Opinion
CIVIL ACTION NO. 6:23-CV-5004-KDB
2023-02-14
Kyle KEOGH, on behalf of himself and all others similarly situated, Plaintiff, v. META PLATFORMS, INC., Defendant.
Blake Garrett Abbott, Paul J. Doolittle, Poulin Willey Anastopoulo LLC, Charleston, SC, Stefan Bogdanovich, Pro Hac Vice, Bursor and Fisher PA, Walnut Creek, CA, for Plaintiff. Allie Aleece Maples, Joshua S. Whitley, Smyth Whitley, LLC, Charleston, SC, Darcy Caitlyn Harris, Pro Hac Vice, Lauren R. Goldman, Gibson Dunn and Crutcher LLP, New York, NY, Elizabeth Katharine McCloskey, Pro Hac Vice, Gibson Dunn and Crutcher LLP, San Francisco, CA, Jonathan Charles Bond, Pro Hac Vice, Gibson Dunn and Crutcher LLP, Washington, DC, for Defendant.
Blake Garrett Abbott, Paul J. Doolittle, Poulin Willey Anastopoulo LLC, Charleston, SC, Stefan Bogdanovich, Pro Hac Vice, Bursor and Fisher PA, Walnut Creek, CA, for Plaintiff. Allie Aleece Maples, Joshua S. Whitley, Smyth Whitley, LLC, Charleston, SC, Darcy Caitlyn Harris, Pro Hac Vice, Lauren R. Goldman, Gibson Dunn and Crutcher LLP, New York, NY, Elizabeth Katharine McCloskey, Pro Hac Vice, Gibson Dunn and Crutcher LLP, San Francisco, CA, Jonathan Charles Bond, Pro Hac Vice, Gibson Dunn and Crutcher LLP, Washington, DC, for Defendant. ORDER Kenneth D. Bell, District Judge
In this putative class action, Plaintiff seeks to hold Defendant Meta Platforms, Inc. ("Meta") liable to all Facebook account holders in the United States who visited South Carolina DMV's ("SCDMV") website since October 2019 for alleged violations of the Drivers' Privacy Protection Act, 18 U.S.C. § 2721, et seq. ("DPPA"). More specifically, Plaintiff alleges that by tracking computer "cookies" generated when Facebook members visit the SCDMV website, Meta unlawfully obtains personal information (Facebook ID numbers), which it then uses in its advertising efforts. In response to the Complaint, Meta has moved to dismiss the action, arguing that Plaintiff has not alleged a violation of the statute as a matter of law. See Doc. No. 10.
The Court has carefully considered this motion, the parties' briefs and exhibits and oral argument on the motion from the parties' counsel on February 13, 2024. In practical effect, Plaintiff contends that simply by visiting the SCDMV website for any purpose (or even by mistake) every Facebook account holder suffers a violation of the DPPA. But, the statute does not sweep nearly that broadly. Rather, its proscription is limited to obtaining or disclosing statutorily defined "personal information from a motor vehicle record" for a use not permitted by the statute. See 18 U.S.C. § 2722. Because the Court finds that, at a minimum, the Complaint fails to sufficiently assert that the alleged personal information obtained by Meta came "from a motor vehicle record" Plaintiff's allegations fall short of a violation of the DPPA. Therefore, Meta's motion will be granted and this case dismissed.
I. LEGAL STANDARD
Under Rule 8(a)(2) of the Federal Rules of Civil Procedure, a complaint must contain a "short and plain statement of the claim showing that the pleader is entitled to relief." Rule 12(b)(6) of the Federal Rules of Civil Procedure authorizes the dismissal of a complaint if it fails to state a claim upon which relief can be granted. The purpose of Rule 12(b)(6) is to expose deficient allegations "at the point of minimum expenditure of time and money by the parties and the court." Bell Atl. Corp. v. Twombly, 550 U.S. 544, 558, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007).
