting federal attention.
A rule requiring a generally applicable law as a precondition to federal regulation of state activity in or affecting commerce would be inconsistent with the plenary grants to Congress of the power to regulate interstate commerce by making "all Laws," not merely generally applicable ones, that are necessary and proper for doing so. U.S. Const. Art. I, § 8, Cls. 3 and 18. Those Clauses confirm that Congress retains the flexibility ordinarily possessed by legislative bodies to tailor their laws to the problems at hand and to choose between laws of general or more particular applicability. The need for that flexibility is particularly evident here, for Congress reasonably could decide not to address in a single act all privacy concerns raised across the economy by dissemination of personal information from a wide variety of private and public databases.
The rigid rule adopted by the court of appeals also finds no support in the constitutional structure of federalism insofar as it protects the sovereign powers of the States. The Tenth Amendment provides: "The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people." If particular state activity affecting commerce may be brought within the reach of a regulatory law of the United States when it is generally applicable, then the power to address that particular state activity necessarily does lie within the powers "delegated to the United States" by the Constitution. Nothing in the Tenth Amendment divests Congress of that power if it seeks to act through a law directed only to the state activity. Nor does the absolute rule adopted by the court of appeals bear any relation to whether a federal law impermissibly intrudes on the exercise of the sovereign powers of the States, or to the diffusion of power and protection of liberty that the constitutional structure of federalism was designed to secure.

ARGUMENT

THE DRIVER'S PRIVACY PROTECTION ACT OF 1994 IS CONSISTENT WITH CONSTITUTIONAL PRINCIPLES OF FEDERALISM

A. Personal Information Held In State Motor Vehicle Records Is Subject To Congress's Commerce Clause Power

In several sectors, Congress has identified concerns arising out of the dissemination of, and commerce in, personal information without the consent of the individual to whom the information pertains, and has acted to restrict and regulate such disclosure and commerce. In the context of personal information in the records of private enterprises, Congress has enacted statutes that restrict nonconsensual disclosures of personal information by credit bureaus, educational institutions, banks, cable television companies, electronic communications services, video stores, and, in some circumstances, employers.6 Congress has also restricted the disclosure of personal information held by the federal government.7 In these statutes, Congress has balanced individuals' privacy interests with countervailing public interests in disclosure by prohibiting certain forms of disclosure of personal information and permitting others. Each of these statutes accommodates those considerations differently.
The Driver's Privacy Protection Act of 1994 (DPPA or Act), 18 U.S.C. 2721-2725 (1994 & Supp. III 1997), added another panel to this quilt of federal privacy protections by regulating the dissemination of personal information originally collected from individuals by state motor vehicle agencies.8 The DPPA authorizes disclosure for certain purposes, and prohibits disclosure for others; it also permits disclosure for any purpose if individuals are afforded the opportunity to opt out from such general disclosure. These rules regulate disclosure as an initial matter by a state DMV, and also govern private persons' resale of personal information obtained from a DMV. See pp. 6-11, supra.
There can be no doubt that the subject matter of the DPPA, the disclosure of and commerce in personal information held by state DMVs, is a proper object of regulation under Congress's Commerce Clause powers. (Indeed, the court of appeals did not suggest otherwise, and respondents did not allege or argue below that the subject of the DPPA, dissemination of personal information held in state DMV records, is beyond the reach of Congress's Commerce Clause power.9) The activity licensed by state DMVs and in connection with which individuals must submit personal information to the DMV-the operation of motor vehicles-is itself integrally related to interstate commerce. Further, Congress learned that state DMVs frequently sell the personal information held in their records, and that States collect substantial sums from such sales. See pp. 3-4, supra. The record before Congress also established that personal information obtained from DMVs is central to the direct-marketing efforts of many companies, as well as to database compilers.10 And the DPPA regulates the resale and redisclosure of personal information from DMV records once it has passed into private hands, as well as the initial disclosure from a state DMV. Such personal information is therefore legitimately subject to congressional regulation because the States place the private information into commerce, and because dissemination of the information is an activity "having a substantial relation to interstate commerce." See United States v. Lopez, 514 U.S. 549, 558-559 (1995); see also Garcia v. San Antonio Metro. Transit Auth., 469 U.S. 528, 538 (1985); EEOC v. Wyoming, 460 U.S. 226, 235-236 (1983); FERC v. Mississippi, 456 U.S. 742, 753-758 (1982); id. at 775 (O'Connor, J., concurring in the judgment in part and dissenting in part).
Without questioning that the dissemination of personal information in state DMV records falls within Congress's power to regulate commerce, the court of appeals ruled the DPPA is nonetheless unconstitutional, for two reasons. First, although the court acknowledged (Pet. App. 14a) that the DPPA neither "commandeer[s] the state legislative process" nor "conscript[s] state officers to enforce the regulations established by Congress," it concluded (id. at 14a-15a) that the DPPA requires state agencies to "administer" the Act. Therefore, it held, the DPPA contravenes "our system of 'dual sovereignty,'" as explicated in this Court's decisions in New York v. United States, 505 U.S. 144 (1992), and Printz v. United States, 521 U.S. 898 (1997).
Second, the court rejected the contention that the DPPA is constitutional under cases such as Garcia, supra, which sustained the application of federal statutes regulating commercial activity to state entities. The court concluded that, unlike the federal statutes upheld in cases like Garcia, the DPPA is not a law "generally applicable" to both private and state activity. Further, the court regarded as irrelevant the fact that the DPPA is similar to other federal legislation that regulates disclosure of personal information by private enterprises. "Under Garcia," the court held (Pet. App. 18a), "a statute is constitutional only if it is generally applicable. * * * That Congress could subject private parties to the same type of regulation is irrelevant to the Tenth Amendment. Congress may invade the sovereignty of the States only when it actually enacts a law of general applicability. Nothing short of that will pass constitutional muster." As we now explain, both reasons given by the court of appeals for invalidating the DPPA are without substance.11

B. The DPPA Does Not Commandeer Or Conscript States Into Applying Federal Law; Rather, It Requires State Entities To Comply With Substantive Federal Regulation, And Prohibits Contrary State Practices

