IN THE UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF ILLINOIS EASTERN DIVISION
December 23, 2009
LISA M. GRACZYK, MATTHEW M. JORGE, AND BRIAN WILLINGHAM, INDIVIDUALLY AND ON BEHALF OF OTHERS SIMILARLY SITUATED, PLAINTIFFS,
WEST PUBLISHING CORP., A MINNESOTA CORPORATION, DEFENDANT.
The opinion of the court was delivered by: Judge Robert W. Gettleman
MEMORANDUM OPINION AND ORDER
Lead plaintiffs Lisa M. Graczyk, Matthew M. Jorge, and Brian Willingham have brought a three count putative class action complaint against defendant, West Publishing Corporation, alleging violation of the Driver's Privacy Protection Act ("DPPA"), 18 U.S.C. § 2722 et seq., (Count I), unjust enrichment (Count II), and a claim for injunctive relief (Count III). Defendant has moved to dismiss the entire complaint for failure to state a claim under Fed. R. Civ. P. 12(b)(6) and for lack of standing pursuant to Fed. R. Civ. P. 12(b)(1). For the reasons explained below, defendant's motions are granted.
Plaintiffs allege that defendant acquired motor vehicle records and the corresponding "personal information" and/or "highly restricted personal information" of millions of licensed drivers, including plaintiffs, from the department of motor vehicles of various states*fn1 (and/or entities that acquired this information from those states) under the pretense that the data would be used only for legitimate purposes outlined in the DPPA. Defendant then allegedly made the information in the records available for search and sale on the internet.
I. Driver's Privacy Protection Act
State Departments of Motor Vehicles ("DMVs") require drivers and motor vehicle owners to supply personal information, such as their names, addresses, telephone numbers, Social Security numbers, photographs, medical conditions, and vehicle descriptions when applying for a driver's license or registering a vehicle. Reno v. Condon, 528 U.S. 141, 143 (U.S. 2000). In 1993 Congress enacted the Driver's Privacy Protection Act ("DPPA") to protect these individuals' privacy by setting limits on how state DMVs can share this personal information.*fn2
The DPPA generally prohibits state DMVs, their officers, employees, or contractors from "knowingly disclos[ing] or otherwise mak[ing] available to any person or entity personal information . . . or highly restricted personal information about any individual obtained by the department in connection with a motor vehicle record."*fn3 18 U.S.C. § 2721(a). The DPPA also provides a private right of action whereby: "[A] person who knowingly obtains, discloses or uses information, from a motor vehicle record, for a purpose not permitted under this chapter shall be liable to the individual to whom the information pertains, who may bring a civil action in a United States District Court." 18 U.S.C. § 2724(a).
The DPPA's general prohibition on disclosure of personal information is subject to 14 exceptions which allow for the limited disclosure of personal information. 18 U.S.C. § 2721(b) provides:
Permissible Uses - Personal information referred to in subsection (a) shall be disclosed for use in connection with matters of motor vehicle or driver safety and theft, motor vehicle emissions, motor vehicle product alterations, recalls, or advisories, performance monitoring of motor vehicles and dealers by motor vehicle manufacturers, and removal of non-owner records from the original owner records of motor vehicle manufacturers to carry out the purposes of titles I and IV of the Anti Car Theft Act of 1992, the Automobile Information Disclosure Act
(15 U.S.C. 1231 et seq.), the Clean Air Act (42 U.S.C. 7401 et seq.), and chapters 301, 305, and 321-331 of title 49, and, subject to subsection (a)(2), may be disclosed as follows:
(1) For use by any government agency, including any court or law enforcement agency, in carrying out its functions, or any private person or entity acting on behalf of a Federal, State, or local agency in carrying out its functions.
(2) For use in connection with matters of motor vehicle or driver safety and theft; motor vehicle emissions; motor vehicle product alterations, recalls, or advisories; performance monitoring of motor vehicles, motor vehicle parts and dealers; motor vehicle market research activities, including survey research; and removal of non-owner records from the original owner records of motor vehicle manufacturers.
