A November 22, 2011 lawsuit against Best Buy (Siegler v. Best Buy Co. of Minnesota, Inc.) alleging violations of the federal Driver's Privacy Protection Act (DPPA) has generated interest and discussion about this frequently forgotten privacy law.
The DPPA attracted the attention of class counsel after the Iowa Supreme Court 2002 opinion which held that pure resellers, i.e., companies that do not use the information directly, are prohibited by the DPPA. Locate.Plus.Com, Inc. v. Iowa Dept. of Transp, 650 N.W.2d 609 ( Iowa 2002). The attraction for class counsel is easily understood. The DPPA provides for statutory damages of $2,500 per violation, attorney’s fees and injunctive relief. With such uniform remedies, especially after Murray v. GMAC, 434 F.3d 948 (7th Cir. 2006), the DPPA eliminates some of these issues that complicate motions for class certification in other cases.
The DPPA prohibits the use, disclosure or obtainment of personal information from motor vehicle departments except for 14 exceptions. 18 U.S.C. § 2721(b). The DPPA also permits an "authorized recipient" to resell or redisclose the information, but only for a use permitted under 18 U.S.C. § 2721(b). It was this last requirement which was litigated in Locateplus in 2002 that generated class action interest. For full disclosure, I argued on behalf of the defendants to successfully convince a court that the Iowa Supreme Court was wrong and that the DPPA permits pure resellers in Russell v. ChoicePoint Services, Inc., 302 F. Supp. 2d 654 (E.D. La. 2004). While there has been a single recent case following the Iowa Supreme Court, Wiles v. LocatePlus Holdings Corp, the majority of courts have followed Russell, including the Fifth, Sixth, Seventh, and Ninth Circuit. The Eight Circuit will decide this issue shortly and the future of class actions on this issue will be decided.
As a result, class counsel have turned to other theories, including the one made against Best Buy which concerns the collection of driver license information at the point of sale from customers. Specifically, plaintiff alleges that Best Buy’s return policy, which required cashiers to swipe the customer's driver's license during a return, violates the DPPA by "taking, storing, using and/or sharing customer's personal or highly restricted personal information, without consent, when customers make a normal return of Best Buy merchandise." Best Buy's receipt states that it "tracks exchanges and returns ... and some of the information from your ID may be stored in a secure, encrypted database of customer activity that Best Buy and its affiliates use to track exchanges and returns." The plaintiff alleges that Best Buy had no permissible use under the DPPA to obtain his driver information as the receipt did not (a) indicate what information was captured, (b) explain where the information is stored or for how long, or (c) describe how the information is used.
Putting aside the question of whether Best Buy’s practice comes within the identity verification permissible use (18 U.S.C. § 2717(b)(3)), the lawsuit wrongfully assumes that the DPPA even applies. What this plaintiff forgets is that the DPPA regulates a “State department of motor vehicles, and any officer, employee, or contractor thereof, [from] knowingly disclos[ing] or otherwise mak[ing] available to any person or entity” personal information. As many courts have already decided, when the driver’s data comes from the consumer either orally or from a copy of their driver’s license, the DPPA does not apply. See, Mattivi v. Russell, No. 01-WM-533 (BNB), 2002 U.S. Dist. LEXIS 24409 (D. Col. Aug. 2, 2002) (holding that an accident report created by the state patrol is not a motor vehicle record under the DPPA); O'Brien v. Quad Six, Inc., 219 F. Supp. 2d 933 (N.D. Ill. 2002) (holding that a private business does not violate the DPPA when it takes personal information from driver's license provided by plaintiff and uses the information to send promotional materials because Congress enacted the DPPA to regulate information collected from citizens by the state, not transactions between private businesses and their customers); Ocasio v. Riverbay Corp., No. 06 Civ. 6455 (PAC) (KNF), 2007 U.S. Dist. LEXIS 44751 (S.D.N.Y. June 19, 2007) (holding that when the plaintiff provides the defendant with his personal information, the plaintiff cannot state a claim under the DPPA based on the defendant’s disclosure of the personal information); Figueroa v. Taylor, No. 06 Civ. 3676 (PAC) (KNF), 2006 U.S. Dist. LEXIS 76961 (S.D.N.Y. Oct. 24, 2006) (same).
While I am skeptical that this theory will survive, I do think that there are other theories that could prove more successful. Please feel free to call me if you would like to discuss.