dissenting.
While I do not take issue with the majority’s conclusion that nothing in the Drivers Privacy Protection Act (“DPPA” or the “Act”), 18 U.S.C. § 2721, et seq., prohibits the bulk disclosure of personal information contained in drivers’ records, I respectfully dissent from the majority’s determination that the disclosure of such records to Shadowsoft by officials at the Ohio Department of Public Safety and the Ohio Bureau of Motor Vehicles (collectively, “BMV Officials”), without reasonably inquiring into whether Shadowsoft was a legitimate business using the records for a permissible purpose, was not a violation of a clearly established statutory requirement.
While, as the majority notes, we have no binding case authority to guide us in addressing the claims raised in this case, we do have the statutory language of the DPPA. Under the factual scenario and procedural posture of the ease now before us, I agree with the district court that the language of the DPPA is, in itself, sufficient to defeat qualified immunity for Defendants.1
Defendants argue that the DPPA does not impose on them any obligation to verify how the information that they disclose will be used. Instead, if they disclose information that is used for an impermissible purpose, then “a driver may seek relief against the entity that violated the DPPA, not the State.” (Defs.’ Br. at 15.) Plaintiffs counter that “[t]he DPPA is clear: if the Defendants disclosed information for a purpose that did not meet an exception to the DPPA, then they are in violation of the Statute.”2 (Pis.’ Br. at 10.)
*618The majority opinion circumvents the legal question of what duty the DPPA imposes on Defendants by making the finding that Defendants disclosed drivers’ information to Shadowsoft “for an explicitly permissible purpose,” though Shadow-soft later used the information impermissibly. (Maj. Op. at p. 611-12 (emphasis omitted).) In doing so, the majority reasons that as long as a requestor represents to BMV Officials that it will use drivers’ personal information in accordance with a DPPA exception, BMV Officials do not violate the Act if they then knowingly disclose that information.
There are two insurmountable problems with the majority’s approach. The first is simple, but dispositive — the record, on this judgment on the pleadings, is too vastly underdeveloped for the majority to make the factual findings necessary to logically support its conclusion. The evidence in the record insufficiently addresses any number of necessary questions, such as: what is Shadowsoft’s legal status? What is Shadowsoft’s relationship to PublicData? What did Shadowsoft represent to BMV Officials during contract negotiations? What did BMV Officials actually know about Shadowsoft at the time of disclosure? Did Shadowsoft impermissibly use the information that it received? With each of these material factual questions still in dispute, a grant of qualified immunity to Defendants is inappropriate. See Harrison v. Ash, 539 F.3d 510, 517 (6th Cir.2008) (“[T]o the extent that the denial of qualified immunity is based on a factual dispute, such a denial falls outside of the narrow jurisdiction of this Court.”) Secondly, the majority’s reading of the DPPA not only contradicts the “straightforward and commonsense meaning[]” of the Act, see Henry Ford Health Sys. v. Shalala, 233 F.3d 907, 910 (6th Cir.2000), but if accepted also renders much of the language of the DPPA completely superfluous. See Hibbs v. Winn, 542 U.S. 88, 101, 124 S.Ct. 2276,159 L.Ed.2d 172 (2004) (“A statute should be construed so that effect is given to all its provisions, so that no part will be inoperative or superfluous, void or insignificant.”) (citing 2A N. Singer, Statutes and Statutory Construction § 46.06, pp. 181-186 (rev. 6th ed.2000)).
Under the majority’s reading of the DPPA, the Act places no actual duty upon BMV Officials, other than the ministerial task of soliciting rote representations from prospective requesters. In the majority’s view, as long as BMV Officials receive such rote representations, then they have complied with the DPPA.
It is difficult to reconcile this reading of the Act by the majority with the very next conclusion reached in its opinion. Because the majority continues by holding that even when a requestor does not provide a representation that it is acting in accordance with the DPPA — for instance, that the requester is a “legitimate business” under 18 U.S.C. § 2721(b)(3) — BMV Officials still do not violate the Act by knowingly disclosing information to that requestor.
