As if buying a car is not complicated enough, at least one BMW dealer in California has added yet another layer of complication to the activity. A well-spoken blogger in California wrote about her attempted car buying experience that culminated in a “No Sale” all because the dealership refused to sell her the vehicle unless she first provided her right thumbprint.

In her quest to purchase a BMW X3 (a nice vehicle, I might add), Lorna furnished her driver’s license and marriage certificate (her name had changed), and her credit report was run by the dealership — although she asserts it was done without her knowledge. I’m not suggesting this is untrue, but she must have supplied her social security number on the purchase application (the forms usually have a pre-printed section requiring one to fill out that information) or the dealership would have had to have obtained her SSN somehow to run the credit history. Perhaps California is a state that still has a driver’s social security number stamped on its face. (I have always been puzzled by the fact that Departments of Motor Vehicles and state universities thought it was a great idea to use one’s SSN as a driver’s license or student identification number. They simply helped create the identity theft debacle now at hand.)

Nonetheless, Lorna, of lornamatic.com, discovered that the BMW dealership refused to sell her the X3 unless she voluntarily provided her right thumbprint and authorized the dealership to obtain her DMV Driver’s License Record — which, of course, would contain a copy of her right thumbprint that she had to supply to the California DMV to obtain her driver’s license. Lorna was doubly surprised to find that the dealership intended to keep the copies of her personal information, but the personnel there were unable to provide her with information regarding the company’s privacy policy and data security procedures.

I was intrigued by Lorna’s experience, so I took a look to see what I could find about California’s laws on the subject. Here’s what I discovered:

    1. The California Constitution, Article I, Section 1, ensures citizens of that State a right to privacy.
    2. California has enacted its Information Practices Act to provide protection from the dissemination of personal information. Cal Civ Code § 1798.81.5, however, does not apply to activities taken by “(4) An entity that obtains information under an agreement pursuant to Article 3 (commencing with Section 1800) of Chapter 1 of Division 2 of the Vehicle Code and is subject to the confidentiality requirements of the Vehicle Code.”
    3. Cal Veh Code § 1808.5 states that, “Except as provided in Section 22511.58, all records of the department relating to the physical or mental condition of any person, …are confidential and not open to public inspection.”
    4. Perkey v. DMV, 42 Cal. 3d 185; 721 P.2d 50; 228 Cal. Rptr. 169 (1984) held that the California DMV could properly require the provision of a thumbprint as a prerequisite to obtaining a driver’s license, but that the the thumbprint was confidential pursuant to the California Vehicle Code and the Information Practices Act.

While in the past this provision has generally been applied to protect the confidentiality of what might ordinarily be termed “medical” information — such as information relating to an applicant’s eyesight (see 55 Ops.Cal.Atty.Gen. 122 (1972); 26 Ops.Cal.Atty.Gen. 136 (1955)) — a reasonable interpretation of the provision affords protection of that portion of a driver’s license application that reveals the applicant’s fingerprint.

Such an interpretation does not conflict with the statutory language because a fingerprint clearly relates to the “physical condition” of the applicant. Also, it furthers the general underlying purpose of the provision, which is to protect the confidentiality of information revealed by a driver’s license application where exposure will improperly infringe the applicant’s privacy rights.

Id. at 194, 721 P.2d at 55, 228 Cal. Rptr. at 174.

So, now we know that her thumbprint could not be obtained by the dealership from the DMV indiscriminately, the operative question is whether she can consent to the release of that personal information. It seems highly likely that she can, which again raises a question as to the dealer’s personal information data privacy and security policy. Clearly the dealer has an obligation to protect the information Lorna provided to it as a requirment of the Information Practices Act. Had the dealer obtained information about her from the DMV, then the dealer would have to maintain the information securely as a requirement of the Vehicle Code.

These, of course, are only my observations and I would welcome any additional information or thoughts from my colleagues who practice in California. Lorna’s experience is just a little too much like living in a totalitarian regime for my taste. After all, if we weren’t so busy collecting all of this information about people, we wouldn’t be able to use it to pose as the upstanding citizen that the data collection says we are. Don’t forget, Big Brother is watching you.Š