To survive a Rule 12(b)(6) motion to dismiss, the plaintiff must plead facts sufficient to "state a claim to relief that is plausible on its face." Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009) (citing Twombly, 550 U.S. at 570, 127 S.Ct. 1955). "A claim has facial plausibility when the pleaded factual content allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Id. (citing Twombly, 550 U.S. at 556, 127 S.Ct. 1955). In evaluating whether a claim is sufficiently stated, "[the] court accepts all well-pled facts as true and construes these facts in the light most favorable to the plaintiff," but does not consider "legal conclusions, elements of a cause of action, . . . bare assertions devoid of further factual enhancement[,] . . . unwarranted inferences, unreasonable conclusions, or arguments." Nemet Chevrolet, Ltd. v. Consumeraffairs.com, Inc., 591 F.3d 250, 255 (4th Cir. 2009); see Twombly, 550 U.S. at 555, 127 S.Ct. 1955 (A claim will not survive a motion to dismiss if it contains nothing more than "labels and conclusions, and a formulaic recitation of a cause of action's elements."). That said, "a well-pleaded complaint may proceed even if it strikes a savvy judge that actual proof of those facts is improbable, and that a recovery is very remote and unlikely." Id. (internal citation and quotation marks omitted). In other words, a motion to dismiss under Rule 12(b)(6) determines only whether a claim is stated; "it does not resolve contests surrounding the facts, the merits of a claim, or the applicability of defenses." Republican Party v. Martin, 980 F.2d 943, 952 (4th Cir. 1992).
II. FACTS AND PROCEDURAL HISTORY
Plaintiff is a South Carolina citizen with a Facebook account who alleges that he visited the SCDMV's website in September 2022 to complete various kinds of online "private business" with the agency. Doc. No. 1 at ¶¶ 6, 43-44. Plaintiff does not allege that he visited any particular webpage or clicked any particular button on the site. Further, while he generally alleges that Meta used information related to his online visit to the SCDMV "to help it in its advertising efforts," he does not describe or even allege that he received any advertising from Meta concerning his DMV visit. See id. at ¶ 46.
For example, although he makes generalized allegations about how Meta could use its "Pixel" software to collect information about a person's application for an operator's permit or disabled parking placard on a DMV website, Plaintiff never alleges he applied for such a permit or placard.
With respect to Meta's connection to the SCDMV, Plaintiff alleges that the DMV uses the "Meta Pixel" on its website. Id. at ¶ 20. The Meta Pixel "is a piece of code" that third-party web developers can "integrate into their website." Id. at ¶ 17. Developers can then use the Pixel to (1) measure certain actions users take on the developers' own sites, such as the webpages users view and the buttons they click, and (2) send that information to Meta to help assess and improve the effectiveness of the developers' advertising. Id. at ¶¶ 16-17. Plaintiff alleges the DMV "transmits two distinct events to Meta" through the Pixel: "PageView" and "Button Click." Id. at ¶ 20. The first event (PageView) "tells Meta which specific website URL the driver has navigated to." Id. at ¶ 21. The second event (Button Click) tells Meta "when a driver clicks on a particular button on a webpage, along with the text of that button." Id. at ¶ 22.
Plaintiff alleges that "[w]hen [he] was navigating the South Carolina DMV website, Meta obtained and used his personal information, along with various event data, including PageView, microdata and Button Click." Id. at ¶ 45. The "personal information" plaintiff alleges Meta obtained consists of "identifiers for [plaintiff] including the c_user and fr cookies . . . on his web browser." Id.; see also id. at ¶¶ 57, 59 ("The Facebook ID numbers [contained in the c_user and fr cookies] are 'personal information.' ").
Contractual "Terms of Service" and related disclosures govern Plaintiff's relationship with Facebook. When users sign up for a Facebook account, they agree to Meta's Terms of Service, Privacy Policy and Cookies Policy. Doc. No. 10-2 (Terms of Service), 10-3 (Privacy Policy) and 10-4 (Cookies Policy). The Terms state that Meta shows users "personalized ads, offers, and other sponsored or commercial content to help [them] discover content, products, and services that are offered by the many businesses and organizations that use Facebook and other Meta Products." Id. To provide these services, the Terms explain, Meta "collect[s] and use[s] your personal data." Id. The Terms link to the Privacy Policy for more information.