1. In New York v. United States, the Court sustained a constitutional challenge to provisions of the Low-Level Radioactive Waste Policy Amendments Act of 1985, 42 U.S.C. 2021b et seq. (1988), that required the States either to regulate the disposal of certain radioactive waste generated within their borders, or to take title to such waste. See 505 U.S. at 169-170, 174-177. The Court framed the constitutional question before it as whether "Congress may use the States as implements of regulation; that is, whether Congress may direct or otherwise motivate the States to regulate in a particular field or in a particular way." Id. at 161. Emphasizing that, "even where Congress has the authority under the Constitution to pass laws requiring or prohibiting certain acts, it lacks the power directly to compel the States to require or prohibit those acts," id. at 166, the Court held that "[t]he Federal Government may not compel the States to enact or administer a federal regulatory program," id. at 188. The Court concluded that the challenged provisions were inconsistent with "the Constitution's division of authority between federal and state governments," id. at 175, because they "commandeer[ed] the legislative processes of the States by directly compelling them to enact and enforce a federal regulatory program," id. at 176 (citation omitted).
In Printz v. United States, the Court found a similar constitutional flaw in a provision of the Brady Handgun Violence Prevention Act, 18 U.S.C. 922(s) (1994), that required local chief law enforcement officers to make a reasonable effort to determine whether a proposed transfer of a handgun would violate the law. The Court found it "apparent that the Brady Act purports to direct state law enforcement officers to participate * * * in the administration of a federally enacted regulatory scheme." 521 U.S. at 904. The Court reemphasized that Congress "cannot compel the States to enact or enforce a federal regulatory program," and held also that Congress "cannot circumvent that prohibition by conscripting the States' officers directly" in the administration of federal law. Id. at 935. The Brady Act's "conscript[ion]" of local law enforcement officials also violated the Constitution's division of authority between federal and state governments, the Court held, because "[t]he Federal Government may neither issue directives requiring the States to address particular problems, nor command the States' officers, or those of their political subdivisions, to administer or enforce a federal regulatory program." Ibid. See also Alden v. Maine, No. 98-436 (June 23, 1999), slip op. 3-4 (States are "not relegated to the role of mere provinces or political corporations" of the national government).
The court of appeals in this case recognized that the DPPA does not present the constitutional flaw present in either New York or Printz:
Unlike the federal statute in New York, the DPPA does not commandeer the state legislative process. In particular, the DPPA does not require the States to enact legislation regulating the disclosure of personal information contained in their motor vehicle records. Instead, Congress enacted the regulations limiting the dissemination of information from those records. Moreover, unlike the federal statute in Printz, the DPPA does not conscript state officers to enforce the regulations established by Congress. Indeed, the DPPA does not require that state officials report or arrest violators of the DPPA. Instead, the DPPA is enforced through civil penalties imposed by the United States Attorney General against the States and permits criminal fines and civil causes of action against individuals.
Pet. App. 14a.
The court of appeals' conclusion that the DPPA does not conscript state governments into federal service is plainly correct. Unlike the statutes examined in New York and Printz, the DPPA does not require state governments or officers to regulate the primary activities of private parties or to participate in the enforcement of federal law against private actors. The DPPA therefore does not "conscript state governments" as "agents" of federal regulatory power. See New York, 505 U.S. at 178; see also FERC, 456 U.S. at 792 (O'Connor, J., concurring in part and dissenting in part) ("the Framers concluded that government by one sovereign through the agency of a second cannot be satisfactory"). Rather, the DPPA directly regulates the dissemination of personal information in state DMV files, and requires DMVs to comply with that substantive regulation. Moreover, unlike the statute invalidated in Printz, see 521 U.S. at 904-905, the DPPA's restrictions on disclosure do not operate as means to effectuate private parties' compliance with federal law. Nor did Congress obligate the States to enforce the DPPA's proscriptions against violators. Enforcement of the DPPA's substantive restrictions on dissemination against violators is the responsibility of federal officials. The DPPA therefore does not effect "the indirect regulation of private conduct" through a state apparatus, Pet. App. 29a (Phillips, J., dissenting), and does not "impress the state executive into [federal] service," Printz, 521 U.S. at 907.
Our point that the DPPA does not conscript state governments into federal service is underscored by the fact that the DPPA's disclosure restrictions impose no affirmative obligations on the States to implement federal law; rather, they impose substantive prohibitions on state activity. In Printz and New York, in which this Court found federal statutes to contravene the Constitution's structure of federalism, Congress had required active state participation in the enforcement of federal law against private parties. See also Alden, slip op. 40 (Congress may not "commandeer the entire political machinery of the State against its will"). The DPPA's disclosure restrictions, however, require no active state participation. Instead, they simply forbid DMVs from taking action (dissemination of information) that contravenes the substantive restrictions on disclosure put in place by the federal law to protect personal privacy.12
The distinction between laws that impose affirmative obligations on States and those that prevent States from taking action is well reflected in this Court's preemption jurisprudence. Although New York and Printz hold that Congress may not require the States to pass legislation or participate in the execution of a federal regulatory program, it is well established that Congress may prohibit the States from regulating in a particular field, as long as regulation of the field lies within reach of Congress's enumerated powers.13 Such federal prohibitions against state action have an extensive pedigree: federal law has often said to the States, "Don't do any of these things." See FERC, 456 U.S. at 793 n.30 (O'Connor, J., concurring in part and dissenting in part) (quoting Henry M. Hart, Jr., The Relations Between State and Federal Law, 54 Colum. L. Rev. 489, 515 (1954)). Thus, even in the context (unlike here) in which the anti-commandeering rule does apply-where the federal government attempts to dictate how the States regulate private conduct-the Constitution permits federal laws that prohibit the States from regulating that conduct at all, in order to prevent interference with federal interests and protections afforded by federal law. Similarly here, the anti-commandeering rule of New York and Printz does not cloud Congress's authority to prevent the States from taking action in a field of legitimate federal concern.
2. Even though the court of appeals recognized that the DPPA does not have the same defect as the statutes at issue in New York and Printz, it nonetheless concluded that state officials must "administer" the DPPA, and that the Act runs afoul of the Constitution for that reason. The panel's conception of the manner in which state officials must "administer" the DPPA is not entirely clear, but it appears to have believed that the DPPA is unconstitutional because state officials must, as a practical matter, take affirmative steps to comply with the details of the substantive dictates of the DPPA's disclosure prohibitions. That conclusion, however, is directly contrary to this Court's decision in South Carolina v. Baker, 485 U.S. 505 (1988).
In South Carolina v. Baker, the Court rejected a Tenth Amendment challenge to a federal statute that, in effect, prohibited States from issuing bearer bonds, and required that state debt instruments be issued in the form of registered bonds. See 485 U.S. at 511. The law was challenged on the ground that it allegedly "commandeer[ed] the state legislative and administrative process by coercing States into enacting legislation authorizing bond registration and into administering the registration scheme." Id. at 513. The Court found no such defect in the challenged statute, however, because the law "regulate[d] state activities; it [did] not * * * seek to control or influence the manner in which States regulate private parties." Id. at 514. Further, in turning aside the argument that the challenged provision was unconstitutional because "state officials had to devote substantial effort to determine how best to implement a registered bond system," the Court explained:
Such "commandeering" is, however, an inevitable consequence of regulating a state activity. Any federal regulation demands compliance. That a State wishing to engage in certain activity must take administrative and sometimes legislative action to comply with federal standards regulating that activity is a commonplace that presents no constitutional defect.
Id. at 514-515; see also FERC, 456 U.S. at 762 (observing that Court has "upheld federal statutory structures that in effect directed state decisionmakers to take or to refrain from taking certain actions").
To be sure, a state DMV may find it appropriate to institute procedures to ensure that it complies with the requirements of the DPPA. For example, a state agency may determine that it should train its employees so that they are aware of the limitations on permissible disclosure under the Act, and that they can make informed judgments as to whether a request for disclosure is covered by Act's provisions for permissible disclosure. Such training, however, would not itself be required by federal law; it would merely be an incidental effect of a requirement to comply with a federal prohibition on disclosure, which does not itself involve any commandeering of state governments.
Moreover, in many situations in which a federal statute permissibly regulates state activity, a state agency may find it appropriate to institute procedures and train its employees to ensure compliance with the federal law. The Fair Labor Standards Act of 1938 (FLSA), for example, imposes maximum hours on employment by state agencies, and requires state agencies either to pay overtime pay or to provide compensatory time off for work in excess of those maximum hours. See 29 U.S.C. 207(a) and (o) (1994 & Supp. III 1997). The maximum-hours provisions of the FLSA, however, do not apply to "any employee employed in a bona fide executive, administrative, or professional capacity." 29 U.S.C. 213(a)(1). Thus, a state entity subject to the FLSA will have to make judgments as to whether particular employees are employed in executive, administrative, or professional capacities, including making responses to individual employees' requests for overtime pay or compensatory time off. Cf. Auer v. Robbins, 519 U.S. 452 (1997) (examining whether public-sector employees were professional employees under FLSA). For those employees who are covered by the FLSA, state entities may need to institute procedures to ensure that such employees receive either overtime pay or compensatory time off when they are required to work overtime. The incidental burden of making such decisions and ensuring such compliance, however, has never been held to constitute a Tenth Amendment violation.
3. In Garcia, this Court abandoned the effort, begun in National League of Cities v. Usery, 426 U.S. 833 (1976), to expound "affirmative limits on the Commerce Clause power in terms of core governmental functions and fundamental attributes of state sovereignty." 469 U.S. at 556; see id. at 547-548. It bears note, however, that the DPPA is particularly respectful of state prerogatives. The DPPA does not prevent state and local governments from using the information contained in DMV records for governmental purposes. To the contrary, the Act expressly permits DMVs to disclose personal information in their records for use "by any government agency, including any court or law enforcement agency, in carrying out its functions, or any private person or entity acting on behalf of a Federal, State, or local agency in carrying out its functions." 18 U.S.C. 2721(b)(1). The Act also permits disclosure for use "in connection with any civil, criminal, administrative, or arbitral proceeding in any Federal, State, or local court or agency." 18 U.S.C. 2721(b)(4). And it permits disclosure of information for any use "related to the operation of a motor vehicle or public safety." 18 U.S.C. 2721(b)(14).
The DPPA therefore does not inhibit the States' authority to license drivers, register vehicles, or remove dangerous drivers and vehicles from the roads. Nor does it restrict the authority of state DMVs to collect information from persons wishing to be licensed to drive or to register their motor vehicles. In sum, the DPPA does not impede the States' authority or ability to regulate the primary conduct of their citizens. Accordingly, nothing in the DPPA contravenes the proposition that "our federalism requires that Congress treat the States in a manner consistent with their status as residuary sovereigns and joint participants in the governance of the Nation." Alden, slip op. 39.14
C. The DPPA Permissibly Regulates State Activity Even If It Does Not Regulate Similar Private Activity

