"WE WANT YOU BACK!" Many of us have received, through phone calls, emails, texts, and the post, the plaintive entreaties of companies with whom we have decided to cease doing business, seeking recommencement of our patronage. Such was the experience of James Andrews, who, after the dealership from which he bought a used car provided his personal information to Sirius XM Radio Inc. (Sirius XM), received unsolicited advertisements asking him to renew his radio subscription.
The primary question before us is whether Sirius XM's use of personal information derived from Andrews's driver's license violated the Driver's Privacy Protection Act of 1994 (DPPA), 18 U.S.C. §§ 2721 - 2725. Because we conclude that the DPPA does not apply where the source of personal information is a driver's license in the possession of its owner, rather than a state Department of Motor Vehicles (DMV), we affirm the district court's grant of summary judgment in favor of Sirius XM. We also affirm the district court's denial of Andrews's motion to amend his complaint to add a claim under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030.
FACTUAL AND PROCEDURAL BACKGROUND
I. Factual Background
On January 14, 2017, Andrews purchased a pre-owned 2012 Chevy Equinox from Auto Source, a small used car lot in Banning, California. He presented the dealership with his California driver's license, from which it obtained his name and PO Box address. He also filled out a California DMV Form 262-"Vehicle/Vessel Transfer and Reassignment Form"-a multipurpose form that serves as an odometer disclosure, bill of sale, and power of attorney. On the Form 262, Andrews provided *1256his telephone number, street address, PO Box, and name. Auto Source input this information into its dealer management system (DMS), which ran on a database platform operated by a third party, AutoManager.
Andrews's Equinox came equipped with Sirius XM radio, a subscription-based satellite radio service. Gail Berger, Sirius XM's Vice President of Auto Remarketing, attested that her company has agreements with thousands of automotive dealerships across the country pursuant to which Sirius XM offers trial subscriptions for pre-owned vehicles and, in return, dealers provide Sirius XM with the names and addresses of customers who purchase or lease XM-equipped vehicles. According to Berger, Auto Source enrolled in Sirius XM's pre-owned program in 2015. The terms of the agreement provided that Sirius XM "requires the use of data that exists in [Auto Source's DMS], including customer data to activate [its] customers' SiriusXM Trial Service and to communicate with customers regarding their Trial Subscriptions and options to extend their SiriusXM services following the Trial Subscriptions." It also permitted Auto Source's DMS provider, AutoManager, "to extract and share [its] DMS data with SiriusXM." A separate agreement between Sirius XM and AutoManager specified that this information included "Customer Data."
Berger stated that, following Andrews's purchase, AutoManager provided Sirius XM with a record of the sale. This electronic record included his name and street address. According to a Sirius XM manager, however, Andrews's PO Box was not provided by AutoManager; instead, Sirius XM obtained that information through a separate contractor that used the U.S. Postal Service's National Change of Address database. Andrews asserted that he gave neither Auto Source nor anyone else permission to share his personal information with Sirius XM.
Within days of Andrews's purchase, the deluge began. Sirius XM sent various letters to Andrews's PO Box between January and August 2017, imploring him-"We Want You Back!"-to resume his Sirius XM service after the subscription included with his car purchase ended. Sirius XM also telephoned him for the same purpose.
II. Procedural Background
On August 24, 2017, Andrews filed a putative class action complaint in the district court, alleging violations of the DPPA and seeking an injunction and statutory damages of $2,500 for each violation.
In his complaint, Andrews-apparently unaware of the agreements between Auto Source, AutoManager, and Sirius XM pursuant to which his personal information was shared-alleged that Sirius XM "obtained [his] name and address, as well as his phone number, from the motor vehicle records, most likely the registration documents submitted to the DMV after he purchased the car." Prior to filing its motion for summary judgment, Sirius XM's counsel explained to Andrews's counsel that, contrary to Andrews's allegations, it had obtained his personal information not from the DMV, but instead from Auto Source and the Change of Address database. Subsequently, Andrews moved to file an amended complaint to add a claim for violation of the CFAA, based on Sirius XM's access to Auto Source's DMS.
The district court granted Sirius XM's motion for summary judgment, and denied Andrews's motion to file an amended complaint. As to the DPPA claim, the court determined, "[l]ike the Supreme Court and the vast majority of other courts to have analyzed the issue," that "the DPPA's definition of 'motor vehicle record' [ ] requir[es]
*1257that the DMV be the source of the 'record.' " Because the court found that Sirius XM obtained Andrews's personal information from his driver's license and the Form 262-neither of which, it determined, constituted a DMV record-it concluded that "the undisputed facts establish that [Sirius XM] did not 'use' 'personal information' 'from a motor vehicle record,' " and that Sirius XM was therefore entitled to summary judgment on the DPPA claim. Turning to Andrews's motion for leave to amend, the district court concluded that amendment would be futile because the proposed amended complaint "fail[ed] to allege that he ha[d] suffered a 'loss' or 'damage' cognizable under the CFAA."