Consideration of extrinsic documents by a court during the pleading stage of litigation improperly converts the motion to dismiss into a motion for summary judgment." Zak v. Chelsea Therapeutics Int'l, Ltd., 780 F.3d 597, 606 (4th Cir. 2015). However, when deciding a motion to dismiss, "a court may consider the pleadings and any materials 'attached or incorporated into the complaint" so long as they are integral to the complaint and authentic. Fitzgerald Fruit Farms LLC v. Aseptia, Inc., 527 F. Supp. 3d 790, 796 (E.D.N.C. 2019) (quoting E.I. du Pont de Nemours & Co. v. Kolon Indus., Inc., 637 F.3d 435, 448 (4th Cir. 2011)). In addition, "courts are permitted to consider facts and documents subject to judicial notice without converting the motion to dismiss into one for summary judgment." Zak, 780 F.3d at 607. Meta's Cookies Policy (which itself incorporates/references Meta's Privacy Policy) is specifically referenced in plaintiff's Complaint. Doc. No. 1 at n.24. Also, Plaintiff references and relies on Facebook's account opening requirements, which state on the "Sign Up" page that "By clicking Sign Up you agree to the Terms, Privacy Policy and Cookies Policy"(with links to all documents). See Doc. No. 1 at ¶ 13, n. 8. Therefore, the Court may consider these policies, but, as discussed below, does not reach the issue of "consent" for which Meta urges the Court to consider them (and to which Plaintiff objects to their consideration).
The Privacy Policy "describes the information [Meta] process[es] to provide Meta Products," including Facebook and the Meta Business Tools (which include the Meta Pixel). Doc. No. 10-3. Among other things, the Privacy Policy tells users that Meta "receive[s] information using cookies and similar technologies, like the Meta Pixel or Social Plugins, when you visit other websites and apps that use our Business Tools or other Meta Products," and specifically explains that Meta can receive "a variety of your information and activities on and off our Products," including "[y]our device information," "[h]ow you use [third-party websites'] products and services," and "[w]ebsites you visit and cookie data, like through . . . the Meta Pixel." Id. The Privacy Policy links to the Cookies Policy for additional information. Id. The Privacy Policy also discloses that Meta then uses this information "to personaliz[e] features, content and recommendations, such as your Facebook Feed, Instagram feed, Stories, and ads." Id. Meta gives users the option of turning off "ads based on [their] activity on other websites." Id.
Cookies are "small pieces of text used to store information on web browsers." Doc. No. 10-4. They "store and receive identifiers and other information on computers, phones and other devices," and they can serve a number of different functions—for example, "personalizing content, tailoring and measuring ads, and providing a safer experience." Id. Meta's Cookies Policy tells users that Meta "use[s] cookies if you have a Facebook or Instagram account, use the Meta Products, including our website and apps, or visit other websites and apps that use the Meta Products." Id. The policy explains that cookies allow Meta to "understand the information that we receive about you, including information about your use of other websites," and that Meta "use[s] cookies to help us show ads and to make recommendations for businesses and other organizations to people who may be interested in the products, services, or causes they promote." Id. The Cookies Policy also describes the two cookies at issue here, the "c_user" and "fr" cookies. Id. The c_user cookie is used to authenticate users and keep them logged in as they navigate between Facebook pages, and to remember a browser, so that users "don't have to keep logging in to Facebook and . . . can more easily log in to Facebook via third-party apps and websites." Id. It "contains [a user's] unencrypted Facebook ID," a number associated with a person's Facebook account. Doc. No. 1 at ¶¶ 28-30. The "fr" cookie is "used to deliver, measure and improve the relevancy of ads," so that (for example) users "don't see the same ad over and over again." Doc. No. 10-4. This cookie contains "an encrypted Facebook ID and browser identifier." Doc. No. 1 at ¶ 32.
