December 8, 2022
You might have a problem with your motor vehicle record (MVR) compliance, and that problem might be knowing when the Driver’s Privacy Protection Act (DPPA) starts to apply and, perhaps more important, when it stops.
Tessera has been working with MVRs for, what, nearly 40 years now, and we still occasionally hear such faulty claims as the DPPA is triggered only when a state department of motor vehicles (DMV) directly discloses an MVR to you. Once you have that MVR, the assumption goes, the DPPA, along with all its protections, evaporates. Whatever you do with the MVR from there is your affair.
If you share this perspective, you might want to call your insurance broker and make sure your policy doesn’t exclude DPPA or similar claims. As several courts have noted, the DPPA covers all disclosures of personal information if it’s derived from an MVR, regardless of whether you get it straight from the desk clerk at the DMV or identity thieves on the dark web.
Not knowing whether this statute and its state counterparts apply to you could affect whether you disclose an MVR to your customer for a permissible purpose, which could affect what records you’re keeping, which could affect how you’ll fare in an audit by your vendor or state regulator, which, ultimately, could affect whether you’ll continue to have access to the data you need to keep your business thriving.
So varied and unexpected are these ramifications that they begin to resemble the steps in the Rube Goldberg machines you see in cartoons like Tom and Jerry. But since confusing topics like this can take time away from your ability to address other pressing issues that keep your business competitive, the experts at Tessera will make this simple by taking you through three unanticipated results of MVR noncompliance. In doing so, Tessera will do one of the things it does best for its customers: Eliminate false assumptions and invoke clarity.
If you want to avoid the parade of horribles we mentioned earlier, the place to start is establishing whether the DPPA applies to you. As we suggested in a previous blog post, knowing when a particular privacy or consumer protection law governs your services can be of central importance to your business. That’s why this section will likely be the densest portion of the blog post. To make this more manageable, we’ll divide this section into two parts.
Generally, a disclosure’s legality under the DPPA is a combination of subject matter (personal information) and source (a motor vehicle record). We can distill this to a simple addition equation, with Personal Information and MVR as the addends and DPPA Applicability as the sum. For self-indulgent boosterism, let’s call it the Basic Tessera Theorem.
Personal Information + MVR= DPPA Applicability
Fortunately, the DPPA provides definitions for our equation’s two addends. Unfortunately, these definitions are less than clear, if even that, and have sparked some fairly recent litigation. Most of those lawsuits concern accident reports and whether the DPPA applies to them, an issue that can get pretty complicated and that won’t concern us here.
Suffice it to say that, apart from a minority of courts’ interpreting the MVR definition as encompassing a mere driver’s license, the majority of courts have held that, for the DPPA to apply, the initial disclosure of personal information must originate with your or your vendor’s request for personal information from the DMV’s databases. In other words, if the personal information doesn’t come from the DMV or a similar governmental entity, the DPPA isn’t relevant.
Matters become more complicated, though, when you remove that personal information from its MVR packaging in which it’s received. Many courts and governmental regulators have had the opportunity to decide the fate of personal information once plucked from its MVR origins, which they’ve expressed in rather touristy terms.
As one court put it, “[i]f the original source of the other government agency’s information is the state department of motor vehicles, the DPPA protects the information throughout its travels.” Similarly, the Minnesota Department of Administration said “the classification of the data ‘travels’ with the [personal information derived from an MVR].” I suppose you can take the personal information out of the MVR, but you can’t take the MVR out of the personal information.
Besides clearly gesturing toward these governmental employees’ desire to travel, these two quotations suggest that extracting personal information from an MVR, even if you later commingle that information with data from other sources, doesn’t extinguish that personal information’s DPPA protection. So, for example, placing personal information into a consumer report with non-DMV data, such as Uniform Commercial Code (UCC) filings, doesn’t cause FCRA to supplant the DPPA. If anything, the DPPA would add yet another compliance layer on top of FCRA.
Granted, a small handful of courts, specifically those from Connecticut and Arkansas, have apparently taken the opposite approach. For them, once MVR-derived information arrives at a state governmental agency other than the DMV, the DPPA and its state counterparts cease to apply. Basically, if these courts have their way, the DPPA’s protections and MVR-derived personal information won’t be inseparable travel companions anymore.
