In 1989, an obsessed fan fatally shot actress Rebecca Schaeffer in the doorway of her West Hollywood home. He had obtained her address from the California Department of Motor Vehicles. The murder prompted Congress to pass the Drivers Privacy Protection Act (DPPA).
DPPA prohibits state DMVs from releasing drivers’ personal information without the express authorization of the driver. It applies to DMVs and individuals authorized to receive personal information and imposes record-keeping requirements. The penalty for noncompliance is a civil penalty of up to $5,000 a day for each day of substantial noncompliance. This is in addition to criminal fines and potential liability in private actions by the drivers, including liquidated damages of at least $2,500 for each violation. The Supreme Court held DPPA constitutional in Reno v. Condon.
DPPA carves out exceptions for permissible uses. These include:
Government agencies carrying out their functions
Insurance companies underwriting policies
Employers who need to verify their employees’ commercial driver’s license information
In court and litigation proceedings.
The litigation exception had been read expansively until the 2013 Supreme Court decision in Maracich v. Spears. Maracich held that an attorney’s solicitation of prospective clients constituted an impermissible purpose for disclosure under the DPPA.
The Maracich decision has underscored the potential risk for businesses and municipalities relying on such data. For instance, companies selling extended car warranties, who may identify prospective clients based on data partially derived from DMV records may breach DPPA. Likewise, many attorneys have long relied on DMV records to identify prospective clients involved in recent auto accidents or who have recently received speeding tickets, and Maracich would seem to be the death knell for those kinds of solicitations.
In another example, drivers sued a town, contending that its placement of parking tickets containing drivers’ information under windshield wipers constituted an impermissible disclosure of information under DPPA (Senne v. Village of Palatine). Two unions were accused of violating DPPA by obtaining worker’s addresses by tracing the registrations of vehicles parked outside the employer’s facility during an organizing drive in Pichler v. UNITE. A class action lawsuit alleged that certain parties violated DPPA when they purchased DMV records in bulk (Taylor v. Acxiom Corp.).
More ominously, a New Yorker whose family was purportedly harassed after a road rage incident sued the record reseller who had supplied his motor vehicle information to the alleged harasser (Gordon v. Softech Int'l, Inc.). Several Minnesota celebrities, such as television reporters, have sued municipalities alleging officers improperly accessed their records (Rasmusson v. Chisago County). A witness in a murder case was allegedly able to locate the prosecutor’s home address and mail her an empty envelope in Cowan v. Ernest Codelia, PC.
Plaintiffs have not always prevailed on DPPA claims. Defendants often have compelling defenses, such as statutes of limitation or permissible purpose. Nevertheless, since DPPA carries potential criminal penalties and significant daily civil penalties, civil damages and an attorney’s fees provision, vigilance is warranted.
As an easy first step, companies, vendors and municipalities should institute training, processes and procedures to ensure DPPA compliance. Most DPPA violations stem from honest ignorance rather than malicious intent. Often, the information itself is generally accessible; retrieving it from readily available DMV records can offer a tempting, but potentially precarious path. In Dahlstorm v. Sun-Times Media LLC, the court ruled that publishing otherwise publicly available police officer information violated the DPPA when the data was retrieved from DMV records.
Municipalities and corporations can and have been sued for the actions of employees or contractors. Therefore, as a second step, controls and monitoring must be in place to ensure adherence to DPPA-compliance policies. A policy only offers a reliable shield if ongoing enforcement efforts are in place. Specifically, a readily available audit trail will go a long way in alleviating potential DPPA threats. In the DPPA context, as in life, an ounce of prevention is worth a pound of cure.
In a securities fraud case, Justice Rehnquist once quipped that Rule 10b-5 was “a judicial oak which has grown from little more than a legislative acorn.” DPPA has similarly grown from a relatively succinct anti-stalking law (notably in the pre-Internet era when DMVs were much more important repositories of personal information) into a source of significant potential liability arising from a wide variety of commercial activities. In defense of the courts, this growth can be attributed largely to the statute’s sweeping language rather than judicial “fertilization.” While DPPA could use pruning to return to its anti-stalking roots, neither the Supreme Court nor Congress has shown any intent or inclination to pick up the shears.