Plaintiff filed this action in October 2023 asserting a single claim under the DPPA. He seeks certification of a class of "all persons in the United States who have a Facebook account and visited https://scdmvonline.com after October 5, 2019" and monetary and injunctive relief for himself and the class. Doc. No. 1 at ¶ 48. Defendant's motion to dismiss has been fully briefed and the parties given an opportunity to present oral argument to the Court on the merits of the motion. It is now ripe for the Court's decision.
III. DISCUSSION
A. The DPPA
At its core, the DPPA is a public safety statute designed to protect citizens from the danger and annoyance that may result from the unnecessary disclosure of their personal information. Enacted in 1994 as a result of the stalking and, in some cases, murders of women whose assailants obtained their addresses and other personal information from state DMV offices, the DPPA is a seemingly straightforward statute that has proven to be decidedly less so in its application to commercial efforts to monetize this information as well as the now commonplace digital tracking of online activities, such as the conduct challenged here. See Gaston v. LexisNexis Risk Sols., Inc., 483 F. Supp. 3d 318 (W.D.N.C. 2020). Given the possibility of a generous liquidated damages remedy for any sizeable class and attorneys' fees, the statute has enjoyed "zealous" private enforcement. This complaint is a remedy in search of a violation.
In Section 2721, the DPPA prohibits state DMV departments and their officers, employees and contractors from, inter alia, disclosing or otherwise making available "personal information" obtained by the DMV in connection with a "motor vehicle record" for any purpose not specifically listed in 18 U.S.C. § 2721(b). See 18 U.S.C. § 2721(a)(1). The statute also expressly prohibits private individuals from "knowingly . . . obtain[ing] or disclos[ing] personal information, from a motor vehicle record, for any use not permitted under section 2721(b)." 18 U.S.C. § 2722(a). "Personal information" is defined in the statute as "information that identifies an individual, including an individual's photograph, social security number, driver identification number, name, address (but not the 5-digit zip code), telephone number, and medical or disability information, but does not include information on vehicular accidents, driving violations, and driver's status." 18 U.S.C. § 2725(3). A "motor vehicle record" includes "any record that pertains to a motor vehicle operator's permit, motor vehicle title, motor vehicle registration, or identity card issued by a department of motor vehicles." 18 U.S.C. § 2725(1).
There are fourteen permissible purposes described in 18 U.S.C. § 2721(b), including, for example, to allow governmental agencies and law enforcement to carry out their functions and to inform vehicle owners of safety recalls. The DPPA also allows "use by any requester" of information pursuant to "written consent of the individual to whom the information pertains." 18 U.S.C. § 2721(b)(13). Significantly, however, marketing and solicitation efforts are not permissible purposes under the statute. See Maracich v. Spears, 570 U.S. 48, 60-61, 133 S.Ct. 2191, 186 L.Ed.2d 275 (2013).
Finally, in Section 2724 (entitled "Civil Action"), the DPPA provides a "cause of action" that makes any person who "knowingly obtains, discloses or uses personal information, from a motor vehicle record, for a purpose not permitted under [the statute] . . . liable to the individual to whom the information pertains." 18 U.S.C. § 2724 (a). A person who brings a civil action under this section, can recover "(1) actual damages, but not less than liquidated damages in the amount of $2500; (2) punitive damages . . . ; (3) reasonable attorneys' fees and . . . costs . . . ; and (4) such other preliminary and equitable relief as the court deems to be appropriate." 18 U.S.C. § 2724 (b).
B. Analysis of Plaintiff's Claim under the Statute
Moving beyond the colorful language of the Complaint and briefing accusing Meta (and its counsel) of "surreptitious" conduct, etc., the parties agree that the disputed elements of Plaintiff's DPPA claim are whether 1) a Facebook ID number constitutes "personal information" under the statute; 2) SCDMV's website is a "motor vehicle record"; 3) the alleged personal information came "from" the website; and 4) Plaintiff gave "written consent" to Meta to use the information obtained (so the use was permitted under the statute). There is no dispute that if Meta prevails on any element then Plaintiff cannot maintain his claim.
