The Business Model: Buying Your Record, Selling Your Address

Carfax built its reputation on a simple promise: know the history of the car before you buy it. That reputation earned the company a position of trust in the lives of ordinary Americans. When you got into an accident, you thought the police report existed for insurance purposes, for the officer’s paperwork, for official government functions. You did not think it was becoming inventory in a commercial database to be bought and sold for profit.

The federal complaint filed in the U.S. District Court for the District of Maryland lays out a picture that should make anyone who has ever been in an accident in the United States deeply uncomfortable. Carfax has assembled a national database built from data collected across more than 139,000 sources, including the Department of Motor Vehicles for every U.S. state and the District of Columbia, plus more than 5,000 police departments. Within that database sit more than 1.5 million police accident reports. Each report contains information like your name, your home address, your driver identification number, and potentially your medical information, all fields that federal law classifies as protected “personal information” under the Driver’s Privacy Protection Act.

The mechanism Carfax allegedly used to monetize this data is direct. The complaint alleges Carfax purchased crash reports directly from law enforcement agencies, then turned around and offered those same reports for sale on websites including www.crashdocs.org and www.CarfaxForClaims.com. No one asked you. No one told you. The sale happened, and your home address potentially traveled from a police department database to an unknown buyer’s screen without your consent.

Plaintiff Benjamin Lucas is a resident of Prince George’s County, Maryland. On December 4, 2023, he was involved in a motor vehicle accident. After the crash, an investigating law enforcement officer used Lucas’s driver’s license and vehicle registration to collect his driver identification number and residential address. Those records were transmitted to the Maryland Motor Vehicle Administration for the creation of an official Crash Report. That report was then transmitted back to the investigating officer’s agency, where, the complaint alleges, Carfax purchased it and subsequently sold it and its contents to third parties.

Lucas is one person. The class he seeks to represent is everyone in the United States whose records were treated the same way within the last four years. Given that Carfax’s own database holds 1.5 million police reports, the population potentially affected is enormous.

The Non-Financial Ledger: What $2,500 Can’t Measure

There is a specific reason Congress passed the Driver’s Privacy Protection Act in 1993. It was not an abstract policy decision about data governance. It was a direct response to a murder. Actress Rebecca Schaeffer was shot and killed at her own front door by a stalker who had obtained her home address from the California Department of Motor Vehicles. Her killer used a legal channel, a licensed private investigator, to pull a document that contained the one piece of information he needed to find her. The DPPA was written to close that channel. It drew a hard line: personal information in motor vehicle records is off-limits for commercial use, full stop, with only fourteen narrowly defined exceptions.

Congressional testimony recorded during the passage of the DPPA revealed the scope of who this law was designed to protect. Domestic violence survivors who had fled abusive partners were named explicitly. Law enforcement officers whose home addresses in vehicle registrations could expose them to retaliation were named explicitly. Ordinary citizens who had no reason to suspect their DMV records were circulating in commercial markets were the entire point of the legislation. The complaint in this case invokes that history directly, because the conduct alleged is a precise reproduction of the threat Congress was responding to: personal information flowing from government motor vehicle records to private commercial buyers, with no inquiry made as to who those buyers are or what they intend to do with the data.

Think about who gets into car accidents. Everyone does. The college student driving home late. The single mother in a crowded intersection. The domestic violence survivor who fled to a new city and registered a new car. The off-duty police officer. The immigrant worker whose documentation situation makes any government record feel like a liability. When Carfax allegedly sold a crash report, the company did not know which of these people it was exposing. The complaint makes clear that Carfax failed to make a reasonable inquiry as to whether third-party purchasers were permitted under the DPPA to possess the personal information at all. They just sold it. The due diligence the federal law explicitly requires was, according to the lawsuit, simply not done.

The violation here is one of basic civic trust. Your home address lives inside your driver’s license and vehicle registration because the government requires it for legitimate, specific public safety purposes. You hand that address to the DMV because the law demands it. You do not hand it to Carfax. You do not consent to it appearing on a commercial website where anyone with a credit card and an internet connection can purchase it under the guise of a “crash report.” The address that appears on that police report is where you sleep. It is where your children live. It is the physical location of your most unguarded moments. Selling that without consent, to buyers whose identities and intentions are unverified, transforms a public safety record into a targeting tool.