The majority, in determining whether BMV Officials are liable to Plaintiffs because they disclosed information that was used for an impermissible purpose, holds that BMV Officials are immune because they disclosed the information in reliance on Shadowsoft’s arguably false representations. But in determining whether BMV Officials are liable to Plaintiffs because *619they disclosed information to an arguably illegitimate business, the majority holds that BMV Officials are entitled to immunity, even though Shadowsoft made no actual representations that would invite the reliance of BMV Officials. Under this interpretation of 18 U.S.C. § 2721(b)(3), whether BMV Officials relied on false representations, or none at all, is of no actual consequence. The majority seemingly holds that the DPPA permits state officials such as those at the BMV to ask nothing and require no salient information, but to disclose everything.
Clearly, any interpretation of the DPPA that would require a requestor to make an affirmative statement of illegal intent or bad purpose in order for disclosure liability to attach to BMV Officials is inconsistent with both the language and the purpose of the Act. While the DPPA may not mandate that BMV Officials conduct an actual investigation into an entity requesting drivers’ information, or verify that entity’s purpose, it clearly imposes some kind of duty upon the state and state officials. If it did not, then subjecting the state to a penalty for having a “policy or practice of substantial noncompliance” with the DPPA would be nonsensical, because as a practical matter a state (or its officials) could not fail to comply with an Act that imposes no actual duty upon it. See 18 U.S.C.A. § 2728(b).
Therefore, a proper reading of the DPPA compels the conclusion that the Act imposes upon the state (and its officials) a duty of reasonable inquiry. In this case, the permissible use that Defendants claim allows BMV Officials to knowingly disclose drivers’ personal information to a certain type of requestor' — -“a legitimate business” — for certain purposes — -“to verify the accuracy of personal information” and “to obtain ... correct information” to prevent fraud or pursue other legal remedies. 18 U.S.C. § 2721(b)(3). Consequently, the Act sets forth a requirement that BMV Officials reasonably inquire into the dual questions of the identity of the requestor and the purpose for which information protected under the Act is being disclosed.
The content of the Record Request form (“Form 1173”) created by BMV Officials to ensure compliance with the DPPA confirms that BMV Officials understood that the DPPA imposed this duty of reasonable inquiry. This understanding is apparent from the fact that Form 1173 requires that a requester submit both information about itself and information about the basis for the request. (See R. 13; Ex. A, B.)
On the two Form 1173s completed by Shadowsoft, the company provided none of the required information about itself, with the exception of an out-of-state mailing address. As the district court highlighted, “while [Form 1173] included places for Shadowsoft to provide its tax identification number, vendor number, professional license number, and license, Shadowsoft never completed this part of the form.” (Dist. Ct. Op. at 21.) Nor did Shadowsoft provide any information regarding its status as a business in the contract that it subsequently entered into with BMV Officials, which did not request such information. (R. 13; Ex. A, B.)
Not inconsequently, it appears from the record that BMV Officials conducted this transaction with Shadowsoft via fax. So not only did BMV Officials not require Shadowsoft to represent that it was a licensed or incorporated business, it did not even require any actual contact with Shadowsoft. (Id.) There is no indication that BMV Officials even verified the identity of the individual requestor listed on the Form 1173s, Cara Hill, nor did she provide her personal driver license or social security number, as required by the forms. In practical terms, less verification was de*620manded of Shadowsoft, in order to receive the personal information of every driver in Ohio, than would be requested of any judge on this panel to write a personal check while shopping at any major retailer in this country.
