Recent Decisions and Trends Regarding the Bulk Obtainment, Disclosure, and Reselling of Personal Information Under the Drivers’ Privacy Protection Act

The December 15, 2011 decision in Cook v. ACS State & Local Solutions, Inc. (Case No. 10-3818) from the United States Court of Appeals for the Eighth Circuit is the latest ruling permitting bulk obtainment of data under the Driver’s Privacy Protection Act (“DPPA”).  Since 2002, plaintiffs have filed lawsuits against the consumer data industry in an effort to obtain damages for legitimate uses under the DPPA.  All but two courts, however, have consistently rejected plaintiff’s position that the DPPA prohibits the bulk obtaining of regulated data for the sole purpose of reselling data to individual users who have a permitted use.  With recent decisions from the Fifth, Sixth, Seventh, Eighth, and Ninth Circuits, the issue may be finally resolved.

Congress enacted the DPPA in 1994 in response to safety concerns about the access and disclosure of personal information and the use of this information for commercial purposes by direct marketers.  The DPPA generally prohibits any state department of motor vehicles from “knowingly disclos[ing] or otherwise mak[ing] available to any person or entity personal information . . . about any individual obtained by the department in connection with a motor vehicle record.”  18 U.S.C. § 2721(a).  The DPPA applies not only to states; it prohibits private individuals from knowingly “obtain[ing] or disclos[ing] personal information, from a motor vehicle record, for any use not permitted under section 2721(b).”  18 U.S.C. § 2722(a).  The DPPA also regulates the resale and redisclosure of drivers’ personal information by “authorized recipients.”  18 U.S.C. § 2721(c).  The DPPA’s general prohibition on disclosure is subject to a number of exceptions, including fourteen enumerated uses for which disclosure is permissible.  18 U.S.C. § 2721(b).

The DPPA attracted the attention of plaintiffs’ counsel after a 2002 Iowa Supreme Court decision that held that pure resellers (i.e., companies that do not use the information directly) are prohibited by the DPPA.  Locate.Plus.Com, Inc. v. Iowa Dept. of Transp., 650 N.W.2d 609 (Iowa 2002).  Plaintiffs’ counsel was attracted to DPPA litigation because the law provides for statutory damages of $2,500 per violation, attorney’s fees, and injunctive relief.

Initially, it appeared that the Iowa Supreme Court was going to heavily influence the rest of the country regarding DPPA litigation.  In 2004, however, things started to change as our firm began working on cases relating to the DPPA.  In Russell v. ChoicePoint Services, Inc., 302 F. Supp. 2d 654 (E.D. La. 2004), Ron Raether, a partner at Faruki Ireland & Cox P.L.L., argued on behalf of the defendants to successfully convince a court that the Iowa Supreme Court was wrong and that the DPPA permits pure resellers.  This case was the catalyst for a shift away from the Iowa Supreme Court’s ruling.  Although there has been a single recent case following the Iowa Supreme Court, the majority of courts have followed Russell, including the Fifth, Sixth, Seventh, and Ninth Circuit.

In Cook, the Eighth Circuit joined with the other circuit courts in finding the DPPA permits bulk obtaining by companies whose sole purpose is to resell that information to users with a permissible use.  Cook and others filed a class action suit against a variety of defendants, alleging that each improperly obtained personal driver information from the Missouri Department of Revenue in violation of the DPPA.  Plaintiffs based their claims on two separate theories:  (1) the bulk obtainment of personal information, which allows a company to stockpile information for the sake of convenience when a permissible purpose to use that information arises, is a per se violation of the DPPA; and (2) obtaining an entire database of personal information for the sole purpose of reselling that information to others is also a violation of the DPPA.  In either scenario, Plaintiffs alleged that Defendants did not have an immediate use for the information, and therefore did not obtain it for any permitted purpose under the DPPA.  The district court found that neither theory stated a valid claim under the DPPA and granted defendants’ motion to dismiss.  The district court noted that Plaintiffs’ claims were the same as those rejected by the Fifth Circuit in Taylor v. Axiom Corp., 612 F.3d 325 (5th Cir. 2010).

The Eighth Circuit affirmed finding that the DPPA permits bulk obtainment of data even if there is no immediate need for the data.  The Eighth Circuit held that “[b]ulk obtainment of driver information for a permissible purpose does not violate the DPPA.  Plaintiffs cannot establish a violation of the DPPA if all the defendants have done is obtain driver information in bulk for potential use under a permissible purpose.”  According to the Eighth Circuit, “Section 2721(c) explicitly permits the resale of drivers’ information, and it does not require that resellers must first use the information themselves.”  Thus, “Plaintiffs cannot establish a DPPA violation by alleging that Defendants obtained personal information with the sole purpose of selling it to third parties who have permissible section 2721(b) uses for the information.”

In addition to our involvement in Russell, our firm took a leadership role in Taylor and filed amicus briefs in the various circuit courts on behalf of the Coalition for Sensible Public Records Access and the Consumer Data Industry Association.  In the briefs, FI&C relied on its success in Taylor v. Acxiom Corp., 612 F.3d 325 (5th Cir. 2010) and Russell v. ChoicePoint Services, Inc., Nos. 03-1994, 03-2040 (E.D. La.), to inform the circuit courts that adoption of Plaintiffs’ extremely narrow interpretation of the DPPA would disrupt the balance between privacy and the legitimate governmental and business uses desired by Congress and thwart the long-standing practices that serve many segments of society that urgently need access to motor vehicle information for permitted uses.  The circuit courts – including the most recent case from the Eighth Circuit – are following this reasoning and allowing the bulk obtainment of personal information for legitimate uses.  After eleven years of litigation, the issues originally addressed by the Iowa Supreme Court are likely finally resolved.


Posted by Andy Reitz
Data Security
January 31, 2012