(3) For use in the normal course of business by a legitimate business or its agents, employees, or contractors, but only--
(A) to verify the accuracy of personal information submitted by the individual to the business or its agents, employees, or contractors; and
(B) if such information as so submitted is not correct or is no longer correct, to obtain the correct information, but only for the purposes of preventing fraud by, pursuing legal remedies against, or recovering on a debt or security interest against, the individual.
(4) For use in connection with any civil, criminal, administrative, or arbitral proceeding in any Federal, State, or local court or agency or before any self-regulatory body, including the service of process, investigation in anticipation of litigation, and the execution or enforcement of judgments and orders, or pursuant to an order of a Federal, State, or local court.
(5) For use in research activities, and for use in producing statistical reports, so long as the personal information is not published, redisclosed, or used to contact individuals.
(6) For use by any insurer or insurance support organization, or by a self-insured entity, or its agents, employees, or contractors, in connection with claims investigation activities, antifraud activities, rating or underwriting.
(7) For use in providing notice to the owners of towed or impounded vehicles.
(8) For use by any licensed private investigative agency or licensed security service for any purpose permitted under this subsection.
(9) For use by an employer or its agent or insurer to obtain or verify information relating to a holder of a commercial driver's license that is required under chapter 313 of title 49 [49 USCS §§ 31301 et seq.].
(10) For use in connection with the operation of private toll transportation facilities.
(11) For any other use in response to requests for individual motor vehicle records if the State has obtained the express consent of the person to whom such personal information pertains.
(12) For bulk distribution for surveys, marketing or solicitations if the State has obtained the express consent of the person to whom such personal information pertains.
(13) For use by any requester, if the requester demonstrates it has obtained the written consent of the individual to whom the information pertains.
(14) For any other use specifically authorized under the law of the State that holds the record, if such use is related to the operation of a motor vehicle or public safety.
In addition, § 2721(c) of the DPPA permits "authorized recipient[s]" of personal information to resell or redisclose this information:
(c) Resale or redisclosure. An authorized recipient of personal information (except a recipient under subsection (b)(11) or (12)) may resell or redisclose the information only for a use permitted under subsection (b) (but not for uses under subsection (b) (11) or (12)). An authorized recipient under subsection (b)(11) may resell or redisclose personal information for any purpose. An authorized recipient under subsection (b)(12) may resell or redisclose personal information pursuant to subsection (b)(12). Any authorized recipient (except a recipient under subsection (b)(11)) that resells or rediscloses personal information covered by this chapter [18 USCS §§ 2701 et seq.] must keep for a period of 5 years records identifying each person or entity that receives information and the permitted purpose for which the information will be used and must make such records available to the motor vehicle department upon request.
The complaint is based on the principal allegation that defendant is not an "authorized recipient" because authorized recipients are limited to those who have a permissible use for the information as provided by § 2721(b). Notably, the DPPA does not define "authorized recipient." Defendant has moved to dismiss the complaint for lack of standing under Fed. R. Civ. P. 12(b)(1) and for failure to state a claim under Rule 12(b)(6). Because the standing inquiry is dependent on the outcome of the court's analysis of the Rule 12(b)(6) motion, the court will consider the latter issue first.
II. Motion to Dismiss Count I
A. Rule 12(b)(6)
Ruling on a motion to dismiss for failure to state a claim under Fed. R. Civ. P. 12(b)(6), the court accepts the complaint's well-pleaded factual allegations as true and draws all reasonable inferences in the plaintiff's favor. Sprint Spectrum L.P. v. City of Carmel, Indiana, 361 F.3d 998, 1001 (7th Cir. 2004). The complaint must describe the claim in sufficient detail to give the defendant fair notice of what the claim is and the grounds on which the claims rest. The allegations must plausibly suggest that the plaintiff has a right to relief, raising the possibility above the "speculative level." Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 127 S.Ct. 1955, 1964-73, 167 L.Ed.2d 929 (2007).