If this sounds promising, suppress your optimism for a moment. These courts’ legal analyses are easy enough to counter, and the majority of courts that have considered similar issues have reached the opposite conclusion, often through direct criticism of those courts. The most prudent course, it’d seem, would be to follow the majority approach and view this minority position as a small constellation of one-off holdings unworthy of being the foundation for important compliance and business decisions.
If we adopt the majority approach, then our once-tidy Basic Tessera Theorem starts to morph into an algebraic expression, with Personal Information, MVR, and DPPA Applicability as our constants and X as our variable representing information from other sources. The Advanced Tessera Theorem, you might call it. We can mathmetize it this way:
(Personal Information+ MVR) – MVR + X = DPPA Applicability
To solve this correctly, though, you’ll need to recall (gulp!) the order of operations’ first rule: solve the operation within the parentheses first; everything else, including addition and subtraction, comes afterward. That way, you know if the DPPA is relevant before looking at anything else in the algebraic expression, even if the MVR constant is later subtracted.
The upshot, then, is that whether we express DPPA applicability as a matter of addition or, to account for the introduction of non-DMV information, as a matter of algebra, the result is the same—the DPPA likely applies. This subtlety matters for two reasons.
First, the DPPA’s scope of protection differs from federal privacy laws like the Health Insurance Portability and Accountability, known more commonly as HIPAA, whose obligations essentially disappear the moment someone that isn’t a “covered entity” or “business associate” lawfully receives “protected health information” from such entities. By contrast, the DPPA’s protective cloak it drapes over MVR-derived personal information isn’t snatched away the moment that information is removed from its original MVR, no matter how far that personal information strays from the MVR it used to call home.
Second, it also contrasts with popular privacy and consumer laws like FCRA, which the Federal Trade Commission (FTC) has interpreted expansively. To illustrate, aside from data like credit header information, the FTC has said in one of its advisory letters that if a consumer reporting agency (CRA) uses a single database for servicing both FCRA and non-FCRA customers, FCRA applies not only to data provided to FCRA customers, but also all data in the database, regardless of whether a FCRA customer actually used those data.
In this respect, FCRA’s coverage is like a virus in a kindergarten classroom: if one child has it, you should plan on the rest of her classmates getting it, too. Far from a benign interpretation confined to the advisory letter’s addressee, this logic was later ostensibly the basis for at least one FTC enforcement action back in the 1990s. Since then, some plaintiff’s counsel have premised their FCRA claims on the FTC’s reasoning, as well.
However, the DPPA functions differently. For it, the comingling of DPPA-protected personal information with non-DPPA personal information doesn’t transform the non-DPPA information into DPPA-protected personal information, whether those data appear together in a consumer report or are stored in the same database. One court phrased it better when it held that the DPPA doesn’t “protect information derived from non-DMV sources even when that information is included in a record containing personal information obtained from DMV records.”
So if we return to our previous example of the consumer report, the MVR-derived personal information’s DPPA protection wouldn’t extend to the UCC filings. It stays contained within the MVR-derived personal information and never spreads to the variable X in our Advanced Tessera Theorem.
So what Congress created with the DPPA, not to mention the statutory and regulatory offspring it inspired among the states, is unlike many privacy and consumer protection laws you usually encounter when processing personal information. Its boundaries aren’t always apparent, and other more sprawling privacy laws can easily eclipse its importance. As a result, you can’t apply the same interpretive grids you’ve used for analyzing other previous privacy and consumer protection issues. You need a new compliance framework that’s just as dynamic as your business.
Our Basic and Advanced Tessera Theorems can be part of such frameworks. But if they’re going to work, we need to know how to identify “personal information.” The DPPA defines this term as “information that identifies an individual.” It then provides the following list of data elements that automatically constitute “personal information”:
This is not an exhaustive list. Some state statutes, state attorneys general, and courts have expanded this definition to include things like email addresses, tax identification numbers, truncated social security numbers, digital signatures, and even physical attributes. Hence, classifying data elements in an MVR as personal and non-personal information is hardly a mechanical, straightforward task.
