From Casetext: Smarter Legal Research

Wiles v. Worldwide Info., Inc.

United States District Court,W.D. Missouri,Western Division.
Aug 15, 2011
809 F. Supp. 2d 1059 (W.D. Mo. 2011)

Opinion

Case No. 09–4164–CV–C–NKL.

2011-08-15

Sam WILES and Carol Watkins, Individually and on Behalf of All Others Similarly Situated, Plaintiffs, v. WORLDWIDE INFORMATION, INC., Defendant.

Don P. Saxton, Mitchell L. Burgess, Burgess & Lamb, P.C., Ralph K. Phalen, Kansas City, MO, for Plaintiffs. Andrew P. Botti, McLane, Graf, Raulerson & Middleton, PA, Woburn, MA, Brett J. Coppage, James Moloney, V., Richard N. Bien, Lathrop & Gage LLP, Kansas City, MO, for Defendant.


Don P. Saxton, Mitchell L. Burgess, Burgess & Lamb, P.C., Ralph K. Phalen, Kansas City, MO, for Plaintiffs. Andrew P. Botti, McLane, Graf, Raulerson & Middleton, PA, Woburn, MA, Brett J. Coppage, James Moloney, V., Richard N. Bien, Lathrop & Gage LLP, Kansas City, MO, for Defendant.

ORDER

NANETTE K. LAUGHREY, District Judge.

This case concerns the sale by Missouri of its driver's license database to Worldwide Information, Inc. (“Worldwide”), which in turn markets the personal information to third parties. The first question presented is whether the Driver's Privacy Protection Act (“DPPA”) permits a reseller to obtain drivers license information from a state when its sole purpose is to resell the information to third parties. The second question presented is whether a reseller can disclose the entire database to a business or individual having only a potential future use for some of the information sold, so long as there is no evidence of specific misuse, such as identity theft or stalking. The majority of courts which have decided these questions have concluded that the DPPA permits the practices. The Court disagrees.

I. The Driver's Privacy Protection Act

In 1994, Congress enacted the DPPA to protect the privacy of drivers. The DPPA makes it generally “unlawful for any person knowingly to obtain or disclose personal information, from a motor vehicle record, for any use not permitted under section 2721(b) of this title.” 18 U.S.C. § 2722(a). Section 2721(b) is the first of two sections central to this case. It lists the fourteen permissible uses that are exceptions to the general rule prohibiting obtainment and disclosure of drivers' personal information. Those uses are:

(1) For use by any government agency, including any court or law enforcement agency, in carrying out its functions, or any private person or entity acting on behalf of a Federal, State, or local agency in carrying out its functions.

(2) For use in connection with matters of motor vehicle or driver safety and theft; motor vehicle emissions; motor vehicle product alterations, recalls, or advisories; performance monitoring of motor vehicles, motor vehicle parts and dealers; motor vehicle market research activities, including survey research; and removal of non-owner records from the original owner records of motor vehicle manufacturers.

(3) For use in the normal course of business by a legitimate business or its agents, employees, or contractors, but only

(A) to verify the accuracy of personal information submitted by the individual to the business or its agents, employees, or contractors; and

(B) if such information as so submitted is not correct or is no longer correct, to obtain the correct information, but only for the purposes of preventing fraud by, pursuing legal remedies against, or recovering on a debt or security interest against, the individual.

(4) For use in connection with any civil, criminal, administrative, or arbitral proceeding in any Federal, State, or local court or agency or before any self-regulatory body, including the service of process, investigation in anticipation of litigation, and the execution or enforcement of judgments and orders, or pursuant to an order of a Federal, State, or local court.

(5) For use in research activities, and for use in producing statistical reports, so long as the personal information is not published, redisclosed, or used to contact individuals.

(6) For use by any insurer or insurance support organization, or by a self-insured entity, or its agents, employees, or contractors, in connection with claims investigation activities, antifraud activities, rating or underwriting.

(7) For use in providing notice to the owners of towed or impounded vehicles.

(8) For use by any licensed private investigative agency or licensed security service for any purpose permitted under this subsection.

(9) For use by an employer or its agent or insurer to obtain or verify information relating to a holder of a commercial driver's license that is required under chapter 313 of title 49.

(10) For use in connection with the operation of private toll transportation facilities.

(11) For any other use in response to requests for individual motor vehicle records if the State has obtained the express consent of the person to whom such personal information pertains.

(12) For bulk distribution for surveys, marketing or solicitations if the State has obtained the express consent of the person to whom such personal information pertains.

(13) For use by any requester, if the requester demonstrates it has obtained the written consent of the individual to whom the information pertains.

(14) For any other use specifically authorized under the law of the State that holds the record, if such use is related to the operation of a motor vehicle or public safety. 18 U.S.C. § 2721(b).

The second section in dispute provides that an “authorized recipient” may resell driver's license information under certain limited circumstances:

(c) Resale or redisclosure.—An authorized recipient of personal information (except a recipient under subsection (b)(11) or (12)) may resell or redisclose the information only for a use permitted under subsection (b) (but not for uses under subsection (b)(11) or (12)). An authorized recipient under subsection (b)(11) may resell or redisclose personal information for any purpose. An authorized recipient under subsection (b)(12) may resell or redisclose personal information pursuant to subsection (b)(12). Any authorized recipient (except a recipient under subsection (b)(11)) that resells or rediscloses personal information covered by this chapter must keep for a period of 5 years records identifying each person or entity that receives information and the permitted purpose for which the information will be used and must make such records available to the motor vehicle department upon request. 18 U.S.C. § 2721(c).

The majority of courts reading these sections have concluded that they permit wholesale resellers to obtain in bulk every driver's personal information so long as there is no evidence of specific misuse. See, e.g., Taylor v. Acxiom Corp., 612 F.3d 325 (5th Cir.2010). In other words, a reseller is not limited to obtaining personal information only for a specific customer qualified to use it by the DPPA, nor need the reseller itself have a right to the information under one of the fourteen exceptions to the DPPA's rule of nondisclosure. In addition, the information can be sold in bulk to purchasers, even though the purchaser is only authorized under the DPPA to receive one piece of information. For example, according to the reasoning of Taylor and the majority of courts, since the DPPA permits drivers license information to be disclosed “for use in providing notice to the owners of towed or impounded vehicles”, 18 U.S.C. § 2721(b)(7), a Cabool, Missouri, tow truck operator may obtain the entire license database, including highly restricted personal information such as social security numbers, because one day the tow truck operator might need a single piece of information from the database. The majority of courts reason that so long as the private information is not actually used in a “prohibited” manner there is no violation of the DPPA. Yet the DPPA never explicitly lists any prohibited uses; rather, it generally prohibits all but the fourteen permissible uses enumerated in section 2721(b).

Having reviewed the language of the DPPA and its legislative history, the Court concludes that Congress did not intend the DPPA to authorize this widespread dissemination of private information untethered from the very uses that Congress listed in the DPPA.

II. Factual Record

Defendant Worldwide, a wholly owned subsidiary of LocatePlus Holdings Corp., is in the business of purchasing for resale state motor vehicle and driver's license records. Worldwide obtains motor vehicle and driver's license records from states such as Massachusetts, Maine, Wisconsin, Idaho, and Missouri. Not all states grant companies like Worldwide such broad access to these department of motor vehicle (“DMV”) records.

Worldwide began receiving DMV records from Missouri in 1999, and its last request for such information was in late 2009 and was for the entire Missouri driver's license database. The data file acquired by Defendant from the Missouri Department of Revenue (“DOR”) included Missouri drivers' names, addresses, height, weight, eye color, organ donor information, driver's license numbers, and some social security numbers. [Doc. # 48, Ex. 3.] Following the filing of this suit, Worldwide now runs a query searching for nine-digit numbers to identify social security numbers, which it eliminates from the information it sells to its customers. Since March 2010, after receipt of the Missouri DMV records and prior to resale, Worldwide has eliminated all social security numbers from the information resold.

In order to receive access to Missouri's DMV records, a Form 4678, “Request for Security Access,” must be completed, signed, and submitted to the Missouri DOR for review. Form 4678 states: “A record holder's photograph, social security number, and medical or disability information may only be obtained for use 1) by any government agency in carrying out its functions,” as well as in three other limited circumstances, consistent with the DPPA.

[Doc. # 48, Ex. 4.] On at least one Form 4678 that it submitted to the State of Missouri, Defendant Worldwide represented that it was “seeking information ... [a]s a government agency (federal, state, or local) or employed by such.” Id. Shannon Civitarese, Defendant's representative, has testified that Worldwide is not a government agency of any kind, nor an employee or agent of a government agency. [Doc. # 48, Ex. 2 at 90–91.]