Plaintiffs allege that defendant obtained, disclosed, and used their personal information for a purpose not permitted under the DPPA, namely resale of drivers' personal information for a profit without their consent. Under their reading of the statute, an "authorized recipient" is a recipient with at least one of the permissible uses listed in § 2721(b). Defendant argues that the plain language of § 2721(c) clearly contradicts any intent by Congress to prohibit a data aggregator, like defendant, to obtain and resell plaintiffs' personal information as an authorized recipient. According to defendant, it qualifies as an "authorized recipient" despite not having a "permissible use" listed in § 2721(b) because Congress did not specify that "authorized recipients" must be "permissible users." Defendant further argues that it never "used" plaintiffs' personal information because it merely facilitated the process by which persons and entities with permissible uses gained access to the information. Finally, defendant cites numerous policy reasons in support of its interpretation of the DPPA's language. The court will consider each argument in turn, starting with a statutory analysis of the term "authorized recipients."
1. Language of the Statute
The court begins with the language of the DPPA itself. Perrin v. United States, 444 U.S. 37, 42 (1979). It is a fundamental canon of statutory construction that, "unless otherwise defined, words will be interpreted as taking their ordinary, contemporary, common meaning." Id. Although the statute does not provide a definition of "authorized recipient," the meaning of the term can readily be inferred from its ordinary meaning and the context in which it appears. Read in the context of the DPPA, "authorized recipient" unambiguously refers to an individual or entity authorized to receive personal information for sale or resale.
This interpretation is embraced in the majority of federal court decisions that have already considered this issue. See Russell v. ChoicePoint Services, Inc. 300 F. Supp. 2d 450 (E.D. La. 2004)("Russell I"); Russell v. ChoicePoint Services, Inc., 302 F. Supp. 2d 654 (E.D. La. 2004)('Russell II") (reaffirming analysis of Russell I); Taylor v. Acxiom Corporation, 2:07-cv-0001 (E.D. Tex. Sept. 8, 2008)(same). The plaintiff in Russell I alleged that the defendant had illegally obtained personal information from the Louisiana DMV for the impermissible purpose of disclosure and distribution by resale. The Russell I court dismissed the claim under Rule 12(b)(6) on the ground that if the defendant (a data aggregator) was an "authorized recipient" of the plaintiff's personal information, then resale of this information to an entity with a permissible use was itself permitted under 2721(c). The court also held that "[t]he plain language of the DPPA permits entities like [defendant] to obtain drivers' personal information" to "subsequently resell that information to third parties with a permissible use." Russell I, 300 F. Supp. 2d at 455. In reaching its decision, the Russell I court engaged in a lengthy analysis, distinguishing the dictionary definition of the words "recipient" and "user," and concluded that "[i]f Congress had intended to require that the 'authorized recipient' of personal information also be a user of that information, it could have written the DPPA exceptions explicitly to that effect." Id. at 457. The court agrees.
The DPPA is written to restrict uses of personal information rather than users of that information. In keeping with this use-based orientation, Section 2721(c) unambiguously allows for resale or redisclosure of personal information for uses permitted under section 2721(b). The only restriction on resale or redisclosure is that it must be done by an authorized recipient. Because the DPPA is silent on who may be designated as an authorized recipient and nothing in the text of the requires that such a recipient also have a permissible use, the logical conclusion is that individual states can make this designation. While it may be conceivable that Congress could have deliberately intended "authorized recipient" to mean "authorized user," this interpretation becomes untenable when the overall statutory scheme is considered.
2. Legislative History and Policy Considerations
"When statutory language is unambiguous, it is presumed to express the legislative purpose and resort to the legislative history is not necessary." United States v. One Parcel of Real Estate Commonly Known as 916 Douglas Ave., 903 F.2d 490, 493 (7th Cir. 1990) (citing American Tobacco Company v. Patterson, 456 U.S. 63, 68, 71 L.Ed. 2d 748, 102 S.Ct. 1534 (1982)). Nonetheless, the court may look beyond the express language of the statute to give force to Congressional intent "where a literal interpretation would thwart the purpose of the over-all statutory scheme or lead to an absurd result." United States v. Tex-Tow, Inc., 589 F.2d 1310, 1313 (7th Cir. 1978) (quoting International Telephone and Telegraph Corporation v. General Telephone & Electronics Corp., 518 F.2d 913, 917-918 (9th Cir. 1975).
