Monday, October 10, 2011

Courts Differ on Whether Publisher’s Purchase, Use of Data Violated Driver’s Privacy Protection Act

This posting was written by Thomas A. Long, Editor of CCH Privacy Law in Marketing.

A class of Missouri residents could go forward with claims under the federal Driver’s Privacy Protection Act (DPPA) against West Publishing Co. for acquiring and disseminating personal information derived from driver’s license records from various states, the federal district court in Jefferson City, Missouri has ruled.

However, a class of Illinois residents could not pursue a DPPA class action against West Publishing for the same conduct, the U.S. Court of Appeals in Chicago has held.

Missouri Action

The federal district court held that the class representative had standing under the DPPA and granted the representative’s motion to certify the class.

According to the district court, the DPPA did not
(1) permit the publisher to obtain driver’s license information from the state when its sole purpose was to resell the information to third parties or

(2) permit the publisher to disclose the entire driver’s license database to a business or individual having only a potential future use for some of the information sold.

The Missouri residents were not required to present evidence of specific misuse of their personal information, according to the court. The publisher obtained, and continued to obtain, large databases of motor vehicle records from several states. The databases contained personal information belonging to millions of licensed drivers.

The DPPA made nondisclosure of personal information the default rule. Under the statute, states were permitted to disclose driver’s license information only to “authorized recipients” who obtained information for one of the permissible uses under the DPPA, and not simply a recipient whom the state had authorized to receive information.

The DPPA did not delegate to the states the decision of who was an “authorized recipient.” The publisher, therefore, was not an “authorized recipient” of the information based on its mere purported purpose of reselling information for permissible uses, in the district court’s view.

Rather than specifically listing prohibited uses for driver’s license information, the statute generally prohibited all but 14 permissible uses. Bulk resale was not included in those permissible uses. Only one DPPA exception made reference to “bulk distribution,” and that provision required that individuals opt in by providing their express consent to such bulk release for marketing and solicitation.

Given the strict linkage between the method of obtaining data and the restrictions on resale, Congress could not have intended to create a “gaping hole” in the statute for resellers by authorizing them to obtain the entire driver’s license database simply by identifying themselves as resellers, in the court’s opinion. Congress could have created a separate exception for resellers, but it did not.

Class Certification

The class consisted of all persons who registered a motor vehicle in or were issued a driver’s license or state identification card by 29 states and the District of Columbia since February 19, 2006, and whose personal information was obtained, disclosed, or sold by the publisher. There was no dispute as to the numerosity requirement for class certification.

The publisher’s business model for obtaining and then selling information was a question of fact common to all class members, the court said. This was true regardless of whether this business model resulted in some individual sales for uses that were authorized by the DPPA.

Class action litigation was the superior method for adjudicating the claims, according to the court. Given the large number of potential plaintiffs and the commonality of their claims, certifying the class would allow a more efficient adjudication of the controversy than would individually litigating the claims.

The decisions are Johnson v. West Publishing Co., CCH Privacy Law in Marketing ¶60,672 and ¶60,673.

Illinois Action

The Seventh Circuit held that the publisher’s acquisition of personal information contained in the motor vehicle records conduct did not violate the DPPA. The DPPA did not prohibit the publisher from reselling the residents’ personal information to third parties with permissible uses for the data under the statute.

The Illinois residents asserted that the publisher acquired the personal information contained in motor vehicle records of millions of drivers from state DMVs for resale. The residents, failed, however to state a DPPA claim.

The DPPA authorized the acquisition and resale of personal information by “authorized recipients” for 14 “permissible uses.” There was no allegation that the ultimate users of the records compiled and sold by the publisher lacked a permissible use for the records. The publisher did not have to have an immediate permissible use of its own in order to be an authorized recipient of the data, the appeals court said.

The decision in Graczyk v. West Publishing Co., will appear in CCH Privacy Law in Marketing.

Further information about CCH Privacy Law in Marketing appears here.

No comments: