Plaintiffs' Bar Files More Lawsuits Under Driver’s Privacy Protection Act

3 min readSources: National Law Review

Lawsuits invoking the Driver’s Privacy Protection Act are rising, targeting misuse of driver data.

Why it matters: As vehicle-related data becomes more regulated, legal and compliance teams must navigate increasing privacy enforcement risks around DMV information and automated license plate readers.

  • The DPPA was enacted in 1994 after a high-profile misuse of DMV data led to a murder.
  • Since 2020, there’s a notable rise in DPPA litigation focusing on commercial use of license plate reader data.
  • In 2024, multiple class actions targeted parking companies using DMV data for issuing citations outside permissible DPPA uses.
  • Seven states passed new privacy laws in 2024, totaling 20 states with comprehensive privacy regulations affecting data practices.

The Driver's Privacy Protection Act (DPPA), enacted in 1994 after actress Rebecca Schaeffer was murdered due to unauthorized DMV data disclosure, prohibits the release of personal information from motor vehicle records except under 14 specific permitted uses. Violations carry statutory penalties starting at $2,500 per incident.

Since 2020, the legal landscape has seen a surge in DPPA lawsuits, primarily targeting the commercial use of Automated License Plate Readers (ALPRs). These devices collect and use license plate data, which has become a focal point for privacy claims. In 2024 alone, plaintiffs' class action lawyers have filed numerous lawsuits against parking management companies that used DMV data to send parking citations—alleging these activities fall outside the DPPA's "normal course of business" exception.

Kelly DeMarchis Bastide and Roy Auh highlight in their analysis that these lawsuits reflect a growing interest in privacy of vehicle-related data, including telematics and geolocation. They also note that plaintiffs’ bar may exploit older laws like the DPPA by asserting novel legal positions, increasing privacy litigation risk.

The broader context includes a sharp increase in privacy lawsuits broadly: nearly 4,000 online privacy-related suits were filed in 2024 compared to just over 200 in 2023. Seven states enacted new comprehensive privacy laws in 2024, raising the total to 20 states with such regulations. These developments signal heightened regulatory and litigation pressures on how vehicle and driver data are handled.

Separately, government surveillance programs have expanded the use of license plate readers to monitor travel patterns—raising further privacy and Fourth Amendment concerns as reported by AP News. Advocacy groups criticize these programs, emphasizing that such surveillance "does not make communities safer."

Given the evolving risks and legal scrutiny, corporations and legal counsel should critically assess their compliance frameworks for handling DMV and vehicle-related data to mitigate potential litigation and regulatory penalties.

By the numbers:

  • $2,500 — statutory penalty per DPPA violation
  • 7 states — passed comprehensive privacy laws in 2024, totaling 20 states
  • 4,000 — online privacy-related lawsuits filed in 2024, up from 200+ in 2023

What's next: Watch for continued DPPA litigation around ALPR data and evolving state privacy laws through 2026.