Opinion
2:23-cv-00142-JES-NPM
08-04-2023
OPINION AND ORDER
This case comes before the Court on defendant Bank of America, N.A.'s Motion to Dismiss Plaintiff's Complaint With Incorporated Memorandum of Law (Doc. #9) filed on April 17, 2023. Plaintiff George Werner Dillmann filed a Response in Opposition (Doc. #15) on May 15, 2023. For the reasons set forth, the motion is denied.
I.
The Complaint contains the following factual allegations: George Werner Dillmann (Plaintiff) is a citizen of Austria and the United States; he resides and is domiciled in Clearwater, Florida. (Doc. #1, ¶ 4.) Plaintiff holds a Florida driver's license and owns a recreational vehicle registered in Florida. (Id., ¶¶ 2829.) On or about November 23, 2018, Plaintiff visited the Florida's Department of Highway Safety and Motor Vehicles (DHSMV) website and paid $92.35 to renew his Florida driver's license and his recreational vehicle registration. (Id., ¶ 31.) Plaintiff paid the fee through his credit card that was issued by the Card Complete Service Bank AG (“CCSB”) in Vienna, Austria. (Id., ¶ 32.)
Plaintiff later received his renewed driver's license, but not his renewed vehicle registration tag. (Id., ¶ 33.) Plaintiff contacted the DHSMV about his missing vehicle registration tag, however, he was unable to resolve the issue. (Id., ¶ 34.) As a result, Plaintiff notified the CCSB that he was disputing $42.35 being charged to his credit card, which is the amount attributable to the renewal of the vehicle registration. (Id.) CCSB contacted Bank of America (Defendant or BOA), who processes the credit card transactions for the DHSMV's website. (Id., ¶¶ 35-36.) In turn, BOA contacted the DHSMV for documentation of Plaintiff's credit card transaction. (Id., ¶ 37.) On March 20, 2019, the DHSMV responded to BOA's request, and in doing so, provided BOA with Plaintiff's name, photograph, social security number, driver identification number, address, medical/disability information, and possibly more. (Id., ¶ 38.) BOA then shared that information with the CCSB in connection with the disputed credit card charge. (Id., ¶ 67.)
Plaintiff filed a six-count Complaint against multiple defendants, including BOA, for violation of the Driver Privacy Protection Act (DPPA), 18 U.S.C. § 2721 et seq. and 42 U.S.C. § 1983. (Doc. #1.) Plaintiff asserts a single cause of action (Count V) against BOA, alleging that BOA violated § 2772(a) of the DPPA by “knowingly . . . obtain[ing] or disclos[ing] personal information, from a motor vehicle record, for any use not permitted under section 2721(b) of this title.” (Id., p. 14.) BOA moves to dismiss Count V, arguing that Plaintiff has failed to state a claim upon which relief may be granted pursuant to Federal Rule of Civil Procedure 12(b)(6). (Doc. #9, pp. 1-2.)
II.
Under Federal Rule of Civil Procedure 8(a)(2), a Complaint must contain a "short and plain statement of the claim showing that the pleader is entitled to relief." Fed.R.Civ.P. 8(a)(2). This obligation "requires more than labels and conclusions, and a formulaic recitation of the elements of a cause of action will not do." Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007) (citation omitted).
To survive dismissal, the factual allegations must be "plausible" and "must be enough to raise a right to relief above the speculative level." Id. See also Phx. Entm't Partners, LLC v. Casey Rd. Food & Bev., LLC, 728 Fed.Appx. 910, 912 (11th Cir. 2018). This requires "more than an unadorned, the-defendant-unlawfully-harmed-me accusation." Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009) (citations omitted).