Section 2721(a)(2) creates an even higher level of protection for “highly restricted personal information”—defined as “an individual's photograph or image, social security number, medical or disability information”—which may be obtained or disclosed only with the consent of the individual or pursuant to the limited “uses permitted in subsections (b)(1), (b)(4), (b)(6), and (b)(9).” 18 U.S.C. §§ 2721(a)(2), 2725(4).

When Worldwide's customers requested data, they were provided with the entire database for all Missouri drivers—including the social security numbers of thousands of Missourians—even if the customers only needed one individual's record. Defendant's customers completed a “Vehicle/Driver CD–ROM Request” form requiring them to check a box indicating which DPPA exception they met in order to obtain the entire database. At least some of these forms submitted to Worldwide indicated that its customers did not claim to be authorized to use “highly restricted personal information” under the DPPA. [Doc. # 48, Exs. 7–9.] Nonetheless, the entire database was sold to them, including social security numbers. World Wide has never received authorization from any Missouri resident to obtain their DMV data.

III. Summary Judgment Standard

Before the Court are cross-motions for summary judgment [Docs. # 47, 48]. Summary judgment is proper “if the pleadings, the discovery and disclosure materials on file, and any affidavits show that there is no genuine issue as to any material fact and that the movant is entitled to judgment as a matter of law.” Fed.R.Civ.P. 56(c). The moving party “bears the initial responsibility of informing the district court of the basis for its motion” and must identify “those portions of [the record] which it believes demonstrate the absence of a genuine issue of material fact.” Celotex Corp. v. Catrett, 477 U.S. 317, 323, 106 S.Ct. 2548, 91 L.Ed.2d 265 (1986). If the moving party satisfies its burden, Rule 56(e) requires the non-moving party to respond by submitting evidentiary materials that designate “specific facts showing that there is a genuine issue for trial.” Matsushita Elec. Indus. Co. v. Zenith Radio Corp., 475 U.S. 574, 587, 106 S.Ct. 1348, 89 L.Ed.2d 538 (1986). In determining whether summary judgment is appropriate, a district court must look at the record and any inferences to be drawn from it in the light most favorable to the non-moving party. Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 255, 106 S.Ct. 2505, 91 L.Ed.2d 202 (1986). Summary judgment is not proper if the evidence is such that a reasonable fact-finder could return a verdict for the non-moving party. Id. at 248, 106 S.Ct. 2505.

IV. Statutory Construction Standard

Plaintiffs suggest that the DPPA “must be given a liberal construction consistent with its overriding purpose” to protect drivers' privacy. [Doc. # 52 at 15 (quoting United States v. Naremco, Inc., 553 F.2d 1138, 1141 (8th Cir.1977)) (citations omitted).] Even though some courts have referred to the DPPA as remedial, “[t]he mere fact that a statute is characterized as ‘remedial’ ... is of little value in statutory construction unless the term ‘remedial’ has for this purpose a more discriminate meaning” than simply providing legal remedies. 3 Norman J. Singer & J.D. Shambie Singer, Statutes and Statutory Construction § 60:2, at 267 (7th ed.2008) [hereinafter Sutherland Statutory Construction ]. For purposes of statutory construction, “[u]sually ‘remedial’ is used in connection with legislation which is not penal or criminal in nature....” Id. at 268. Within the DPPA, section 2723(a) provides for the possibility of a “Criminal fine.” 18 U.S.C. § 2723(a).

On the other hand, the mere fact that one of the DPPA's possible enforcement mechanisms is a criminal fine does not trigger a lenient interpretation. Even for statutes that are entirely penal in nature:

In most respects, the interpretation of penal laws does not differ from the construction of other statutes. The standard of decision is either the intent of the legislature or what the statute means to others, and the determination of such relies on other canons of statutory construction. A court's primary objective is to ensure that the purpose of the legislature is accomplished. Sutherland Statutory Construction, supra, § 59:8, at 226. As the Eighth Circuit has explained: “[T]he rule that a penal statute is to be strictly construed in favor of persons accused, is not violated by allowing the language of the statute to have its full meaning, where that construction supports the policy and purposes of the enactment.” Wilson v. United States, 77 F.2d 236 (8th Cir.1935) (citations omitted); see also United States v. R.L.C., 915 F.2d 320, 325 (8th Cir.1990) (“The rule of lenity states that a court cannot interpret a federal criminal statute so as to increase the penalty that it places on an individual when such an interpretation can be based on no more than a guess as to what Congress intended.” (internal quotation and citation omitted)).

Because neither the remedial statute rule of liberal construction nor the criminal law rule of lenity apply to these circumstances, the Court declines to give either a liberal construction or a lenient construction to the statute. Instead, the Court interprets the DPPA in accordance with its plain language and legislative purpose. This “plain meaning” or “plain language” rule of statutory interpretation “requires examining the text of the statute as a whole by considering its context, ‘object, and policy.’ ” Harmon Indus., Inc. v. Browner, 191 F.3d 894, 899 (8th Cir.1999) (quoting Pelofsky v. Wallace, 102 F.3d 350, 353 (8th Cir.1996)). Resort to legislative history is appropriate when a statute is ambiguous or to show that the plain reading of the text would be “demonstrably at odds with the intentions of its drafters, and those intentions must be controlling.” Owner–Operator Indep. Drivers Ass'n v. United Van Lines, LLC, 556 F.3d 690, 695 (8th Cir.2009) (quoting Griffin v. Oceanic Contractors, Inc., 458 U.S. 564, 571, 102 S.Ct. 3245, 73 L.Ed.2d 973 (1982)).

V. Plaintiffs' Claims and Worldwide's Defenses

Plaintiffs bring this class action under section 2724(a) of the DPPA: “A person who knowingly obtains, discloses, or uses personal information, from a motor vehicle record, for a purpose not permitted under this chapter shall be liable to the individual to whom the information pertains, who may bring a civil action in a United States district court.” 18 U.S.C. § 2724(a). Worldwide presents two primary arguments in its defense: (1) it legally obtained the DMV records because the state of Missouri authorized it to receive personal information; and (2) there is no evidence that it obtained or disclosed information for an impermissible purpose, even though it routinely sold every Missouri driver's personal information to customers with, at most, a permissible use for some drivers' information.

VI. Did Worldwide Legally Obtain Missouri Driver's License Database Because the State of Missouri Gave it to Worldwide

It is undisputed that Worldwide did not obtain the entire Missouri driver's license database because it qualified under one of the fourteen exceptions to the DPPA's default rule of nondisclosure. [Doc. # 48 at 4, ¶ 13.] Instead, Worldwide, as a reseller, relies on section 2721(c) for its authority to obtain Missouri's database of personal information. That section states:

(c) Resale or redisclosure.—An authorized recipient of personal information (except a recipient under subsection (b)(11) or (12)) may resell or redisclose the information only for a use permitted under subsection (b) (but not for uses under subsection (b)(11) or (12)). An authorized recipient under subsection (b)(11) may resell or redisclose personal information for any purpose. An authorized recipient under subsection (b)(12) may resell or redisclose personal information pursuant to subsection (b)(12). Any authorized recipient (except a recipient under subsection (b)(11)) that resells or rediscloses personal information covered by this chapter must keep for a period of 5 years records identifying each person or entity that receives information and the permitted purpose for which the information will be used and must make such records available to the motor vehicle department upon request. 18 U.S.C. § 2721(c). Worldwide argues that it is “an authorized recipient because the state of Missouri—like many other states—statutorily and contractually authorized Worldwide to obtain records for resale.” [Doc. # 50 at 14.]

A. The Plain Meaning of the Text

Based on the language of the DPPA, the Court concludes that Congress used the term “authorized recipient” in section 2721(c) to refer to those persons or entities that obtained the information pursuant to one or more of the fourteen exceptions immediately preceding the reference to “authorized recipient.” Rather than writing “an individual or entity obtaining personal information for uses authorized by the preceding section,” Congress wrote “authorized recipient”—not a particularly surprising shorthand in the annals of statutory construction. This conclusion is grounded in the express language of the DPPA as well as its legislative history.

First, sections 2721(a) and 2722(a) make nondisclosure of personal information the default rule. See 18 U.S.C. § 2721(a) (“In general” prohibiting disclosure of personal information “except as provided in subsection (b)”); 18 U.S.C. § 2722(a) (“It shall be unlawful for any person knowingly to obtain or disclose personal information ... for any use not permitted under section 2721(b) of this title.”). Section 2721(b) then lists fourteen exceptions to nondislosure and there is no exception for wholesale resellers. One would expect that if Congress intended to make a fifteenth exception to the nondisclosure rule, it would have mentioned it when listing exceptions to the rule of nondisclosure.