This timely appeal followed.
JURISDICTION AND STANDARD OF REVIEW
We have jurisdiction pursuant to 28 U.S.C. § 1291. We review de novo a district court's grant of summary judgment. WildEarth Guardians v. Provencio , 923 F.3d 655, 664 (9th Cir. 2019). "A court's denial of leave to amend is reviewed for an abuse of discretion." Ebner v. Fresh, Inc. , 838 F.3d 958, 963 (9th Cir. 2016).
ANALYSIS
I. DPPA
Andrews contends that the district court erred when it granted summary judgment in favor of Sirius XM, arguing that the company violated the DPPA's prohibition on using and disclosing personal information derived from DMV records when it obtained his name, address, and phone number from his driver's license and the Form 262. He urges us to "issue a limited ruling holding that where a plaintiff can establish that a third party accessed a report (whether it be an accident report or dealership record of sales) containing information from a [driver's license] issued by a state DMV ... the plaintiff can state a claim for violation of the DPPA." We decline to adopt such a holding, and instead conclude that Sirius XM's conduct fell outside the scope of the DPPA.
A. Origins and Scope of the DPPA
Congress enacted the DPPA in 1994, in response to a troubling phenomenon that occurred throughout the 1980s and early 1990s-state DMVs' practice of selling or freely disclosing drivers' personal information, which led to unfortunate consequences ranging from the trivial (onslaughts of random solicitations) to the tragic (the murders of several people by stalkers or ex-spouses). See, e.g. , 140 Cong. Rec. H2,518, H2,522-24 (daily ed. Apr. 20, 1994) (statement of Rep. Moran) ("In Iowa, a gang of thieves copied down the license plate numbers of expensive cars they saw, found out the names and addresses of the owners and robbed their homes at night. In Virginia, a woman regularly wrote to the DMV, provided the license plate numbers of drivers and asked for the names and addresses of the owners who she claimed were stealing the fillings from her teeth at night."); 139 Cong. Rec. S15,745, S15,766 (daily ed. Nov. 16, 1993) (statement of Sen. Harkin) (recounting the story of a woman who visited an obstetrics clinics and received a "venomous letter" from anti-abortion activists who "got her name and address from department of transportation records, after they spotted her car parked near [the] clinic"); Protecting Driver Privacy: Hearing on H.R. 3365 Before the Subcomm. on Civil & Constitutional Rights , 1994 WL 212698 (Feb. 3, 1994) (statement of Rep. Moran) ("While the release of this information to direct marketers does not pose any inherent *1258safety risks to people, it does present, to some people, an invasion of privacy.").1 At that time, "[u]nder the law in over 30 States, it [was] permissible to give out to any person the name, telephone number, and address of any other person if a drivers' license or vehicle plate number [was] provided to a State agency." 139 Cong. Rec. at S15,765 (statement of Sen. Biden).
Accordingly, "[c]oncerned that personal information collected by States in the licensing of motor vehicle drivers was being released-even sold-with resulting loss of privacy for many persons, Congress provided federal statutory protection" through the DPPA. Maracich v. Spears , 570 U.S. 48, 51-52, 133 S.Ct. 2191, 186 L.Ed.2d 275 (2013). As characterized by the Supreme Court, the purpose of the DPPA is to "regulate[ ] the disclosure and resale of personal information contained in the records of state DMVs." Reno v. Condon , 528 U.S. 141, 143, 120 S.Ct. 666, 145 L.Ed.2d 587 (2000) ; see also id. at 144, 120 S.Ct. 666 ("The DPPA establishes a regulatory scheme that restricts the States' ability to disclose a driver's personal information without the driver's consent."). Consistent with this primary objective, the first part of the DPPA expressly focuses on a state's own records. It prohibits "[a] State department of motor vehicles" from "knowingly disclos[ing] or otherwise mak[ing] available ... personal information ... about any individual obtained by the department in connection with a motor vehicle record." 18 U.S.C. § 2721(a).2
The DPPA's second part, by contrast, concerns not DMVs themselves, but instead those who illicitly seek information from motor vehicle records. Section 2722 makes it unlawful "for any person knowingly to obtain or disclose personal information, from a motor vehicle record, for any use not permitted under section 2721(b),"3 and "for any person to make false representation to obtain any personal information from an individual's motor vehicle record." Id. § 2722. It is this provision-along with the section that confers a private cause of action on those injured by violations of the statute, id. § 2724-on which Andrews relies to argue that Sirius XM's conduct violated the DPPA.