In deciding a Rule 12(b)(6) motion to dismiss, the Court must accept all factual allegations in a complaint as true and take them in the light most favorable to plaintiff, Erickson v. Pardus, 551 U.S. 89, 127 S.Ct. 2197, 167 L.Ed.2d 1081 (2007), but
"[l]egal conclusions without adequate factual support are entitled to no assumption of truth." Mamani v. Berzain, 654 F.3d 1148, 1153 (11th Cir. 2011) (citations omitted). "Threadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice." Iqbal, 556 U.S. at 678. "Factual allegations that are merely consistent with a defendant's liability fall short of being facially plausible." Chaparro v. Carnival Corp., 693 F.3d 1333, 1337 (11th Cir. 2012) (internal citations omitted). Thus, the Court engages in a two-step approach: "When there are well-pleaded factual allegations, a court should assume their veracity and then determine whether they plausibly give rise to an entitlement to relief." Iqbal, 556 U.S. at 679.
III.
A. General Principles Of The Driver's Privacy Protection Act
The DPPA provides that “[a] State department of motor vehicles, and any officer, employee, or contractor thereof, shall not knowingly disclose or otherwise make available to any person or entity” an individual's personal information or highly restricted information.” 18 U.S.C. §§ 2721(a)(1)-(2)(footnotes added). The purpose of the DPPA is to “regulate[] the disclosure of personal information contained in the records of state motor vehicle departments (DMVs). Disclosure of personal information is prohibited unless for a purpose permitted by an exception listed in 1 of 14 statutory subsections.” Maracich v. Spears, 570 U.S. 48, 52, 133 S.Ct. 2191, 2195 (2013) (citing 18 U.S.C. §§ 2721(b)(1)-(14)). See also Baas v. Fewless, 886 F.3d 1088, 1091 (11th Cir. 2018). The DPPA creates a “private right of action against persons who knowingly obtain, disclose or use personal information, from a motor vehicle record, for a purpose not permitted under the DPPA.” Thomas v. George, 525 F.3d 1107, 1109 (11th Cir. 2008) (quoting Reno v. Condon, 528 U.S. 141, 143, 120 S.Ct. 666, 145 L.Ed.2d 587 (2000)); see 18 U.S.C. § 2724(a).
Pursuant to the DPPA, personal information is defined as:
information that identifies an individual, including an individual's photograph, social security number, driver identification number, name, address (but not the 5-digit zip code), telephone number, and medical or disability information, but does not include information on vehicular accidents, driving violations, and driver's status.18 U.S.C. § 2725(3).
Highly restricted information under the DDPA is “an individual's photograph or image, social security number, medical or disability information[.]” 18 U.S.C. § 2725(4).
“To establish a DPPA violation, a plaintiff must show ‘that a defendant (1) knowingly obtained, disclosed or used personal information, (2) from a motor vehicle record, (3) for a purpose not permitted.'” Baas, 886 F.3d at 1093 (citing Thomas v. George, Hartz, Lundeen, Fulmer, Johnstone, King, & Stevens, P.A., 525 F.3d 1107, 1111 (11th Cir. 2008)). "The plain meaning of the third factor is that it is only satisfied if shown that obtainment, disclosure, or use was not for a purpose enumerated under § 2721(b)." Thomas, 525 F.3d at 1111.
B. Plaintiff's DPPA Claim
Plaintiff alleges that BOA violated the DPPA by knowingly obtaining his personal information from a motor vehicle record from the DHSMV and knowingly disclosing such information to the CCSB for a non-permitted use. (Doc. #1, ¶¶ 64-67.) BOA asserts that Plaintiff's DDPA claim fails because: (1) BOA's actions of obtaining and disclosing Plaintiff's personal information constitute a permissible use pursuant to § 2271(b)(1); and (2) Plaintiff's claim improperly attempts to stretch the DPPA beyond its intended bounds. (Doc. #9, pp. 8-14.) The Court will address each argument in turn.
BOA does not concede that it knowingly obtained or disclosed Plaintiff's personal information (as defined by the DPPA), but assumes Plaintiff's allegation, stating the same is true for purposes of its motion to dismiss. (Doc. #9, p. 2.) The Court does as well.