Second, the language of section 2721(c) supports the Court's conclusion. According to that section, “[a]n authorized recipient of personal information (except a recipient under subsection (b)(11) or (12)) may resell or redisclose the information only for a use permitted under subsection (b) (but not for uses under subsection (b)(11) or (12)). An authorized recipient under (b)(11) may resell or redisclose personal information for any purpose. An authorized recipient under section (b)(12) may resell or redisclose personal information pursuant to subsection (b)(12).” 18 U.S.C. § 2721(c). In each sentence of section 2721(c) Congress linked the term “authorized recipient” to the specific section of 2721(b), that had authorized the release of the information to the recipient. The only explanation for this is that Congress intended authorized recipients to be individuals or entities, or their agents, qualified to receive the information by the terms of section 2721(b). To read section 2721(c) otherwise would lead to the absurd result that resellers could obtain all of the personal information in the database simply by calling themselves resellers, while everyone else—including law enforcement—would have to justify their receipt of personal information under the 2721(b) exception applicable to them.

Similarly, as discussed further below, Worldwide's interpretation produces the absurd result of resellers having far greater latitude to obtain and disclose information than do persons who obtain information under section 2721(b)(12) for bulk distribution of commercial surveys and solicitations. Section 2721(b)(12) is the only DPPA exception which makes reference to “bulk distribution,” and it requires that individuals opt in by providing their express consent to such bulk release for marketing and solicitation. Because the release is dependent on the person's consent, section 2721(c) does not permit the resale of this information for any purpose except marketing and solicitation. See 18 U.S.C. § 2721(c) (“An authorized recipient under section (b)(12) may resell or redisclose personal information [only] pursuant to subsection (b)(12).”). Thus, according to the plain language of section 2721(c), a law enforcement agency cannot obtain personal information which was obtained in bulk based on the owner's express consent under (b)(12), even though law enforcement agencies are authorized recipients under section 2721(b)(1). This is because Congress was being careful to limit resale to the exact purpose that the Missouri citizen had consented to. But under Worldwide's interpretation, a reseller need not qualify under any one of section 2721(b)'s exceptions and thus is not limited by any of these 2721(c) restrictions. It makes no sense to give such latitude to resellers and simultaneously restrict 2721(b)(12) recipients.

Given the strict linkage between the method of obtainment and the restrictions on resale, Congress could not have intended to create a gaping hole in the statute for resellers by authorizing them to obtain the entire driver's license database simply by identifying themselves as a reseller. At a minimum, if Congress sought to create a separate exception for resellers, it would have at least mentioned “resellers” and added a qualifying adjective such as “legitimate,” as it did with respect to business use of personal information. 18 U.S.C. § 2721(b)(3) (personal information may be disclosed “[f]or use in the normal course of business by a legitimate business” (emphasis added)). In fact, given that wholesale resellers are businesses which sell information, Congress could easily have added a subsection (C) to 18 U.S.C. § 2721(b)(3) to permit such businesses to obtain DMV records for resale. It did not. Instead, all of the language of the statute, as well as the absence of any reference to wholesale resellers, shows that Congress did not intend for those resellers to have uniquely unfettered access to DMV records.

B. The Legislative History

Even assuming that the text leaves any ambiguity regarding the limitations placed on “authorized recipients,” the DPPA's legislative history also supports the Court's conclusion. According to the statement made by Congressman James P. Moran, the DPPA's sponsor in the House of Representatives:

Careful consideration was given to the common uses now made of this information and great efforts were made to ensure that those uses were allowed under this bill. Among those who will continue to have unfettered access are federal and state governments and their contractors, for use in auto recalls, by businesses (such as an insurance company) to verify the accuracy of personal information submitted by a licensee, for use in any civil or criminal proceeding, in research activities, and in marketing activities as long as the individual has been given the opportunity to opt out.

Protecting Driver Privacy: Hearings on H.R. 3365 Before the Subcomm. on Civil and Constitutional Rights of the House Comm. on the Judiciary, 103d Cong., 2d Sess., 1994 WL 212698 (Feb. 3, 1994) [hereinafter Statement of Rep. Moran ]. There is no mention here of the need for resellers to obtain drivers' personal information. Instead, the Congressman referred exclusively to the permissible uses listed in section 2721(b).

As Taylor explains, “[t]he ‘opt out’ provisions of the original legislation with respect to bulk distribution” under subsection (b)(12) “were changed to the ‘opt in’ provisions now in § 2721(b)(11) and (12) by the October 1999 amendments to the DPPA.” 612 F.3d at 337 n. 10 (citing Pub.L. No. 106–69, 113 Stat. 986 (Oct. 9, 1999)). This amendment was clearly intended to provide even greater protection for drivers' privacy.

In the same statement, Congressman Moran focused primarily on “the need for individuals to have some control over how personal information about them is used.” Id. He explained that the DPPA “prohibit[s]” the disclosure of personal information “about a licensee unless there is a specific, approved reason for doing so.Id. (emphasis added). Congressman Moran concluded his statement by asserting that “privacy is ... a basic human right to which every person is entitled.” Id. As this peroration suggests, while the DPPA strikes a balance with legitimate business and governmental concerns through the exceptions enumerated in section 2721(b), the overriding purpose of the statute is plain by its title: The Driver's Privacy Protection Act. It would be inconsistent with this purpose to permit wholesale resellers to obtain all of the personal information that Congress sought to shield simply because they planned to resell it in the open market.

C. Counterarguments in Taylor and ChoicePoint

Critics of the Court's interpretation have asked “why Congress would require resellers to actually use the records before reselling the records.” Taylor, 612 F.3d at 338. But this question has no relevance because there is no contention that the information has to be used before resale. Congress did not require that the information had to be used before it was resold—nor did this Court intend to suggest that no information could be resold before it was used. Roberts v. Source for Public Data, No. 08–CV–C–04167–NKL, 2008 WL 5234675, *1, *3 (W.D.Mo. Dec. 12, 2008) (rejecting the “conten[tion] that section 2721(c) of the DPPA allows for re-sale or re-disclosure of personal information by a business entity, no matter the purpose for which that entity obtained the information”). Indeed, the Court's interpretation in Roberts never precluded a true agent from obtaining information for the purpose of facilitating its customer's permissible use and never held that an authorized recipient must use the information before reselling it.

The more relevant question is why Congress would limit resale to persons or entities that had obtained the information pursuant to one of the fourteen specific permissible uses. The answer is not surprising. Congress, like its constituents, feared that private information widely circulated in vast databases would be intentionally or inadvertently leaked, and there would be no practical way to identify the source of the leak. Nor would there be a viable way to know whether unscrupulous individuals within recipient organizations were secretly trolling through drivers' personal information to learn about a neighbor or ex-girlfriend. Indeed, the DPPA's House sponsor recognized that the advent of computer technology made it increasingly difficult to control information: “Computers have enabled individuals with a click of a button to pull up a DMV record ... [which] makes it more important that safeguards are in place to protect personal information.” Statement of Rep. Moran, supra. By limiting the release of information to persons or entities with specific permissible purposes, the DPPA also limits the numbers of persons with access to personal information and maintains the balance between privacy and the societal needs expressed in the fourteen exceptions. This reasoning does not read the provision on resale out of existence, but it does prevent wholesale retailers' access to DMV databases containing every driver's private information, a result that is consistent with the language and structure of the legislation as well as its legislative history.

With respect to its interpretation of “authorized recipient,” Taylor relied on Russell v. ChoicePoint Services, Inc., 300 F.Supp.2d 450 (E.D.La.2004). See Taylor, 612 F.3d at 338 (noting ChoicePoint's “careful analysis of ‘authorized recipient’ ”). The ChoicePoint opinion concluded that “authorized recipient” in section 2721(c) of the DPPA refers to anyone authorized by a state DMV to purchase personal information from it. ChoicePoint, 300 F.Supp.2d at 457. The judge reasoned that dictionaries commonly define the term “authorize” as a grant of authority—e.g., by a state or municipal agency—and

[i]t is doubtful that Congress employed the term “authorized” to refer to the DPPA directly sanctioning a recipient because the Act otherwise speaks in terms of “use” rather than “user” and provides no process or guidelines for authorization. More likely, Congress intended to leave the recipient authorization process to the states. Id. at 456 (emphasis added).

ChoicePoint also relies on legislative history to support its conclusion. By its logic, because Congress was aware that states sold driver's license information to resellers and wanted to “strike ‘a critical balance between legitimate governmental and business needs for this information and the fundamental right of our people to privacy and safety’,” Congress must have intended to permit states to decide which recipients should obtain the information. Id. at 456 (citing 139 Cong. Rec. § 15, 763 (1993)). Hence, all those selected by the state to purchase personal information from it automatically become “authorized recipients” under section 2721(c) of the DPPA.

