The California Department of Motor Vehicles (DMV) has requested more than $55 million in additional funding for costs related to uploading information about every California drivers license or state-issued ID card to the national REAL-ID database, SPEXS.

The DMV Budget Change Proposal is accompanied by a “policy” bill, AB-2156, introduced in February on an “urgency” basis to take effect as soon as enacted, that would override the provisions of California motor vehicle and privacy law that currently prohibit this upload.

Both the budget and policy proposals have the support of the DMV and Governor Newsom. It will be up to members of the state legislature — and public pressure — to stop them before they are enacted into state law and have to be challenged in court.

These budget and policy proposals will need to go through both the Assembly and Senate Budget and Transportation committees. The first hearing on the budget proposal is expected to be this Thursday, March 19th, in the Senate Budget and Fiscal Review Committee. The first hearing on the policy bill is tentatively expected to be April 15th in the Assembly Committee on Transportation.

The DMV is asking for  $32M in fiscal year 2026-2027 and $23M in 2027-2028 for what it describes as a “State-to-State Verification System (S2S) Project”:

The Department of Motor Vehicles (DMV) requests additional funding and personnel resources to continue DMV’s compliance with the REAL ID Act of 2005 by implementing the State to State (S2S) Program. California’s compliance date for State to State (S2S) is February 16, 2027, and the core DMV systems will interface and connect the driver license (DL)/identification card (ID) S2S data elements with the American Association of Motor Vehicle Administrators (AAMVA) electronic verification and history exchange.

This summary is in parts inaccurate, in parts misleading, and in parts incomplete.

Inaccurate, because California is not in compliance with the REAL-ID Act and, as the proposal is written, this project would not bring the state into compliance.

Misleading, because it doesn’t mention the SPEXS national ID database that is central to this system; characterizes as a “state-to-state” system what is actually a hub-and-spoke network in which data is shared between states and AAMVA, not directly between states;  and downplays the role of AAMVA from the owner and controller of the database to the mere operator of an “exchange”.

Incomplete, because it doesn’t explain that the “compliance date” it refers to was set by AAMVA (and could be changed or eliminated by AAMVA), not by any law; says nothing about the status of AAMVA as a private, non-governmental, out-of-state organization not subject to any of the open meetings, public records, due process, privacy, etc. laws that would apply to a Federal or state government agency; and doesn’t consider whether the proposals violate the state constitution.

The policy bill, AB-2156, has similar defects in addition to internal contradictions. These suggest that the drafters of the legislation didn’t fully understand what it would mean, why it’s so much worse than it appears, or that they have a real choice about whether to keep chasing the moving goalposts of Federal demands for REAL-ID “compliance”.

AB-2156 would authorize disclosure of social security numbers or ineligibility for a social security number (which might indicate undocumented status as an immigrant) for the purpose of “Participation in the State-to-State Verification Service, or any successor system, operated by the American Association of Motor Vehicle Administrators.” This provision is clearly intended to authorize uploading this data to the SPEXS database. But the wording is crafted to avoid any explicit mention of  the existence of a national ID database.

AB-2156 says that “Information disclosed pursuant to this paragraph shall only pertain to individuals who have been issued a REAL ID-compliant driver’s license or identification card and only to the minimum extent necessary to comply with federal law.” Read literally, this would mean that no information could be disclosed at all, since Federal law does not (and could not) require states to comply with the REAL-ID Act.

If this provision is interpreted or revised to authorize whatever disclosure of information is needed for California to be deemed by the Federal government to be “compliant” with the voluntary provisions of the REAL-ID  Act, that would amount to pre-authorization for whatever expanded disclosure the Department of Homeland Security (DHS) later demands. This would be the epitome of preemptive compliance  without limits.

The REAL-ID Act leaves it to the Secretary of Homeland Security to promulgate regulations establishing criteria for REAL-ID compliance. Do the government or people of the state of California really want to cede to whomever may in the future be appointed Secretary of Homeland Security the power to decide, in their discretion, which driver’s license data may be shared? Californians would be outraged if they knew that this was being considered.

The DMV’s justification for its proposal is  “To continue compliance with the REAL ID Act of 2005.” What is this supposed to mean? None of the requirements of the REAL-ID Act are about to change. If the state were already in compliance, this proposal wouldn’t be needed for continued compliance. In fact, the state isn’t in compliance, and this proposal wouldn’t bring it into compliance, even if it were enacted.

The confusion about the criteria for compliance stems from the fact that both the DMV Budget Change Proposal and AB-2156 mention one of the two data-sharing mandates in the REAL-ID Act and regulations, but not the other.

The DMV budget request refers to “the requirement for California to verify REAL ID compliant DL and ID cards with the state of issuance (6 CFR § 37.13)”. The Legislative Counsel’s digest of AB-2156 refers to the requirement in those regulations “to check with all other states to determine if an applicant currently holds a REAL ID driver’s license or REAL ID identification card in another state.”

But neither the budget request nor the bill mention the other data sharing mandate in the REAL-ID statute: “To meet the requirements of this section, a State shall… Provide electronic access to all other States to information contained in the motor vehicle database of the State [and] maintain a State motor vehicle database that contains, at a minimum… all data fields printed on drivers’ licenses and identification cards issued by the State.”

The law couldn’t be plainer: to be “compliant”, a state must share ALL data in ALL records of ALL drivers’ licenses and state-issued ID cards. A state that withholds any of this data about any licenses or IDs is not compliant. States can’t pick and choose which data to share or upload to the SPEXS database, if they want to be compliant.