The majority has strongly implied that Plaintiffs have somehow conceded that Shadowsoft operates as a “legitimate business,” and that such a concession, if existent, should have some impact on this Court’s legal analysis. (See Maj. Op. at p. 614.) On the contrary, Plaintiffs have alleged throughout the course of this litigation that BMV Officials had no basis for considering Shadowsoft a legitimate business at the time of the disclosure. (Pis.’ Br. at 12-13, 22-23.) Defendants, in their answer to the complaint, denied any knowledge of Shadowsoft’s corporate status based on their “want of information or knowledge sufficient to form a belief as to the truth of the matter.” (R. 11: Answer at 3.) On reply before this Court, Defendants state that Shadowsoft is a legitimate business, but still offer no assertion or evidence that BMV Officials were aware of or inquired into this fact, even if accurate, at the time of the disclosure. (Defs.’ Reply at 2-4.)
But whether Shadowsoft is a legitimate business is largely irrelevant.3 What is relevant is that Defendants in this case do not plead that they knew or had any reason to believe that Shadowsoft was a legitimate business at the time that they made the disclosure. At the time of the disclosure and alleged violation, Shadowsoft had neither represented itself to BMV Officials as a legitimate business, nor had BMV Officials inquired into or confirmed whether it was a legitimate business.
“The relevant, dispositive inquiry in determining whether a right is clearly established is whether it would be clear to a reasonable [official] that his conduct was unlawful in the situation he confronted.” Saucier v. Katz, 533 U.S. 194, 202, 121 S.Ct. 2151, 150 L.Ed.2d 272 (2001); see also Cooper v. Parrish, 203 F.3d 937, 951 (6th Cir.2000). Even if it were true, as the majority contends, that BMV Officials’ obligation of reasonable inquiry into a requester’s permissible use begins and ends with a check in a box on a standardized form, it cannot be the case that a state official fulfills his legal obligations, under 18 U.S.C. § 2721(b)(3), when he releases drivers’ personal information with absolutely nothing to indicate that he is releasing the information to a “legitimate business.” Under the facts as pleaded in this case, any reasonable official would have been on notice that to disclose the information requested by Shadowsoft in response to Shadowsoft’s facially deficient request would violate the DPPA.
Finally, it must be emphasized that the exceptions outlined in 18 U.S.C. §§ 2721(b)(1) — (14) are permissive, not mandatory. Holding that a state official must perform a reasonable minimal inquiry before releasing sensitive personal information to anyone with a fax machine, a pencil and two dollars does not impose an unreasonable burden. BMV Officials may decide that they do not want to face the threat of DPPA liability for disclosing drivers’ information without first inquiring into *621whom and for what purpose they are being asked to disclose. The solution is simple: when in doubt as to whether the purpose of the request comports with the requirements of the Act, BMV Officials may choose not to release drivers’ information for non-mandatory uses. After all, the purpose of the DPPA is to encourage state officials to do what they should strive to do anyway, which is to protect the personal information of state residents.
For these reasons, I would affirm the decision of the district court, and I therefore respectfully dissent from the opinion of the majority.
. The district court held that “a reasonable official would have understood that a disclosure of information for a purpose other than one permitted by the DPPA would violate the DPPA.” (Dist. Ct. Op. at 19-20.)
. As this appeal arises from a motion for judgment on the pleadings, Defendants must concede all factual allegations to Plaintiffs. Therefore, if there were a dispute regarding whether Shadowsoft permissibly used the records it obtained from BMV Officials, Plaintiff’s factual allegations must be conceded for the purposes of the qualified immunity inquiry. See JPMorgan Chase Bank, N.A. v. Winget, *618510 F.3d 577, 581 (6th Cir.2007) ("For purposes of a motion for judgment on the pleadings, all well-pleaded material allegations of the pleadings of the opposing party must be taken as true, and the motion may be granted only if the moving party is nevertheless clearly entitled to judgment.”) (internal citations and quotation marks omitted).
. Because the procedural posture of the case arises from a motion for judgment on the pleadings, no discovery was taken into the issue of Shadowsoft’s claim that it was a “legitimate business” at the time that it made the record requests. Again, the majority’s factual presumption that Shadowsoft was a "legitimate business,” and that Defendants were in a position that would have allowed them to confirm as much, is misplaced. Because material disputes exist as to both of these questions, a grant of qualified immunity which relies upon accepting Defendants' representations on these matters is unjustified.