As noted in the facts above, Plaintiff's characterization of Meta's conduct as "surreptitious" (which the Court need not and does not address on the merits) appears inapt based on the detailed disclosures made available to Facebook account holders.
1. "Personal Information"
The threshold question before the Court is if Meta obtained "personal information" as defined in the DPPA. Although the Complaint speculates that Meta could use the Meta Pixel software to receive "highly restricted personal information" such as information related to a person's disability, Plaintiff's only allegation related to his own experience is that his Facebook ID number contained in the "c_user" and "f" "cookies" discussed above is the "personal information" on which his claim depends. See Doc. No. 1 ¶ 29; Pichler v. UNITE, 542 F.3d 380, 390-92 (3d Cir. 2008) (plaintiffs may not assert DPPA claims based on other individuals' motor vehicle records); Spokeo, Inc. v. Robins, 578 U.S. 330, 338 n.6, 136 S.Ct. 1540, 194 L.Ed.2d 635 (2016) (named plaintiffs who represent a class must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they allegedly belong).
The Court finds that a "Facebook ID number" at least plausibly satisfies the statutory definition of "Personal information." That definition turns on whether the information "identifies an individual." See 18 U.S.C. § 2725(3). A Facebook ID number is not listed among the examples of "personal information" given in the statute. However, the list is merely illustrative, see Dahlstrom v. Sun-Times Media, LLC, 777 F.3d 937, 943 (7th Cir. 2015), and - consistent with the DPPA's public safety purpose - the definition of "personal information" should be given an "expansive reading." Id. at 944. Therefore, accepting as true the Complaint's allegations that a Facebook ID allows anybody to identify a person through their Facebook page by typing www.facebook.com/[FacebookID] into a web browser (which will then load that individual's Facebook page), it plausibly qualifies as "personal information" that can identify an individual. Accordingly, Plaintiff has satisfied the first element of his DPPA claim.
At oral argument, Meta's counsel conceded that a Facebook ID number could qualify as "personal information."
2. "Motor Vehicle Record"
The second fundamental element in an alleged DPPA violation is whether any personal information was obtained "from a motor vehicle record." 18 U.S.C. § 2724(a). Plaintiff argues that the South Carolina DMV's website itself is a "motor vehicle record," and that his Facebook ID number came "from" the website through the "c_user" and "f" cookies. See Doc. No. 1 at ¶ 59. The Court disagrees.
To start, the SCDMV website is not a "record" under the DPPA. The statute defines a "motor vehicle record" as "any record that pertains to a motor vehicle operator's permit, motor vehicle title, motor vehicle registration, or identification card issued by a department of motor vehicles." 18 U.S.C. § 2725(1). "Congress intended the DPPA to reflect the Privacy Act of 1974, which defines a 'record' as 'information about an individual that is maintained by an agency.' " Andrews v. Sirius XM Radio Inc., 932 F.3d 1253, 1260 (9th Cir. 2019) (citation omitted). Therefore, a governmental agency's website which provides information to the public and perhaps a means to communicate with the agency or link to its services is not a "record." It does not in any manner "maintain information about an individual." Indeed, Plaintiff has not alleged otherwise or cited to any authority holding that a website can be a "record" under the DPPA.
Plaintiff's counsel acknowledged at oral argument there is no allegation that the SCDMV even maintains a record of the identity of those who visit its website. And, even if such information were maintained, such a "record" would, as discussed, still not constitute a "motor vehicle" record under the statute.
