DPPA (Driver's Privacy Protection Act)
The Driver's Privacy Protection Act (DPPA), 18 USC §2721, is the federal statute that restricts who may obtain personal information from a state Department of Motor Vehicles. It requires a permissible purpose for any release of a motor vehicle record (MVR) or driver record.
What it is
DPPA was passed in 1994 after the murder of actress Rebecca Schaeffer, whose stalker had obtained her home address from the California DMV. The statute makes it unlawful for a state DMV to disclose personal information from a motor vehicle record except for one of fourteen enumerated permissible purposes - including use by employers to verify CDL information (§2721(b)(9)), use by insurance companies, use in legal proceedings, and use with the express written consent of the driver (§2721(b)(13)). Civil penalties for unauthorized release run up to $2,500 per disclosure, plus actual damages and attorneys' fees.
How it applies
For carriers, the operative permissible purposes are §2721(b)(9) - verifying employment-related driver records - and §2721(b)(13) - the driver's express written consent. A reputable MVR provider will require attestation of permissible purpose before processing the order, and many also require the driver's signed consent to be on file. A pull without a permissible purpose is technically illegal even if no one notices; if the driver later complains or sues, DPPA damages stack with FCRA damages and any state-law privacy damages.
Why it matters
DPPA compliance is the legal backbone of every legitimate MVR pull. It is also why no reputable provider lets a member of the general public buy an MVR on someone else without paperwork - the chain of permission has to be traceable. Carriers should keep the signed driver consent in the DQ File alongside the MVR itself.