FrontlinePrivacy

DPPA (Driver's Privacy Protection Act)

What it does, who it protects, and how to invoke it. Plain English.

Who it protects

Anyone with a US driver's license or state ID. Restricts how state DMV records can be disclosed by the DMV and downstream by anyone who obtained them.

What it does

Limits the people and purposes for which state DMVs can share your personal info from driver's license and vehicle registration records. Civil damages of $2,500 per violation and possible criminal liability for knowing misuse.

How to invoke it

If you suspect a person, company, or broker obtained your DMV record without a permitted purpose, you can sue in federal court. Statutory damages are $2,500 per disclosure plus attorney's fees and punitive damages where willful.

What DPPA actually does

The DPPA (18 USC §§2721-2725) passed in 1994 as part of the Violent Crime Control and Law Enforcement Act. Congress named the law for the 1989 murder of actress Rebecca Schaeffer; her stalker had paid a Tucson detective agency $250 to pull her home address from California DMV records. The 1999 Amy Boyer case, where a different stalker paid Docusearch for a workplace address, prompted Remsburg v. Docusearch (NH 2003), the first state-supreme-court ruling that brokers owe a duty of care to the people whose data they sell.

The default rule is simple. State DMVs cannot disclose your personal information without a permitted purpose. Anyone downstream who got DMV-derived data is bound by the same restriction. Violate it and you're liable.

What's covered

The statute defines two tiers. Standard "personal information" includes your name, home address, phone, SSN, driver ID number, photo, height, weight, gender, age, and medical or disability info from your driving record. "Highly restricted personal information" is a narrower subset: SSN, photograph, and medical or disability information. Highly restricted info requires express written consent for almost any use; the carve-outs that apply to standard info don't apply here.

What's not covered: traffic violations, accident reports, license status. Those run through state public-records law, not DPPA. If your home address is in a publicly filed accident report, DPPA doesn't reach it, though the state vehicle-records statute might.

The 14 permitted purposes

DPPA at 18 USC §2721(b) lists 14 permitted purposes. The full list, with what each one looks like in practice:

  1. Government agency function. Your own agency pulling records for legitimate work. The most common path.
  2. Verifying matters in motor vehicle or driver records, fraud prevention. A bank verifying your DL number on a loan application.
  3. Normal course of business by legitimate business. Verifying personal info you provided is accurate.
  4. Civil, criminal, administrative, or arbitral proceedings. Process service, court orders, expert witnesses.
  5. Research activities. Studies that don't publish individual records.
  6. Insurance underwriting and claims investigation. Insurer running your driving history.
  7. Notifying owners of towed or impounded vehicles. Self-explanatory.
  8. Licensed private investigators. Acting for a permitted purpose, not the catch-all the industry treats it as.
  9. Employer verification of CDL information. Trucking and bus companies running their drivers.
  10. Toll transportation operations. EZ-Pass and equivalents.
  11. With express consent of the individual. Writing your own permission slip.
  12. Bulk distribution for surveys, marketing. Only with express opt-in consent.
  13. Use by private investigators for permitted purposes. Same as 8, restated.
  14. Other use specifically authorized by state law. State-by-state carve-outs.

Purposes 5 (research), 8 (PIs), and 13 (PIs again) are the ones brokers and aggregators have tried to ride. Some lost. The Eighth Circuit and others have held that "research" doesn't include compiling commercial people-search databases.

Reno v. Condon (2000) and constitutional challenges

When DPPA passed, South Carolina sued the federal government, arguing the law violated the Tenth Amendment by commandeering state DMV operations. The Supreme Court rejected the challenge unanimously in Reno v. Condon, 528 U.S. 141 (2000). Chief Justice Rehnquist wrote that DPPA regulates the states as owners of databases, not as sovereigns, and Congress can regulate the interstate commerce of motor vehicle records. That ruling locked in DPPA as a permanent federal floor under state DMV practice.

That matters because every constitutional challenge since has run into Reno v. Condon. The statute is settled law. The fight has moved to who counts as a permitted user and what constitutes a permitted purpose.

Recent enforcement, the ALPR wave

Civil DPPA suits have been steady. The new front in 2025-2026 is automated license plate readers. ALPR vendors and the police agencies that buy from them are facing a wave of DPPA litigation over plate-data sharing pipelines that arguably leak DMV-derived info beyond permitted purposes. Venable's February 2026 analysis catalogs the pattern: a vendor pulls plate-to-name data for one permitted purpose, then sublicenses to a second client whose use isn't covered. That second leg violates DPPA.