The complaint describes a structural failure of accountability that compounded the harm. Carfax is classified as a “reseller” under the DPPA, which means federal law imposes a specific and non-negotiable duty of care: make a reasonable inquiry to ensure every disclosure goes only to someone with a permitted purpose. The lawsuit alleges that duty was breached systematically, across the entirety of a 1.5-million-record database, affecting a class of people whose exact size will only become known when Carfax’s own records are opened under discovery. The individuals in that class did not receive a notice. They did not receive an apology. They did not receive a call. Many of them do not know this happened to them at all. The only reason the lawsuit exists is because one person, Benjamin Lucas, found out and had the resources to retain counsel and fight back.

What the law allows is real accountability. Liquidated damages of $2,500 per class member exist specifically because the individual harm of a single privacy violation is diffuse and hard to quantify in dollars. Congress built that floor into the statute because the harm is real even when it is invisible. But the deeper ledger, the one that does not appear in any damages calculation, is the accumulated anxiety of people who will never know whether their address ended up in the wrong hands after their worst day on the road. They were already dealing with the aftermath of an accident: the insurance calls, the medical appointments, the car repairs, the fear of driving past the same intersection. On top of all of that, their most sensitive personal data was allegedly being packaged and sold, without a single word to them about it.

Legal Receipts: Straight From the Complaint

Every quote below is taken directly from Case 8:25-cv-00632-JRR, Document 1, filed February 25, 2025, in the U.S. District Court for the District of Maryland, Southern Division. Nothing has been paraphrased. Nothing has been invented.

“Carfax is in the business of collecting and selling data from more than 139,000 sources, including the Department of Motor Vehicles (‘DMV’) for every U.S. state and the District of Columbia, as well as more than 5,000 police departments across the country. Carfax collects, markets, and sells not only vehicle history data, but also police reports relating to motor vehicle accidents. Specifically, Carfax maintains, markets, and sells access to a national database of more than 1.5 million police reports that contain ‘personal information’ derived from ‘motor vehicle records’ (as such terms are defined under the DPPA), which reports are available to purchase from Carfax through various websites, including but not limited to www.crashdocs.org and www.CarfaxForClaims.com.” Complaint, ¶ 2

“Carfax sells, discloses, or otherwise makes available the police accident reports containing information protected from disclosure under the DPPA (the ‘Crash Reports’) to third parties, without the consent of the individuals whose protected information is contained in the Crash Reports (including Plaintiff), and without ascertaining (or making a reasonable effort to ascertain) whether the third-party purchasers are permitted to possess the protected information therein under the DPPA.” Complaint, ¶ 3

“Carfax knowingly authorized, directed, ratified, approved, acquiesced, or participated in the conduct underlying this class action. Carfax obtained Plaintiff’s and Class Members’ motor vehicle records to use, process, store, disclose, and resell Plaintiff’s and Class Members’ personal information, to market and solicit, directly or indirectly, Plaintiff’s and Class Members’ personal information without their express consent and without ascertaining whether the purchasers were permitted under the DPPA to possess the personal information. Carfax did so for purposes not permitted under the DPPA, including its own commercial gain.” Complaint, ¶ 4

“At its core, the DPPA is a public safety statute designed to protect citizens from the danger and annoyance that may result from the unnecessary disclosure of their personal information.” Complaint, ¶ 11

“Congress enacted the DPPA in 1993 in response to safety and privacy concerns stemming from the ready availability of personal information contained in state motor vehicle records. The DPPA was passed against the backdrop of the murder of actress Rebecca Schaeffer, whose murderer obtained her unlisted home address through the California DMV. Congressional testimony revealed additional concerns regarding the privacy interest of domestic violence victims and law enforcement officers, among other safety concerns relating to personal information contained in motor vehicle records.” Complaint, ¶ 12

“To address these concerns, the default rule under the DPPA is non-disclosure. Sections 2721(a)(1) and 2722(a) generally prohibit the release and use of personal information from motor vehicle records, and Section 2721(b) enumerates fourteen specific exceptions to the general prohibition. Marketing, solicitation efforts, and commercial gain are not permissible purposes under the statute.” Complaint, ¶ 13

“The DPPA defines ‘personal information’ as ‘information that identifies an individual, including an individual’s photograph, social security number, driver identification number, name, address (but not the 5-digit zip code), telephone number, and medical or disability information, but does not include information on vehicular accidents, driving violations, and driver’s status.’ 18 U.S.C. § 2725(3).” Complaint, ¶ 14

“The DPPA imposes a duty on resellers to exercise reasonable care in responding to requests for personal information derived from motor vehicle records. This duty requires resellers to make a reasonable inquiry as to whether the requested disclosure will be used by third-party purchasers only for an authorized purpose under the DPPA.” Complaint, ¶ 16

