Opinion
Case No. 08-4167-CV-C-NKL.
December 12, 2008
ORDER
Plaintiffs Emily Roberts and Sarah E. Smith ("Plaintiffs") brought this putative class action against Defendants The Source for Public Data, L.P. ("Public Data"), Shadowsoft, Inc. ("Shadowsoft"), Omar Davis, Director of the Missouri Department of Revenue ("Davis") and other unnamed individual defendants who acted as agents of the Missouri Department of Revenue. Plaintiffs claim violations of the Drivers Privacy Protection Act ("DPPA"), 18 U.S.C. §§ 2721, et seq., 42 U.S.C. § 1983, and the Missouri Merchandising Practices Act. Plaintiffs' claims against Defendants Public Data and Shadowsoft (collectively, Defendants") stem from their alleged violations of Plaintiffs' statutory privacy rights created by the DPPA. Pending before the Court is the Defendants' Motion to Dismiss [Doc. # 21], and Plaintiffs' Motion for leave to file Supplemental Authority in Opposition to Defendants' Motions to Dismiss [Doc. # 33]. For the reasons stated herein, both motions are denied.
I. Background
The Court treats the allegations in Plaintiffs' Complaint as true for purposes of the Defendants' motion to dismiss.
Plaintiffs allege that Shadowsoft acquired a large database from the Missouri Department of Revenue by falsely representing that this information was to be used to verify the accuracy of information of individuals doing business with Shadowsoft. This database contained information about Plaintiffs and putative class members, including their social security numbers. Shadowsoft then transferred this database to Public Data, who made the information, including social security numbers, available for sale at its website, www.publicdata.com. Public Data sold information from the database Shadowsoft obtained from the Department of Revenue, including social security numbers.
Plaintiffs claim that the Defendants' actions listed above were in violation of their and the putative class members' statutory privacy rights created in the DPPA, and that these actions further violated the Missouri Merchandising Practices Act and unjustly enriched the Defendants under Missouri law. The DPPA prohibits the knowing disclosure of "highly restricted personal information," defined to include social security numbers, without the express consent of the person to whom the information pertains, unless one of four statutory exceptions applies. 18 U.S.C. § 2721(a)(2). Plaintiffs argue that none of these exceptions were applicable to the Defendants' actions. Plaintiffs further claim the Defendants violated the DPPA by making false representations about their purposes in obtaining the database to the Missouri Department of Revenue in order to obtain the Plaintiffs' and putative class members information.
II. Discussion
In their motion, the Defendants argue that the allegations against them in Count II fail to state a claim upon which relief can be granted under the DPPA because, they argue, Plaintiffs have failed to allege that the Defendants acted with an impermissible purpose for obtaining their information under the DPPA. They further argue that Plaintiffs lack standing to bring a cause of action under the DPPA. Their motion does not discuss the Plaintiffs' claims under Missouri law for violation of the Missouri Merchandising Practices Act (Count IV) and for unjust enrichment (Count V).
In their suggestions in support, the Defendants do state, in a heading, that "Plaintiffs have no claim for `false representation under the DPPA or the MPPA.'" This may be a reference to Plaintiffs' Count IV, for violation of the Missouri Merchandising Practices Act ("MMPA"), but even if so, the argument that follows contains no further references to the MMPA or the "MPPA," and there is no mention of either in the Defendants' reply suggestions. Finally, Plaintiffs' claim for unjust enrichment is nowhere mentioned in either party's briefs on this motion. Therefore, the Court treats this motion, as a motion to dismiss only Count II — Plaintiffs' claims brought under the DPPA — for failure to state a claim and lack of standing.
On a motion to dismiss, the Court views the allegations in the Complaint in the light most favorable to Plaintiffs. Scheuer v. Rhodes, 416 U.S. 232, 236, 94 S.Ct. 1683 (1974), overruled on other grounds by Davis v. Scherer, 468 U.S. 183, 104 S.Ct. 3012 (1984). The Court must accept "the allegations contained in the complaint as true and draw all reasonable inferences in favor of the nonmoving party." Coons v. Mineta, 410 F.3d 1036, 1039 (8th Cir. 2005). A motion to dismiss for failure to state a claim must be granted if the Complaint does not contain "enough facts to state a claim to relief that is plausible on its face." Bell Atl. Corp. v. Twombly, 127 S. Ct. 1955, 1974 (2007).
A. Motion to Dismiss Count II for Failure to State a Claim
The Defendants first argue that Count II fails to state a claim under the DPPA because it fails to allege an essential element of a DPPA claim — that the Defendants obtained or disclosed the Plaintiffs' information for an impermissible purpose under the DPPA. The Defendants contend that under the DPPA, companies are not prohibited from re-selling and re-disclosing information to individuals who have a permissible use, and therefore the Plaintiffs' allegations — that the Defendants' purpose in obtaining and disclosing the information was to provide the information for sale to the general public — cannot support a DPPA claim. The Defendants' argument fails on a plain reading of the statute.
