Janice COOK, on behalf of themself and all others similarly situated, et al., Plaintiffs–Appellants, v. ACS STATE & LOCAL SOLUTIONS, INC., Defendant–Appellee, Listco West, Defendant, Samba Holding, Inc.; Aristotle International, Inc., Defendants–Appellees, E–Infodata.com, Inc., Defendant, Insurance Information Exchange; St. Louis Post–Dispatch; Worldwide Information, Inc., Defendants–Appellees. Coalition for Sensible Public Records Access; Consumer Data Industry Association; West Publishing Corporation, Amici on Behalf of Appellees.
Plaintiffs bring this class action suit against a variety of defendants, alleging that each improperly obtained personal driver information from the Missouri Department of Revenue (“DOR”) in violation of the Driver's Privacy Protection Act (“DPPA”), 18 U.S.C. §§ 2721–2725. Plaintiffs base their claims on two separate theories: (1) The bulk obtainment of personal information, which allows a company to “stockpile” information for the sake of convenience when a permissible purpose to use that information arises, is a per se violation of the DPPA; and (2) obtaining an entire database of personal information for the sole purpose of reselling that information to others is also a violation of the DPPA. The district court1 found that neither theory stated a valid claim under the DPPA and granted Defendants' Rule 12(b)(6) motions to dismiss. For the reasons stated below, we affirm.
Plaintiffs represent a putative class of licensed Missouri drivers alleging injury under the DPPA. Missouri drivers are required by law to submit certain personal information to the DOR. Under Missouri law and the federal regulatory scheme of the DPPA, the DOR is permitted to sell that information to individuals or entities who certify that they have a permitted purpose for the information. Defendants2 are an assortment of businesses that purchase driver information pursuant to Missouri law.
On February 25, 2010, Plaintiffs filed suit alleging that Defendants improperly obtained the entire database of drivers' information from the Missouri DOR. Plaintiffs amended their complaint on April 29, 2010, advancing claims that some Defendants obtained the database to “stockpile” information for future use and that other Defendants obtained the database merely to resell information to third parties. In either scenario, Plaintiffs alleged that Defendants did not have an immediate use for the information, and therefore did not obtain it for any permitted purpose under the DPPA. Defendants challenged Plaintiffs' standing to sue and asserted that Plaintiffs failed to state a valid claim under the DPPA. The district court found that Plaintiffs alleged a proper injury and had the standing conferred by Congress under the DPPA. However, the court determined that neither theory advanced by Plaintiffs established a claim upon which relief could be granted. The district court noted that Plaintiffs' claims were the same as those rejected by the Fifth Circuit in Taylor v. Acxiom Corp., 612 F.3d 325 (5th Cir.2010). Though not bound by the Fifth Circuit's decision, the district court found Taylor's analysis to be persuasive and granted Defendants' 12(b)(6) motions to dismiss. Plaintiffs now appeal.
Plaintiffs argue that the district court erred in dismissing their suit on the ground that the complaint failed to state a claim under the DPPA. We review the district court's grant of a motion to dismiss de novo. Schaaf v. Residential Funding Corp., 517 F.3d 544, 549 (8th Cir.2008). Dismissal is proper where the plaintiffs' complaint fails to state a claim upon which relief can be granted. Fed.R.Civ.P. 12(b)(6). The court accepts as true all factual allegations but is “ ‘not bound to accept as true a legal conclusion couched as a factual allegation.’ ” Ashcroft v. Iqbal, 556 U.S. 662, 129 S.Ct. 1937, 1950, 173 L.Ed.2d 868 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007)).