Plaintiff relies heavily on Gershzon v. Meta Platforms, Inc., 2023 WL 5420234 (N.D. Cal. Aug. 22, 2023), a recent case in which a Plaintiff's DPPA complaint against Meta involving the Meta Pixel and the California DMV survived a motion to dismiss. See Doc. No. 12 at 1. However, Gershzon involves meaningfully different facts (on this point and others) so it is not persuasive here. In Gershzon, the plaintiff alleged that he "provided [his personal information] to the DMV through his 'MyDMV' online account," that "the DMV maintained this information," and that "the information [that was sent to Meta] comes 'from a motor vehicle record' because the information 'derives from the DMV database.' " 2023 WL 5420234, at *7-8 (quoting Gershzon complaint). It was only in that context - in which plaintiff alleged the DMV kept records in its "database" of information with respect to his online account - that the Gershzon court concluded plaintiff had sufficiently alleged a DPPA violation. Id. There was no claim and certainly no holding in Gershzon that a DMV website itself is a "motor vehicle record."
Further, even if the SCDMV website was a "record," it is not a "motor vehicle" record under the statutory definition, which is limited to records pertaining to "a motor vehicle operator's permit, motor vehicle title, motor vehicle registration, or identification card." 18 U.S.C. § 2725(1). Plaintiff argues "every single webpage on the South Carolina Department of Motor Vehicles website has some kind of a 'connection with driving.' " Doc. No. 12 at 4. This argument is both plainly untrue and, in any event, is not helpful to Plaintiff. Even a cursory review of the publicly available SCDMV website, of which the Court can take judicial notice, reveals that the website contains abundant information unrelated to "driving." For example, the website provides information about employment opportunities at the DMV, motor vehicle dealer regulations, a form to report fraud and even the SCDMV book drive. More directly, the DPPA definition of a motor vehicle record does not include all records "connected to driving." Rather, the statute only includes records related to the four specific types of records listed above.
Viewing the Complaint with respect to only the relevant records, it is clear that Plaintiff has not alleged that any of his personal information was obtained from or "pertains" (relates) to a "motor vehicle operator's permit, motor vehicle title, motor vehicle registration, or identification card." As explained more below, Plaintiff's Facebook ID number has no connection at all to any of these types of records. And, disclosure of the fact that a person simply visited a website page where motor vehicle records might or might not be accessed does not violate the DPPA. In sum, the DPPA does not create a right to privacy with respect to every interaction that a citizen may have with the DMV website. See, e.g., Andrews, 932 F.3d at 1260-61 (rejecting "expansive conception of the DPPA [that] does not align with the statute's clear purpose" and would produce "absurd results"). Instead, it provides important protection for specific information in specific types of records, none of which are alleged here. Internet and location tracking software (and associated advertising) may well be personally intrusive and objectionable to many but it doesn't inevitably violate the DPPA. Therefore, the Court concludes that the SCDMV website is not a "motor vehicle record" as defined by the DPPA.
"Pertain to" or "pertain" is a broad term which means with "reference to" or "related to" and is frequently used in statutes and legal writing. See, e.g., FCC v. AT & T Inc., 562 U.S. 397, 131 S.Ct. 1177, 179 L.Ed.2d 132 (2011); Webster's Third New International Dictionary of the English Language (2020) ("To have reference"); Black's Law Dictionary (11th ed. 2019) ("To relate directly to; to concern or have to do with"). See Gaston, 483 F. Supp. 3d at 337 (holding that accident report which indicated "Same address as driver's license" "pertains" to a driver's license).
3. "From" a Motor Vehicle Record
Also, the Court finds that Plaintiff's personal information (his Facebook ID number) was not obtained "from" a motor vehicle record. The Complaint is unclear as to how the relevant "cookies" are generated. On the one hand, Plaintiff alleges:
• "Meta installs tracking code, called the Meta Tracking Pixel, onto [Plaintiff's] web browser" (Doc. No. 1 at ¶ 2);And, on the other, he alleges:
• "[T]he South Carolina DMV website compels a visitor's browser to transmit an identifying "computer cookie" to Meta called "c_user," for every single event sent through Meta Tracking Pixel. The c_user cookie contains that visitor's unencrypted Facebook ID." (Id. at ¶ 28); and
• "By compelling a visitor's browser to disclose the c_user and fr cookies alongside event data, the South Carolina DMV website knowingly discloses personal information and highly restricted personal information to Meta. (Id. at ¶ 38).