(1) Whether BOA's Actions Constitute A Permissible Use
BOA is correct that "not all obtainment, disclosure, or use of personal information from motor vehicles is wrongful.” Thomas, 525 F.3d at 1109. As mentioned above, Sections 2721(b)(1)-(14) provide fourteen “permissible uses.” One permissible use “colloquially known as the ‘Government Function Exception'”, Baas, 886 F.3d at 1091, allows “[p]ersonal information [as defined in the statute to] be disclosed for use in connection with matters of motor vehicles . . . for use by any government agency, including . . . any private person or entity acting on behalf of a Federal, State, or local agency in carrying out its functions." 18 U.S.C. § 2721(b)(1). Plaintiff bears the burden of showing this exception under § 2721(b)(1) does not apply to his DPPA claim. See Thomas, 525 F.3d at 1110-13 (finding the “permissible uses” listed in § 2721(b) are not affirmative defenses, and that the burden of proving that an exemption does not apply falls upon the plaintiff).
BOA argues that the allegations in the Complaint establish that the Government Function Exception applies. (Doc. #9, pp. 914.) The Complaint alleges that BOA was acting “as an agent for” the DHSMV (a state agency) “to process credit card transactions.” (Doc. #1, ¶¶ 2, 35.) In Response, Plaintiff does not dispute that BOA may have been “acting in some capacity on behalf of the government” (Doc. #15, p. 5), or that a “function” of the DHSMV is to issue vehicle registration renewals (and processing payments and associated disputes thereof). Rather, Plaintiff argues that the obtainment and disclosure of his personal information was not permissible on the grounds “that disclosure of photograph, social security number and other information to an outside party was irrelevant to, and not useful for BOA's investigation of disputed credit card charges.” (Id., p. 4; Doc. #1, ¶¶ 65-67.) In other words, Plaintiff argues that just because BOA may have been acting on behalf of the DHSMV (pursuant to its license and motor vehicle registration activities/functions) when it disclosed Plaintiff's personal information, does not necessarily mean that it was “ipso facto for use of a government agency”, and thus proper. (Doc. #15, pp. 6.) The Court agrees with Plaintiff.
What an agency's appropriate activities are is determined by state law. Baas, 886 F.3d at 1091. Florida law tasks a division within the DHSMV with the “receiving and accounting of all license funds and their payment into the State Treasury . . . .” Fla. Stat. § 322.21. The DHSMV is similarly responsible for collecting payment upon any renewal of vehicle registration. Fla. Stat. § 320.08.
Disclosures under the DPPA must be for a “proper purpose.” Welch v. Theodorides-Bustle, 677 F.Supp.2d 1283, 1286 (N.D. Fla. 2010). This is so, because “[i]f any disclosure by a public official was automatically proper, there could never be a claim under the Act against a public official. The statutory language does not support such a conclusion, and the law of the circuit is to the contrary.” Id. (citing Collier v. Dickinson, 477 F.3d 1306 (11th Cir. 2007)(emphasis added)). See also Maracich, 570 U.S. at 59-60 (stating that the DPPA's exceptions should be read narrowly so as to not exempt “all uses of personal information with a remote relation” to an exception or just “whenever any connection” exists.) As the Seventh Circuit explained:
Specifically, when the statutory language says that a disclosure is authorized "[f]or use by a[] . . . law enforcement agency[] in carrying out its functions," 18 U.S.C. § 2721(b)(1) (emphasis added), that language means that the actual information disclosed-i.e., the disclosure as it existed in fact-must be information that is used for the identified purpose. When a particular piece of disclosed information is not used to effectuate that purpose in any way, the exception provides no protection for the disclosing party. In short, an authorized recipient, faced with a general prohibition against further disclosure, can disclose the information only in a manner that does not exceed the scope of the authorized statutory exception. The disclosure actually made under the exception must be compatible with the purpose of the exception. Otherwise, the statute's purpose of safeguarding information for security and safety reasons, contained in the general prohibition against disclosure, is frustrated.Senne v. Vill. of Palatine, 695 F.3d 597, 606 (7th Cir. 2012)(rejecting the defendant's position that as long as it could identify an exception under Section 2721(b) where “some disclosure was permitted,” then “any disclosure of information otherwise protected by the statute is exempt, whether it serves an identified purpose or not.”). The reasoning in Senne is similar to that of the Eleventh Circuit in Baas, which discussed whether the disclosure was “related directly” to the government function. Baas, 886 F.3d at 1092.