1. The court of appeals also held that the restrictions on information disclosure imposed by the DPPA could not be validly applied to state DMVs because the DPPA is not a "generally applicable" law. Pet. App. 18a. This Court has, of course, upheld the application of numerous federal statutes to state activity where those statutes also applied to similar private activity. Contrary to the court of appeals' view, however, no constitutional principle of federalism imposes a rule that state activities in or affecting commerce, and hence otherwise within the scope of Congress's power, may be subject to federal regulation only if Congress also imposes identical or closely similar regulation on similar activities of private enterprises in the same statute.15 Rather, this Court's decisions establish that, although Congress may not commandeer the States in the implementation of a federal regulatory program by requiring them to enact legislation (as in New York) or by conscripting state officials to participate in the enforcement of federal law against, or application of federal law to, third parties (as in Printz), Congress may directly regulate state activity in or affecting commerce. That is so whether or not it also regulates similar private activity. Because the state activity in this case is unquestionably subject to Congress's Commerce Clause power (see pp. 21-23, supra), the DPPA is constitutional.
In several cases in which this Court rejected Tenth Amendment challenges to the application of federal regulatory statutes to state entities, the Court observed that such application merely brought state activities within the reach of a law that was also applicable to private entities. See EEOC v. Wyoming, 460 U.S. at 233; United Transp. Union v. Long Island R.R., 455 U.S. 678, 686- 690 (1982); Fry v. United States, 421 U.S. 542, 548 (1975); Maryland v. Wirtz, 392 U.S. 183, 196-199 (1968).16 This Court did not, however, uphold the application of those statutes merely because as a formal matter they applied to the activities of private enterprises as well as state entities. Rather, a federal statute that applies equally (or similarly) to private and state activities in or affecting commerce is inherently a regulatory act of the federal government only, and does not commandeer or conscript state governments in their own regulatory role. As Judge Phillips observed in dissent below, those statutes were held "immune to Tenth Amendment challenge not so much-if at all-because they applied equally to state and private actors as because they directly regulated state activities rather than using the States as implements of regulation of third parties." Pet. App. 32a (internal quotation marks omitted).
Thus, in New York v. United States, the Court distinguished cases such as Garcia, "in which Congress has subjected a State to the same legislation applicable to private parties," 505 U.S. at 160, from the litigation before it, which "concern[ed] the circumstances under which Congress may use the States as implements of regulation; that is, whether Congress may direct or otherwise motivate the States to regulate in a particular field or a particular way," id. at 161. Although that distinction is an important one, the court of appeals erred in extrapolating from it the principle that "Congress may only 'subject state governments to generally applicable laws.'" Pet. App. 15a (emphasis added).17 This Court's reasoning supports no such rigid constitutional rule. Rather, when this Court in New York distinguished federal regulatory requirements, with which state entities must comply, from requirements that state entities exercise their own power to regulate private persons, it recognized that statutes of general applicability do not contravene the anti-commandeering principle because generally applicable laws, by their nature, do not require the States to participate in the regulation of private persons. The Court did not suggest that all other statutes applicable to state entities run afoul of the Tenth Amendment, whether or not they violate the proscription against commandeering. In fact, the Court's decision in New York echoed its decision in South Carolina v. Baker, where it sustained the federal restriction against bearer bonds and observed that the challenged law "regulate[d] state activities [and did not] seek to control or influence the manner in which States regulate private parties," and thus did not present "a commandeering of state regulatory machinery." 485 U.S. at 514.
The DPPA, therefore, is not constitutionally infirm on the ground that it regulates only information held in state DMV records and not also similar information held in private databases. As was true of the statute upheld in South Carolina v. Baker, the DPPA "regulates state activities"; it does not "seek to control or influence the manner in which States regulate private parties." 485 U.S. at 514. The DPPA regulates how state DMVs may disseminate their own data; it does not require the States to impose any restrictions on private dissemination or to pursue any remedies or to assure compliance by taking action against or with respect to anyone outside state government. Further, the DPPA applies to private persons' redisclosure of information from state DMV records as well as the initial disclosure by the state DMV. And the federal government, not the States, is responsible for prosecuting violators. See p. 11, supra.
The court of appeals' rule is also difficult to square with this Court's preemption jurisprudence. Congressional preemption of state regulatory authority, by definition, applies only to the States, since there is no analogous private regulation. Yet, as we have explained (see pp. 29-30, supra), federal preemption of state law has long been understood to present no constitutional difficulty, and preemption certainly has never been thought constitutionally problematic merely because it applies only to the States.18 To the contrary, federal preemption is constitutional even though "such congressional enactments obviously curtail or prohibit the States' prerogatives to make legislative choices respecting subjects the States may consider important." Hodel v. Virginia Surface Mining & Reclamation Ass'n, 452 U.S. 264, 290 (1981).19
2. Not only is the rule articulated by the panel majority without support in this Court's precedents; it also is inconsistent with the structure of the Constitution, which vests in Congress the power to fashion laws in the manner it believes most appropriate to respond to the problems affecting commerce-and which imposes no obligation on Congress to act only through laws of general applicability when it seeks to respond to such problems resulting from the activities of the States.
a. This Court has consistently recognized that a legislature is not required to "strike at all evils at the same time," Semler v. Oregon State Bd. of Dental Exam'rs, 294 U.S. 608, 610 (1935), and that "reform may take one step at a time, addressing itself to the phase of the problem which seems most acute to the legislative mind." Williamson v. Lee Optical, Inc., 348 U.S. 483, 489 (1955). That point has been markedly true in the privacy area, for Congress has perceived that privacy concerns raised by the dissemination of personal information do not readily lend themselves to regulation that must, like Procrustes' bed, fit all. Congress has thus far proceeded cautiously in regulating disclosure of personal information, and has addressed privacy issues on a sector-by-sector basis.20 Rather than adopting across-the-board privacy regulations for all databases in or affecting commerce, Congress has enacted privacy protections targeted at problems arising in specific commercial fields.21 Each of these provisions is quite involved, for each attempts to accommodate both privacy concerns and countervailing interests in disclosure. Also, each responds to different privacy concerns; problems raised by unrestricted disclosure of personal financial information to government authorities are manifestly not the same as those raised by unrestricted dissemination of the results of medical examinations or polygraph tests. The DPPA is in line with this "long-standing tradition" of "address[ing] privacy issues affecting the private sector on a sectoral basis." 1994 WL 212834 (Feb. 3, 1994) (Prof. Mary J. Culnan, Georgetown University).22
