You’ve seen these kinds of provisions before, the ones that say “you must comply with applicable federal and state laws, including the Driver’s Privacy Protection Act (DPPA) and its state equivalents.” If you were the one tasked with reviewing these, you might have occasionally paused over “Driver’s Privacy Protection Act (DPPA) and its state equivalents.” How different can these state laws be from the federal law?
Pretty different, it turns out. Although many states have patterned their state motor vehicle record (MVR) privacy statutes and regulations on the federal DPPA, others barely resemble their federal counterpart. In reality, MVR compliance is a labyrinth of federal statutes, state statutes and regulations, and state and vendor contracts.
So what might have initially seemed like something straightforward starts to look like a frat house: Cluttered with impedimenta and stuffed with gross surprises concealed in crevices. How different they can be from the federal DPPA, indeed.
That’s why you need a solid compliance approach to help you navigate this labyrinth. Thanks to Tessera’s nearly 40 years of experience in MVRs, we’re used to guiding people through these twists and turns and making sense of the clutter.
One way we do this is by using our crack compliance team, which thinks of MVR compliance as a geologist thinks of the Earth’s layers. The Earth, you might recall, has four main layers—the inner core, outer core, mantle, and crust. As with planetary geology, so with MVR compliance: It has four layers of regulation, with each one representing a different set of compliance obligations.
The Risks of Noncompliance
Understanding these layers is important for any business relying on MVRs. Without that knowledge, compliance mistakes could harm your business in the following ways:
- Interruptions in service
- Reputational damage
- Customer churn
- Data subject complaints to regulators or self-regulatory bodies
- Vendor- or state-imposed remediation
- Account suspension or termination
- Placement on a DMV’s blacklist
- Invasive vendor- or state-conducted audits
- Federal and state criminal liabilities
- Enforcement actions by state attorneys general or other state regulators
- Contractual and tort liabilities to your vendor
- Contractual and tort liabilities to your customers
- Single-plaintiff or class-action liability for violations of federal and state law
These aren’t remote, abstract possibilities, either. States, for instance, have imposed year long suspensions on companies for noncompliance, which become matters of public record. Think of the goodwill you’d lose during that time, not to mention the lost revenue.
With a list of business risks the length of the negative side effects you’d hear at the end of a pharmaceutical commercial, you need to know how to conquer each compliance layer, and fast.
To that end, let’s give you a sense of how Tessera views MVR compliance. We’ll show you how these compliance layers, if considered properly, can fit together as snuggly as the parts of a Russian nesting doll.
The Inner Core: The Federal DPPA
At the core is the federal DPPA, the foundational law for MVR compliance. Some legal subtleties aside, it applies whenever you obtain, use, or disclose an MVR containing personal information or personal information derived from an MVR. So when we talk about “MVRs” here, we mean MVRs that include personal information.
If the federal DPPA applies, it exempts such MVRs from states’ public records laws. This is a laudable legislative accomplishment because, back in the early 1990s, over 30 states considered MVRs no different from property records or any other kind of public records. You could basically walk into a department of motor vehicles (DMV) demanding someone else’s MVR for “it’s none of your business,” and all the desk clerk would ask is, “Cash or credit, well-intentioned sir?”
Now, the federal DPPA generally prohibits DMVs and similar governmental agencies from disclosing your MVR except in a limited set of circumstances, often called “permissible purposes.” Many of these permissible purposes are pretty intuitive.
For instance, it makes sense that an employer may obtain its employees’ commercial driver’s license information to comply with the federal Commercial Motor Vehicle Safety Act. After all, although Congress wanted to protect people’s privacy, it didn’t want to obstruct law enforcement and legitimate business practices like these.
The Outer Core: State Versions of the Federal DPPA
At the outer core, you’ll find that most states have their own version of the federal DPPA, either as a statute or regulation. A few states, such as Pennsylvania and Washington, have created laws and regulations that are more stringent than the federal DPPA, usually by narrowing the circumstances under which someone may obtain another person’s MVR. The states are free to enact such laws since the federal DPPA establishes only a minimum standard that the states may exceed.
While stricter state laws and regulations might be permissible, it doesn’t make your business’s tasks any simpler when trying to chart where the federal and state laws and regulations align and where they diverge. Closer inspection, though, reveals that states typically follow one of five general approaches when creating these state laws and regulations:
- Mirroring
- Gap Filling
- Substitution
- Addition
- Deletion
We’ll discuss each of these approaches.