The DPPA makes it unlawful for a person to "knowingly . . . obtain or disclose personal information, from a motor vehicle record, for any use not permitted under section 2721(b)" of the Act, and further states that "[a] person who knowingly obtains, discloses, or uses [such information] for a purpose not permitted under this chapter shall be liable to the individual to whom the information pertains[.]" 18 U.S.C. § 2724(a).
The DPPA defines "person" to include entities. 18 U.S.C. § 2725(2).
Section 2721(b) contains fourteen permissible purposes for obtaining, disclosing, or using the information — exceptions to the DPPA's general rule against obtaining or disclosing personal information from a motor vehicle record. 18 U.S.C. §§ 2721(a), 2721(b), 2722, and 2724. Section 2721(a)(2) states that "highly restricted personal information" — which under section 2725(4) includes social security numbers — may be disclosed only if the individual to whom the information applies consents to the disclosure, or if the disclosure is pursuant to "uses permitted in subsections (b)(1), (b)(4), (b)(6), and (b)(9)." 18 U.S.C. §§ 2721(a)(2), 2725(4). Those four subsections provide exceptions for obtaining or disclosing highly restricted personal information:
(1) For use by any government agency, including any court or law enforcement agency, in carrying out its functions, or any private person or entity acting on behalf of a Federal, State, or local agency in carrying out its functions.
. . . .
(4) For use in connection with any civil, criminal, administrative, or arbitral proceeding in any Federal, State, or local court or agency or before any self-regulatory body, including the service of process, investigation in anticipation of litigation, and the execution or enforcement of judgments and orders, or pursuant to an order of a Federal, State, or local court.
. . . .
(6) For use by any insurer or insurance support organization, or by a self-insured entity, or its agents, employees, or contractors, in connection with claims investigation activities, antifraud activities, or underwriting.
. . . .
(9) For use by an employer or its agent or insurer to obtain or verify information relating to a holder of a commercial driver's license that is required under chapter 313 of title 49.18 U.S.C. §§ 2721(b)(1), (4), (6), (9).
The Defendants suggest that the Plaintiffs' allegation that they obtained the Plaintiffs' highly restricted personal information for the purpose of sale to the general public is insufficient to state a claim under the DPPA. They do not argue that obtaining the information for this purpose is included in the four exceptions listed above, but rather contend that section 2721(c) of the DPPA allows for re-sale or re-disclosure of personal information by a business entity, no matter the purpose for which that entity obtained the information, so long as the re-sale or re-disclosure is to individuals who have a permissible purpose for obtaining the information under section 2721(b).
Section 2721(c) does not create an additional exception to the DPPA's general rule of non-disclosure; it simply provides that once an "authorized recipient" obtains the personal information, that person or entity may only re-sell or re-disclose that information if that resale or re-disclosure is also for a purpose permitted under section 2721(b). See 18 U.S.C. §§ 2721(b) and (c). While the DPPA does not define "authorized recipient," it is clear from the context in section 2721(c) that an authorized recipient is one who has received the information pursuant to one of the 2721(b) exceptions. Section 2721(c) states, in full:
"(c) Resale or redisclosure. — An authorized recipient of personal information (except a recipient under subsection (b)(11) or (12)) may resell or redisclose the information only for a use permitted under subsection (b) (but not for uses under subsection (b)(11) or (12)). An authorized recipient under subsection (b)(11) may resell or redisclose personal information for any purpose. An authorized recipient under (b)(12) may resell or redisclose personal information pursuant to subsection (b)(12). Any authorized recipient (except a recipient under (b)(11)) that resells or rediscloses personal information covered by this chapter must keep for a period of 5 years records identifying each person or entity that receives information and the permitted purpose for which the information will be used and must make such records available to the motor vehicle department upon request."18 U.S.C. § 2721(c) (emphasis added). From the context of section 2721(c), and the references therein to recipients being authorized under particular section 2721(b) exceptions, it is clear that a recipient becomes authorized only by virtue of obtaining the information for a reason listed in section 2721(b).
Defendants cite to a district court decision from the Eastern District of Louisiana which basically holds that, because Congress used the phrase "authorized recipient," rather than "authorized user," in section 2721(c), Congress must have understood that some "authorized recipients" would be individuals or entities other than those who were authorized to use the information under an exception listed in section 2721(b). See Russell v. ChoicePoint Servs., Inc. et al., 300 F.Supp.2d 450, 455-461 (E.D. La. 2004).
The Russell court's interpretation of section 2721(c) is inconsistent with the plain language of the DPPA, which makes it unlawful for business entities to "obtain . . . personal information . . . for any use not permitted under section 2721(b)[.]" 18 U.S.C. § 2722. Section 2722's prohibition on obtaining information for any purpose other than one listed in section 2721(b) makes no sense if under section 2721(c) a business entity is allowed to receive personal information for the purpose of re-selling or re-disclosing it to others whose uses would fall under exceptions in section 2721(b) — a purpose for which there is no exception in section 2721(b). Congress could not have intended to prohibit obtaining personal information for a purpose not listed in section 2721(b) while at the same time authorizing the receipt of personal information by entities who wished to use the information in a way not contemplated by that section. The words obtain and receive both indicate that one has taken or acquired possession of some thing. BLACK'S LAW DICTIONARY 1078, 1268 (6th ed. 1990); Webster's II New College Dictionary 756, 924-925 (Margery S. Berube et al. eds. 1995). Thus, an "authorized recipient" is one authorized to receive (or obtain) something; one who is prohibited from obtaining something cannot also be an "authorized recipient" of it.
