Carfax Accused of Illegal Crash Report Sales, Violating Driver Privacy

Case Overview: A lawsuit alleges Carfax illegally sells police accident reports, disclosing personal driver information without consent and violating federal law.

Consumers Affected: U.S. consumers whose personal information was disclosed by Carfax over the past four years.

Court: U.S. District Court for the District of Maryland, Southern Division

Carfax, the popular vehicle history report provider, illegally sells police accident reports containing personal information, violating federal privacy laws, a new lawsuit alleges. 

The lawsuit claims Carfax has been disclosing protected driver information without consent, allegedly prioritizing profits over privacy, and also without verifying whether the buyers are legally permitted to access such details under the Driver’s Privacy Protection Act (DPPA), a federal law designed to shield motorists' personal data from misuse.

According to the complaint, Carfax maintains a database of over 1.5 million crash reports sourced from more than 5,000 police departments across the U.S. These reports are then made available for purchase through Carfax-owned platforms like CrashDocs.org and CarfaxForClaims.com. Lucas argues that Carfax knowingly profits from selling this sensitive data to third parties, often without due diligence on how the information is used.

Carfax Accused of Selling Sensitive Driver Data

Maryland resident Benjamin Lucas filed the proposed class action lawsuit accusing Carfax of collecting, marketing, and selling police reports tied to motor vehicle accidents—records that contain personal information such as driver identification numbers and residential addresses. 

Lucas was involved in a car accident in December 2023. His personal information, collected by police during the investigation, was included in an accident report filed with the Maryland Department of Transportation Motor Vehicle Administration (MVA).

The lawsuit alleges that Carfax purchased the crash report from law enforcement and later sold it to unknown third parties—without Lucas’ consent or proper verification of the buyers' intentions. If true, this practice would violate the DPPA, which restricts the commercial sale of personal driver information, Lucas argues.

Lawsuit Alleges Violation of Federal Privacy Law

Enacted in 1993, the DPPA was designed to prevent unauthorized access to driver information, especially after high-profile cases like the murder of actress Rebecca Schaeffer, whose stalker obtained her home address through DMV records, the lawsuit explains.

The law generally prohibits the release and use of personal details from motor vehicle records, with limited exceptions. Selling such information for marketing, solicitation, or commercial purposes is strictly forbidden.

The lawsuit claims that as a reseller of motor vehicle records, Carfax has a legal duty to exercise “reasonable care” when handling personal information. Instead, it allegedly failed to confirm that buyers were using crash reports for permitted purposes, putting drivers at risk of identity theft, harassment, or other privacy violations.

Data Privacy Concerns Mount Against Vehicle and Tech Companies

Carfax isn’t the only company under fire for allegedly mishandling consumer data. Insurance giant Allstate is facing a lawsuit for secretly compiling a massive driving behavior database using mobile apps and in-car devices—without drivers’ knowledge.

Meanwhile, General Motors and its OnStar subsidiary recently faced Federal Trade Commission action for allegedly collecting and selling precise geolocation and driving behavior data to third parties, including insurers, without properly informing consumers. Under a proposed settlement, GM and OnStar will be banned from sharing such data with consumer reporting agencies for five years.

Even the rental car industry is seeing data privacy concerns. A lawsuit against Avis claims that a recent data breach exposed the personal information of over 300,000 customers, including driver’s license numbers and payment details.

In his lawsuit, Lucas wants to represent anyone in the US who has had their personal information disclosed by Carfax over the past four years. He is suing for violations of the Driver’s Privacy Protection Act of 1994 and is seeking damages, not less than $2,500 per occurrence, injunctive relief, costs, fees, and interest.

Case Details

• Lawsuit: Lucas v. Carfax, Inc.
• Case Number: 8:25-cv-00632-JRR
• Court: U.S. District Court for the District of Maryland, Southern Division 

Plaintiffs' Attorneys

• Michael Burns (Hilgers Graben PLLC)
• Edward H. Zebersky (Zebersky Payne LLP)

Have you used Carfax? Are you concerned about your personal information in crash reports? Share your thoughts below.