A class action filed this month alleges that car warranty company NRRM LLC used information obtained from Department of Motor Vehicles (“DMV”) records to market to consumers in violation of the Driver’s Privacy Protection Act (“DPPA”).

The complaint alleges that NRRM’s third-party data suppliers provide it with personal information about drivers and their cars that they receive from state DMVs. NRRM then markets automobile service and repair warranties to these drivers using this information.

The DPPA restricts the uses that can be made of personal information derived from motor vehicle records. Permissible uses include use in the normal course of business by a legitimate business, but only to verify the accuracy of personal information or to correct information. Such information can also be used when written consent of the individual is provided, among other exceptions. The alleged advertising at the core of this lawsuit would not have fallen within any of the DPPA’s exceptions.

Takeaway: When using consumer information to target advertising, advertisers should always ask how the information was obtained and where it came from. Importantly, in the case of the DPPA, even if an advertiser itself did not obtain personal information from motor vehicle records, it can still be held accountable for prohibited uses if its third-party data supplier did.