1. Mirroring
Most states have chosen to mirror at least one of the permissible purposes as they appear in the federal DPPA. To illustrate, the majority of states have codified some form of 18 U.S.C. §§ 2721(b)(1), (6), (9), and (13). We call this practice “partial mirroring.”
Other states, though, have decided to copy the federal DPPA completely or otherwise let it serve as the default standard for MVR compliance. The result is that DMVs in states such as Florida, Maine, and Wyoming will disclose MVRs under the same permissible purposes as the federal DPPA. We call this “total mirroring,” which typically comes in three varieties:
- True Mirrors: A state enacts a law or promulgates a regulation that, apart from maybe some minor linguistic differences and legal technicalities, is the same as the federal DPPA.
- Cross-Reference Mirrors: A state enacts a law merely announcing that the state will disclose MVRs only in accordance with the federal DPPA.
- Default Mirrors: A state decides not to create its own counterpart to the federal DPPA, instead opting for the federal DPPA to operate as a default rule.
Regardless of whether a state has engaged in total or partial mirroring, it still might interpret a federal permissible purpose differently from other states with that same purpose. So before invoking a federal permissible purpose to apply across all partial- or total-mirroring states, you should review those states’ caselaw, attorney general opinions, DMV policies and memoranda, and other interpretations of that purpose to make sure they encompass your use case.
2. Gap Filling
Since the federal DPPA is hardly comprehensive, some states and the District of Columbia have chosen to address issues not covered in the federal DPPA. For example, the federal DPPA doesn’t tell us what “legitimate business” means when the term appears in 18 U.S.C. § 2721(b)(3).
The Oregon Department of Transportation, though, decided to fill this gap by promulgating a regulation that defined “legitimate business” as “a lawful business enterprise operating in compliance with federal, state and local law.” Presumably, this means the Oregon Department of Transportation may not disclose Oregon MVRs to someone working at, say, www.identitytheives.com under Oregon’s version of 18 U.S.C. § 2721(b)(3). (That domain name is actually available for purchase at the time of writing, by the way.)
3. Substitution
A few states keep most of the federal DPPA’s language but substitute different terms. Take New Mexico, for example. It codified 18 U.S.C. § 2721(b)(3) almost to the letter. But unlike the federal DPPA, the New Mexico Legislature replaced “legitimate business” in that provision with the following entities:
- An insured state-chartered or federally chartered credit union
- An insured state or national bank
- An insured state or federal savings and loan association
- An insured savings bank
As a result, only these kinds of financial institutions may use New Mexico MVRs for activities described in 18 U.S.C. § 2721(b)(3). So companies that are relying on this permissible purpose for their nationwide obtainment, use, or disclosure of MVRs should consider whether they would still qualify to obtain MVRs under New Mexico’s version of this permissible purpose. Otherwise, they might need to find a different purpose under the New Mexico statute.
4. Addition
A few states have included permissible purposes that don’t explicitly appear in the federal DPPA. To illustrate, rather than rely on one of the more elastic federal permissible purposes to cover rental car agencies, Arkansas, Michigan, and Virginia added a purpose just for these businesses.
In this respect, additions can be the most helpful of the state approaches since they often enhance clarity and reduce time normally spent interpreting whether a broadly worded federal permissible purpose, such as 18 U.S.C. § 2721(b)(3), encompasses a particular use case.
5. Deletion
Deletion is one of the most common approaches among the states and the District of Columbia. Several of them have decided not to codify various federal permissible purposes. Here’s a rough breakdown* of which federal permissible purposes are the frequent victims of state legislators’ erasers.
So you see that deletion is a popular approach, with most states discarding at least a few of the federal permissible purposes. Examples here include Delaware, Illinois, Montana, North Carolina, and Texas. We call this practice “light deletion.”
Others like Pennsylvania, however, used the delete key so extensively that their statutes and regulations hardly resemble the federal DPPA. Of those, an even smaller number of states, such as Arkansas, Hawaii, and Washington, differ even more significantly, often because their statutes predate the federal DPPA. We call both cases of such deletion “hard deletion.”
With such varying approaches, MVR compliance among the states is as diverse as the states themselves. But regardless of how a state crafts its statutes or regulations, you should carefully determine if you have a permissible purpose covering your use case in each jurisdiction from which you’re obtaining MVRs.
If a jurisdiction has deleted your desired purpose, you’ll need to search for a different one that could apply. That’s when additions such as those we discussed for car rentals businesses become essential. Without such additions, though, you might have to find an alternative type of data, such as traffic court data or other types of public records, to fulfill your purposes.
