Driver’s License Data Sold by Third Party Not Protected

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jimmy H. Koo

A person’s name, address, and driver’s license number— as scanned or written down by police from a license handed over by a driver— isn’t subject to a federal law limiting the sharing of motor vehicle record data, a federal trial court held recently ( Whitaker v. Appriss, Inc. , 2017 BL 249900, N.D. Ind., No. 3:13-cv-826, 7/18/17 ).

The ruling provides companies that contract with states to process data, including driver’s license numbers, a means to escape federal privacy liability if the driver’s license information isn’t collected from state databases.

Appriss Inc., a company hired by the Indiana State Police to process vehicle crash records, isn’t prohibited by the federal Driver’s Privacy Protection Act (DPPA) from selling driver’s license and contact information to chiropractors and personal injury law firms, the U.S. District Court for the Northern District of Indiana held July 18.

The DPPA prohibits state motor vehicle departments from disclosing personal information contained in a “motor vehicle record”—except for uses explicitly allowed in the statute, including use by any government agency “in carrying out its functions.”

But a driver’s license is the motor vehicle operator’s permit, not a relevant motor vehicle record, Judge Robert L. Miller said, granting Appriss summary judgment on class DPPA claims.

Decisive Factor

According to the class complaint, the state police contracted with Appriss to maintain a uniform accident report system. Police officers had two options to populate Indiana’s standard crash report with drivers’ personal information: manually type in the information or use a handheld device to scan bar codes on the backs of driver’s licenses. The bar-code method never accessed the state Bureau of Motor Vehicles’ driver database; it only obtained information encoded in the bar codes.

Appriss made completed crash reports available for a fee, and remitted a portion of the fees to the state police, the court said. Plaintiffs alleged that Appriss violated the DPPA by disclosing their information in the accident reports to third-party businesses that used the information to solicit drivers involved in crashes without their consent. Appriss moved for summary judgment. The court said that, although an accident report isn’t a motor vehicle record, a disclosure of personal information obtained by and from a state motor vehicles department may violate the DPPA. The decisive factor is whether the police officer obtained the driver’s license from the department or—as in the case here—from the plaintiffs themselves, it said.

“When the holder of a driver’s license hands over her personal information to an entity other than a DMV, even when that information is printed onto a driver’s license, the DPPA doesn’t protect it,” the court concluded.

It rejected the plaintiffs’ argument that Indiana’s law requires disclosure of a driver’s license to the police after an accident, and that they didn’t disclose it voluntarily.

Attorneys for the plaintiffs and Appriss didn’t immediately respond to Bloomberg BNA’s requests for comment.

Dicello Levitt & Casey LLC and Starr Austen & Miller LLP represented the plaintiffs. DLA Piper LLP (US) and Pence & Ogburn PLLC represented Appriss.

To contact the reporter on this story: Jimmy H. Koo in Washington at jkoo@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

For More Information

Full text of the court's opinion is available at http://src.bna.com/qXD.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security