Congress should be free to respond to privacy (and other) concerns as they become apparent, without being restricted by an artificial constraint requiring legislation affecting States to be "generally applicable," in the sense suggested by the court of appeals. A constitutional rule precluding Congress from regulating state activity in or affecting commerce unless and until it enacts a law covering similar private activity would deprive Congress of the much-needed ability to experiment in addressing regulatory concerns in complex fields such as this one, and could have highly undesirable results. As the Seventh Circuit observed, such a restriction on Congress's authority to regulate the field of information disclosure would hardly be salutary: "A statute covering all databases would rival the Internal Revenue Code for complexity without offering states any real defense from the cost and inconvenience of regulation. * * * Brobdignagian legislation is not the Constitution's objective, even when consolidation is feasible." Travis v. Reno, 163 F.3d 1000, 1006 (1998), petition for cert. pending, No. 98-1818; cf. Nixon v. Administrator of Gen. Servs., 433 U.S. 425, 471 (1977) (Constitution does not put Congress "to the choice of legislating for the universe * * * or not legislating at all").
Under the constitutional rule adopted by the court of appeals-requiring Congress to address privacy concerns in all private and public records in a single statute-the result would be legislation that was unmanageably complex (if Congress perceived a need to accommodate countervailing interests in disclosure individually for each type of database), or excessively rigid (if it decided that all databases should be governed by a uniform rule, which would have to be either the least or the most restrictive rule appropriate to any database in the economy), or framed at an extraordinarily high level of generality, requiring extensive administrative development of its application to particular sectors (which would undermine the "general applicability" of the law).23 Or, the result might be no legislation protecting privacy at all.
The Constitution should not be read to preclude Congress from addressing regulatory concerns within the scope of its enumerated powers that arise only, or first, or most especially, from activity undertaken by state entities. Indeed, in some situations, Congress may perceive a need to regulate state activity that simply has no private analogue. For example, the federal government may issue security and safety directives to govern the operation of the nation's major airports. The validity of such directives would not turn on whether state and local governments happened to control all of those airports. Similarly, Congress unquestionably has the constitutional authority to prohibit state and local officials from questioning or prosecuting foreign nationals and diplomats. Such restrictions could not be unconstitutional merely because, by their nature, they could apply only to officers of state and local governments.
The Constitution grants Congress the power "To make all Laws which shall be necessary and proper for carrying into Execution" its enumerated powers, Art. I, § 8, Cl. 18 (emphasis added), including, of course, the power to regulate commerce, id. Cl. 3. Nothing in those plenary grants of power suggests that Congress may only enact some laws-those of general applicability-when it acts in matters affecting the States, or that only laws of general applicability are "proper" in that setting. To the contrary, the breadth of the Clause confirms that it vests in Congress the inherent discretion normally possessed by legislative bodies to adapt their laws to the problems they confront, including the flexibility to choose between laws of general and particular applicability.
b. In addition to conflicting with the affirmative grants of powers to Congress in Article I of the Constitution, the rigid rule adopted by the court of appeals finds no support in the constitutional structure of federalism insofar as this structure protects the sovereign powers of the States. The Tenth Amendment provides: "The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people." If particular state activity in or affecting commerce may, consistent with the Constitution, be brought within the reach of a regulatory law of the United States when that law is generally applicable, then the power to address that particular state activity necessarily does lie within the powers "delegated to the United States by the Constitution." Nothing in the text of the Tenth Amendment suggests that Congress is automatically divested of that power if it seeks to act through a law directed only to that state activity rather than through a law of broader applicability.
Nor do the principles of federalism underlying the Tenth Amendment support the rule announced by the court of appeals. As this Court explained in Printz, after adoption of the Constitution, the States "retained 'a residuary and inviolable sovereignty.'" 521 U.S. at 919 (quoting The Federalist No. 39, at 245 (James Madison) (Clinton Rossiter ed., 1961)). It is well established, however, that that principle preserves in Congress the power to "legislate[] in matters affecting the States." Alden, slip op. 49. The question here, then, is whether the particular legislation that respondents challenge-the DPPA-impermissibly interferes with the "residuary and inviolable sovereignty" of the States. The answer to that question turns on an assessment of the law as it affects the powers of the States themselves. It is irrelevant to that inquiry whether private parties are also subject to the same legislation.24 Accordingly, if (as the court of appeals appeared to acknowledge) the protections of personal privacy provided for in the DPPA would not impermissibly intrude upon the exercise of the sovereign powers of the States if those protections were contained in a law that also applied to private parties, then they do not do so in a law that applies only to the States.
As the Court further explained in Printz, the Framers' experience under the Articles of Confederation persuaded them to reject a constitutional structure under which Congress would "us[e] the States as instruments of federal governance." 521 U.S. at 919. Instead, the Framers separated the powers of the United States and the States. "The separation of the two spheres is one of the Constitution's structural protections of liberty." Id. at 921. "'In the compound republic of America, the power surrendered by the people is first divided between two distinct governments, and then the portion allotted to each subdivided among distinct and separate departments. Hence a double security arises to the rights of the people. The different governments will control each other, at the same time that each will be controlled by itself.'" Id. at 922 (quoting The Federalist No. 51, supra, at 323 (James Madison)). A constitutional absolute requiring that a federal statute that applies to state activity also address private conduct bears no relation to those important values of diffusion of power and protection of personal liberty. That is especially so here, where Congress perceived a distinct threat to personal privacy resulting from state activities integrally related to commerce, and acted within its sphere of power to afford "security * * * to the rights of the people" by preventing the States from releasing personal information that they require individuals to submit as a condition of engaging in activity-owning and operating a motor vehicle-that is integrally related to commerce generally and also to personal autonomy and economic well-being.
3. It is thus irrelevant to the Constitution that Congress decided to address the particular threats to privacy raised by dissemination of and commerce in information held in state motor vehicle records in a single, focused statute, rather than in a statute addressing analogous issues in other databases, private and public, as well. Rather, federal regulation of state activity in or affecting commerce does not disturb the "balance between the supremacy of federal law and the separate sovereignty of the States" (Alden, slip op. 48) if that regulation does not coerce the States into performing as instruments of federal governance. The DPPA does not conscript the States in the enforcement or execution of federal law. Accordingly, the DPPA is constitutional.