That’s why we won’t spend time further parsing this definition here. What’s more important for our purposes is knowing what isn’t personal information when you’re reviewing an MVR. During this review, you’ll find things that, by themselves, probably don’t seem especially “personal,” such as accident information, equipment and moving violations, and even some criminal information in states that haven’t decriminalized certain traffic offenses.
The DPPA accounts for this by excluding the following information from the definition of “personal information”:
Some states, such as Montana, have expanded this exclusion to include information like a person’s registration status and a vehicle’s insurance status.
You might assume, then, that this non-personal information is basically a public record, available for whatever uses you have in mind. Granted, some state caselaw and a North Carolina attorney general opinion might provide support for that assumption in the public records context. But four reasons prevent us from treating this non-personal information like shared property in an anarchist commune.
First, the scope of these exclusions are unclear since the DPPA doesn’t define what constitutes, for instance, “information on driving violations.” This has triggered a handful of some pretty detailed interpretive jousts.
In an especially tedious case involving the interaction between the DPPA and Iowa Open Records Act, the court held that a list of people who received citations after an automated traffic enforcement camera captured them speeding wasn’t “information on driving violations.” The reason was that, interestingly enough, because the police didn’t report the citations to the Iowa Department of Transportation, the citations didn’t appear on people’s MVR. So these exclusions hardly facilitate a sure-footed reading.
Second, even if you are confident in your interpretation of these exclusions, some state versions of the DPPA might nonetheless protect all information that appears in a motor vehicle record, personal or not. Take Washington’s RCW 46.52.130, for instance. There, the statute announces its scope as covering “information contained in an abstract of a person’s driving record.” Although some new Washington regulations might provide additional obligations for personal information in driver abstracts, the statute doesn’t apply its protection selectively to personal information to the neglect of non-personal information. Its protection is total.
Third, state contracts your vendor must sign with certain DMVs might impose limitations on all data in an MVR. For example, a state contract might require your vendor to apply certain information safeguards to all MVRs in your possession, even if the DMV has redacted those records’ personal information. This could affect you directly if your vendor has flown obligations like these down to you in your customer contract.
Fourth, if you’re operating as a CRA, FCRA might restrict the kind of non-personal information you may disclose to customers. To illustrate, if you see a traffic offense in an MVR from a state that doesn’t consider such matters criminal and the offense is more than seven years old, FCRA says you generally may not publish that information as part of a consumer report to your customer. Whether the information is personal information under the DPPA is inconsequential.
The thrust here is that although non-personal information doesn’t necessarily figure into any of the Tessera Theorems, that doesn’t mean this information is always easy to classify or without restriction. So before you want to use this non-personal information, make sure you review applicable state law and vendor contracts, in addition to talking to your FCRA or privacy counsel.
Establishing when the DPPA might be an issue is only the first step, though. What flows next from the DPPA’s applicability is navigating the limited circumstances, often called “permissible purposes,” under which you may disclose MVR-derived personal information. Generally, a “permissible purpose” is a statutorily or regulatorily established reason that allows you to obtain, use, and disclose someone else’s MVR. Even though some DPPA permissible purposes are relatively clear in their application, they still seem to cause confusion for companies, especially in two situations.
First, as we’ve discussed in one of our previous blog posts, most states and the District of Columbia have enacted their own statutes or promulgated their own regulations that build on the foundation laid by the DPPA. Because the DPPA preempts only state statutes and regulations that offer a weaker level of protection, states are welcome to impose more stringent requirements.
Read more: 10 Steps to Begin Conquering State-by-State MVR Compliance
And so they have. In fact, statutes from states like Arkansas, Hawaii, and Washington hardly favor their federal parent. Consequently, the DPPA’s 14 permissible purposes don’t always comply with these stricter state laws and regulations, making a uniform nationwide approach to MVR compliance impossible.
Second, some companies, particularly those who operate as CRAs, believe that invoking one of FCRA’s permissible purposes under 15 U.S.C. § 1681b automatically fulfills whatever obligations the DPPA and similar laws might impose. This frequently arises with customers’ interpretation of “employment purposes” under FCRA, and the reason is understandable.