There are several problems with the analysis and conclusions in the ChoicePoint opinion. First, while stating that it relies on the plain language of the DPPA, ChoicePoint does not discuss the language of section 2721(c) that categorizes authorized recipients based on the subsection of 2721(b) “under” which the information is obtained. Section 2721(c)'s multiple references to section 2721(b) cannot be ignored. As previously explained, section 2721(c)'s careful treatment of (b)(11) and (b)(12) is inconsistent with the notion that Congress intended to give more latitude to wholesale resellers than to entities obtaining information under an enumerated permissible use in section 2721(b). Moreover, ChoicePoint's statement that the DPPA provides “no process or guidelines for authorization,” id. at 456, is contrary to the express language in section 2721(b) listing fourteen exceptions to the general rule that drivers' personal information may not be sold.

It strains credulity even further to suggest that, in enacting federal legislation to limit the states' sales of their drivers' personal information, Congress delegated to the states the power to authorize any business to purchase from them and resell entire DMV databases (provided the resellers' customers check a box promising to comply with the DPPA). After all, the DPPA begins with the general prohibition: “A State department of motor vehicles, and any officer, employee, or contractor thereof, shall not knowingly disclose or otherwise make available to any person or entity ... personal information ... except as provided in subsection (b) of this section.” 18 U.S.C. § 2721(a). The Supreme Court's Reno v. Condon decision has become part of the Constitutional Law canon, teaching law students that the Tenth Amendment is no bar to federal regulation of states' sales of drivers' personal information. Reno v. Condon, 528 U.S. 141, 143, 120 S.Ct. 666, 145 L.Ed.2d 587 (2000) (“hold[ing] that in enacting this statute Congress did not run afoul of the federalism principles”). Yet ChoicePoint now suggests that Congress intended to delegate such regulation of the states to the states—the very sellers of drivers' personal information that Congress saw fit to restrict (“Congress intended to leave the recipient authorization process to the states.” ChoicePoint, 300 F.Supp.2d at 456).

Finally, the ChoicePoint opinion observes that in other consumer protection statutes Congress limited the distribution of information to specific persons (such as “a law enforcement agency” or “consumer” or “any person”) and Congress did not do so in the DPPA. Therefore, in the DPPA Congress must not have been concerned with who gets the information; Congress was only concerned with misuse of the information.

In fact, in the DPPA Congress did authorize specific types of persons to receive the information just as it did in the consumer statutes relied on by ChoicePoint. See, e.g., 18 U.S.C. § 2721(b)(6) (insurance companies), (b)(1) (government agencies or law enforcement), (b)(3) (legitimate businesses), (b)(8) (private investigation agencies). But, because the DPPA is quite detailed and many types of entities or persons could qualify under some of the exceptions, it was not practical to list them all. See, e.g., 18 U.S.C. §§ 2721(b)(7) (for use in providing notice to owners of towed vehicles); 2721(b)(4) (for use in connection with any civil or criminal proceeding). It does not follow from this linguistic structure that Congress intended that anyone could obtain every driver's personal information so long as they did not misuse it. Otherwise, Congress could have written a shorter statute prohibiting only the use of personal information (except for the fourteen permissible uses), and there would have been no need to prohibit obtainment and disclosure as well. See 18 U.S.C. § 2724(a) (“A person who knowingly obtains, discloses or uses personal information, from a motor vehicle record, for a purpose not permitted under this chapter shall be liable to the individual to whom the information pertains.” (emphasis added)). Under such an alternative DPPA, when someone used a driver's personal information to stalk and kill them, the killer would face a penalty under the DPPA—no doubt an ineffective deterrent. In reality, rather than just attempting to deter stalkers by providing for their civil and criminal liability after the fact, Congress restricted the free flow of private information to prevent it from leaking out in the first place.

In summary, the Court interprets “authorized recipient” as any individual or entity, or their agent, that obtains personal information from DMV records for one of the permissible uses under section 2721(b). This reading of section 2721(c) is supported by dicta in Reno v. Condon. After listing section 2721(b)'s fourteen permissible purposes, Chief Justice Rehnquist equated authorized recipients under section 2721(c) with “private persons who have obtained drivers' personal information for one of the aforementioned permissible purposes to further disclose that information for any one of those purposes.” Reno v. Condon, 528 U.S. at 146, 120 S.Ct. 666 (citing 18 U.S.C. § 2721(c)). This is also the most logical conclusion based on the language of the DPPA, the purpose of the statute, the legislative history, and common sense. The DPPA does not delegate to the states the decision of who is an “authorized recipient” as that term is used in the DPPA.

The Taylor court—apparently recognizing the problems with the reasoning in ChoicePoint—cites it approvingly without delving into the details of its analysis, adding only: “An authorized recipient would be under ‘subsection (b)(12),’ for example, if the state gives him the data for the purpose of reselling it to a person who uses it for marketing in conformity with (b)(12).” Taylor, 612 F.3d at 339 (emphasis added). Taylor seems to reason that because the state could disclose personal information pursuant to one of the DPPA exceptions, Congress cross-referenced 2721(b) in every sentence of 2721(c) merely to suggest to the states that they might consider 2721(b) in deciding whether to designate under which 2721(b) exception the information was being given. The Court sees no other way to reconcile Taylor's reliance on ChoicePoint with the ambiguous explanation quoted above. However, this opaque construction of section 2721(c) means that Congress was only making suggestions to the states about how to disclose the information, an interpretation that is at odds with normal congressional behavior and the purpose of the DPPA. Regardless, it is simply illogical that Congress intended to delegate to the states the right to decide who could purchase the DMV records, since the DPPA was passed specifically to restrict the states' sales of those DMV records.

For the reasons stated above, Worldwide's first argument fails. Worldwide is not “an authorized recipient because the state of Missouri—like many other states—statutorily and contractually authorized Worldwide to obtain records for resale.” [Doc. # 50 at 14.]

VII. Are Bulk Sales Generally Permissible under the DPPA?

Even if Worldwide qualified as an authorized recipient, “[a]n authorized recipient of personal information ... may resell or redisclose the information only for a use permitted under subsection (b) ” of the DPPA. 18 U.S.C. § 2721(c) (emphasis added). Worldwide maintains that it complies with the DPPA's requirements as long as each of its customers has a permissible use for the personal information of at least one driver out of the millions of drivers whose information Worldwide sells on its CD–ROMs. An analysis of the text, structure, and legislative history of the DPPA again refutes Worldwide's argument.

A. Textual Analysis of Section 2721(b)

Although acknowledging the ambiguity of section 2721(b), Taylor ultimately concludes that “Congress intended bulk distribution.” 612 F.3d at 336; see also Laura S. Underkuffler, Judicial Takings: A Medley of Misconceptions, 61 Syracuse L.Rev. 203, 209–10 (2010) (“A state's bulk sale of individuals' driver's license data to third parties, and the resale of that data to other parties, was upheld by an appellate court despite what appeared to be clear statutory law to the contrary.” (citing Taylor, 612 F.3d at 340)). According to Taylor, bulk sales of personal information are permitted by the DPPA as long as the recipient “does not actually use, or intend to use, any of the information in a manner prohibited by section 2721(b)....” 612 F.3d at 337. DMV records can always be sold in bulk even if the reseller's customer has no existing permissible use under section 2721(b). Again, the Court must disagree.

Taylor correctly notes that only subsection (b)(11) explicitly refers to “individual motor vehicle records” and only (b)(12) explicitly refers to “bulk distribution”; for “the remaining twelve permissible uses, the statute seems to have more than one reasonable interpretation: individual release, bulk release, or both.” Id. at 335. Taylor reasons that it would “not make sense that Congress would expressly limit states to individual distribution with one permissible use if Congress intended to limit all of the permissible uses to individual distribution,” and therefore concludes that Congress intended bulk distribution. Id. at 336.

In reaching this conclusion, Taylor first misapplied the maxim of expressio unius est exclusio alterius. Taylor applied its version of the rule: “Where Congress includes particular language in one section of a statute but omits it in another section of the same Act, it is generally presumed that Congress acts intentionally and purposely in the disparate inclusion or exclusion.” Id. at 336 (quoting Arif v. Mukasey, 509 F.3d 677, 681 (5th Cir.2007)). However, the expressio unius maxim—“the expression of one thing is the exclusion of another”

does not apply to every statutory listing or grouping. It has force only when the items expressed are members of an associated group or series, justifying the inference that the items not mentioned were excluded by deliberate choice.... [For example, a] statute which provides that a thing shall be done in a certain way carries with it an implied prohibition against doing that thing in any other way. 2A Sutherland Statutory Construction, supra, § 47:23, at 405–413. Moreover, “there should be some evidence the legislature intended its (expressio unius) application lest it prevail as a rule of construction despite the reason for and the spirit of the enactment.” Id. § 47:25, at 437 (internal quotation omitted).