Plaintiff has sufficiently alleged that the disclosure of his personal information was for an impermissible purpose, which is sufficient to survive dismissal at this stage of litigation. See Dobruck v. Borders, No. 8:16-cv-1869-T-33JSS, 2016 U.S. Dist. LEXIS 169840, at *9 (M.D. Fla. Dec. 8, 2016)(finding an allegation that the defendant accessed the plaintiff's information for an “impermissible purpose” was sufficient to state a claim under Rule 12(b)(6)). Furthermore, Plaintiff has plausibly alleged that the disclosure of his social security number, photograph, and disability information, among other things, does not directly relate to resolving the disputed credit card charge. Such allegations are sufficient to establish the third element of Plaintiff's DPPA claim. Defendant's motion is therefore denied.
(2) Whether Plaintiff's Claim Improperly Attempts To Stretch The DPPA Beyond Its Intended Bounds
BOA argues that “this Court should decline to extend the DPPA to limit this type of disclosure, as it was not the intent of the DPPA.” (Doc. #9, p. 14.) BOA reasons that Congress passed the DPPA with the intent to only target “stalkers,” “criminals,” and “businesses engaged in direct marketing and solicitation”. (Id., quoting Maracich, 570 U.S. at 57. Since BOA does not fall under any of these categories, BOA argues the DPPA does not apply to this claim. (Id.) The Court is not persuaded by BOA's argument.
“In construing a statute we must begin, and often should end as well, with the language of the statute itself.” United States v. Steele, 147 F.3d 1316, 1318 (11th Cir. 1998)(en banc)(quoting Merritt v. Dillard, 120 F.3d 1181, 1185 (11th Cir. 1997)). “The DPPA generally prohibits any state DMV, or officer, employee, or contractor thereof, from ‘knowingly disclos[ing] or otherwise mak[ing] available to any person or entity personal information about any individual obtained by the department in connection with a motor vehicle record.'” Reno v. Condon, 528 U.S. 141, 144 (2000) (alteration in original)(emphasis added)(quoting 18 U.S.C. § 2721(a)). “The Act also regulates the resale and redisclosure of drivers' personal information by private persons who have obtained that information from a state DMV.” Id. at 146 (citing 18 U.S.C. § 2721(c)). Persons is defined in the statute as “an individual, organization or entity, but does not include a State or agency thereof.” 18 U.S.C. § 2725(2).
Plaintiff alleges that BOA obtained personal information from the Florida DHSMV for an impermissible use, and in turn, BOA disclosed such information to the CCSB. (Doc. #1, ¶¶ 38, 67.)
Because Florida's DHSMV is a state DMV and BOA is a private entity, this action falls squarely within the realm of the DPPA. The DPPA is “unambiguous[]” and it “sets forth the contours and limits of the right clearly . . . ." Collier v. Dickinson, 477 F.3d 1306, 1310-11 (11th Cir. 2007). And since “the statutory text is unambiguous, [the Court] will enforce the statute as written and no further inquiry is necessary.” Leal v. Sec'y, U.S. Dep't of Health & Hum. Servs., 620 F.3d 1280, 1285 (11th Cir. 2010); Conn. Nat'l Bank v. Germain, 503 U.S. 249, 254 (1992) (“When the words of a statute are unambiguous . . . judicial inquiry is complete.” (quotation marks and citation omitted)). Therefore, Defendant's motion is denied.
Accordingly, it is now
ORDERED:
Defendant Bank of America, N.A.'s Motion to Dismiss Plaintiff's Complaint With Incorporated Memorandum of Law (Doc. #9) is DENIED.