*1259B. Andrews's Claim
To prevail on his DPPA claim, Andrews must satisfy § 2722(a) and prove that (1) Sirius XM knowingly obtained his personal information (2) from a motor vehicle record (3) for a nonpermissible use. See Taylor v. Acxiom Corp. , 612 F.3d 325, 335 (5th Cir. 2010). The first and third elements are undisputed here: Sirius XM obtained and used Andrews's name and telephone number-"personal information" as defined by the DPPA-for nonpermissible promotional purposes. See 18 U.S.C. §§ 2721(b), 2725(3). Accordingly, the key issue on appeal is whether the documents from which Sirius XM obtained Andrews's personal information-specifically, his driver's license and the Form 262-qualify as "motor vehicle records" pursuant to the statute. We conclude that they do not.
The DPPA defines a "motor vehicle record" as "any record that pertains to a motor vehicle operator's permit, motor vehicle title, motor vehicle registration, or identification card issued by a department of motor vehicles." Id. § 2725(1). Sirius XM argues that "a driver's license cannot qualify under that definition," citing to the district court's analysis:
[A] driver license, although it contains "personal information" contained in the records of the DMV, is not itself a "record" "contained in the records" of the DMV. Nor does it make sense to include a driver license as a "motor vehicle record" when a "motor vehicle record" is defined as "any record that pertains to a motor vehicle operator's permit." Interpreting the statute as [Andrews] suggests and construing a "motor vehicle record" to include a driver license would render the definition's use of both "record" and "pertains to" as surplusage because the driver license would be "pertaining" to itself and ignore the requirement that [it] also be a "record."
We are not wholly persuaded by this linguistic analysis of the DPPA. Sirius XM argues, as the district court concluded, that "construing a 'motor vehicle record' to include a driver license would render the definition's use of both 'record' and 'pertains to' as surplusage," but a "record" is defined as, among other things, "[i]nformation that is inscribed on a tangible medium." Record , Black's Law Dictionary (11th ed. 2019); see also Webster's Third New International Dictionary 1,898 (2002) (defining "record" as "evidence, knowledge, or information remaining in permanent form (as a relic, inscription, document)"). A driver's license is a tangible document that serves as proof of an individual's permission to operate a motor vehicle, and can therefore be considered a "record." And, although Sirius XM raises a fair point as to whether "pertains to" would be rendered surplusage, it would make little practical sense that a photocopy of a driver's license-which is indisputably a "record that pertains to a motor vehicle operator's permit"-could be a qualifying motor vehicle record, but the actual license lying right next to it on the desk at the DMV, containing identical personal information, could not. We are therefore unconvinced that a driver's license is not a "record" based solely on the wording of the statute's definition.
But just because a driver's license is a "record" does not necessarily mean it is a "motor vehicle record." Reading § 2722's words "in their context and with a view to their place in the overall statutory scheme," Davis v. Mich. Dep't of Treasury , 489 U.S. 803, 809, 109 S.Ct. 1500, 103 L.Ed.2d 891 (1989), we conclude that a driver's license in the possession of its owner is not a qualifying "motor vehicle record" under the DPPA.
It is clear, from the legislative history and case law, that Congress was motivated *1260to enact the DPPA by the "growing threat from stalkers and criminals who could acquire personal information from state DMVs ," as well as "the States' common practice of selling personal information to businesses engaged in direct marketing and solicitation." Maracich , 570 U.S. at 57, 133 S.Ct. 2191 (emphases added). With this purpose in mind, we interpret § 2721-prohibiting DMVs from "knowingly disclos[ing] ... personal information," 18 U.S.C. § 2721(a) -as covering one side of the prohibited transaction. Section 2722, by contrast, covers the other side of that same transaction, by creating liability for the person who "obtain[s] or disclose[s] personal information" from the DMV's records. Id. § 2722(a).
