A three-decade-old federal privacy law is emerging as a significant litigation tool, with plaintiffs increasingly invoking the Driver’s Privacy Protection Act against private businesses.
The Driver’s Privacy Protection Act, known as the DPPA, was originally designed to regulate state departments of motor vehicles and limit how they disclose personal information from motor vehicle records.
However, plaintiffs’ lawyers are now deploying the statute far more broadly, targeting companies that collect, buy, sell or otherwise use vehicle- or driver-related data in their ordinary business operations.
Critically, the DPPA is not limited to businesses that obtain records directly from state DMVs, creating exposure for companies that receive such data through third-party intermediaries or data vendors.
Any business whose workflows involve personal information that originated from a motor vehicle record may face liability, even if the company never interacted directly with a government DMV.
The statute authorises liquidated damages of at least $2,500 per violation, plus punitive damages, attorneys’ fees, costs and equitable relief, making it a powerful vehicle for class action litigation.
Permitted uses under the DPPA are tightly defined and include claims investigation, antifraud activity, insurer underwriting and rating, vehicle safety and recall activities, and providing notice to owners of impounded vehicles.
Businesses operating outside those permitted purposes, or without the written consent of the individual concerned, risk private litigation with significant financial consequences across potentially large plaintiff classes.
The rapid adoption of automated license plate reader technology, known as ALPR, is providing plaintiffs’ lawyers with an additional factual basis for DPPA claims against private commercial entities.
While license plate numbers are not generally understood to be personal information from a motor vehicle record, companies using ALPR data often match plates with DMV records to identify vehicle owners, creating fresh DPPA exposure.
Courts are also examining adjacent claims under state laws, with at least one California court recently allowing claims to proceed under Cal. Civ. Code section 1798.90.5, which governs private ALPR operators and end-users.
Legal uncertainty is compounding the risk, as courts have not been uniform in interpreting key DPPA provisions, including the precise scope of “motor vehicle record” and “personal information” under the statute.
Industries with traditional exposure to DPPA risk include auto insurers, vehicle manufacturers, towing companies, trucking companies, private investigators, parking and tolling operators, and data brokers.
More broadly, any organisation that collects, licenses, purchases, enriches, sells or rediscloses driver- or vehicle-related data should urgently assess whether its activities implicate the statute.
Compliance experts at Polsinelli PC advise businesses to map whether any data originates from DMV records, identify the permitted DPPA purpose for each use, and review vendor and customer contracts for resale restrictions and audit rights.
In many downstream or historical-data workflows, obtaining DPPA-compliant consent may be impractical, making data-source diligence and permitted-use documentation the most critical lines of defence for businesses.