Congress could have included an additional exception in section 2721(b) to allow business entities to obtain highly restricted personal information for the purpose of re-selling or re-disclosing it to others with permissible uses; it did not do so. See Locate.Plus.Com, Inc. v. Iowa Dep't of Transp., 650 N.W.2d 609 (Iowa 2002). Because there is no such exception, obtaining personal information for this purpose is not permitted under the DPPA. Further, because section 2721(c) only allows "authorized recipients" to disclose highly restricted personal information for a purpose permitted under section 2721(b), and because the Defendants are not "authorized recipients," their subsequent disclosure to others, no matter the reason, is not permitted under the DPPA. See 18 U.S.C. § 2721(c).
Plaintiffs allege in Count II that the Defendants knowingly obtained and disclosed their highly restricted personal information from the Missouri Department of Revenue for the purpose of selling it to the general public. That purpose is not among the four reasons entities may lawfully obtain or disclose such information under section 2721(b). Plaintiffs' Complaint therefore adequately states a claim for relief under the DPPA that the Defendants unlawfully obtained and disclosed Plaintiffs' highly restricted personal information.
The Defendants also argue that Count II fails to state a claim under the DPPA under a "false representation" theory, because while section 2724(a) creates a cause of action for knowingly obtaining, disclosing, or using personal information for a use not permitted under the DPPA, it does not create a cause of action for false representation, and section 2722(b) — the DPPA provision making the use of false representations in obtaining personal information unlawful — does not create a private right of action and its enforcement is left to the United States Department of Justice. Because Count II survives the Defendants' motion to dismiss under an unlawful obtainment or disclosure theory, it is unnecessary for the Court to address this alternative argument for dismissal.
B. Motion to Dismiss Count II for Lack of Standing
Article III standing requires a plaintiff to have suffered an injury-in-fact that has a causal connection with the complained-of conduct that is likely to be redressed by a favorable decision. Pucket v. Hot Springs Sch. Dist., 526 F.3d 1151, 1157 (8th Cir. 2008) (citing Steger v. Franco, Inc., 228 F.3d 889, 892 (8th Cir. 2000); see also Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61, 112 S.Ct. 2130 (1992)). The Defendants claim that Plaintiffs lack standing to bring their DPPA claim because their Complaint: (1) fails to "allege any specific facts concerning their . . . individual harm or damage; and (2) because Plaintiffs fail to plead any "improper use or obtainment [under the DPPA] . . . Plaintiffs cannot establish the necessary causal connection, and in turn, cannot demonstrate redressability." (Sugg. Opp. 14-15).
In their Complaint, Plaintiffs allege that the Defendants "knowingly obtained, acquired, and disclosed the Plaintiffs' . . . highly restricted personal information, as defined by the DPPA, for a use not permitted under the statute — for sale to the general public — in violation of the DPPA[.]" (Compl. ¶ 48) (emphasis added). The Complaint alleges that Shadowsoft acquired the information from the Missouri Department of Revenue, and that Public Data in turn acquired the information from Shadowsoft for this unpermitted purpose. (Compl. ¶¶ 22, 24-25, 46-48). Plaintiffs have clearly alleged that they suffered an injury-in-fact caused by Defendant's violations of the DPPA. The DPPA is designed to protect personal information. Parus v. Allstate Ins. Co., No. 05-C-0063-C, 2005 WL 2240955 (W.D. Wis. Sept. 14, 2005) (citing 139 Cong. Rec. S15765 (1993)). It protects drivers' privacy by placing restrictions on the purposes for which personal information may be obtained, used, and disclosed. The Complaint's allegations that the Defendants unlawfully obtained Plaintiffs' highly restricted personal information, in violation of their privacy rights under the DPPA, suffice to establish injury-in-fact. Under the DPPA, "improperly obtaining [a] plaintiff's information [is] an injury." Id. The Defendants' argument that Plaintiffs' allegations are insufficient to establish causation or redressability are based upon their argument — rejected above — that they did not obtain or disclose Plaintiffs' information unlawfully. The Court will not dismiss Plaintiffs' Complaint for lack of standing.
II. Plaintiffs' Motion for Leave to File Supplemental Authority
Plaintiffs have moved the Court for leave to file supplemental authority in opposition to Defendants motions to dismiss [Doc. # 33]. It would be inappropriate for the Court to consider additional outside evidence on Defendants' motions to dismiss where Defendants introduced no outside evidence. Moreover, the documents Plaintiffs wish to file would have no bearing on the Court's resolution of the Defendants' motions to dismiss.
III. Conclusion
Accordingly, it is hereby
ORDERED that Defendants' Motion to Dismiss [Doc. # 21] is DENIED; it is further
ORDERED that Plaintiffs Motion for Leave to File Supplemental Authority in Opposition to Defendants' Motions to Dismiss [Doc. # 33] is DENIED.