“As a company that regularly handles motor vehicle records as part of its business model, Carfax was aware that such records contain personal information, the improper disclosure of which would be injurious to the individuals whose personal information is contained therein.” Complaint, ¶ 18

“Carfax knowingly purchased the Crash Report about Plaintiff’s accident from the investigating officer’s law enforcement agency and, upon information and belief, sold the Crash Report and its contents to third parties within the last four years, without Plaintiff’s consent and without ascertaining whether the third-party purchasers were permitted under the DPPA to possess the personal information therein.” Complaint, ¶ 22

“Upon information and belief, Carfax failed to make a reasonable inquiry as to whether the Crash Report about Plaintiff’s accident would be used by third-party purchasers only for an authorized purpose under the DPPA. Based on such failure, Carfax breached its duty as a reseller under the DPPA to exercise reasonable care in responding to requests to purchase personal information derived from motor vehicle records.” Complaint, ¶ 24

“Each record of personal information knowingly obtained from motor vehicle records is a separate and distinct violation of the DPPA, remediable under the DPPA.” Complaint, ¶ 41

“Carfax knowingly obtained and/or disclosed Plaintiff’s and Class Members’ personal information, which came from motor vehicle records, for its own commercial gain, in violation of the DPPA.” Complaint, ¶ 44

“Upon information and belief, Carfax continues to regularly and knowingly obtain and disclose personal information from motor vehicle records for its own commercial gain, in violation of the DPPA.” Complaint, ¶ 48

“Pursuant to 18 U.S.C. § 2724(b)(1)-(4), Plaintiff seeks, on behalf of himself and the Class (1) actual damages, not less than liquidated (statutory) damages in the amount of $2,500 per Class Member; (2) punitive damages; (3) reasonable attorneys’ fees and costs; (4) a permanent injunction prohibiting Defendant from obtaining and disclosing personal information from motor vehicle records for its own commercial purposes; and (5) such other relief as the Court determines to be appropriate.” Complaint, ¶ 50

The Numbers: How Big Is Carfax’s Data Operation?

Societal Impact Mapping

Environmental Degradation

The direct environmental footprint of a data privacy lawsuit is less obvious than, say, a chemical spill, but the infrastructure that makes Carfax’s alleged conduct possible has real environmental costs that deserve naming. A database containing more than 1.5 million police reports, fed by 139,000 data sources including every state DMV and more than 5,000 police departments, requires substantial server infrastructure, data storage, processing power, and network transmission capacity. Data centers are among the most energy-intensive facilities in the modern economy. Every time Carfax sells a crash report through crashdocs.org or CarfaxForClaims.com, that transaction runs on infrastructure with a real energy budget.

More broadly, the commodification of government records through private commercial resellers represents a specific kind of environmental and civic degradation: the hollowing out of public institutions. When law enforcement agencies sell police reports to private data brokers rather than maintaining them purely for public safety purposes, the transactional logic of extraction seeps into the function of government itself. The complaint establishes that Carfax purchased crash reports directly from law enforcement agencies, meaning that public safety data generated by publicly funded officers, using publicly maintained record systems, became revenue for a private corporation. That is a transfer of public resource value into private hands that parallels the logic of resource extraction more broadly, a pattern that has environmental and institutional consequences well beyond any single data transaction.

Public Health

The DPPA’s legislative history, reproduced in the complaint, draws a direct and explicit line to public health and personal safety. The law was written after Rebecca Schaeffer was murdered at her front door by a stalker who used a DMV record to find her. Congressional testimony that shaped the statute specifically named domestic violence victims as people whose safety depended on the protection of their home addresses inside government motor vehicle records. When Carfax allegedly sold crash reports to unverified third-party purchasers, the company was selling a field on each report that contained a physical home address, a direct safety threat to anyone who depends on that address remaining private.

Domestic violence is a public health crisis. The Centers for Disease Control and Prevention categorizes intimate partner violence as a serious public health problem affecting millions of Americans. A significant portion of domestic violence safety planning involves physical separation and address confidentiality. Survivors who successfully relocate, register a car at a new address, and obtain a new license in a new state are placing their lives in the assumption that this information will be held with appropriate care. The DPPA encodes that assumption into federal law. The complaint alleges Carfax violated it, at scale, without checking who was buying. The public health implications of that failure, particularly for the subset of class members who are domestic violence survivors or who have obtained address confidentiality protections, are profound and cannot be reduced to a dollar figure.