CONCLUSION

The judgment of the court of appeals should be reversed.
Respectfully submitted.

SETH P. WAXMAN
Solicitor General
DAVID W. OGDEN
Acting Assistant Attorney General
EDWIN S. KNEEDLER
Deputy Solicitor General
PAUL R.Q. WOLFSON
Assistant to the Solicitor
General
MARK B. STERN
ALISA B. KLEIN
DANIEL L. KAPLAN
Attorneys

JULY 1999

1 The DPPA was enacted as part of an omnibus crime control law, the Violent Crime Control and Law Enforcement Act of 1994, Pub. L. No. 103-322, Tit. XXX, § 300002, 108 Stat. 2099. The Subcommittee on Civil and Constitutional Rights of the House Judiciary Committee held hearings on the DPPA on February 3 and 4, 1994. Those hearings were never printed, and we are informed by the Clerk of the Judiciary Committee that the Committee no longer has documents or transcripts relating to the DPPA hearings. The principal prepared submissions to the Subcommittee are available on WESTLAW. See Protecting Driver Privacy: Hearings on H.R. 3365 Before the Subcomm. on Civil and Constitutional Rights of the House Comm. on the Judiciary, 103d Cong., 2d Sess., available at 1994 WL 212813, 212822, 212833, 212834, 212835, 212836, 212696, 212698, 212701, 212712, 212720 (Feb. 3-4, 1994).

2 Representative Moran, a sponsor of the DPPA, observed: "Currently, in 34 States across the country anyone can walk into a DMV office with your tag number, pay a small fee, and get your name, address, phone number and other personal information-no questions asked." 140 Cong. Rec. H2522 (daily ed. Apr. 20, 1994); see also 139 Cong. Rec. 29,466 (1993) (statement of Sen. Boxer); id. at 29,468 (statement of Sen. Warner); id. at 29,469 (statement of Sen. Robb); 1994 WL 212834 (Feb. 3, 1994) (statement of Prof. Mary J. Culnan, Georgetown University); 1994 WL 212813 (Feb. 3, 1994) (statement of Janlori Goldman, American Civil Liberties Union).

3 See 1994 WL 212698 (Feb. 4, 1994) (statement of Rep. Moran); 1994 WL 212822 (Feb. 3, 1994) (statement of David Beatty, National Victim Center); 1994 WL 212833 (Feb. 3, 1994) (statement of Donald L. Cahill, Fraternal Order of Police); 139 Cong. Rec. 29,469 (1993) (statement of Sen. Robb); id. at 29,470 (statement of Sen. Harkin).

4 The DPPA also provides that personal information in motor vehicle records "shall be disclosed" for certain specific purposes pursuant to other federal statutes. 18 U.S.C. 2721(b) (1994 & Supp. III 1997). As we explain below (pp. 28-29 n.12, infra), that provision does not impose any new disclosure requirements, but rather makes clear that the DPPA does not bar disclosures otherwise required by federal law.

5 Since the panel's decision was issued, panels of the Seventh and Tenth Circuits have upheld the DPPA against similar Tenth Amendment challenges, while an Eleventh Circuit panel has held that the DPPA contravenes the Tenth Amendment. See Travis v. Reno, 163 F.3d 1000 (7th Cir. 1998), petition for cert. pending, No. 98-1818; Oklahoma v. United States, 161 F.3d 1266 (10th Cir. 1998), petition for cert. pending, No. 98-1760; Pryor v. Reno, 171 F.3d 1281 (11th Cir. 1999), petition for cert. pending, No. 99-61.

6 See Fair Credit Reporting Act, 15 U.S.C. 1681b (1994 & Supp. III 1997); Family Educational Rights and Privacy Act of 1974, 20 U.S.C. 1232g(b); Right to Financial Privacy Act of 1978, 12 U.S.C. 3401-3422; Cable Communications Policy Act of 1984, 47 U.S.C. 551; Electronic Communications Privacy Act of 1986, 18 U.S.C. 2702; Video Privacy Protection Act of 1988, 18 U.S.C. 2710; Employee Polygraph Protection Act of 1988, 29 U.S.C. 2008; Americans with Disabilities Act of 1990, 42 U.S.C. 12112(d)(3); see also pp. 40-41, infra.

