You are viewing an archived webpage. The information on this page may be out of date. Learn about EPIC's recent work at

McDonough v. Anoka County

Concerning the Applicable Statute of Limitations for DPPA Claims

Top News

  • Federal Appeals Court Revives Driver Privacy Claims: In McDonough v. Anoka County, a federal appeals court has revived several cases under the Driver's Privacy Protection Act. A lower court previously ruled that the plaintiffs, including female journalists, failed to bring the claims in time. EPIC argued as amicus that "discovery" not "occurrence" is the correct standard for time limitations in privacy cases. Although the appellate court affirmed that some claims were time barred, it permitted many of the claims to proceed. The defendants' justifications for accessing the plaintiffs' driving records, wrote the court, "are not sufficiently convincing to undermine the reasonable inference of impermissible purpose." The appellate court also acknowledged that "[EPIC] raises legitimate concerns about the ability of identity thieves to utilize sensitive personal information found in motor vehicle records and the difficulty in detecting such a crime within the applicable limitations period." (Aug. 20, 2015)
  • EPIC Urges Extended Relief for Driver Privacy Claims: EPIC has filed a "friend of the court" brief in McDonough v. Anoka County, a case involving the Driver's Privacy Protection Act. That law protects the privacy of driver record information held by state Department of Motor Vehicles. EPIC argued that a court was wrong to dismiss legal claims before people knew that their information was improperly disclosed by the DMVs. EPIC said that courts should follow the "discovery rule" so that victims can bring cases after they learn their personal information has been impermissibly accessed. EPIC has frequently defended this important federal privacy law. For more information, see EPIC - Reno v. Condon, EPIC - DPPA, EPIC - Maracich v. Spears, and EPIC - Gordon v. Softech Int'l. (Jun. 6, 2014)

History of the DPPA and EPIC's Past Involvement

The Drivers Privacy Protection Act (DPPA), Public Law No. 103-322 codified as amended by Public Law 106-69, was originally enacted in 1994 to protect the privacy of personal information assembled by State Department of Motor Vehicles (DMVs). The DPPA was passed in reaction to a series of abuses of drivers' personal information held by the government.

Reno v. Conden

The DPPA survived a Constitutional challenge in Reno v. Condon, 528 U.S. 141 (2000). In that case, the state of South Carolina challenged the DPPA arguing that the Act violated principles of federalism. The Supreme Court upheld the constitutionality of the Act as a proper exercise of Congress' authority to regulate interstate commerce under the Commerce Clause. EPIC filed an amicus brief in that case that argued in part:

"The Drivers Privacy Protection Act safeguards the personal information of licensed drivers from improper use or disclosure. It is a valid exercise of federal authority in that it seeks to protect a fundamental privacy interest. It restricts the activities of states only to the extent that it concerns the subsequent use or disclosure of the information in a manner unrelated to the original purpose for which the personal information was collected. The states should not impermissibly burden the right to travel by first compelling the collection of sensitive personal information and then subsequently disclosing the same information for unrelated purposes."

Maracich v. Spears

In 2012, EPIC urged the U.S. Supreme Court in another amicus brief to limit the disclosure of personal information covered by the Driver's Privacy Protection Act. At issue in Maracich v. Spears was a lower court decision to allow disclosure of information stored in state departments of motor vehicles for the solicitation of clients by lawyers. EPIC's amicus brief detailed the staggering amount of personal information available in driver's records, particularly as a consequence of the REAL ID regulations. EPIC urged the Court to construe the statutory exceptions narrowly.

The Court concluded that the "litigation exception" of the Driver Privacy Protection Act ("DPPA") did not permit attorney solicitation of clients. Writing for the 5-4 majority, Justice Kennedy stated that a broad interpretation of “in connection with” in (b)(4) should be avoided for the following reasons: (1) such indefinite phrases must have a limiting principle; (2) Congress intended the DPPA exceptions to be narrow; and (3) driver privacy should be protected because state residents cannot avoid submitting personal information to the DMV. As one of the four exceptions that allow for disclosure of not only “personal information” but “highly restricted personal information” - which includes Social Security Numbers, photographs and medical information - a narrow reading of the exception was most prudent. Accordingly, “investigation in anticipation of litigation” was also read narrowly to be limited to background research in order to determine the necessity of a complaint.

The Court's opinion in Maracich represented a strong endorsement for the general structure of privacy protecting statutes: blanket prohibitions on use of sensitive information, with narrow, targeted exceptions for permissible uses. When interpreting these statutes, the Court made clear that exceptions must be explicit and should not be read to the broadest extent allowed by the text, but rather should follow Congressional intent.

Background of McDonough v. Anoka County

The Driver's Privacy Protect Act of 1994, 18 U.S.C. §§ 2721-2725 was enacted to protect individuals from the harm caused by misuse and unauthorized disclosures of the personal information they provide to state agencies that maintain motor vehicle records. The DPPA protects Americans from both physical and financial harms. In addition, the DPPA provides important limits on the collection and use of personal information by data brokers.

In McDonough v. Anoka County, a plaintiff brought suit against the Minnesota Department of Public Safety, as well as numerous cities and counties, alleging violations of the Driver's Privacy Protection Act ("DPPA") and other laws. The plaintiff brought suit after she learned through a state DMV audit that her driver records had been accessed hundreds of times. The United States District Court of Minnesota dismissed some of McDonough's DPPA claims after it concluded that they were barred by the statute of limitations.

Issue on Appeal

Whether Plaintiff's Driver's Privacy Protection Act claims against all Defendants should be barred by the statute of limitations under 28 U.S.C. § 1658(a), applying the rule that the claim accrues upon occurrence of the acts violating the Driver's Privacy Protection Act rather than when Plaintiff discovered or in the exercise of reasonable diligence should have discovered those acts?

EPIC's Interest in McDonough v. Anoka County

EPIC has an interest in maintaining strong privacy protections for driver records and other personally identifiable data held by state DMVs. The DPPA provides an important privacy right to all Americans, but the statute of limitations rule applied by the lower court in McDonough would limit the ability of many DPPA victims to seek redress in federal court. EPIC has previously filed "friend of the court" briefs in other DPPA cases, including Maracich v. Spears, 133 S. Ct. 2191 (2013), and Gordon v. Softech International Inc., 726 F. 3d 42 (2d Cir. 2013).

Legal Documents

United States Court of Appeals for the Eighth Circuit

United States District for the District of Minnesota



News Reports

Share this page:

Defend Privacy. Support EPIC.
US Needs a Data Protection Agency
2020 Election Security