Defendant argues that "subjecting a company to potential billion-dollar liability when it merely helped accomplish the lawful use of information is an absurd result." It also argues that the DPPA expressly permits the resale of personal information and does not require resellers to have their own permissible use in order to obtain personal information for resale. Defendant further contends that "plaintiff's interpretation of § 2721(c) -- that resellers need their own permissible uses to obtain data -- would render § 2721(c) meaningless."
Specifically, defendant argues that the Congressional Record clearly reflects Congress' intention to restrict disclosure of personal information only for reasons totally incompatible with the reasons for which it was collected. It contends that defendant's resale and redisclosure of the plaintiffs' personal information was compatible with the authorized purposes because it was ultimately released only to persons or entities with permissible uses under the DPPA. Defendant again relies on Russell I, where the court dismissed a similar claim noting that if a bulk purchaser is an "authorized recipient" of the information, then resale to a person with a permissible use is itself permitted.*fn4 The gravamen of defendant's argument is that state-authorized bulk purchasers can obtain drivers' personal information for resale or redistribution to other entities with a permissible use under § 2721(b), but not for its own use. Under this reading of the statute, obtaining and reselling the data do not qualify as "uses" of the information. The court agrees.
A thorough review of the Congressional Record strongly suggests that a literal interpretation, as discussed above, would thwart the purpose of the over-all statutory scheme and lead to absurd results. The comments made during the Senate and House debates of the DPPA indicate a clear intention to prevent unfettered access to personal information and to give individuals more control over the disclosure of their personal information, while continuing to allow state DMVs to disclose the information for legitimate government and business needs. Various senators and representatives, including the amendment's sponsors, further acknowledged that the DPPA was intended to allow state DMVs to continue selling personal information to direct marketers so long as individuals are given the opportunity refusing to allow the state to sell their personal information for "reasons that are totally incompatible with the purpose for which the information was collected." 139 Cong. Rec. S15745-01, S15763 (Nov. 16, 1993)(statement of Senator Boxer). These concerns are explicitly reflected in the final text of §§ 2721b(11) and b(12) as consent clauses. The emphasis of the consent clauses was to allow individuals a measure of control over the disclosure of their personal information for uses unrelated to the purpose(s) for which it was collected." 139 Cong. Rec. S15745-01, S15763 (Nov. 16, 1993)(statement of Senator Warner). In keeping with this intention to ensure that data is only sold or redisclosed to individuals or entities with permissible uses, § 2721(c) provides the additional safeguard that authorized recipients must keep records of the persons and entities that receive the information and the permitted purposes for which the information will be used.
Additionally, although not binding authority, the court notes that the DOJ and numerous states, including Illinois, have interpreted the DPPA to allow DMVs to authorize data aggregators to receive and resell data to facilitate efficient compilation and dissemination of personal information between and among users with permissible purposes across the country. If the court were to read the statute as barring data aggregators from reselling and redisclosing personal information to entities with permissible uses, many crucial government and legitimate business efforts, including criminal investigations, consumer protection, and driver safety, would be thwarted.
Moreover, if defendant was found liable for obtaining plaintiffs' and class members' personal information without a permissible use, its liability under § 2724 would potentially be in the billions of dollars in liquidated damages. This is an absurd result not in keeping with the plain language, intent, or spirit of the DPPA. Having considered the clear legislative intent of Congress is passing the DPPA, the purpose of the over-all statutory scheme, the court grants defendant's motion to dismiss Count I for failure to state a claim.