7 See Privacy Act of 1974, 5 U.S.C. 552a (1994 & Supp. III 1997); 26 U.S.C. 6103 (1994 & Supp. III 1997) (confidentiality of tax returns); 13 U.S.C. 9 (1994 & Supp. III 1997) (confidentiality of census data).
8 The DPPA's provisions for allowing individuals to provide consent to disclosure of their personal information were taken directly from the Video Privacy Protection Act of 1988. See 1994 WL 212698 (Feb. 4, 1994) (Rep. Moran); see also 1994 WL 212834 (Feb. 3, 1994) (Prof. Mary J. Culnan, Georgetown University) (noting that approach used in Video Privacy Protection Act "has become the model" for direct marketing).

9 See Pet. App. 8a ("Thus, the question before this Court is not whether the DPPA regulates commerce, but whether it is consistent with the system of dual sovereignty established by the Constitution."). Respondents' complaint raised only Tenth and Eleventh Amendment challenges to the DPPA; it did not challenge the DPPA on the ground that personal information in DMV records is not subject to Congress's regulatory power under the Commerce Clause. See J.A. 9, 12-13. In their court of appeals brief, respondents cited the Commerce Clause case of United States v. Lopez, 514 U.S. 549 (1995), only once and in a footnote, where they stated obliquely that it was "doubtful" that the DPPA is a valid exercise of Congress's Commerce Clause power. See Resp. C.A. Br. 8 n.3; see also Pls.' Mem. in Opp. to Mot. to Dismiss 10 n.4 (similar footnote).

10 See, e.g., 1994 WL 212836 (Feb. 3, 1994) (Richard A. Barton, Direct Marketing Association) ("The names and addresses of vehicle owners, in combination with information about the vehicles they own, are absolutely essential to the marketing efforts of the nation's automotive industry."); 1994 WL 212834 (Feb. 3, 1994) (Prof. Mary J. Culnan, Georgetown University) (explaining how motor vehicle information is used by commercial database compilers, direct-marketing companies, and fundraisers to develop targeted mailing lists).

11 It is not entirely clear whether the court of appeals considered the fact that the DPPA is not "generally applicable" to be an independent ground for the DPPA's asserted unconstitutionality, or rather a reason why, in its view, cases like Garcia did not answer the constitutional concerns raised by the fact that the DPPA supposedly requires state entities to "administer" the Act. As we explain below (pp. 34-47, infra), the fact that the DPPA may not be "generally applicable" is in any event not determinative of the constitutionality of the DPPA. Although this Court has held that, if a federal statute is generally applicable to state and private activity in or affecting commerce, that fact is sufficient to overcome arguments that the statute impermissibly commandeers the States into participating in the enforcement of federal law, the Court has never held that a federal statute must be generally applicable to be constitutional.

12 The DPPA also provides that personal information from motor vehicle records "shall" be disclosed to carry out the purposes of other federal statutes, including the Anti Car Theft Act of 1992, Pub. L. No. 102-519, 106 Stat. 3384; the Automobile Information Disclosure Act, 15 U.S.C. 1231 et seq.; the Clean Air Act, 42 U.S.C. 7401 et seq.; and certain provisions in Title 49 relating to motor vehicle safety and regulation, 49 U.S.C. 30101-30169, 30501-30505, 32101-33118 (1994 & Supp. III 1997). See 18 U.S.C. 2721(b) (1994 & Supp. III 1997). That provision, however, does not impose any new reporting requirements on the States. Rather, it makes plain that the DPPA does not qualify any obligation to disclose motor vehicle information that might exist under other provisions of federal law. Respondents have not challenged this aspect of the DPPA or any other reporting requirements, and any such reporting requirements could not in any event provide a basis for a challenge to the DPPA's restrictions on information disclosure. Further, as the Court recognized in Printz, reporting requirements imposed on state entities do not involve the same issues as those raised by "the forced participation of the States' executive in the actual administration of a federal program." 521 U.S. at 918; see id. at 936 (O'Connor, J., concurring) ("the Court appropriately refrains from deciding whether other purely ministerial reporting requirements imposed by Congress on state and local authorities pursuant to its Commerce Clause powers are similarly invalid").

13 The latter principle derives directly from the Supremacy Clause of the Constitution, Art. VI, Cl. 2, and this Court's preemption precedents. See Printz, 521 U.S. at 913 (noting that, under the Supremacy Clause, "all state officials" have a duty "to enact, enforce, and interpret state law in such fashion as not to obstruct the operation of federal law," and "the attendant reality" is that "all state actions constituting such obstruction, even legislative acts, are ipso facto invalid"); Hodel v. Virginia Surface Mining & Reclamation Ass'n, 452 U.S. 264, 290 (1981) ("[I]t is clear that the Commerce Clause empowers Congress to prohibit all-and not just inconsistent-state regulation of such activities [i.e., private activity affecting commerce]."); see also New York, 505 U.S. at 167; FERC, 456 U.S. at 764.

14 Indeed, the Seventh Circuit observed in Travis v. Reno, 163 F.3d 1000, 1003 (1998), petition for cert. pending, No. 98-1818, that the DPPA would pass constitutional muster even under the analysis that was applied under National League of Cities, before that decision was overruled by Garcia. Under National League of Cities, federal regulation of state activity was impermissible only if it "directly impair[ed]" the State's ability to "structure integral operations in areas of traditional governmental functions." See EEOC v. Wyoming, 460 U.S. at 239; South Carolina v. Baker, 485 U.S. at 529 (Rehnquist, C.J., concurring in the judgment). Because the DPPA accommodates the needs of state and local government in using the information held in DMV files, it cannot be said to "portend[] * * * [a] wide-ranging and profound threat to the structure of state governance." EEOC v. Wyoming, 460 U.S. at 240. In fact, the district court observed that respondents had offered "no specific interest (other than historical) to justify its need to allow its motor vehicle records to be publicly disseminated" on an unqualified basis. Pet. App. 67a.

15 Although the DPPA is constitutional even if it is not a "generally applicable" law, it is questionable whether the court of appeals correctly concluded that the DPPA is not generally applicable. It is true that the DPPA does not regulate the dissemination of personal information such as names, addresses, and social security numbers across the economy from wherever such information may be stored (be it in private or public files). The DPPA does generally apply, however, to regulate the sale and disclosure of personal information originally collected by state DMVs, even after that information has been disseminated to private persons. As we have explained, if a state DMV does not adopt an alternative, opt-out procedure under Section 2721(b)(11) to permit individuals to object to unrestricted disclosure of their personal information, then the DMV may disclose information only for particular purposes, and anyone-even a private entity-who receives the information for such purposes may resell or redisclose it only for similar, specified permissible purposes. See pp. 9-10, supra. The DPPA's civil remedy and criminal fine provisions, moreover, would apply to a private person who made a redisclosure that was not authorized by the Act.

16 Maryland v. Wirtz was overruled by National League of Cities, 426 U.S. at 853-855, but National League of Cities was in turn overruled by Garcia, 469 U.S. at 557.

