An old privacy law is driving new litigation risk. Since 2020, the federal Driver's Privacy Protection Act (DPPA) has become the basis for a growing number of lawsuits, with the most recent cases focused on the commercial use of automated license plate readers (ALPRs). These cases represent an additional area of concern for any business that relies on personal data like names and addresses legally sourced from state DMV records to conduct routine business operations.
What Is the Driver's Privacy Protection Act?
Congress enacted the DPPA in 1994 in the wake of high-profile misuses of residential addresses obtained from state DMV records, most notably the 1989 murder of actress Rebecca Schaeffer at her home, after her address was obtained from the California DMV.
The DPPA prohibits state DMVs from disclosing personal information about any individual obtained by the DMV in connection with a motor vehicle record, unless one of 14 "permissible uses" applies. One of those, "for use in the normal course of business by a legitimate business or its agents," is frequently used, but is limited to certain enumerated business operations. Those include verifying the accuracy of personal information submitted to the business and, if such information is not correct, obtaining the correct information, but only for fraud prevention or debt recovery.
Other permissible uses include:
- Use in connection with motor vehicle or driver safety and theft
- Use in certain insurance activities
- Use in connection with litigation or investigation in anticipation of litigation, or when the individual has provided written consent
Any resale or redisclosure of lawfully obtained information also must fall within the scope of a permissible use. Violations of the DPPA are enforceable by civil litigation, with statutory penalties of a minimum of $2500 per violation. In addition to the DPPA, some states have enacted analogous laws, with some imposing additional restrictions on the use and disclosure of data from their DMV record.
Since the DPPA applies on its face to state DMVs, the law has historically been of limited concern to commercial entities. It is commonplace for companies to leverage DMV data for use in various day-to-day business operations. However, plaintiffs' DPPA class action lawyers who are eager to exploit the DPPA's substantial liquidated damages clause are now attempting to develop creative legal theories to apply the DPPA in ways not previously contemplated to a broader group of users of DMV data.
DPPA Litigation Has Accelerated in Recent Years
Since 2020, there has been a marked uptick in litigation alleging DPPA violations. Such litigation has followed different theories, as counsel has become bolder in asserting the DPPA against downstream uses of DMV data.
The first wave of litigation used data breaches as a precipitating event, alleging that the exposure of DMV data in breach incidents violated the DPPA. For example, class action litigation has been filed against an insurance company that suffered an attack on its online "instant quote" feature that exposed driver's license numbers to hackers.
In another class action filed against a breached insurance company, the DPPA claims were expanded beyond just exposure to hackers to also include the alleged impermissible use of DMV data for undefined sales and marketing. From there, litigation shifted to focus on the sale of DMV data to third parties. Cases have been filed against various sellers of DMV data, generally making the claim that the sellers were providing data for uses inconsistent with the DPPA's permissible uses.
Automated License Plate Readers (ALPRs) and the New Frontier of DPPA Lawsuits
The most recent wave of lawsuits has focused on users of ALPRs—technology commonly and widely used by various types of operators who deal with vehicle traffic control: commercial parking operations, hotels, private security, or homeowners' associations. ALPRs are regulated in a small number of states, which has led to the widespread use of such technology in a variety of commercial contexts.
For example, private parking operators frequently use ALPRs to scan license plates of vehicles. This use is generally visible to consumers, as the technology is signaled by prominent signage or notice to drivers. Private parking operators may match license plate numbers with DMV records to obtain the vehicle owner's name and address and send a parking violation to the owner's home.
Starting in 2024, plaintiffs' class action lawyers have been filing numerous lawsuits against parking management companies that use DMV data to send these parking citations. These cases allege, among other things, that the use of DMV data in this context falls outside of the "normal course of business" permissible use exception in the DPPA and thus is unlawful. As these cases slowly work their way through court systems around the country, business owners face uncertainty and new risks.
Conclusion
DPPA litigation provides another example of how privacy risk may be created and exploited by enterprising plaintiffs' counsel taking novel positions under older laws. These lawsuits represent yet another aspect of the widening interest in the privacy of data related to vehicles generally, including vehicle telematics and geolocation. Businesses that handle vehicle data should continue to monitor developments such as these to develop their privacy programs to address emerging risks.
If you have questions about the rise in DPPA litigation, please reach out to Venable's Privacy & Data Security Group for assistance.