But AB-2156 would provide that,  “Information disclosed pursuant to this paragraph shall only pertain to individuals who have been issued a REAL ID-compliant driver’s license or identification card.”

Since California also issues non-compliant licenses and IDs, not sharing or uploading all information about them in the DMV database would still leave California noncompliant.

If California would still not be compliant with the REAL-ID Act even if it enacted this legislation, why is the DMV asking for $55 million to send state residents’ data to AAMVA?

The DMV says that “California’s compliance date for State to State (S2S) is February 16, 2027”, which suggests a legal deadline. But the DMV later explains that, “This is the last date on AAMVA’s calendar for a state to implement S2S.” Is AAMVA’s self-determined calendar a basis for sudden “urgency” in consideration by the California legislature of a measure that the DMV has know for twenty years would eventually be required if the state chose to comply?

This should be a  red flag that AAMVA, not the state of California, is driving this project.

Who is AAMVA and why are they hosting the national ID database or setting the terms and schedule for California legislation?

It’s essential for state legislators and members of the public to understand that AAMVA is a private, non-governmental, out-of-state entity not subject to any of the “good government” rules that would apply to a Federal or state agency.

If California or another state wanted to impose contractual “guardrails” on AAMVA, it could start by requiring AAMVA or any contractor to the state providing similar services of transmitting, receiving, or hosting state data to: (1) grant individuals subject access rights to SPEXS and any other personal data about them held by AAMVA, (2) grant public access to AAMVA records, and (3) make decisions under rules equivalent to those applicable to California state agencies for subject access request for personal data, requests for public
records, and open meetings. AAMVA would presumably never agree to those terms, but that would be a way to spotlight AAMVA and the invidious outsourcing of governance functions to a private entity not subject to the same rules as any government agency.

Data uploaded to the SPEXS database (hosted who knows where by who knows what AAMVA contractor) or sent to the AMMVA S2S network hub for onward transmission to another state has no more  protection than data sent to or via any other out-of-state private (non-common carrier) commercial data network or hosting company.

Just as with any commercial data hosting or cloud services company, a Federal law enforcement agency could use a variety of existing legal mechanisms to obtain a sealed warrant or other order requiring AAMVA to hand over SPEXS data and not to tell its “users” (state agencies such as the California DMV) or data subjects (California drivers) that it had done so.   Neither California, any other state government, nor the public knows whether some Federal agency has already obtained a complete copy of the SPEXS database or handed it over to DOGE. Nor do we know if  AAMVA, in its discretion, would choose to contest such a Federal demand — or would quietly comply.

Nothing California could include in its state law could change this. The problem is inherent in outsourcing the national ID database to a private company.

When we obtained a copy of AAMVA’s privacy policy a decade ago, we found that it included no procedure for an individual to find out from AAMVA what data AAMVA has about them in the SPEXS database or other records. Today AAMVA still has no publicly-disclosed privacy policy or procedures, and we have non reason to think its practices have improved.

AAMVA doesn’t want you to know about the SPEXS database. After we wrote about SPEXS, based on documents on AAMVA’s  public website including the specifications for the database, AAMVA moved those documents to the “members-only” section of its website and threatened to sue us for copyright infringement unless we took down the copies we had legally obtained.

Californians have never heard of AAMVA or the SPEXS database. They weren’t told when they applied for a driver’s license that if they chose a “compliant” license, their information would be available to all other states and would be uploaded to a privately-held national database. They weren’t asked for consent for any of this. If they had been notified and asked, they wouldn’t have consented. Many would have chosen a noncompliant license.

Even now, under the DMV’s plan, Californians aren’t going to be given notice or a chance to opt out or go back to a noncompliant  license or ID before their data is uploaded to the SPEXS database. The DMV isn’t giving people notice because it knows that many of them would be outraged, even if they could then opt out. This expansion of data sharing to new and fundamentally different entities, without notice, consent, or opportunity to opt out, violates fundamental principles of privacy and personal information processing.

We raised all of these objections and more when we testified  at hearings before the DMV in 2017 on its proposal for REAL-ID compliance, and before the Assembly Budget Committee in 2019, where we pointed out the lack of any budget planning for the cost of eventually uploading Californians’ personal data to the SPEXS national database.

The DMV brushed off our objections and moved ahead with planning for the SPEXS upload despite having never sought funding for it until this year, and despite it being contrary to longstanding California law that the DMV is only now seeking “urgently” to change.

Nothing has changed, except the DMV ‘s self-imposed (or AAMVA-imposed) “deadline”. None of our objections have been addressed in the current proposals.

In order to be “compliant”, a state must share drivers’ license data with ALL other states. That means that if California or any other state opts out of sharing data, no state can be compliant. This isn’t a case of “California will be the only noncompliant state”.

What this really is about is a Federal threat to discriminate against Californians if the state doesn’t do what the Feds want but don’t have the legal authority to require.

The office of the Attorney General has had twenty years to prepare for this eventuality. The Attorney General should be ready, able, and committed to challenge any attempt by Federal agencies to discriminate against Californians. That litigation is — as we’ve been saying for a decade — what the legislature should be budgeting for.

We’re raising the alarm now. We’ll have more to say as these proposals move through the legislature in Sacramento, starting with the first budget hearing this Thursday, March 19th.

We’ll be there to say no to this DMV sell-out to AAMVA and to urge the legislature, the Governor, and the Attorney General to stand up to this lawless ultimatum from the DHS.