Carfax, Inc. faced an early loss in a closely-watched privacy case under the federal Driver’s Privacy Protection Act (DPPA), after a judge in Maryland refused to throw out a proposed class action alleging the company sold drivers’ personal information sourced from crash and vehicle records. The plaintiff alleges that Carfax obtained his DPPA-protected personal information from a crash report tied to a 2023 auto accident and then sold that data to third parties. He claims this happened without his consent and without Carfax ensuring that downstream recipients were entitled to receive the information under the DPPA.

On Monday, Judge Julie R. Rubin of the U.S. District Court for the District of Maryland denied Carfax’s motion to dismiss. The court held that the plaintiff plausibly alleged Carfax obtained and sold his DPPA-protected information for an impermissible purpose under the statute. Importantly, Judge Rubin signaled that this is not the final word on the merits. She denied the motion to dismiss without foreclosing Carfax from reasserting its arguments later. The company can renew its legal challenges at summary judgment, once there is a “full record” showing how the crash report was actually prepared and handled.

Carfax argued that the crash report at issue was not covered by the DPPA because it was obtained from a police department, not from a department of motor vehicles. The plaintiff responded that the report should still qualify as a covered “motor vehicle record” because it was generated by the Maryland Motor Vehicle Administration before being provided to police. Judge Rubin acknowledged that the case law is mixed on this issue, and she described Carfax’s argument as “well-taken” and raising “serious questions (if not doubts)” about the plaintiff’s ability to ultimately prevail. Still, she concluded the uncertainty in the law did not justify dismissal at the pleading stage, especially without a developed factual record clarifying the report’s creation and flow. Carfax also argued that the plaintiff’s claim that Carfax lacked a permissible purpose was too conclusory. Judge Rubin agreed the allegations “could certainly be more robust,” but found them sufficient when considered alongside the allegations about Carfax’s business model and practices. The complaint, as described, alleges Carfax collects and sells vehicle history and accident data from thousands of sources and markets access to a database of more than 1.5 million police reports. At this stage, that context helped bridge the gap between “possible” and “plausible.”

This ruling is a reminder of a practical reality in privacy class actions. Motions to dismiss often fail when the dispute turns on how data was sourced, processed, and sold, since those details frequently sit with the defendant and emerge in discovery. For companies that traffic in large-scale driver and crash datasets, the opinion also highlights two recurring DPPA pressure points: (1) whether a document is a covered “motor vehicle record” can depend on provenance and process, not just where a defendant says it got the record; and (2) even if a company claims a DPPA-compliant use, plaintiffs may survive early dismissal by alleging the seller did not verify that purchasers were entitled to receive the data.