The fact that only subsection (b)(11) explicitly refers to “individual motor vehicle records,” only (b)(12) explicitly refers to “bulk distribution,” and the twelve remaining subsections are silent on the manner of distribution does not justify Taylor's inference that Congress could not have intended to generally limit the permissible uses to individual distribution. One could more plausibly infer that Congress would not expressly permit states to distribute personal information in bulk for just one permissible use if Congress intended to permit bulk distribution for all of the permissible uses. Such an interpretation is far more consistent with the DPPA's primary purpose—to protect drivers' privacy.

Indeed, “[t]he enumeration of exclusions from the operation of a statute indicates that the statute should apply to all cases not specifically excluded.” Id. § 47:23, at 418. As previously explained, the specific uses permitted under section 2721(b) are enumerated exceptions to a general rule banning the sale of drivers' personal information. See 18 U.S.C. § 2721(a) (“In general” prohibiting disclosure of personal information “except as provided in subsection (b)”). That general rule of nondisclosure must be applied to all uses not specifically excluded by section 2721(b), and bulk distribution is only specifically excluded in subsection (b)(12).

Even assuming that Congress did not intend to limit all of the permissible uses to individual distribution, it does not follow that bulk distribution is always permissible under the statute so long as the recipient “does not actually use, or intend to use, any of the information in a manner prohibited by section 2721(b)....” Taylor, 612 F.3d at 337. Again, there is no listing of “prohibited” uses under section 2721(b), which is entitled “Permissible uses” and lists only exceptions to the general rule against disclosure. 18 U.S.C. § 2721(b). In fact, nowhere does the DPPA enumerate any “prohibited purposes” or “prohibited uses.” Rather, the statute generally prohibits all but the fourteen permissible uses enumerated in section 2721(b). The title of the entire section 2721 is “Prohibition on release and use of certain personal information from State motor vehicle records”—again illustrating that prohibition is the general rule, not the exception as Taylor would have it. 18 U.S.C. § 2721.

The DPPA is not a model of statutory drafting, but if it means anything at all it is this: A potential stalker cannot walk into a Missouri DMV to obtain every Missouri driver's name, address, height, weight, eye color, driver's license number, and social security number without a specific permissible use under the DPPA. See Taylor, 612 F.3d at 336 (explaining that the immediate impetus for the DPPA was “the murder of actress Rebecca Schaeffer at the hands of a stalker”). It is not enough for him to smile, nod, and promise to comply with the DPPA in the future. Rather, he must at least be able to articulate a specific permissible use from among the closed universe of permissible uses under section 2721(b), beyond which all uses are impermissible. If the same standard is not applied to resellers, then the DPPA does not prevent them from selling everyone's personal information on websites such as www. publicdata. com, so long as the purchaser promises not to misuse it.

The DPPA creates a private right of action for “the individual” whose personal information was knowingly obtained, disclosed, or used “for a purpose not permitted” under section 2721(b). 18 U.S.C. § 2724(a). “It shall be unlawful for any person knowingly to obtain or disclose personal information ... for any use not permitted under section 2721(b) of this title.” 18 U.S.C. § 2722(a) (emphasis added). And an “authorized recipient ... may resell or redisclose the information only for a use permitted under subsection (b)....” 18 U.S.C. § 2721(c). Therefore, the sale of any individual's personal information—the quantum of data used throughout the statute—violates the DPPA whenever it is not matched with an identifiable permitted use that is relevant to “the individual to whom the information pertains.” 18 U.S.C. § 2724(a).

B. The Structure of Section 2721(b)

To interpret the DPPA, it is necessary to view each permissible use under section 2721(b) in the context of all fourteen of those exceptions to the general rule prohibiting the obtainment, use, and disclosure of drivers' personal information. As previously discussed, those fourteen exceptions are:

(1) For use by any government agency, including any court or law enforcement agency, in carrying out its functions, or any private person or entity acting on behalf of a Federal, State, or local agency in carrying out its functions.

(2) For use in connection with matters of motor vehicle or driver safety and theft; motor vehicle emissions; motor vehicle product alterations, recalls, or advisories; performance monitoring of motor vehicles, motor vehicle parts and dealers; motor vehicle market research activities, including survey research; and removal of non-owner records from the original owner records of motor vehicle manufacturers.

(3) For use in the normal course of business by a legitimate business or its agents, employees, or contractors, but only

(A) to verify the accuracy of personal information submitted by the individual to the business or its agents, employees, or contractors; and

(B) if such information as so submitted is not correct or is no longer correct, to obtain the correct information, but only for the purposes of preventing fraud by, pursuing legal remedies against, or recovering on a debt or security interest against, the individual.

(4) For use in connection with any civil, criminal, administrative, or arbitral proceeding in any Federal, State, or local court or agency or before any self-regulatory body, including the service of process, investigation in anticipation of litigation, and the execution or enforcement of judgments and orders, or pursuant to an order of a Federal, State, or local court.

(5) For use in research activities, and for use in producing statistical reports, so long as the personal information is not published, redisclosed, or used to contact individuals.

(6) For use by any insurer or insurance support organization, or by a self-insured entity, or its agents, employees, or contractors, in connection with claims investigation activities, antifraud activities, rating or underwriting.

(7) For use in providing notice to the owners of towed or impounded vehicles.

(8) For use by any licensed private investigative agency or licensed security service for any purpose permitted under this subsection.

(9) For use by an employer or its agent or insurer to obtain or verify information relating to a holder of a commercial driver's license that is required under chapter 313 of title 49.

(10) For use in connection with the operation of private toll transportation facilities.

(11) For any other use in response to requests for individual motor vehicle records if the State has obtained the express consent of the person to whom such personal information pertains.

(12) For bulk distribution for surveys, marketing or solicitations if the State has obtained the express consent of the person to whom such personal information pertains.

(13) For use by any requester, if the requester demonstrates it has obtained the written consent of the individual to whom the information pertains.

(14) For any other use specifically authorized under the law of the State that holds the record, if such use is related to the operation of a motor vehicle or public safety. 18 U.S.C. § 2721(b) (emphasis added).

The structure of section 2721(b) is relatively straightforward. Subsections (b)(1) through (10) identify specific uses of personal information that are permissible under the DPPA—e.g., “to verify the accuracy of personal information submitted by the individual to the business ... and ... if such information as so submitted is not correct or is no longer correct, to obtain the correct information....” 18 U.S.C. § 2721(b)(3). Subsections (b)(11) through (14), however, provide for potentially less-restrictive exceptions, therefore adding heightened requirements. Subsection (b)(11) directly follows the ten specific uses of individuals' DMV records, providing a catch-all exception “[f]or any other use in response to requests for individual motor vehicle records,” but only with the individual's express consent. 18 U.S.C. § 2721(b)(11). Subsection (b)(13) allows any “requester” to walk into a DMV to obtain an individual's personal information, but only with the individual's written consent. 18 U.S.C. § 2721(b)(13). Subsection (b)(14) provides a catch-all exception “[f]or any other use specifically authorized under the law of the State” and relating to motor vehicles or public safety. 18 U.S.C. § 2721(b)(14). The other potentially less-restrictive exception, subsection (b)(12), allows bulk distribution for commercial purposes, but only with the individual's express consent—indicative of the atypicality of commercial bulk distribution among the permissible purposes. 18 U.S.C. § 2721(b)(12).

In fact, as previously discussed, two of these more open-ended exceptions with heightened requirements, subsections (b)(11) and (12), are singled out for special treatment in section 2721(c). Most tellingly, “[a]n authorized recipient under (b)(12)”—i.e., a recipient of the information of individuals who have expressly consented to bulk distribution for surveys, marketing, or solicitations—“may resell or redisclose personal information pursuant [only] to subsection (b)(12).” 18 U.S.C. § 2721(c); see 2A Sutherland Statutory Construction, supra, § 47:23, at 398–404 (“As the [ expressio unius ] maxim is applied to statutory interpretation, where a form of conduct, the manner of its performance and operation, and persons and things to which it refers are designated, there is an inference that all omissions should be understood as exclusions.”). Unlike every other permitted use of personal information, the information pertaining to an individual who has expressly consented to bulk distribution may not be diverted for any other permissible use, even those uses that would never have required the individual's express consent. The only reason for such a provision is that Congress intended to limit commercial bulk distribution, absent consent. The Supreme Court has expressed a “preference for avoiding surplusage constructions,” Lamie v. United States Trustee, 540 U.S. 526, 536, 124 S.Ct. 1023, 157 L.Ed.2d 1024 (2004), yet Taylor's interpretation of the DPPA would render mere surplusage section 2721(c)'s cautious treatment of bulk distribution under (b)(12). At oral argument, counsel for Defendant “d[id]n't know why Congress constructed [the third sentence of section 2721(c) ] that way.” [Doc. # 63 at 43.]