A driver's license, though issued by the DMV, becomes the possession of an individual , not the DMV that issued it.4 Congress intended the DPPA to reflect the Privacy Act of 1974, see Protecting Driver Privacy , 1994 WL 212698 (statement of Rep. Moran) ("The bill incorporates [ ] the intent of the 1974 Privacy Act."), which defines a "record" as "information about an individual that is maintained by an agency ." 5 U.S.C. § 552a(a)(4) (emphasis added); see also Wilborn v. Dep't of Health & Human Servs. , 49 F.3d 597, 600 (9th Cir. 1995) ("[I]f a party discloses information obtained independently of any records, such a disclosure does not violate the [Privacy] Act, even if identical information is contained in the records."), abrogated on other grounds by Doe v. Chao , 540 U.S. 614, 124 S.Ct. 1204, 157 L.Ed.2d 1122 (2004). A driver's license in the possession of its owner is no longer maintained by the DMV, and so such a record is outside the bounds of the DPPA. The same is true of the Form 262 at issue here, which did not even pass through the DMV before the information made its way to Sirius XM.
Put another way, we conclude that where, as here, the initial source of personal information is a record in the possession of an individual, rather than a state DMV, then use or disclosure of that information does not violate the DPPA. This conception of the DPPA's scope is consistent both with its clear purpose, see Maracich , 570 U.S. at 51-52, 133 S.Ct. 2191 (noting Congress's specific concern with the release of personal information by States ), and with two other circuits that have previously interpreted the statute, albeit in unpublished opinions.5
Andrews contends that Sirius XM's conduct violated the literal text of the statute. But, even if the statute could be read to cover this conduct, we will not adopt "a literal interpretation [that] 'would thwart the purpose of the overall statutory scheme or lead to an absurd result.' " Wilshire Westwood Assocs. v. Atl. Richfield Corp. , 881 F.2d 801, 804 (9th Cir. 1989) (quoting Brooks v. Donovan , 699 F.2d 1010, 1011 (9th Cir. 1983) ); see also *1261Nixon v. Mo. Mun. League , 541 U.S. 125, 138, 124 S.Ct. 1555, 158 L.Ed.2d 291 (2004). As discussed above, Andrews's expansive conception of the DPPA does not align with the statute's clear purpose. And, although both Andrews and Sirius XM utilized a considerable quantity of briefing ink trading hypotheticals and parading various horribles in support of their respective positions, we conclude that Andrews's position yields the more absurd results.
It would be patently unreasonable, for example, to penalize a security guard's use of a driver's license photograph-"personal information" under the DPPA, 18 U.S.C. § 2725(3) -on temporary security badges in office buildings and other locations.6 After all, "[t]he DPPA sought to 'strike[ ] a critical balance between an individual's fundamental right to privacy and safety and the legitimate governmental and business needs for this information.' " Gordon v. Softech Int'l, Inc. , 726 F.3d 42, 50 (2d Cir. 2013) (second alteration in original) (quoting 140 Cong. Rec. at H2,522 (statement of Rep. Moran)). In light of this practical mindset, we will not subject a range of commonplace and innocuous activities involving driver's licenses to potential DPPA liability.7 Accordingly, given that the statute was clearly intended to prevent the unauthorized, nonconsensual, and involuntary disclosure of personal information from DMV records, we conclude that Andrews's driver's license was not a "motor vehicle record" pursuant to the DPPA.
We acknowledge the potential abuses-such as the intrusive behavior Andrews experienced in this case-that can result from exploitation of personal information contained on an individual's driver's license. But we ultimately agree with the conclusion of the district court in O'Brien v. Quad Six, Inc. , which considered the use of a plaintiff's personal information after he presented his driver's license as identification at a nightclub:
We are sympathetic to plaintiff's concerns about the way businesses collect and use personal information, and its implications for all of our privacies. But that is not what Congress intended the DPPA to regulate. This statute seeks to control dissemination of information collected using the coercive power of the state. It does not regulate information freely given by consumers to private businesses, such as when plaintiff tendered his driver's license to [the nightclub].
219 F. Supp. 2d 933, 934-35 (N.D. Ill. 2002). Aggrieved plaintiffs, Andrews included, might have other statutory remedies to rectify alleged abuses of their personal information. But the DPPA-a statute concerned solely with the actions of state DMVs and those who illicitly retrieve *1262information from them-is not the proper vehicle for such redress, where, as here, the source of that information is a driver's license in its owner's possession.8
* * *
Sirius XM correctly observes that "[t]he DPPA was not designed to remedy every misuse of personal information that happened to come from a driver's license." Instead, its scope is limited to impermissible disclosures by state DMVs to those who seek information from them. Andrews concedes that neither Sirius XM nor anyone else requested or acquired his information from the California DMV. Therefore, we conclude that Sirius XM's conduct, annoying as it might have been, did not violate the DPPA.
