The Court of Appeals for the Second Circuit ruled today in Gordon v. Softech that under the Driver Privacy Protection Act data brokers may be liable for the use of personal information that they obtain from DMVs and then sell to others. "Based on the language of the statute, its structure, and its legislative history, we conclude that the DPPA imposes a duty on resellers to exercise reasonable care in responding to requests for personal information drawn from motor vehicle records," the federal appeals court announced. The court cited the sensitivity of the personal information available through motor vehicle records, including social security numbers, medical or disability information, and home addresses. In reversing the decision of the lower court, the appeals court said It is not enough for a reseller to simply provide a "drop down list" of permissible purposes. EPIC filed an amicus brief arguing that strict liability was necessary to ensure that resellers take adequate precautions to avoid impermissible downstream uses of sensitive personal data that individuals are required to provide to obtain a drivers license. The court essentially adopted a position between the lower court decision and the position urged by EPIC. For more information, see EPIC: Gordon v. Softech Int'l, Inc.
EPIC relies on support from individual donors to pursue our work.
Subscribe to the EPIC Alert
The EPIC Alert is a by-monthly newsletter highlighting emerging privacy issues.