It should be noted that subsection (b)(5) may also envision bulk distribution, but only for research purposes, and only “so long as the personal information is not published, redisclosed, or used to contact individuals.” 18 U.S.C. § 2721(b)(5). Certain government functions or motor-vehicle-related activities could also conceivably entail bulk transfers. See 18 U.S.C. § 2721(b). However, in such cases, by definition, all drivers would fit within the identifiable permissible use at the moment of obtainment and disclosure. Commercial bulk distribution would still be prohibited when based on the mere possibility that an individual could fit within some permissible use at some point in the future.

C. The Legislative History

To the extent that the DPPA text is ambiguous with respect to the bulk sales issue, and in case the statute's title is not clear enough, the legislative history reveals the overriding purpose of the DPPA: to protect drivers' privacy. Given such a purpose, the interpretation most consistent with Congressional intent requires that disclosure of personal information be narrowly tailored to a specific permissible purpose.

It is true, as Taylor notes, that Congressman Moran stated:

Among those who will continue to have unfettered access are federal and state governments and their contractors, for use in auto recalls, by businesses (such as an insurance company) to verify the accuracy of personal information submitted by a licensee, for use in any civil or criminal proceeding, in research activities, and in marketing activities as long as the individual has been given the opportunity to opt out. The bill would allow DMVs to continue to sell DMV information in bulk as long as every driver in that state had been given the opportunity to restrict the sale of their name for marketing purposes. Statement of Rep. Moran, supra (emphasis added). Congressman Moran simply referred, in order, to subsections (b)(1) (government agencies), (b)(2) (auto recalls), (b)(3) (legitimate businesses to verify the accuracy of information submitted to it), (b)(4) (civil or criminal proceedings), (b)(5) (research activities), and (b)(12) (bulk distribution for marketing activities). See 18 U.S.C. § 2721(b).

In the same statement, Congressman Moran explained that the DPPA was “designed to give individuals control over the release of their personal information and give them the opportunity to make choices as to whether this information is released, not just for individual look-ups, but also for release in bulk.” Statement of Rep. Moran, supra. He even went so far as to spell out the core values behind the DPPA:

The basic concept behind this legislation is the philosophy first coined by Congressman Ed Markey: knowledge, notice, and no. Knowledge: individuals should have knowledge of how personal information about them will be used. Notice: they should have notice when personal information about them is sold/resold. No: they should have the right to object to those uses/reuses.

Id.

Taylor's interpretation of the DPPA turns the requirement of a “specific, approved reason” on its head, depriving individuals of “knowledge, notice, and no.” Id. First, individuals would have little knowledge of how their personal information is used, as it moves in bulk from the DMV toward internet clearinghouses such as www. publicdata. com. Second, individuals would have no “notice when personal information about them is sold/resold.” Id. And third, it is important to note that individuals originally had to object to bulk sale of their personal information for commercial purposes under section 2721(b)(12). “The ‘opt out’ provisions of the original legislation with respect to bulk distribution” was “changed to the ‘opt in’ provisions now in § 2721(b)(11) and (12) by the October 1999 amendments to the DPPA.” Taylor, 612 F.3d at 337 n. 10 (citing Pub.L. No. 106–69, 113 Stat. 986 (Oct. 9, 1999)). In other words, the DPPA originally put the burden on individuals to avail themselves of “[t]he ‘opt out’ provisions ... with respect to bulk distribution,” but Congress later shifted that burden to provide even greater privacy to drivers. Id. Drivers must now “opt in” to (b)(12), which is the only reference to bulk distribution in the DPPA and is treated with great care by section 2721(c). Since Congress intended to allow individuals to object to bulk distribution of their personal information by opting out (and it subsequently strengthened privacy protection by allowing for commercial bulk distribution only when individuals opt in), it is illogical to now claim that Congress always intended bulk distribution for all exceptions listed in 2721(b).

It is hard to imagine an interpretation of the DPPA less in keeping with Congressional intent than one which allows bulk sales of personal information as the default rule. In practice, Taylor's interpretation means that the vast majority of the personal information sold is not put to an authorized use. It strikes no balance at all to allow resellers to mass produce CD–ROMs containing millions of drivers' personal information. Instead, by focusing on “specific, approved reasons,” Congress accommodated particular commercial needs while preventing wholesale distribution of personal information for which there is only a hypothetical use. Statement of Rep. Moran, supra.

Furthermore, while Congressman Moran in 1994 referred to the DPPA's exceptions for legitimate “common uses now made of this information,” id., Taylor condones novel uses of personal information that could be facilitated by bulk distribution without the individual's consent. While Congressman Moran warned that advances in computer technology “make[ ] it more important that safeguards are in place to protect personal information,” id., Taylor argues:

At a checkout line at a grocery store or similar establishment, when a customer wishes to pay by (or cash) a check, and presents a driver's license as identification, it is obviously wholly impractical to require the merchant for each such customer to submit a separate individual request to the state motor vehicle department to verify the accuracy of the personal information submitted by the customer, under section 2721(b)(3). 612 F.3d at 337. Thus, Taylor assumes that a business has the right to possess an individual's personal information even if that individual never walks into its store; it also apparently assumes that any employee working a cash register could access the personal information of every driver in the state. In reality, when an individual pays by check or credit card at the grocery store, the cashier rarely asks for identification. When they do, the employee merely confirms that the names on the cards match and that the individual resembles the photograph on the driver's license. For other transactions—e.g., purchasing an automobile or applying for a credit card—a business would have time to avail itself of subsection 2721(b)(3) to verify the identity of an individual.

Such a process of matching individuals to specific permissible uses should not “flood the state department with more requests than it could possibly handle.” Id. at 337. This empirical claim—offered as evidence of Congressional intent—simply has not been proven. Other states have found workable methods of disclosing drivers' personal information in compliance with the DPPA. Defendant concedes that in Tennessee, for example, “on line requests can only be made for a single driver record.” [Doc. # 66 at 4.] While the parties have not conducted an exhaustive review of every state's policies, Plaintiffs note that Westlaw offers motor vehicle information for approximately 28 states and driver's license information for only 6 states—Florida, Michigan, Minnesota, Tennessee, Texas, and Wisconsin—while PublicData.com offers current driver's license information for only 3 States—again, Florida, Texas, and Wisconsin. [Doc. # 65, Exs. 1–2.] As Defendant concedes, although “Missouri, Texas, Florida, Illinois, Washington, and other states allow bulk purchase and resale of driver's license and motor vehicle records,” it seems that most States “have adopted different methods to implement the DPPA.” [Doc. # 66 at 1.]

In fact, as of August 2009, Missouri's Form 4678, “Request for Security Access,” provided for only the following authorization to obtain personal information under section 2721(b)(3) of the DPPA:

For use as a legitimate business in verifying accuracy of the personal information submitted by the individual to the business or its agents, employees, or contractors and/or to obtain correct information but only for purposes of preventing fraud, pursuing legal remedies, or collecting debts. (For individual requests only.) [Doc. # 48, Ex. 5 at 5 (emphasis added).] Thus, Missouri apparently now declines to disclose personal information in bulk for commercial purposes under 18 U.S.C. § 2721(b)(3).

Taylor warned: “Ninety thousand [credit card] applications are processed daily. That alone may be 90,000 requests that a state would have to individually verify every day.” Taylor, 612 F.3d at 338 n. 12. Aside from its failure to divide by fifty, Taylor's suggestion that the states must be at the beck and call of credit card companies is misleading. As other states' policies illustrate, technology exists which would allow authorized recipients to download specific individuals' personal information from a secure site to sell to customers having a specific permissible use. Even if the cost of protecting drivers' privacy is that a credit card company is momentarily delayed before issuing some of the thousands of cards approved daily, such a balance is consistent with Congressional intent. Furthermore, there are many other ways to gather consumer data. Understandably, it is more convenient to obtain every drivers' personal information in one reliable place. But Congress recognized that consumers have an interest in maintaining the privacy of their coerced personal information until there is a reason to release it. Again, as of August 2009, Missouri's Form 4678, “Request for Security Access,” limited “use as a legitimate business in verifying accuracy of the personal information submitted by the individual to the business” to “individual requests only.” [Doc. # 48, Ex. 5 at 5.]