17 As the Seventh Circuit noted in Travis, 163 F.3d at 1006, the word "only" in the court of appeals' opinion quoted in the text "comes from the [F]ourth [C]ircuit rather than the Supreme Court."

18 This point is perhaps most clearly demonstrated by federal statutes, such as the Airline Deregulation Act of 1978, Pub. L. No. 95-504, 92 Stat. 1705, that prohibit state regulation of a commercial area but do not replace it with federal regulation covering the same area. See 49 U.S.C. 41713(b)(1) (preempting state law related to any price, route, or service of an air carrier); Morales v. Trans World Airlines, Inc., 504 U.S. 374 (1992). Such express preemption of state regulatory authority cannot be meaningfully described as a generally applicable law, and yet under this Court's preemption jurisprudence, it is unquestionably constitutional.

19 Similarly, this Court has held that Congress may direct the States to "op[en] [the] doors" of their quasi-adjudicative machinery to claimants seeking reliance on federal law in a field that Congress could have preempted, and to apply substantive federal law in disputes before their administrative agencies, even though such a directive by definition applies only to the States, and not to private parties. See FERC, 456 U.S. at 760-761.

20 That "sectoral" approach strongly influenced Congress's decision, when it enacted the Privacy Act of 1974, 5 U.S.C. 552a (1994 & Supp. III 1997), not to regulate personal information in the private sector at that time, but rather to confine the Privacy Act's reach to information held by the federal government, and to establish a Privacy Protection Study Commission to address broader privacy issues concerning personal information. See S. Rep. No. 1183, 93d Cong., 2d Sess. 19-20, 23-24 (1974). The Commission's study, in turn, took a sectoral approach to privacy questions, separately addressing (for example) privacy issues in insurance, employment, and medical care contexts. See U.S. Privacy Protection Study Comm'n, Personal Privacy in an Information Society 155-317 (1977). The sectoral tradition of privacy regulation in the United States is well recognized by commentators, including those who favor more comprehensive regulation. See, e.g., Colin J. Bennett, Regulating Privacy: Data Protection and Public Policy in Europe and the United States 114 (1992); David H. Flaherty, Protecting Privacy in Surveillance Societies 306 (1989); Joel R. Reideberg, Setting Standards for Fair Information Practice in the U.S. Private Sector, 80 Iowa L. Rev. 497, 500-501, 508 (1995); The EC Privacy Directive and the Future of U.S. Business in Europe: A Panel Discussion, 80 Iowa L. Rev. 669, 670 (1995) (comments of Marc Rotenberg).

21 The Fair Credit Reporting Act, Pub. L. No. 91-508, Tit. VI, § 601, 84 Stat. 1129, restricts the circumstances in which credit agencies may disseminate consumer credit reports, see 15 U.S.C. 1681b (1994 & Supp. III 1997). The Family Educational Rights and Privacy Act of 1974, Pub. L. No. 93-380, Tit. V, § 513, 88 Stat. 571, restricts the release of education records, without the consent of a student's parents and except under specific circumstances, from educational institutions receiving federal financial assistance, see 20 U.S.C. 1232g(b). The Right to Financial Privacy Act of 1978, Pub. L. No. 95-630, Tit. XI, 92 Stat. 3697, restricts the circumstances under which financial institutions may disclose information to government authorities, see 12 U.S.C. 3401-3422. The Cable Communications Policy Act of 1984, Pub. L. No. 98-549, § 2(c), 98 Stat. 2794, restricts the circumstances in which a cable television provider may disclose information about subscribers, see 47 U.S.C. 551(c). The Electronic Communications Privacy Act of 1986, Pub. L. No. 99-508, 100 Stat. 1848, restricts disclosure of stored electronic communications, see 18 U.S.C. 2511(3). The Video Privacy Protection Act of 1988, Pub. L. No. 100-618, 102 Stat. 3195, restricts the disclosure of video tape rental and sale records, see 18 U.S.C. 2710. The Employee Polygraph Protection Act of 1988, Pub. L. No. 100-347, § 9, 102 Stat. 652, restricts disclosure of the results of polygraph tests administered to employees, see 29 U.S.C. 2008. And the Americans with Disabilities Act of 1990, Pub. L. No. 101-336, Tit. I, § 102, 104 Stat. 331, restricts the disclosure of the results of medical examinations administered to applicants for employment, see 42 U.S.C. 12112(d)(3).

22 Indeed, when Congress enacted the DPPA, it paid particular attention to differences between motor vehicle records and other public records containing similar information, which it decided not to regulate. One concern that motivated enactment of the DPPA was that personal information in motor vehicle records, including names and addresses, is keyed to license plate numbers, which drivers must display to the general public. "Unlike with license plate numbers, people concerned about privacy can usually take reasonable steps to withhold their names and address[es] from strangers, and thus limit their access to personally identifiable information" in other records. 140 Cong. Rec. H2523 (daily ed. Apr. 20, 1994) (statement of Rep. Edwards); ibid. (statement of Rep. Moran). Further, even if individuals' names and addresses can be searched in other public records, such as voter registration records and land records, that information is not necessarily so readily accessible as information in motor vehicle records. Indeed, "[t]here was no evidence before the subcommittee that other public records are vulnerable to abuse in the same way that DMV records have been abused." Ibid. (Rep. Edwards). That is not to say that abuses of other kinds of public records could never occur, but Congress is not required to anticipate every potential or speculative abuse in advance as a condition to addressing already well-documented abuses.

23 The European Union has adopted a Directive on the privacy of personal data that applies to all sectors of the economy. See Council Directive 95/46/EC on the Protection of Individuals With Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L 281) 31. The EU Directive, however, sets forth general minimum standards for the protection of personal data, and requires member countries to address the details of implementation in national law. See id. art. 5 ("Member States shall, within the limits of the provisions of this Chapter, determine more precisely the conditions under which the processing of personal data is lawful."). Moreover, the approach taken by the EU Directive--an instruction to member states to enact statutes or regulations in conformity with the Directive, see id. arts. 1(1), 32-is precisely the approach that Congress cannot adopt under this country's system of dual sovereignty, as explicated in New York v. United States.

24 Thus, as the Seventh Circuit observed in Travis, 163 F.3d at 1004, if a State operated a video rental store, it would be subject to the restrictions on disclosure of personal information in the Video Privacy Protection Act of 1988, 18 U.S.C. 2710, and the application of that statute (which happens to be "generally applicable") to the State's activity would present no Tenth Amendment difficulty. But if the federal regulation of the state activity of renting videos would present no constitutional difficulty when effected pursuant to a generally applicable law, it is difficult to see why the same regulation of the same activity would be constitutionally questionable if framed in a statute addressed specifically to state commercial activity, and similar private activity were addressed in a separate statute.

