California Expanded Mobile ID—and Built an Interstate Driver-Data Rail

The state’s press release sold the phone wallet. The chaptered text also authorizes a multi-state identity and driver-history exchange with names, birth dates, credential numbers, Social Security pointer data, and audit machinery that will not fully report to the public until 2028.
California did not merely expand a mobile driver’s license pilot on July 13.
SB 169 also authorized the Department of Motor Vehicles to participate in the American Association of Motor Vehicle Administrators’ State-to-State Verification Service. That separate provision allows California to verify and exchange driver’s-license, identification-card, and driver-history records with other participating jurisdictions.
The Governor’s announcement highlighted the wallet. It said the optional mobile-ID pilot can now reach 60% of licensed drivers instead of 15%. It praised convenience, efficiency, digital government, fewer mailed notices, and less paperwork.
The release did not mention AAMVA, interstate data exchange, Social Security pointer data, request logs, subpoenas, anomaly detection, or the state audit due by 2030.
That omission is not proof of a secret program. The chaptered bill is public, and the statute includes stronger privacy language than most identity-infrastructure stories do. It is proof that government marketing and government architecture are different documents. Read the second one.
Two systems traveled in one bill
The mobile-ID pilot and the State-to-State exchange are related identity infrastructure. They are not the same system.
Vehicle Code §13020 governs the optional mobile or digital alternative to a physical license. SB 169 raises its enrollment ceiling to 60% of licensed drivers. Participation remains voluntary. Participants still receive a physical credential and can keep using it. The law says a person or business cannot give preferential service because somebody uses the digital version.
The pilot has meaningful protections. Remote access requires “express, affirmative, real-time consent” for each requested piece of information. The app cannot collect movement or location data merely because it is an ID. A participant may leave and request deletion of data associated with pilot participation; DMV and pilot contractors then have ten days to delete data collected or maintained because of that participation.
That is not an order to erase the person’s underlying DMV licensing record. It is a pilot-data deletion rule. Source records, records required under other law, backups, and legal holds are separate questions.
Vehicle Code §1808.3 creates the other rail. It authorizes DMV to use AAMVA’s State-to-State Verification Service, or a successor, “for the sole purpose of verifying and exchanging driver’s license, identification card, and driver history records with participating jurisdictions.”
The phone wallet is voluntary. The interstate verification system concerns DMV records whether or not a driver installs a wallet. Collapsing those two provisions into one “mobile ID” story makes the consequential part harder to see.
What California may exchange
The statute says shared information must be the minimum necessary and limits the permitted categories. They include:
- true full name, including notice that prior true full names in DMV records will be shared;
- date of birth;
- the last five digits of a Social Security number as pointer information;
- state of record;
- driver’s-license or ID-card number;
- credential type;
- REAL ID indicator;
- Commercial Driver’s License Information System indicator; and
- specified driver-history and issuance information, including accident, conviction, withdrawal, class, endorsement, and restriction records.

Kyber Intel architecture map based on chaptered SB 169, Vehicle Code §1808.3. It shows statutory authority and required controls—not a verified live interface or proof that California data are already moving.
The exclusions matter too. Unless federal law requires otherwise, DMV may not disclose through this service:
- address;
- photograph;
- gender marker;
- biometric data, including fingerprints; or
- whether the person holds a license or ID issued under California’s AB 60 provision.
That final protection attempts to keep the State-to-State system from directly exposing whether a credential was issued under the section used by people who cannot prove lawful presence.
Do not turn that safeguard into a guarantee it cannot support. The words “unless otherwise required by federal law” remain in the statute. Court orders, subpoenas, sealed process, exports, partner assistance, and other authorities will need to be tested against the final agreement and real operating procedures.
SB 169 does not prove ICE has access. It does not authorize a general federal fishing expedition merely by creating §1808.3. It also does not prove that compelled disclosure can never happen.
The 14-day rule is not a universal delete button
Before participating, California DMV must sign an AAMVA agreement consistent with the new section. The agreement must require participating jurisdictions to restrict access to authorized people who need it for official duties and to audit user access.
It must also require recipients to retain information for the minimum time necessary or 14 days, whichever is shorter, and to keep only the minimum information needed for the section’s purposes. The agreement must prohibit AAMVA and participating jurisdictions from sharing, selling, or otherwise making the information available unless federal law requires it.
Those are real restrictions. They are not “all DMV data disappear after two weeks.”
The clause governs information retained by participating jurisdictions under the required agreement. It does not by itself erase California’s source database, audit logs, exports created as evidence, backups, or records preserved under a legal hold. Source-data retention and query-log retention are not interchangeable just because both live near a database.
The contract will determine whether the statutory language becomes an enforceable operating rule or decorative compliance wallpaper. DMV must publish its AAMVA agreements and provide at least 30 days’ notice to legislative committees before executing material new or modified agreements governing data use, retention, or collection.
As of this publication cutoff, Kyber has verified the authority and the required contract terms in the chaptered law. We have not verified an executed agreement, operational launch, first data transfer, active jurisdiction list, query interface, or deployed access controls.
California wrote an accountability test into the law
The oversight provisions are unusually specific:
- DMV must maintain and analyze request audit logs.
- It must investigate anomalous or irregular requests.
- It must be able to limit, delay, or decline batch, bulk, list-based, pattern-based, automated, or exploratory requests.
- It must refer reasonably suspected unauthorized use to the state Department of Justice.
- After a confirmed unauthorized request or use, it must notify AAMVA, DOJ, and affected people without unreasonable delay, subject to operational, technical, investigative, or other sensitive needs.
- AAMVA must temporarily suspend jurisdictions in specified cases involving unauthorized use, contract violations, or system integrity.
- The California Attorney General receives a path to seek an injunction when the statutory conditions are met.
Auditability is useful. It is retrospective by design. A log can show that somebody ran a query; it does not prove the control prevented the query, that the query returned a match, or that no export escaped the normal retention window.
The monitoring plan is where the abstractions must become procedure. An advisory group is due to meet by November 1, 2026. DMV owes legislative committees a draft plan by February 1, 2027 and a final plan by July 1, 2027. Annual public reports begin February 1, 2028. The California State Auditor must audit compliance by January 1, 2030.

