This article originally appeared on the Tom Renz’s Newsletter and was republished with permission.

Guest post by Tom Renz

The destruction of our privacy rights in the United States is making me sick. It’s happening right under our noses, and it’s getting worse by the day. Most people seem unaware, but digital ID is now the law, and its implementation is moving forward as we speak.

This isn’t the work of a single piece of legislation; it’s a slow creep driven by updates to existing regulations, rooted in the post-9/11 “Patriot Act” mindset that trades our freedom for security. Let’s break this down academically, with the relevant laws and texts, so you can see the full scope of what’s at stake.

Foundational Federal Law: The REAL ID Act of 2005

The cornerstone of this shift is the REAL ID Act of 2005, codified in 49 U.S.C. § 30301 note. This law set minimum security standards for state-issued driver’s licenses and identification cards to be accepted for federal purposes, like boarding commercial flights. While it initially governed physical IDs, its mandates for digital features and databases laid the groundwork for what we now face with digital identification. The law was updated with the REAL ID Modernization Act, signed into law as part of a larger bill in 2020, pushing us further down this path.

The Act’s Section 202(b) outlines the minimum requirements for an acceptable ID, and it’s packed with digital components that paved the way for today’s mobile driver’s licenses (mDLs). Here’s the breakdown from the relevant text:

• Digital Photo: “(5) A digital photograph of the person, which may be the photograph taken by the State at the time the person applies for a driver’s license or identification card or may be a digital photograph of the person that is already on file with the State.”

• Machine-Readable Technology: “(9) A common machine-readable technology, with defined minimum data elements.”

Additionally, Section 202(d) sets minimum issuance standards, requiring states to build an infrastructure around digital data retention. Consider the “facial image capture” requirement: “(3) Subject each person applying for a driver’s license or identification card to mandatory facial image capture.” This is biometric identification, folks, and it’s a key piece of the digital ID puzzle. The law also mandates digital source document retention: “(1) Employ technology to capture digital images of identity source documents so that the images can be retained in electronic storage in a transferable format.”

Key Federal Regulation: 6 CFR Part 37

The Department of Homeland Security (DHS) took this further with 6 CFR Part 37, the implementing regulation for the REAL ID Act, amended to embrace digital IDs. Section 37.7 specifically addresses the acceptance of mDLs for federal purposes, moving beyond the need for a physical card. The relevant text states:

• § 37.7(a) Generally: “TSA may issue a temporary certificate of waiver to a State that meets the requirements of §§ 37.10(a) and (b).”

• § 37.7(b) State Eligibility: “A State may be eligible for a waiver only if, after considering all information provided by a State under §§ 37.10(a) and (b), TSA determines that— (1) The State is in full compliance with all applicable REAL ID requirements as defined in subpart E of this part; and (2) Information provided by the State sufficiently demonstrates that the State’s mDL provides the security, privacy, and interoperability necessary for acceptance by Federal agencies.”

This regulation formalizes the path for digital IDs, but it’s just the beginning of the problem.

The Data Sharing Nightmare: REAL ID Act Section 202(d)(12) and the S2S System

Here’s where it gets worse. The federal law mandating data sharing between states is found in Section 202(d)(12) of the REAL ID Act: “(12) Provide electronic access to all other States to information contained in the motor vehicle database of the State.” The primary purpose is to prevent one person from holding multiple REAL ID-compliant credentials by allowing states to check an applicant’s status nationwide.

The mechanism for this sharing is the State-to-State (S2S) Verification Service, managed by the American Association of Motor Vehicle Administrators (AAMVA), a private, non-profit entity. S2S is a “pointer system” that doesn’t store all data centrally but directs one state’s system to another to verify records. The platform, State Pointer Exchange Services (SPEXS), extends the system used for Commercial Driver’s Licenses (CDLIS). Data exchanged includes an individual’s name, date of birth, driver’s license number, and other fields to confirm or deny duplicate licenses. The AAMVA, being private, operates with limited public oversight, which is a red flag.

The Driver’s Privacy Protection Act (DPPA) Loopholes

The DPPA, 18 U.S.C. § 2721 et seq., governs how state DMVs can release personal information from motor vehicle records. While it prohibits public disclosure, it includes 14 exceptions that open the door for private entities. Key ones include:

• Insurance: For use in connection with motor vehicle, driver safety, or theft prevention activities.

• Legal Proceedings: For use in connection with civil, criminal, administrative, or arbitral proceedings.

• Legitimate Business: For use by any legitimate business in connection with a motor vehicle transaction initiated by the individual, specifically to verify the accuracy of submitted information.

• Express Consent: If the individual has given express consent, a common path enabled by those agreements you sign for emails or cell phones.

Other exceptions allow use for research, statistical reports (if personal information isn’t published), notifications to owners of towed vehicles, and more, as long as express consent is obtained where required.

The 2020 REAL ID Modernization Act and Private Partnerships

The 2020 REAL ID Modernization Act, signed by President Trump, accelerates this with mDLs. States will partner with private entities—big tech companies—to develop the technology. These partners will have access to your data, and depending on state contracts, may use it for their own purposes. This public-private partnership, reminiscent of the Federal Reserve model, raises serious privacy concerns.

Conclusion

The implementation of digital ID, facilitated by the REAL ID Act, its regulations, and the DPPA’s loopholes, is a deliberate erosion of our privacy. The involvement of private entities like AAMVA and potential big tech partners compounds the risk, with data reselling a real possibility. As a lawyer, I see this as a clear threat to our freedoms, and I urge you to stay informed.

If you value this analysis, please consider donating to givesendgo.com/renzlaw, and following The Tom Renz Show on X, Rumble, or TomRenz.com. We need to keep fighting for our rights.

Sources: REAL ID Act of 2005 (49 U.S.C. § 30301 note), 6 CFR Part 37, Driver’s Privacy Protection Act (18 U.S.C. § 2721 et seq.), REAL ID Modernization Act (2020).

Copyright 2025 Tom Renz

Share

The Vigilant Fox

Healthcare professional turned independent journalist. Exposing the stories mainstream outlets bury.