B. Rule 12(b)(1)
Defendants have also moved to dismiss the complaint pursuant to Fed. R. Civ. P. 12(b)(1) arguing that because plaintiffs have not alleged that they suffered any actual injury in fact, the court lacks subject matter jurisdiction over their DPPA claims.
To establish standing, a plaintiff must show: (1) injury in fact, meaning an invasion of a legally protected interest that is concrete and particularized, actual or imminent, and not conjectural or hypothetical; (2) a causal connection between the injury and the conduct complained of such that the injury is fairly traceable to the defendant's actions; and (3) that a favorable decision is likely to redress the injury. Tobin for Governor v. Ill. State Bd. of Elections, 268 F.3d 517, 527-28 (7th Cir. 2001) (citing Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61, 112 S.Ct. 2130, 119 L.Ed. 2d 351 (1992)). Abstract injury is not enough to establish injury in fact; the plaintiff must establish that he has sustained or is immediately in danger of sustaining some direct injury. See City of Los Angeles v. Lyons, 461 U.S. 95, 101-02, 103 S.Ct. 1660, 75 L.Ed. 2d 675 (1993).
The complaint alleges that defendant obtained and disseminated plaintiffs' and proposed Class members' personal information and/or highly restricted personal information for search and sale on the internet in violation of the DPPA. In light of the discussion above, these allegations fall woefully short of establishing standing. First, because plaintiffs have not alleged or pled any facts showing that defendant improperly obtained and/or used their personal information, plaintiffs have failed to show that they have suffered an injury-in-fact. Second, plaintiffs have not pled a causal connection between defendant's alleged violations of the DPPA and the alleged harm plaintiffs' suffered. Finally, plaintiffs have failed to demonstrate that a favorable decision in the instant case is likely to redress their alleged injury. Accordingly, plaintiffs' have failed to establish standing, and defendant's motion to dismiss pursuant to 12(b)(1) is granted.
III. Motion to Dismiss Count II - Unjust Enrichment
Defendant has moved to dismiss Count II of the complaint under Fed. R. Civ. P. 12(b)(6) arguing that plaintiffs do not and cannot explain how they have suffered any detriment as a result of defendant's resale of their personal information to entities with permissible uses.
Under Illinois law, "to state a cause of action based on a theory of unjust enrichment, a plaintiff must allege facts supporting the conclusion that the defendant unjustly retained a benefit to the plaintiff's detriment, and that the defendant's retention of the benefit violates the principles of justice, equity, and good conscience." HPI Health Care Services, Inc. v. Mt. Vernon Hospital, Inc., 131 Ill. 2d 145, 160 (Ill. 1989). Additionally, there must be an independent basis that establishes a duty on the part of the defendant to act and the defendant must have failed to abide by that duty. Martis v. Grinnel Mut. Reinsurance Co., 388 Ill. App. 3d 1017, 1025 (2009).
Plaintiffs have alleged that pursuant to the DPPA defendant had a duty to refrain from obtaining their personal information for an impermissible use, and that defendant financially benefited to plaintiffs' detriment when it violated this duty by acquiring plaintiffs' personal information and selling it on the internet for a profit. However, as discussed above, even if defendant had a duty to refrain from obtaining plaintiffs' personal information for an impermissible use, plaintiffs cannot show that defendant unjustly retained a benefit to plaintiffs' detriment because plaintiff fails to show that defendant was not an authorized recipient under the DPPA. As such, plaintiffs have failed to alleged the requisite elements of an unjust enrichment claim, and defendant's motion to dismiss Count II is granted.
IV. Motion to Dismiss Count III - Injunctive Relief
Defendant seeks dismissal of Count III of the complaint because injunctive relief is a remedy and not a stand-alone cause of action. The court agrees. Moreover, to the extent that plaintiffs' request is for post-judgment relief, the request for equitable relief fails because all other counts of the complaint have been dismissed. Consequently, defendant's motion to dismiss Count III is granted.
For the reasons discussed above, defendant's motion to dismiss the entire complaint is granted.
Robert W. Gettleman United States District Judge