# DPPA & FCRA Driver Consent: What the Law Requires (with Sample Language)

- Canonical: https://www.fastdriverscreening.com/guides/dppa-driver-consent
- Category: Compliance
- Published: 2026-04-15
- Updated: 2026-05-01
- Read time: 8 min

## TL;DR

> Pulling an MVR or CDLIS check without the driver's signed written consent is a federal violation under the DPPA (18 USC §2721) and the FCRA (15 USC §1681b). Get the consent form right once and you can reuse it on every driver — sample language included.

## Key takeaways

- DPPA §2721(b)(9) lets carriers pull an MVR on a CDL holder for §391.23/§391.25 purposes; §2721(b)(2) covers non-CDL commercial drivers.
- FCRA §1681b(b)(2) requires a stand-alone, clear-and-conspicuous written disclosure plus written authorization before pulling a "consumer report" for employment.
- A single consent document drafted to satisfy both statutes is the practical solution; it must be stand-alone (not buried in the application) and signed by the driver.
- DPPA §2724 penalties start at $2,500 per violation; FCRA §1681n adds $100–$1,000 per willful violation plus actual damages and attorney's fees.
- Retain the signed consent in the §391.51 file for the duration of employment plus three years.

## Cited entities

- Driver's Privacy Protection Act (18 USC §2721) (https://www.law.cornell.edu/uscode/text/18/2721)
- Fair Credit Reporting Act (15 USC §1681) (https://www.law.cornell.edu/uscode/text/15/1681)
- 49 CFR §391.23 (https://www.ecfr.gov/current/title-49/section-391.23)
- 49 CFR §391.25 (https://www.ecfr.gov/current/title-49/section-391.25)
- 49 CFR §391.51 (https://www.ecfr.gov/current/title-49/section-391.51)
- Motor Vehicle Record (MVR)
- Commercial Driver's License Information System (CDLIS)

## Excerpt

Pulling a [Motor Vehicle Record](/glossary/mvr) on a commercial driver without first obtaining the driver's signed written consent is a federal civil violation.
The consent requirement comes from two overlapping laws that govern, separately, the DMV record itself and its use for employment screening: the [Driver's Privacy Protection Act (DPPA)](/glossary/dppa) at 18 USC §§2721–2725, and the [Fair Credit Reporting Act (FCRA)](/glossary/fcra) at 15 USC §1681. Each law has independent requirements, each carries independent penalties, and each is enforceable in private civil litigation by the driver whose record was pulled.

The fix is straightforward: a clean, dated, signed consent on file before the pull. Get the form right once and you can reuse it on every driver.

This guide explains what each law requires, where the requirements overlap and where they diverge, and shows what compliant consent language looks like. Use it as a reference when you build your DQ file template.

## The Driver's Privacy Protection Act (DPPA)

The DPPA is the federal law that governs DMV records as a category. It was enacted in 1994 and has been amended several times since.

> 18 USC §2721(a) — A State department of motor vehicles, and any officer, employee, or contractor thereof, shall not knowingly disclose or otherwise make available to any person or entity personal information, as defined in 18 USC §2725(3), about any individual obtained by the department in connection with a motor vehicle record, except as provided in subsection (b) of this section.

The general rule: DMV records are private, and the state cannot release them, period. The exceptions in §2721(b) are what allow employer screening:

> 18 USC §2721(b)(2) — For use in connection with matters of motor vehicle or driver safety and theft; motor vehicle emissions; motor vehicle product alterations, recalls, or advisories; performance monitoring of motor vehicles, motor vehicle parts and dealers; motor vehicle market research a [...truncated — read full article at canonical link above.]

Full article: https://www.fastdriverscreening.com/guides/dppa-driver-consent