Twenty-Five-Year-Old Privacy Law is Being Used to Target Public Entities in Civil Lawsuits
By Patrick Kasson and Tom Spyker, attorneys at Reminger Co., LPA
More and more, public entities are becoming the target of privacy-based lawsuits. A little-known federal law, the Driver’s Privacy Protection Act (“DPPA”) is being used to pursue these actions. In courts across the country, routine municipal activities are being challenged under the DPPA.
There is a common thread to these lawsuits. In each case the plaintiff alleged that records obtained from a State’s department of motor vehicles (“DMV”) were improperly obtained or used. In recent years these suits have been on the rise.
What is the DPPA?
If this is your first time reading about the DPPA, you are not alone. Despite this law’s high-profile origin, many people today – even most attorneys – are unfamiliar with the DPPA and the liability exposure it creates. The law was enacted to address a troubling trend—States selling motor vehicle records containing personal information.
The protected information includes an individual’s photograph, Social Security number, driver’s license number, name, address (but not the five-digit zip code), telephone number, and medical or disability information.
Third-party liability exposure under the DPPA
The DPPA also governs third parties that use DMV records. Under the “Additional Acts” provision of the DPPA, it is unlawful “for any person knowingly to obtain or disclose personal information, from a motor vehicle record,” unless it is for a purpose permitted under the DPPA.
Under the DPPA, protected personal information may only be obtained or disclosed for one of the fourteen “permissible uses” outlined in the statute. Two of these uses directly relate to public entities, (1) the DPPA grants broad, general usage to any government agency in carrying out its functions; and (2) use is permitted when connected to any civil, criminal, administrative, or arbitral proceeding in state or local court.
Under the statue, when a person’s information is obtained or used for a non-permissible purpose that person can recover:
· Any actual damages caused by the disclosure;
· Liquidated damages of $2,500.00(per each non-permissible use);
· Punitive damages;
· Reasonable attorney’s fees; and
· Injunctive relief.
Under this scheme, even minor disclosures can result in large awards.
Public Record Requests and the DPPA
Case law in this area is still developing, but one area to watch is public records requests. Numerous courts have found that responding to a public records request is not a permissible use under the DPPA.
If a public records request includes DMV records held by your entity, for whatever reason, it would be a prudent precaution to redact any DPPA protected personal information before producing the record. But remember, the DPPA only offers this protection to DMV records—it does not create a broader obligation to protect that same information in other records not obtained from a State DMV.
For example, when hiring a new employee, a township may require two documents, (1) a general application, and (2) a certified driving record from the DMV. The applicant’s name and address would appear on both documents – but the DPPA only protects this information on the driving record, not the application. In responding to a public records request, a best practice would be to redact protected information from the driving record, even though some of that same information appears unredacted in the application.
Best Practice: Be cautious with DMV records
As DPPA civil suits continue to rise, courts’ application of the law is quickly developing. As this area of law develops, it is best to handle these records with an abundance of caution. Public entities should identify which records they maintain that could qualify for protection under the DPPA. These could include: driving record print outs, copies of driver’s licenses, and motor vehicle registration forms. When handling these records, proceed with caution and redact any protected information prior to producing to the public.
Pat Kasson and Tom Spyker practice out of Reminger’s Columbus office representing public entities in a wide variety of matters. They recently defended a pool member from a DPPA claim and obtained summary judgment in the member’s favor. If you have questions about the DPPA, Pat and Tom can be reached at 614-228-1311.