The final specter raised by Taylor is “vast potential liquidated damages.” Taylor, 612 F.3d at 330. According to section 2724(b):

The court may award

(1) actual damages, but not less than liquidated damages in the amount of $2,500;

(2) punitive damages upon proof of willful or reckless disregard of the law;

(3) reasonable attorneys' fees and other litigation costs reasonably incurred; and

(4) such other preliminary and equitable relief as the court determines to be appropriate. 18 U.S.C. § 2724(b). As the Eleventh Circuit has explained:

Section 2724(b) begins, “[t]he Court may award.” The use of the word “may” suggests that the award of any damages is permissive and discretionary.... [W]e conclude that the use of the word “may” implies a degree of discretion. Thus, the district court, in its discretion, may fashion what it deems to be an appropriate award. Kehoe v. Fid. Fed. Bank & Trust, 421 F.3d 1209, 1216–17 (11th Cir.2005) (citations omitted). As the Eleventh Circuit suggests, the DPPA grants the Court discretion in fashioning an appropriate remedy sufficient to deter future violations. There is no reason to expect that if courts enforce the DPPA as written that they will make large (or any) damage awards. The goal is compliance with the law, not windfall rewards. Further, just because damages are authorized by a statute does not mean the language of the statute and the intent of Congress can be ignored. If Congress makes a mistake, it is their responsibility to fix it. It is not the role of the courts to rewrite the legislation.

D. The DOJ Letter

Defendant also suggests that a 1998 advisory opinion sent from the Department of Justice to the Attorney General of Massachusetts is entitled to Skidmore deference. See Skidmore v. Swift & Co., 323 U.S. 134, 65 S.Ct. 161, 89 L.Ed. 124 (1944). In Skidmore, the Supreme Court, interpreting the Fair Labor Standards Act, deferred to the Administrator, reasoning:

We consider the rulings, interpretations and opinions of the Administrator under this Act, while not controlling upon the courts by reason of their authority, do constitute a body of experience and informed judgment to which courts and litigants may properly resort for guidance. The weight of such a judgment in a particular case will depend upon the thoroughness evident in its consideration, the validity of its reasoning, its consistency with earlier and later pronouncements, and all those factors which give it power to persuade, if lacking power to control. Id. at 140, 65 S.Ct. 161.

Here, a DOJ attorney with the title of “Special Counsel to the Assistant Attorney General, Civil Division” issued a one-and-a-half-page letter in response to an inquiry regarding the DPPA from the chief of the “Government Bureau” in the office of the Massachusetts Attorney General. [Doc. # 50, Ex. 8.] The DOJ attorney explicitly stated that his opinion was “merely advisory” and “is not binding upon the U.S. Attorney General and should not be construed as creating any substantive rights or benefits under the law.” Id. The Court does not find this letter of persuasive—much less controlling—force. Regardless, the DOJ letter merely confirms what this Court has already determined: a state “may release personal information to a distributor upon reasonably concluding that the information will be used for authorized purposes only.” Id.

VIII. Application of the DPPA to Worldwide's Purchase and Sale of Every Missouri Driver's Personal Information

As explained above, Defendant Worldwide had a permissible purpose under the DPPA if, at the time of obtainment and disclosure, each individual whose information it bought and sold could be matched with a customer's existing permissible use relevant to him or her.

A. Did Worldwide Knowingly Obtain and Disclose Personal Information for an Impermissible Purpose?

It is uncontroverted that “[w]hen Defendant's customers request data, they are provided the entire database for all Missouri drivers even if they need only one record ....” [Docs. # 48 at 5, # 53 at 4.] Worldwide's corporate representative testified as follows:

Q. So you don't require that your customer have the need for everyone's information. As long as they have the need for, at least, one record, you're giving them the database, is that right?

....

A. That's correct. Because our software is investigative software, the company was built and the purpose of it is to be used for investigations, which requires multiple searching criteria. So if you are looking, you know, for a witness or for somebody who has committed a crime, you don't know exactly which record you are going for, so that it's set up so that you can cross-search and put in multicriteria that could lead you back to the person or an address. [Doc. # 48, Ex. 2 at 94.] However, even if all of Defendant's customers had been private investigative agencies or licensed security services under subsection 2721(b)(8), the need to search for an unknown individual based on one piece of information would not draw every driver in Missouri into that permissible use under (b)(8). If, for example, a private investigative agency has only an address, then it is authorized to obtain only the personal information of the individuals associated with that address.

Worldwide's corporate representative also testified:

Q. So if an attorney is trying to track down a defendant in a case and he is a subscriber of yours and he needs an individual record, you're sending him every driver's license file from the State of Missouri to him?

A. Correct.

Q. Including those socials for those people who have socials as their driver's license numbers?

A. No longer the case today, but in the past, yes. Id. at 78. Thus, it is uncontroverted that Defendant routinely disclosed the personal information of millions of Missouri drivers without a permissible use pertaining to them under the DPPA. At oral argument, Worldwide suggested that even if it had technically violated the DPPA, it did so without the knowledge that its purposes were impermissible, and therefore it could not be liable because of the statutory requirement that it act knowingly. Yet Worldwide argued in its brief: “The DPPA imposes liability when each of the following three elements is satisfied: (1) the defendant knowingly obtains, discloses or uses personal information; (2) from a motor vehicle record; and (3) the use is for a purpose not permitted under the statute.” [Doc. # 50 at 14.] This three element approach is confirmed by the statutory text: “A person who knowingly obtains, discloses, or uses personal information, from a motor vehicle record, for a purpose not permitted under this chapter shall be liable to the individual to whom the information pertains, who may bring a civil action in a United States district court.” 18 U.S.C. § 2724(a). The only reason to use commas to isolate the clause “from a motor vehicle record” is to confine the adverb “knowingly” to modifying the act of obtainment, disclosure, or use. Id. Congress intended to prevent liability in a case, for example, in which a customer intended to request only one individual's record but was delivered the entire database; such obtainment would not have occurred knowingly.

In contrast, the Consumer Credit Protection Act, for example, provides for liability “for obtaining a consumer report under false pretenses or knowingly without a permissible purpose....” 15 U.S.C. § 1681n(a)(1)(B). There, “knowingly” modifies “without a permissible purpose” but not “obtaining.” Id. Congress would have used a similar formulation in the DPPA if it had not been not concerned with whether the obtainment, disclosure, or use occurred knowingly. Yet it is clear from another provision of the DPPA that Congress did have such a concern: “A State department of motor vehicles ... shall not knowingly disclose or otherwise make available ... personal information....” 18 U.S.C. § 2721(a). There too, the adverb “knowingly” modifies only the act of disclosure and not whether the purpose was permissible.

Here, a reasonable juror could not find that Defendant Worldwide did not know that it obtained and disclosed every Missouri driver's personal information. Worldwide has admitted that it routinely obtained and disclosed the entire Missouri DMV database, even when its customers requested only a single individual's information.

Worldwide has also argued that it did not obtain personal information in violation of the DPPA because it acted as an agent of its customers. The Court is dubious of this assertion. See Locate.Plus.Com, Inc. v. Iowa Dep't of Transp., 650 N.W.2d 609, 619 (Iowa 2002) (“Worldwide is not subject to control of its customers and does not act on account of its customers. The relationship, plain and simple, is one of seller and buyer, and Worldwide cannot artificially create an agency relationship by designating the relationship as an agency in its request forms.”). Nonetheless, even assuming that Defendant acted as an agent to its customers, that determination would not alter the Court's conclusion that Worldwide obtained and disclosed the entire Missouri DMV database, in bulk, in violation of the DPPA. Because Worldwide has provided no evidence that there was a permissible use relevant to any class members, no reasonable juror could find for Worldwide.

B. Did Worldwide Knowingly Obtain and Disclose Highly Restricted Personal Information for an Impermissible Purpose?

Under the DPPA, “highly restricted personal information” may be obtained or disclosed only with the consent of the individual to whom the information pertains, or pursuant to “uses permitted in subsections (b)(1), (b)(4), (b)(6), and (b)(9).” 18 U.S.C. § 2721(a)(2). Those four subsections provide the limited exceptions for obtaining or disclosing “highly restricted personal information”:

(1) For use by any government agency, including any court or law enforcement agency, in carrying out its functions, or any private person or entity acting on behalf of a Federal, State, or local agency in carrying out its functions.

....

(4) For use in connection with any civil, criminal, administrative, or arbitral proceeding in any Federal, State, or local court or agency or before any self-regulatory body, including the service of process, investigation in anticipation of litigation, and the execution or enforcement of judgments and orders, or pursuant to an order of a Federal, State, or local court.

....

(6) For use by any insurer or insurance support organization, or by a self-insured entity, or its agents, employees, or contractors, in connection with claims investigation activities, antifraud activities, or underwriting.

....