 

APPENDIX
The Driver's Privacy Protection Act of 1994, 18 U.S.C. 2721-2725 (1994 & Supp. III 1997), provides:
§ 2721. Prohibition on release and use of certain personal information from State motor vehicle records
(a) IN GENERAL.-Except as provided in subsection (b), a State department of motor vehicles, and any officer, employee, or contractor, thereof, shall not knowingly disclose or otherwise make available to any person or entity personal information about any individual obtained by the department in connection with a motor vehicle record.
(b) PERMISSIBLE USES.-Personal information referred to in subsection (a) shall be disclosed for use in connection with matters of motor vehicle or driver safety and theft, motor vehicle emissions, motor vehicle product alterations, recalls, or advisories, performance monitoring of motor vehicles and dealers by motor vehicle manufacturers, and removal of non-owner records from the original owner records of motor vehicle manufacturers to carry out the purposes of titles I and IV of the Anti Car Theft Act of 1992, the Automobile Information Disclosure Act (15 U.S.C. 1231 et seq.), the Clean Air Act (42 U.S.C. 7401 et seq.), and chapters 301, 305, and 321-331 of title 49, and may be disclosed as follows:
(1) For use by any government agency, including any court or law enforcement agency, in carrying out its functions, or any private person or entity acting on behalf of a Federal, State, or local agency in carrying out its functions.
(2) For use in connection with matters of motor vehicle or driver safety and theft; motor vehicle emissions; motor vehicle product alterations, recalls, or advisories; performance monitoring of motor vehicles, motor vehicle parts and dealers; motor vehicle market research activities, including survey research; and removal of non-owner records from the original owner records of motor vehicle manufacturers.
(3) For use in the normal course of business by a legitimate business or its agents, employees, or contractors, but only-
(A) to verify the accuracy of personal information submitted by the individual to the business or its agents, employees, or contractors; and
(B) if such information as so submitted is not correct or is no longer correct, to obtain the correct information, but only for the purposes of preventing fraud by, pursuing legal remedies against, or recovering on a debt or security interest against, the individual.
(4) For use in connection with any civil, criminal, administrative, or arbitral proceeding in any Federal, State, or local court or agency or before any self-regulatory body, including the service of process, investigation in anticipation of litigation, and the execution or enforcement of judgments and orders, or pursuant to an order of a Federal, State, or local court.
(5) For use in research activities, and for use in producing statistical reports, so long as the personal information is not published, redisclosed, or used to contact individuals.
(6) For use by any insurer or insurance support organization, or by a self-insured entity, or its agents, employees, or contractors, in connection with claims investigation activities, antifraud activities, rating or underwriting.
(7) For use in providing notice to the owners of towed or impounded vehicles.
(8) For use by any licensed private investigative agency or licensed security service for any purpose permitted under this subsection.
(9) For use by an employer or its agent or insurer to obtain or verify information relating to a holder of a commercial driver's license that is required under chapter 313 of title 49.
(10) For use in connection with the operation of private toll transportation facilities.
(11) For any other use in response to requests for individual motor vehicle records if the motor vehicle department has provided in a clear and conspicuous manner on forms for issuance or renewal of operator's permits, titles, registrations, or identification cards, notice that personal information collected by the department may be disclosed to any business or person, and has provided in a clear and conspicuous manner on such forms an opportunity to prohibit such disclosures.
(12) For bulk distribution for surveys, marketing or solicitations if the motor vehicle department has implemented methods and procedures to ensure that-
(A) individuals are provided an opportunity, in a clear and conspicuous manner, to prohibit such uses; and
(B) the information will be used, rented, or sold solely for bulk distribution for surveys, marketing, and solicitations, and that surveys, marketing, and solicitations will not be directed at those individuals who have requested in a timely fashion that they not be directed at them.
(13) For use by any requester, if the requester demonstrates it has obtained the written consent of the individual to whom the information pertains.
(14) For any other use specifically authorized under the law of the State that holds the record, if such use is related to the operation of a motor vehicle or public safety.
(c) RESALE OR REDISCLOSURE.-An authorized recipient of personal information (except a recipient under subsection (b)(11) or (12)) may resell or redisclose the information only for a use permitted under subsection (b) (but not for uses under subsection (b) (11) or (12)). An authorized recipient under subsection (b)(11) may resell or redisclose personal information for any purpose. An authorized recipient under subsection (b)(12) may resell or redisclose personal information pursuant to subsection (b)(12). Any authorized recipient (except a recipient under subsection (b) (11)) that resells or rediscloses personal information covered by this chapter must keep for a period of 5 years records identifying each person or entity that receives information and the permitted purpose for which the information will be used and must make such records available to the motor vehicle department upon request.
(d) WAIVER PROCEDURES.-A State motor vehicle department may establish and carry out procedures under which the department or its agents, upon receiving a request for personal information that does not fall within one of the exceptions in subsection (b), may mail a copy of the request to the individual about whom the information was requested, informing such individual of the request, together with a statement to the effect that the information will not be released unless the individual waives such individual's right to privacy under this section.
§ 2722. Additional unlawful acts
(a) PROCUREMENT FOR UNLAWFUL PURPOSE.-It shall be unlawful for any person knowingly to obtain or disclose personal information, from a motor vehicle record, for any use not permitted under section 2721(b) of this title.
(b) FALSE REPRESENTATION.-It shall be unlawful for any person to make false representation to obtain any personal information from an individual's motor vehicle record.
§ 2723. Penalties
(a) CRIMINAL FINE.-A person who knowingly violates this chapter shall be fined under this title.
(b) VIOLATIONS BY STATE DEPARTMENT OF MOTOR VEHICLES.-Any State department of motor vehicles that has a policy or practice of substantial noncompliance with this chapter shall be subject to a civil penalty imposed by the Attorney General of not more than $5,000 a day for each day of substantial noncompliance.
§ 2724. Civil action
(a) CAUSE OF ACTION.-A person who knowingly obtains, discloses or uses personal information, from a motor vehicle record, for a purpose not permitted under this chapter shall be liable to the individual to whom the information pertains, who may bring a civil action in a United States district court.
(b) REMEDIES.-The court may award-
(1) actual damages, but not less than liquidated damages in the amount of $2,500;
(2) punitive damages upon proof of willful or reckless disregard of the law;
(3) reasonable attorneys' fees and other litigation costs reasonably incurred; and
(4) such other preliminary and equitable relief as the court determines to be appropriate.
§ 2725. Definitions
In this chapter-
(1) "motor vehicle record" means any record that pertains to a motor vehicle operator's permit, motor vehicle title, motor vehicle registration, or identification card issued by a department of motor vehicles;
(2) "person" means an individual, organization or entity, but does not include a State or agency thereof; and
(3) "personal information" means information that identifies an individual, including an individual's photograph, social security number, driver identification number, name, address (but not the 5-digit zip code), telephone number, and medical or disability information, but does not include information on vehicular accidents, driving violations, and driver's status.