The 2026 Joplin case is the cautionary tale on the inside. An officer ran ALPR pulls on a personal target. The agency settled the DPPA claim. If your agency runs ALPR data through a private vendor, the legal risk on that pipeline is no longer theoretical. The same data flows that protect officers in their work can expose them through aggregator sharing.

How to spot a DPPA-violating disclosure

Most officers won't see a DPPA violation directly. The pattern looks like this: you get a piece of mail or a call referencing your registered vehicle make and plate at your home address, and the sender has no plausible permitted purpose. Or your name and address show on a broker site with the source labeled as "DMV records," "vehicle registration," or "VIN-linked."

Three signals to look for:

  • Source labeling. Broker sites that disclose source feeds will sometimes label DMV-derived data. That's a strong signal.
  • VIN, make, model, year tied to your home address. Court records and accident reports rarely include all four. DMV records do.
  • Lookups by plate to identity. If a stalker references your plate, they got it from somewhere upstream of DMV.

If you have one of those, document it. Save the listing, the URL, and any contact that referenced the data. That's the evidence package an attorney needs to file.

Penalties and damages in practice

DPPA penalties are real. State DMVs face civil fines up to $5,000 per day for non-compliant disclosure pipelines. Knowing individual violations under 18 USC §2723 can run up to $10,000 in criminal fines. The private right of action under 18 USC §2724 gets you actual damages with a $2,500 floor per violation, plus punitive damages and attorney's fees if it's willful.

The math compounds the same way Daniel's Law math compounds. A broker that pulled your DMV record once and shared with five downstream affiliates is staring at six $2,500 violations minimum, more if any of the affiliates re-shared. Aggregate damages in DPPA class actions have run into the millions.

One active interpretive question in DPPA litigation: courts have split on whether each impermissible access of a record is a separate violation (supporting aggregated damages) or whether a single course of conduct counts as one violation. This matters because a private investigator who pulls 50 records on the same target over a year could face $125K in liquidated damages on the per-access reading or $2,500 on the per-course-of-conduct reading. If you're filing a DPPA suit, consult counsel on the relevant Circuit's interpretation.

State-level overlays

DPPA is a federal floor. Several states layer on stronger DMV confidentiality:

If you're an active or retired officer in one of these states, file the state-level confidentiality designation in addition to using us. Belt and suspenders.

What it doesn't reach

DPPA binds the DMV's disclosure pipeline. It doesn't reach:

  1. Data brokers that obtained DMV-equivalent data through other channels. Vehicle registration data sometimes appears in commercial broker files sourced from leaks, breaches, or third-party aggregators that were never bound to a permitted-purpose certification.
  2. Voter rolls, property records, court filings, and other public-records sources that overlap with DMV data. State public-records law governs those, not DPPA.
  3. Brokers operating outside the US. DPPA enforcement runs through federal court. Offshore actors are practically out of reach.
  4. Information you put into circulation yourself. If you posted your address publicly, DPPA can't claw it back.

Common questions

Can my own agency be sued under DPPA? Yes, and they have been. Agencies are liable when an officer pulls a record for a non-permitted personal use. The Joplin matter is one of the more recent examples. Agency policy that permits broad personal-use lookups is a DPPA exposure for the department.

Can I sue if a private investigator pulled my record? Yes, if the PI didn't have a permitted purpose. The PI carve-out in §2721(b)(8) only covers PIs acting on behalf of a permitted user. It's not a blank check.

What about insurance companies running my MVR? Permitted under §2721(b)(6). Underwriting and claims are explicit carve-outs.

Does DPPA apply to license plate readers? It depends on the data flow. If the ALPR vendor enriches plate data with DMV-derived name and address, that's DMV-derived data and DPPA reaches the downstream sharing. If the ALPR system only stores plate and timestamp, it's outside DPPA but inside other state and federal privacy regimes.

What we do

We can't sue brokers for DPPA violations on your behalf. That's a separate legal action. But we can clear the broker-side exposure that DPPA was supposed to prevent. Standard opt-outs across 200+ broker sites, re-checked every two weeks. We also flag listings that look DMV-sourced so you can hand the package to an attorney if you want to pursue the federal claim. Officers chasing DMV-sourced exposure use recurring opt-outs across the DMV-fed broker pipeline without filing per-broker themselves.

If you have evidence a specific broker pulled your DMV record without a permitted purpose, that's a DPPA case for an attorney. The federal courthouse is the venue.