In response to the federal government’s vast immigration detention and deportation machine,1 state and local governments have found ways to protect undocumented residents, including by making driver’s licenses available to all. Recently, California went one step further by enacting Assembly Bill 17662 (AB 1766), which makes state identification cards (IDs) available to all Californians, regardless of immigration status.3 As the first legislation to make state IDs — and not just driver’s licenses — available to undocumented residents, AB 1766 should serve as a model for other states. But its privacy protections fall short, exposing undocumented ID holders to a heightened risk of detention and deportation. California, and other states like it, can and must supplement universal-ID legislation with comprehensive privacy protections for data held by the Department of Motor Vehicles (DMV).
Without a state ID,4 it is difficult, or even impossible, to open a bank account, register a child for school, sign a lease, or access basic services.5 To ensure that all residents can access these services, some state and local governments have made city IDs6 and driver’s licenses7 available regardless of immigration status. For example, in 2013 California passed AB 60, making driver’s licenses available to all residents.8 While AB 60 was crucial in providing many undocumented Californians with a state ID and a means to drive without fear of criminalization,9 it excluded approximately 1.6 million undocumented Californians who were otherwise ineligible for a license.10
In September 2022, California filled this gap with AB 1766, becoming the first state to make non–driver’s license state IDs available to undocumented residents.11 AB 1766 was the product of organizing on the part of a number of immigrant-rights groups, including the California Immigrant Policy Center, Asian Americans Advancing Justice–California, the Coalition for Humane Immigrant Rights, and the Immigrant Legal Resources Center, all of which cosponsored the bill.12 The California Assembly was overwhelmingly in favor of the bill, with only fourteen members — all Republicans — voting no.13
Although AB 1766 provides important protections for undocumented Californians, it also puts undocumented residents at risk of detention and deportation. U.S. Immigration and Customs Enforcement (ICE) relies heavily on a vast network of state and private databases to surveil and arrest immigrants.14 ICE has used DMV databases, in particular, both to identify immigrants to target for deportation, and to find the addresses and license plate numbers of individuals who the agency has already identified.15 Applying for an ID means giving the California government a host of information — including a picture and a home address — that could be used for immigration enforcement.16 Although California law contains some protections for this data, gaps persist.
Today, the data collected by California’s DMV (including the data that will be submitted in AB 1766 applications) is accessible to the Department of Homeland Security (DHS) in four ways.17 First, government agencies can create Government Requestor Accounts with the DMV, allowing them to request information directly.18 Second, DMV information is part of the California Law Enforcement Telecommunications System (CLETS), a network of California law enforcement databases to which ICE has access.19 Third, DHS can request some information from the National Law Enforcement Telecommunications System (Nlets) — a database created and maintained by the fifty states.20 Finally, DHS can access DMV data if it is made available to commercial requestors, such as LexisNexis, which aggregate data and sell it to ICE.21 Internal documents showed in 2020 that the California DMV was passing data to 98,000 commercial and government entities.22
There are limits to the data DHS can request through these avenues. First, government agencies cannot make “bulk” requests (requests for the information of all individuals in a particular category) through CLETS, Nlets, or the DMV system.23 This means that the agency must already have some information about an individual to request more. Second, because DHS’s stated purpose in creating a Requester Account and seeking access to CLETS is criminal investigations,24 it should only request information for that purpose. But neither the DMV nor CLETS require DHS to provide a justification for individual data requests, raising significant compliance concerns.25 Furthermore, because there is very little publicly accessible information about access to Nlets,26 it is unclear whether there are even nominal limits on the purposes for which DHS can use DMV data accessed through that database.
AB 1766, like California’s earlier “driver’s licenses for all” law, contains data-privacy provisions, which provide some additional protection from immigration enforcement. First and foremost, the DMV does not keep a record of who has an AB 1766 or a non–AB 1766 ID.27 It also does not keep scans of the IDs and licenses it issues, or data on the documents individuals submit as part of their application for licenses.28 While the DMV does keep copies of the documents applicants submit with their license and ID applications, these documents can only be accessed with a court order, criminal subpoena, or “certification from law enforcement attesting to an urgent health or safety need.”29 But key pieces of information, such as addresses, license plate numbers, and photographs, are collected by the DMV and accessible without a judicial order or law enforcement certification.30
One final state-level source of privacy protection is the California Values Act31 (SB 54). Under SB 54, California law enforcement agencies are barred from informing federal immigration enforcement of an individual’s release date from custody, or from sharing an “individual’s home address or work address unless that information is available to the public” for purposes of civil immigration enforcement.32 The original version of SB 54 would have prohibited law enforcement databases from being made “available to anyone or any entity for the purpose of immigration enforcement.”33 As a result of significant law enforcement pressure, however, this provision was removed from the final bill.34
Gaps in SB 54’s protection and a lack of compliance have placed undocumented Californians at risk. But there are solutions. California should adopt legislation to prevent the federal government from using local and state data to police undocumented immigrants. Such laws are constitutional as a matter of law and necessary as a matter of policy.