Beyond individual safety, there is a documented public health dimension to surveillance and privacy erosion more generally. Research has consistently linked awareness of data insecurity to anxiety, reduced engagement with healthcare and social services, and decreased trust in institutions. People who fear their personal information is circulating in uncontrolled commercial channels make different decisions: they avoid registering vehicles, they avoid seeking help, they avoid engaging with systems that might generate records. That behavioral chilling effect is a public health cost, distributed invisibly across a population that has no way of knowing which company currently holds their address.

Economic Inequality

The economics of this case follow a pattern that will be recognizable to anyone paying attention to how the data economy works. Carfax generates commercial revenue by aggregating and reselling information about people who had no say in the matter. The people whose records were sold receive nothing. If they were harmed, their only recourse is a lawsuit, which most people cannot afford to bring individually. The class action mechanism exists precisely to solve this problem, but it should not be necessary. The baseline should be that a corporation does not sell your government-issued personal information without your knowledge. That baseline, apparently, did not hold here.

The complaint notes that “the damages suffered by the individual Class Members are relatively small” compared to the aggregate, which is why class action certification is being sought. This observation, made pragmatically in the context of litigation strategy, also illuminates the economic structure of data exploitation. Each individual violation is worth $2,500 in liquidated damages under the DPPA. Across 1.5 million police reports, if even a fraction of those involved unauthorized disclosures, the aggregate exposure to Carfax runs into hundreds of millions of dollars. That is the math of a business model built on the assumption that individual victims will not organize and will not fight back. The only reason this case exists is because Benjamin Lucas did fight back, at personal cost and with no guarantee of success.

The populations most likely to be harmed by the specific disclosure alleged here are also the populations least equipped to seek legal remedy. People in low-income communities are disproportionately affected by car accidents, disproportionately likely to have police reports generated about them, and disproportionately unlikely to have access to legal counsel. People in immigrant communities have additional reasons to fear that their information is circulating in unknown channels. The data broker economy, operating largely without public scrutiny or meaningful enforcement, extracts value from these populations while returning nothing to them. The DPPA represents one of the few robust federal instruments available to challenge that extraction. The complaint in this case attempts to use it as such.

It is worth noting that Carfax’s business model sits on a foundation of public trust and public infrastructure. The DMV records that feed its database exist because states require vehicle registration and driver licensing as conditions of road use. The police reports that enter its crash database are generated by publicly funded officers using publicly funded record systems. The raw material of Carfax’s commercial product is, in a meaningful sense, a public resource. The transformation of that public resource into private commercial inventory, without the consent of the people whose lives generated the data, is a form of economic extraction that benefits a corporation and its shareholders while imposing unconsented risk on the people whose data it is.

The “Cost of a Life” Metric

What Now? Corporate Roles, Watchlists, and Your Next Move

The complaint does not name individual executives by name in the source document. The accountability structure relevant to this case runs through corporate roles and the regulatory and judicial bodies with jurisdiction over it.

What You Can Do Right Now

• Check if you are a potential class member. If you were involved in a motor vehicle accident in the United States at any point in the last four years and a police report was generated, your personal information may be in Carfax’s database. Follow the case at PACER.gov using Case No. 8:25-cv-00632-JRR.
• Contact class counsel. Michael Burns at Hilgers Graben PLLC (mburns@hilgersgraben.com, 202-985-1664) and Edward H. Zebersky at Zebersky Payne LLP (ezebersky@zpllp.com, 954-595-6059) are listed as counsel for the plaintiff class.
• File a complaint with the FTC. ReportFraud.ftc.gov accepts consumer complaints about data brokers and privacy violations. Volume of complaints influences enforcement priorities.
• Contact your state Attorney General. Especially if you live in a state with a strong consumer privacy statute (California, Virginia, Colorado, Connecticut, Texas), your state AG may have independent enforcement authority relevant to this conduct.
• Support privacy advocacy organizations. Groups like the Electronic Privacy Information Center (EPIC), the Electronic Frontier Foundation (EFF), and the Privacy Rights Clearinghouse work on exactly these issues and depend on grassroots support to sustain their work.
• Talk to your neighbors. Most people do not know data brokers are buying and selling their police reports. Spreading awareness through mutual aid networks, neighborhood associations, and local organizing is direct action. The people most at risk are the people least likely to see this article. Get it to them.
• Demand address confidentiality programs in your state. Many states operate ACP programs that allow domestic violence survivors, stalking victims, and others to register a substitute address with the government. These programs are underutilized because they are underadvertised. Push your local representatives to fund and publicize them.