As Izzy McLean remarked in another blog post about FCRA, this permissible purpose “is perhaps not aptly named.” 15 U.S.C. § 1681b(h) gives “employment purposes” a broad definition, covering pre- and post-employment matters, essentially the whole lifecycle of someone’s employment. Despite some sparse caselaw to the contrary, the FTC has broadened this definition’s reach even further, interpreting “employment purposes” to contemplate “individuals who are not technically employees,” such as independent contractors and volunteers. Inaptly named, indeed.
But the DPPA has no exact linguistic counterpart to 15 U.S.C. § 1681b(h), though, really, you can likely achieve comparable coverage with 18 U.S.C. §§ 2721(b)(3), (9), and (13). The states have made this even more flummoxing by sometimes dramatically modifying their versions of the DPPA. RCW 46.52.130(2)(b), (c), and (k), for instance, lists “employment,” “volunteer organizations,” and “transportation network companies” as separate permissible purposes, each with different compliance obligations.
That means that, unlike the FTC’s interpretation of FCRA, RCW 46.52.130 has distinct purposes for employment, volunteers, and independent contractors, not just one. Therefore, being conversant with only FCRA won’t automatically carry you through MVR compliance. They’re distinct compliance obligations.
All these semantics can matter if you’re sued under one of these state laws or if a state DMV requires your vendor to audit the purposes under which you’re obtaining MVRs from that state. In the latter case, an audit finding could jeopardize your ability to obtain the MVRs you need to maintain revenue.
If you aren’t tracking which of these federal and state permissible purposes you’re using to justify your receipt and disclosure of MVRs, you’ll cause record-keeping glitches when trying to account for your disclosures to customers.
Under the DPPA, if you want to disclose an MVR to a customer, you have to keep records that include at least the following:
Not only that, but you must keep these records for five years from the date you disclosed the MVR and make them available for the DMVs’ inspection if requested. This information will be key audit evidence in the DMVs’ and, at their direction, your vendor’s efforts to police downstream processing of MVRs.
But this federal mandate is only the minimum standard of compliance. As with permissible purposes, some states have exceeded that standard by adding other items that must appear in your records. For example, the Montana Driver Privacy Protection Act requires you to keep the following information:
That’s three more items than the DPPA demands. So if you’re disclosing Montana MVRs to a customer, your records must contain this information. Relying solely on the DPPA’s record-keeping items or record-keeping obligations under other statutes like FCRA aren’t sufficient.
While the DPPA and its state versions don’t provide a private right of action for violating the record-keeping provisions—and, for what it’s worth, courts are typically unwilling to imply a right of action where the statutory violation involves only a record-keeping provision—these records are often audit evidence for your vendor and state regulators. If something is amiss with that information, it could result in audit findings, a subsequent corrective action plan, and even account suspension or termination, none of which are good for trade.
But let’s not even arrive at that point of noncompliance with MVRs. Let’s take a proactive approach to MVR compliance by giving the Basic and Advanced Tessera Theorems a try. For even better results, you could pair it with our 10-step MVR compliance gauge. It’s our gift to you, and it can be your gift to yourself.
After all, every day you don’t know whether the DPPA and its state analogues apply to your services is another day you might be enlarging your litigation portfolio and imperiling your access to data vendors you need. As DMVs and other state regulators are increasing, not decreasing, the frequency of their audits of vendors and their customers, compliance gaps in your operations have never been more likely to surface.
It’s a worrying prospect, but our penchant for systematizing all things MVR has served our customers well. We do this because we know that our customers are busy and that MVR compliance is one more commitment on their already demanding schedule. Let Tessera’s decades of experience with MVR compliance make it quick and easy for you.
If you want to work with a skilled MVR vendor, contact us to get started.
In this blog post, Tessera isn’t giving you any legal advice, creating an attorney-client relationship between you and its legal counsel, or suggesting that this blog’s treatment of motor vehicle record privacy is comprehensive. If you’d like more comprehensive legal advice on the material in this blog post, we recommend that you consult your own legal counsel.