The risks of AB 1766 are not hypothetical: California’s driver’s-licenses-for-all program has already been used to target undocumented immigrants. In 2019, San Diego news outlets reported that undocumented Californians were being pulled over by ICE agents holding copies of their AB 60 license pictures.35 Journalists reported, based on interviews with DMV officials, that if DHS agents already had an individual’s name, they could use a Requestor Account or CLETS searches to identify that person’s address and license information.36 Allowing ICE to access this information “is a profound betrayal of . . . trust”37 that deters undocumented residents from accessing basic services and puts people at risk of deportation.38
States should opt out of this vast surveillance network. In California, protecting AB 1766 ID applicants would require repealing the state’s blanket DMV-data-access provision for all law enforcement, which the agency has relied on to justify information sharing with immigration enforcement,39 and passing affirmatively protective legislation that covers all information sharing, including through databases and third parties. Furthermore, because criminal prosecutions of immigration violations are rising,40 information sharing restrictions must encompass more than just “civil” immigration enforcement.41
Unsurprisingly, however, the federal government insists that states must cooperate with immigration enforcement. In its view, state efforts to restrict information sharing violate 8 U.S.C. § 1373,42 which forbids state and local governments from “prohibit[ing], or in any way restrict[ing], any government entity or official from sending to . . . [immigration enforcement] information regarding the citizenship or immigration status . . . of any individual.”43 In United States v. California,44 the Ninth Circuit held that § 1373 applies only to “a person’s legal classification under federal law,” and therefore does not cover the kind of information the DMV stores, such as addresses, images, and license plate numbers.45 But that question remains open in other circuits.
Even assuming that § 1373 is constitutional, states can protect DMV data. In City of New York v. United States,46 the Second Circuit upheld § 1373,47 becoming the only circuit court to do so.48 But City of New York left open the possibility of creating a broad confidentiality policy that includes, but is not limited to, immigration status, so long as it is “necessary to the performance of legitimate municipal functions.”49 There are a host of state and municipal functions that states may invoke in support of confidentiality. First, states like California have an interest in ensuring that all individuals living within the state can access basic services, including education, housing, and health care. Because these services are often inaccessible without an ID,50 and because privacy concerns are likely to deter immigrant residents from applying for universal IDs under legislation like AB 1766,51 a generalized confidentiality policy would increase access to resources. In the context of driver’s licenses, states also have a strong interest in ensuring all drivers are licensed to improve road safety.52 Furthermore, data sharing with immigration enforcement undermines trust between immigrant communities and state and local governments.53 This trust is crucial to advancing legitimate governmental goals, including public health initiatives like COVID-19 vaccination.54 Thus, under City of New York, states can implement broad confidentiality policies protecting DMV data.
Now consider § 1373’s constitutionality. The court in City of New York affirmed § 1373 based on an understanding of the anticommandeering doctrine55 that is now outdated. To uphold § 1373, the Second Circuit distinguished between “invalid federal measures that seek to impress state and local governments into the administration of federal programs” and “valid federal measures that prohibit states from compelling passive resistance to particular federal programs.”56 But in 2018, the Supreme Court decided Murphy v. National Collegiate Athletic Ass’n,57 explicitly rejecting that rationale.58 Assessing the constitutionality of a federal law that prohibited states from authorizing sports gambling, the Court held that the distinction between “precluding state action and affirmatively command[ing] it . . . is empty.”59 Writing for the majority, Justice Alito declared that “[t]he basic principle — that Congress cannot issue direct orders to state legislatures — applies in either event.”60 As the Ninth Circuit and other courts have since held, Murphy’s rejection of a distinction between federal laws that prohibit and those that command renders § 1373 unconstitutional.61
In arguing that § 1373 remains constitutional, the United States has relied on Reno v. Condon.62 There, the Supreme Court held that the Driver’s Privacy Protection Act of 1994, which restricted “the disclosure and resale of personal records contained in the records of state DMVs,”63 was constitutional because it applied to private parties as well as states.64 The Supreme Court affirmed this principle in Murphy: “The anticommandeering doctrine does not apply when Congress evenhandedly regulates . . . States and private actors.”65 As established in California, however, this reasoning does not apply to § 1373 because “it is the state’s responsibility to help enforce federal law . . . that is at issue.”66
A policy protecting the confidentiality of DMV data is crucial to ensuring that undocumented residents can safely apply for identification cards under legislation like AB 1766, and is well within the states’ power. To make the protections of universal ID provisions meaningful, a privacy policy must restrict not only direct data sharing, but also sharing through databases and third parties, both private and public. And the need for data privacy does not end with DMV data. States can exert control over other data as well, including utility company records, which are routinely sold to ICE via large data corporations like LexisNexis and Thompson Reuters.67 If state governments are serious about protecting undocumented communities, they must ensure that ICE cannot take advantage of the vast networks of data within state control to target immigrant communities.