DPPA (Driver's Privacy Protection Act)

What DPPA actually does

The DPPA (18 USC §§2721-2725) passed in 1994. Congress named the law for the 1989 murder of actress Rebecca Schaeffer — her stalker had paid a Tucson detective agency $250 to pull her home address from California DMV records. The 1999 Amy Boyer case, where a different stalker paid a different broker for a workplace address, prompted Remsburg v. Docusearch (NH 2003), the first state-supreme-court ruling that brokers owe a duty of care to the people whose data they sell. The trigger: actress Rebecca Schaeffer was murdered by a stalker who paid a PI to pull her home address from the California DMV.

It restricts what every state DMV can disclose about you — name, home address, phone, SSN, driver ID number, photo, height, weight, gender, age, and medical or disability info from your driving record. SSN, photo, and medical or disability info are flagged as "highly restricted" — express written consent is required for most uses.

The default rule: none of that can be sold or disclosed by the DMV or by anyone downstream who got it from the DMV. The exceptions are listed as "permitted purposes" — specific situations the law allows.

Permitted purposes (the carve-outs)

The statute lists 14 carve-outs — mostly government use, fraud verification, insurance, and court use. The full list is in 18 USC §2721(b).

The three you're most likely to run into:

• Government agency use — your own agency pulling records for legitimate work.
• Fraud verification — businesses confirming a person's identity to prevent fraud.
• Insurance underwriting and claims — insurers checking your driving record.

The "research" exception and the "fraud verification" exception have been the contested ones in court. Brokers have tried various permitted-purpose arguments. Some lost.

Recent enforcement

Civil DPPA suits have been steady, but the new front in 2025–2026 is automated license plate readers. ALPR vendors and the police agencies that buy from them are facing a wave of DPPA litigation over plate-data sharing pipelines that arguably leak DMV-derived info beyond permitted purposes. If your agency runs ALPR data through a private vendor, the legal risk on that pipeline is no longer theoretical.

DPPA penalties are real. State DMVs face civil fines up to $5,000 per day. Knowing individual violations can run up to $10,000 in criminal fines. The private right of action — your right to sue them yourself — gets you actual damages with a $2,500 floor per violation, plus punitive damages and attorney's fees if it's willful.

What it doesn't reach

DPPA is a federal statute that binds the DMV's disclosure pipeline. It doesn't reach:

1. Data brokers that obtained DMV-equivalent data through other channels. Vehicle registration data sometimes appears in commercial broker files sourced from leaks, breaches, or third-party aggregators that were never bound to a permitted-purpose certification.
2. Voter rolls, property records, court filings, and other public-records sources that overlap with DMV data. These are governed by state laws, not DPPA.
3. Brokers operating outside the US. DPPA enforcement runs through federal court — that's the legal basis to file. Offshore actors are practically out of reach.

What we do

We can't sue brokers for DPPA violations on your behalf — that's a separate legal action. But we can clear the broker-side exposure that DPPA was supposed to prevent. Standard opt-outs across 200+ broker sites, re-checked every two weeks. If you're an active or retired officer in a state with DMV-confidentiality flags (CA Vehicle Code §1808.4, NJ §39:2-3.4, others), file the state-level confidentiality designation in addition to using us. Belt and suspenders.

If you have evidence a specific broker pulled your DMV record without a permitted purpose, that's a DPPA case for an attorney.