The Mantle: State Contracts
We now arrive at the mantle, where you’ll find contracts your vendor has with the DMVs in all 50 states and the District of Columbia. To receive MVRs electronically from a particular state DMV, your vendor must complete an application and, if approved, establish a contract with that DMV. This documentation will often require the vendor to select all the permissible purposes under which it wants to obtain MVRs.
But choosing a permissible purpose here isn’t like picking your sandwich toppings at your local deli. Vendors usually must select from a truncated list of state permissible purposes. 18 U.S.C. §§ 2721(b)(1), (11), and (12) are frequent victims of such exclusion. So even if a state legislature codified a particular permissible purpose, the DMV’s documentation might not list it as a selectable option.
Once a vendor has picked an available permissible purpose, it has to receive the DMV’s approval for it, and getting that approval isn’t certain. All told, it’s a maddening process that’s not for the impatient.
The Crust: Vendor Contracts
This is why your vendor contracts, which represent the crust of MVR compliance, might require you to choose a specific permissible purpose for certain states. As the DMVs see it, you may obtain MVRs only for the permissible purpose for which your vendor was approved.
Obtaining MVRs for other reasons, even if allowed under the state or federal versions of the DPPA, could subject you to audits from your vendor and even state regulators. Worse, your vendor might suspend or terminate your access to MVRs or sue you for breaching your vendor contract or misrepresenting your purpose.
10 Steps to Gauge Your Compliance
Because of this vortex of challenges, you should have a comprehensive, systematic approach to your MVR compliance. So before you accidentally disclose MVRs to the swindlers at www.identitytheives.com, pause to gauge your current MVR compliance and identify areas of opportunity with these 10 steps:
Step 1: Catalog your current use cases for data from your vendor.
Step 2: Determine whether any of those data are MVRs or MVR-derived personal information.
Step 3: If you’re using MVRs or MVR-derived personal information, identify the permissible purposes in the federal DPPA that could apply to your use cases.
Step 4: Identify from which states you’re obtaining MVRs or MVR-derived personal information.
Step 5: Determine whether those states’ statutes and regulations have the same permissible purposes as the ones you identified in your federal DPPA analysis. To aid your analysis, look for total or partial mirrors, gap fillers, substitutions, additions, and light and hard deletions.
Step 6: If they do have those permissible purposes, determine whether those states interpret them to cover your use case.
Step 7: If any of these states don’t have the same permissible purposes or interpret them in ways that don’t cover your use cases, see if alternative permissible purposes could apply. If you don’t see such alternative permissible purposes, try to find comparable data that aren’t MVRs or MVR-derived personal information.
Step 8: If federal and state laws and regulations cover your use cases, review your vendor contract and accompanying documentation to see which permissible purposes you’ve been approved for.
Step 9: If you don’t see the permissible purposes you need, ask your vendor if it’s eligible to obtain MVRs or MVR-derived personal information under that purpose.
Step 10: If your vendor is eligible, request its approval for that purpose.
Tessera as the Next Step
Sure, you could perform this analysis yourself. Or you could use a vendor like Tessera, which has a niche aptitude for MVRs and MVR-related services, such as our Driver History. As you’ve seen, we drill through the layers for our customers so companies like yours have the access to data they need.*
While we can’t give you specific legal advice, we’re available to consult with you on helping you find which permissible purpose might be appropriate for your use case. If you’re ready to work with a seasoned MVR vendor, contact us to get started with Tessera.
* This breakdown is only a thumbnail sketch of state trends for implementing (or not implementing) federal DPPA permissible purposes. In classifying these state approaches for this bar graph, our classifications likely involved some measure of subjective analysis. For example, some people might disagree on whether to classify certain state’s treatment of 18 U.S.C. §§ 2721(b)(1) and (14) as instances of substitution, addition, or deletion. If you want a more precise account of these trends, we recommend that you consult your own counsel.
*In this blog post, Tessera isn’t giving you any legal advice, creating an attorney-client relationship between you and its legal counsel, or suggesting that this blog’s treatment of motor vehicle record privacy is comprehensive. If you’d like more comprehensive legal advice on the material in this blog post, we recommend that you consult your own legal counsel. We also aren’t claiming or implying that Tessera is approved or will be able to receive approval for every permissible purpose under the laws and regulations discussed in this blog. We cannot control what permissible purposes states offer or approve.