• "[t]he Meta Tracking Pixel uses both first- and third-party cookies. A first-party cookie is 'created by the website the user is visiting' - i.e., https://payments.ncdot.gov. (Id. at ¶ 36); and
• by collecting the c_user and fr cookies as first-party cookies, Meta is collecting a drivers' Facebook ID number from the South Carolina DMV website directly. (Id. at ¶ 39)
However, the Court need not decide the technical question of how the "cookies" are generated. Plaintiff's Facebook ID number, even if plausibly considered to be "personal information," does not relate to DMV business. That is, there is no allegation (plausible or otherwise) that Plaintiff had to be a Facebook user to visit the SCDMV website or transact business. The clear intent of the DPPA is to not allow the DMV to require that personal information be provided to obtain DMV services such as a driver's license or vehicle registration and then sell or allow others to use that information for non-permitted uses, such as marketing. However, the DPPA explicitly does not make unlawful disclosure or use of all DMV related information. See 18 U.S.C. § 2725(3). Significantly, disclosures not prohibited by the DPPA include information/records connected with events that a person might well want to remain private, such as accident reports, driving violations and driver status reports, which are the result of a driver's actions, not a DMV requirement. Id.
Hence, the importance of the statutory requirement that the information come from one of the listed DMV "motor vehicle records." Here, the Facebook ID number that Plaintiff contends is the basis for Meta's DPPA violation did not come "from" a motor vehicle record any more than a cell phone's record of its user's location comes "from" the place the cell phone was used. Indeed, Plaintiff's Facebook ID number was neither required by nor provided to the DMV as a necessary part of DMV business. Rather, it is merely a byproduct of Plaintiff's voluntary decision to be a Facebook user and the practice of internet tracking that pervades modern life (particularly in circumstances such as Facebook in which users willingly trade browsing privacy in return for what they perceive to be Facebook's benefits). Therefore, Plaintiff's Facebook account number did not come "from" a "motor vehicle record" - regardless of how the "cookies" which included the number were generated.
Presumably, the cell phone location would also be tied to the cell phone number within the cell phone carrier's records, which would be "personal information" under the DPPA. This example only further emphasizes the significant overreach of Plaintiff's interpretation of the DPPA.
4. Consent to Obtain / Use the Information
The final foundational element of a DPPA violation is that the personal information obtained from the motor vehicle record be used "for a purpose not permitted" under the DPPA. 18 U.S.C. § 2724(a). Meta contends that three of the DPPA's fourteen permissible uses apply here: (1) assisting the DMV "in carrying out its functions"; (2) use "in connection with . . . motor vehicle market research activities"; and (3) use pursuant to "written consent." Id. § 2721(b)(1), (b)(2), (b)(13). Plaintiff says that none of those exceptions apply.
With respect to the first two cited uses, whether or not the DMV could assert one or more "permissible uses" with respect to its governmental use of Meta's services, that does not allow Meta to avoid compliance with the statute with respect to its own conduct. See Gaston, 483 F. Supp. 3d at 348 ("Defendants cannot wrap their profit seeking efforts in the mantle of "public service" to avoid compliance with the DPPA."). Therefore, the Court finds neither of those uses insulates Meta from liability.
The third alleged permissible use based on "consent" raises a much more serious challenge. However, Plaintiff argues that there are factual disputes related to his "written consent" under the statute, and even Meta concedes that "targeted discovery" and an "evidentiary hearing" may be required for it to prove its allegations. See Doc. No. 18 at 9. Therefore, the Court finds that this issue is not ripe for resolution and, having already determined that Plaintiff has failed to state a viable DPPA claim, the Court declines to reach this issue in ruling on the pending motion.
IV. ORDER
NOW THEREFORE IT IS ORDERED THAT:
1. Defendant's Motion to Dismiss (Doc. No. 10) is GRANTED; and
2. The Clerk is directed to close this matter in accordance with this Order.
SO ORDERED ADJUDGED AND DECREED.