II. CFAA
Andrews also challenges the district court's conclusion that amending his complaint to add a claim under the CFAA would have been futile.
The CFAA makes it unlawful to, among other things, "intentionally access[ ] a computer without authorization" and obtain "information from any protected computer." 18 U.S.C. § 1030(a)(2). It provides a private right of action for "[a]ny person who suffers damage or loss by reason of a violation of [the statute] ... against the violator to obtain compensatory damages and injunctive relief or other equitable relief," but "only if the conduct involves 1 of the factors set forth" elsewhere in the CFAA. Id. § 1030(g). Of the five possible factors, the only one relevant to Andrews's potential claim is that the offense caused "loss to 1 or more persons during any 1-year period ... aggregating at least $5,000 in value." Id. § 1030(c)(4)(A)(i)(I). As Sirius XM correctly characterizes the situation, "[w]hether Andrews could have brought a viable CFAA claim turns on whether Andrews could plausibly allege a qualifying loss."
Andrews's theory of loss is that he and his fellow class members were denied the profits they might have received from commodifying the personal information that Sirius XM allegedly obtained through unlawful means. His proposed amended complaint claimed that this information
was extremely valuable .... This information is what is called in the marketing industry a "hot lead." [Andrews] is informed and believes, and thereupon alleges, that the retail value of a "hot lead" of this nature and for the price point of [Sirius XM's] subscription plans is at least $100.
Accordingly, because Sirius XM allegedly "stole the personal information without compensating [Andrews], he lost the value of that information and the opportunity to sell it."9
The CFAA, however, defines "loss" as "any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service." Id. § 1030(e)(11). This is a narrow conception of "loss," and the definition does not include a provision that aligns with Andrews's theory.
*1263"[I]t is a commonplace of statutory construction that the specific governs the general." Morales v. Trans World Airlines, Inc. , 504 U.S. 374, 384, 112 S.Ct. 2031, 119 L.Ed.2d 157 (1992). This "canon has full application ... to statutes such as the one here, in which a general authorization and a more limited, specific authorization exist side-by-side." RadLAX Gateway Hotel, LLC v. Amalgamated Bank , 566 U.S. 639, 645, 132 S.Ct. 2065, 182 L.Ed.2d 967 (2012). In such cases, "[t]he terms of the specific authorization must be complied with," to avoid "the superfluity of a specific provision that is swallowed by the general one." Id . Accordingly, any theory of loss must conform to the limited parameters of the CFAA's definition. And although the definition does include "revenue lost," that refers only to losses that occurred "because of interruption of service." 18 U.S.C. § 1030(e)(11) ; see also Yoder & Frey Auctioneers, Inc. v. EquipmentFacts, LLC , 774 F.3d 1065, 1073-74 (6th Cir. 2014) ("[T]he plain language of the [CFAA] treats lost revenue as a different concept from incurred costs, and permits recovery of the former only where connected to an 'interruption in service.' " (alterations in original) (quoting Nexans Wires S.A. v. Sark-USA, Inc. , 166 F. App'x 559, 562 (2d Cir. 2006) )). Andrews does not-and cannot-argue that his allegedly lost revenue occurred because of an interruption of service, and so his purported injury is not cognizable under the CFAA.
We further observe that the CFAA is "an anti-hacking statute," not "an expansive misappropriation statute." United States v. Nosal , 676 F.3d 854, 857 (9th Cir. 2012) (en banc). The statute's "loss" definition-with its references to damage assessments, data restoration, and interruption of service-clearly limits its focus to harms caused by computer intrusions, not general injuries unrelated to the hacking itself. Given this circumscribed focus, and the principle that "a general statutory term should be understood in light of the specific terms that surround it," Hughey v. United States , 495 U.S. 411, 419, 110 S.Ct. 1979, 109 L.Ed.2d 408 (1990), we will not expand the CFAA's limited conception of loss to include the sort of injury pleaded in Andrews's proposed amended complaint.10
Accordingly, the district court did not abuse its discretion when it concluded that an amendment adding a CFAA claim to Andrews's complaint would have been futile.
CONCLUSION
The legislative history of the DPPA, and the decisions of the Supreme Court interpreting it, demonstrate that the purpose of the statute was to prevent the acquisition and exploitation of personal information from the records of state DMVs. We therefore conclude that Sirius XM did not violate the DPPA when it used personal information obtained from Andrews's driver's license. We further conclude that, given the CFAA's limited conception of loss, the district court did not abuse its discretion *1264when it denied Andrews leave to amend on futility grounds.
AFFIRMED.