Statutory accountability calendar from Vehicle Code §1808.3. Dates show deadlines in the chaptered law; they do not imply that California has already launched the exchange.
The obvious defect is latency. The law can become operational before the first annual public report appears. “We will publish the audit later” is the government version of a software company promising documentation after deployment.
The state’s case—and the civil-liberties objection
California officials say the exchange is needed for REAL ID compliance. CalMatters reported that officials describe the system as person-specific: an authorized user supplies information for one applicant, and ordinary bulk searching is not available. The state Department of Finance says the safeguards limit sharing to the minimum necessary.
That is the strongest counterargument. Duplicate-license detection and interstate driver-history verification are legitimate administrative functions. A system with field minimization, no photo or biometric exchange under ordinary authority, access audits, anomaly review, recipient retention limits, public contracts, suspension, notice, and attorney-general enforcement is not the same as an unrestricted national identity database.
It is still identity infrastructure operated across jurisdictions through a private association. Its practical limits depend on contracts, software behavior, legal-process handling, and enforcement by institutions with incentives to keep the rail running.
Civil-liberties and immigrant-rights advocates quoted by CalMatters acknowledged that lawmakers improved the proposal. They remain concerned that court orders or other compelled process could require disclosure, that Social Security pointer data are sensitive, and that the 2030 audit arrives too late to serve as a launch gate.
Those are risk claims, not proof of misuse. No abuse, immigration-enforcement query, bulk disclosure, breach, or false match caused by California’s new authority has been established here.
What California should publish before data move
A trustworthy launch should not require the public to wait for the 2028 report. DMV should publish a live implementation file containing:
- the signed AAMVA agreement and every amendment;
- the date the system becomes operational and the date of the first transfer;
- the exact fields transmitted, including treatment of missing SSNs and prior names;
- the participating-jurisdiction list;
- the query workflow, role permissions, contractor access, and rejected-query rules;
- source-data, pointer-data, audit-log, export, backup, and legal-hold retention separately;
- the number and category of direct requests, batch attempts, anomalies, delays, denials, suspensions, and confirmed misuse events;
- subpoena, sealed-order, and gag-order handling;
- notification timing and every statutory reason for delay; and
- independent verification that deployed controls match the contract.
The falsifiable thesis is simple: California wrote guardrails strong enough to measure. Now the state has to publish the contract and operating evidence before asking residents to trust the rail.
Practical exits without fantasy
Keep the physical credential
Mobile ID remains optional under this law. Do not let convenience marketing convince you the phone version is mandatory. Keep the physical credential and use it when it reduces device dependence or avoids handing an unlocked phone into an identity interaction. The law says the holder cannot be required to turn over the device to use a digital credential.
Treat wallet deletion and DMV deletion as different things
Removing an app or leaving the pilot can reduce wallet-related data. It does not erase a lawful licensing record. Read deletion promises narrowly and ask what happens to provider logs, backups, and derived records.
Do not surrender a license as a “privacy fix”
Driving without a required license is illegal, and surrendering a credential does not necessarily erase historical records. The lawful response is oversight: contracts, records requests, legislative pressure, litigation where appropriate, and documented implementation testing.
Ask your state what it sends
If your jurisdiction participates in S2S, ask for the operative agreement, data dictionary, retention schedule, request and audit-log policy, contractor list, suspension history, and aggregate direct-query counts. Do not accept “14 days” without asking which record class the answer covers.
Keep mobile ID out of unrelated access gates
SB 169 does not make California’s wallet a universal age-verification credential or mandatory login. Regulators and businesses should not quietly convert an optional government credential into the default key for lawful reading, speech, commerce, or platform access.
Bottom line
California did not make mobile ID mandatory, create an unrestricted federal database, or prove that anybody misused driver records.
It did expand optional digital credentials to a far larger population while authorizing a separate interstate identity and driver-history exchange through AAMVA. The statute specifies data fields, exclusions, retention restrictions, logs, anomaly controls, notices, contracts, enforcement, reports, and deadlines.
That is better than a blank check. It is not self-enforcing.
The press release sold an ID on your phone. The law built a rail between databases. The public should see the contract, the data path, and the logs before the train leaves the station.
Internal reading
- Remote Attestation Is How Your Phone Becomes a Permission Slip
- Automated Moderation Is the New Platform Border Patrol
- Congress Blocked a Retail Fed CBDC Until 2031. Digital-Dollar Control Is Still Alive.