(9) For use by an employer or its agent or insurer to obtain or verify information relating to a holder of a commercial driver's license that is required under chapter 313 of title 49. 18 U.S.C. §§ 2721(b)(1), (4), (6), (9).

The statute defines “highly restricted personal information” as “an individual's photograph or image, social security number, medical or disability information....” 18 U.S.C. § 2725(4). According to Worldwide, this definition “contains three elements: 1) images, 2) social security numbers, and 3) medical information, with alternatives for two of the elements—images and medical information.” [Doc. # 53 at 8.] In other words, Worldwide claims that the statutory definition of highly restricted personal information “is conjunctive.” Id.

The case upon which Worldwide relies most heavily in its brief applied “the common mandate of statutory construction to avoid absurd results.” Taylor, 612 F.3d at 338 (quoting Waggoner v. Gonzales, 488 F.3d 632, 638 (5th Cir.2007)). Yet, by Defendant's logic, social security numbers would need to be accompanied by an individual's medical or disability information, as well as that individual's photograph or image, in order to be highly restricted personal information—an absurd result.

It is uncontroverted that “[w]hen Defendant's customers request data, they are provided the entire database for all Missouri drivers even if they need only one record....” [Docs. # 48 at 5, # 53 at 4.] According to Worldwide, “[l]ess than 4% of the data files transferred from the Mo DOR to Defendant contained the social security numbers.” [Doc. # 53 at 2.] Missouri's Form 4678 states: “A record holder's photograph, social security number, and medical or disability information may only be obtained for use 1) by any government agency in carrying out its functions,” as well pursuant to the other very limited circumstances under the DPPA. [Doc. # 48, Ex. 4.] On at least one Form 4678 that it submitted to the State of Missouri, Worldwide represented that it was “seeking information ... [a]s a government agency (federal, state, or local) or employed by such.” Id. Shannon Civitarese, Defendant's representative, has testified that Worldwide is not a government agency of any kind, nor an employee or agent of a government agency. [Doc. # 48, Ex. 2 at 90–91.] In light of these uncontroverted facts, a reasonable juror could not find that Defendant did not obtain and disclose highly restricted personal information in violation of the DPPA.

“A person who knowingly obtains, discloses, or uses personal information, from a motor vehicle record, for a purpose not permitted under this chapter shall be liable to the individual to whom the information pertains, who may bring a civil action in a United States district court.” 18 U.S.C. § 2724(a). Here, Worldwide (1) knowingly obtained and disclosed personal information; (2) from a motor vehicle record; and (3) the purpose was not permitted under the DPPA unless the social security numbers were obtained and disclosed pursuant to the purposes listed in subsections (b)(1), (b)(4), (b)(6), or (b)(9) of section 2721. See 18 U.S.C. §§ 2721(a)(2), 2721(b).

It is uncontroverted that Worldwide obtained and disclosed highly restricted personal information that many of its customers did not even claim to be authorized to use under subsections (b)(1), (b)(4), (b)(6), or (b)(9) of section 2721. [Doc. # 48, Exs. 7–9.] Worldwide is unable to match the individuals whose highly restricted personal information it obtained and disclosed with permissible uses pertaining to them. As Worldwide does not fall within the relevant exceptions to the DPPA's general rule of nondisclosure, a reasonable juror could not conclude that Worldwide did not obtain and disclose highly restricted personal information for an impermissible purpose under the statute.

IX. Plaintiffs' Claim under the DPPA for False Representation

Defendant Worldwide also moves for summary judgment with respect to Plaintiffs' claim for false representation under section 2722(b) of the DPPA. Section 2722(b) provides: “It shall be unlawful for any person to make false representation to obtain any personal information from an individual's motor vehicle record.” 18 U.S.C. § 2722(b). Worldwide argues that the DPPA does not establish a private right of action for making false representations in obtaining information.

The question of whether a statute expressly or impliedly creates a private right of action is a matter of statutory construction. Transamerica Mortgage Advisors, Inc. v. Lewis, 444 U.S. 11, 15, 100 S.Ct. 242, 62 L.Ed.2d 146 (1979). “[I]t is an elemental canon of statutory construction that where a statute expressly provides a particular remedy or remedies, a court must be chary of reading others into it.” Id. at 19, 100 S.Ct. 242.

In the DPPA, Congress allowed individuals to bring “civil action[s]” for the knowing obtainment, use, or disclosure of information for impermissible purposes. 18 U.S.C. § 2724. The plain language of that provision does not provide a private right of action for making false representations in obtaining information. Section 2723 may encompass false representations, providing for criminal fines and government enforcement for obtaining information through false representations. But section 2724 “entirely lack[s] the sort of ‘rights-creating’ language critical to showing the requisite congressional intent to create” a private right of action on false representations. Gonzaga Univ. v. Doe, 536 U.S. 273, 287, 122 S.Ct. 2268, 153 L.Ed.2d 309 (2002) (holding that a statutory prohibition on disclosing students' records did not create a private right of action); see also Miller v. Image Data LLC, 91 Fed.Appx. 122, 127 (10th Cir.2004) (“[T]he logical inference from the structure and express language of the Driver's Privacy Act reveals Congress' intent to create a private right of action under § 2722(a), but to leave the enforcement of a violation of § 2722(b) to the United States Department of Justice.”); Bailey v. Daniels, 679 F.Supp.2d 713, 723 (W.D.La.2009) (finding that section 2724(a) does not create a private right of action for false representations under the language of the DPPA).

Because section 2724 does not provide a private right of action, the Court grants summary judgment in favor of Defendant Worldwide with respect to Plaintiffs' claim for false representation under the DPPA.

X. Plaintiffs' Claim for Unjust Enrichment

Finally, Defendant Worldwide moves for summary judgment with respect to Plaintiffs' claim for unjust enrichment. Worldwide argues that Plaintiffs' unjust enrichment claim fails as a matter of law because “there simply is no cognizable claim on the facts presented.” [Doc. # 50 at 24.] Plaintiffs allege that Defendant was unjustly enriched in receiving and retaining the benefits of its improper conduct—the obtainment, disclosure, or use of Plaintiffs' personal information.

“The elements of unjust enrichment are: ‘a benefit conferred by a plaintiff on a defendant; the defendant's appreciation of the fact of the benefit; and the acceptance and retention of the benefit by the defendant in circumstances that would render that retention inequitable.’ ” Bauer Dev. LLC v. BOK Fin. Corp., 290 S.W.3d 96, 100 (Mo.Ct.App.2009) (quoting Hertz Corp. v. RAKS Hospitality, Inc., 196 S.W.3d 536, 543 (Mo.Ct.App.2006)). Unjust enrichment claims arise out of contract law; they are based on a “legal fiction” that provides a means of recovery where parties do not have an express contract. United States v. Applied Pharm. Consultants, Inc., 182 F.3d 603, 606 (8th Cir.1999) (applying Arkansas law). Thus, it is the contract-like nature of the relationship of the parties that gives rise to unjust enrichment claims. The Missouri Supreme Court has held that to state a claim for unjust enrichment, a plaintiff must allege that a benefit was conferred on the defendant by that particular plaintiff. Am. Civil Liberties Union/E. Mo. Fund v. Miller, 803 S.W.2d 592, 595 (Mo.1991) (en banc).

The evidence submitted by Plaintiffs indicates no such quasi-contractual relationship between the parties. Any benefit enjoyed by Defendant was conferred by the State of Missouri, not Plaintiffs. Therefore, the Court grants summary judgment in favor of Defendant Worldwide with respect to Count II of the Second Amended Complaint asserting a claim for unjust enrichment.

XI. Conclusion

Accordingly, it is hereby ORDERED that Plaintiffs' Motion for Summary Judgment [Doc. # 47] is GRANTED except with respect to their claims under false representation and unjust enrichment. Defendant Worldwide's Motion for Summary Judgment [Doc. # 49] is GRANTED only with respect to Plaintiffs' false representation and unjust enrichment claims; it is DENIED in all other respects.


Summaries of

Wiles v. Worldwide Info., Inc.

United States District Court,W.D. Missouri,Western Division.
Aug 15, 2011
809 F. Supp. 2d 1059 (W.D. Mo. 2011)
Case details for

Wiles v. Worldwide Info., Inc.

Case Details

Full title:Sam WILES and Carol Watkins, Individually and on Behalf of All Others…

Court:United States District Court,W.D. Missouri,Western Division.

Date published: Aug 15, 2011

Citations

809 F. Supp. 2d 1059 (W.D. Mo. 2011)

Citing Cases

Wilcox v. Swapp

Using these tools of statutory construction, several courts interpreting section 2724(a) have found that the…

LifeScience Techs. v. Mercy Health

"Thus, it is the contract-like nature of the relationship between the parties that gives rise to unjust…