State motor vehicle departments require drivers to provide personal information, such as a person's name, address, telephone number, Social Security number, and medical information as a condition of obtaining a driver's license or registering a vehicle. Reno v. Condon, 528 U.S. 141, 143, 120 S.Ct. 666, 145 L.Ed.2d 587 (2000). Congress enacted the DPPA as an amendment to the Violent Crime Control and Law Enforcement Act of 1994 in response to safety concerns about the ease with which individuals could obtain this information from the state, as well as concerns about direct marketers who used this information for commercial purposes without drivers' consent. Taylor, 612 F.3d at 336–37. The DPPA regulates the disclosure of personal information contained in state motor vehicle records. The DPPA generally prohibits any state department of motor vehicles from “knowingly disclos[ing] or otherwise mak[ing] available to any person or entity personal information ․ about any individual obtained by the department in connection with a motor vehicle record .” 18 U.S.C. § 2721(a). The Act applies not only to states; it prohibits private individuals from knowingly “obtain[ing] or disclos[ing] personal information, from a motor vehicle record, for any use not permitted under section 2721(b).” 18 U.S.C. § 2722(a). The DPPA also regulates the resale and redisclosure of drivers' personal information by private individuals. The resale or redisclosure subsection provides:
An authorized recipient of personal information (except a recipient under subsection (b)(11) or (12)) may resell or redisclose the information only for a use permitted under subsection (b) (but not for uses under subsection (b)(11) or (12)). An authorized recipient under subsection (b)(11) may resell or redisclose personal information for any purpose. An authorized recipient under subsection (b)(12) may resell or redisclose personal information pursuant to subsection (b)(12). Any authorized recipient (except a recipient under subsection (b)(11)) that resells or rediscloses personal information covered by this chapter must keep for a period of 5 years records identifying each person or entity that receives information and the permitted purpose for which the information will be used and must make such records available to the motor vehicle department upon request.
18 U.S.C. § 2721(c).
The general prohibition on disclosure under the DPPA “does not apply if drivers have consented to the release of their data.” Reno, 528 U.S. at 144. The general prohibition on disclosure is also subject to a number of exceptions. First, there are some uses of personal information connected to safety, theft, or compliance with other federal statutes for which disclosure of personal information is mandatory. See 18 U.S.C. § 2721(b). Second, there are fourteen enumerated uses for which disclosure is permissible:
(1) For use by any government agency, including any court or law enforcement agency, in carrying out its functions, or any private person or entity acting on behalf of a Federal, State, or local agency in carrying out its functions.
(2) For use in connection with matters of motor vehicle or driver safety and theft; motor vehicle emissions; motor vehicle product alterations, recalls, or advisories; performance monitoring of motor vehicles, motor vehicle parts and dealers; motor vehicle market research activities, including survey research; and removal of non-owner records from the original owner records of motor vehicle manufacturers.
(3) For use in the normal course of business by a legitimate business or its agents, employees, or contractors, but only—
(A) to verify the accuracy of personal information submitted by the individual to the business or its agents, employees, or contractors; and
(B) if such information as so submitted is not correct or is no longer correct, to obtain the correct information, but only for the purposes of preventing fraud by, pursuing legal remedies against, or recovering on a debt or security interest against, the individual.
(4) For use in connection with any civil, criminal, administrative, or arbitral proceeding in any Federal, State, or local court or agency or before any self-regulatory body, including the service of process, investigation in anticipation of litigation, and the execution or enforcement of judgments and orders, or pursuant to an order of a Federal, State, or local court.
(5) For use in research activities, and for use in producing statistical reports, so long as the personal information is not published, redisclosed, or used to contact individuals.
(6) For use by any insurer or insurance support organization, or by a self-insured entity, or its agents, employees, or contractors, in connection with claims investigation activities, antifraud activities, rating or underwriting.
(7) For use in providing notice to the owners of towed or impounded vehicles.
(8) For use by any licensed private investigative agency or licensed security service for any purpose permitted under this subsection.
(9) For use by an employer or its agent or insurer to obtain or verify information relating to a holder of a commercial driver's license that is required under chapter 313 of title 49.
(10) For use in connection with the operation of private toll transportation facilities.
(11) For any other use in response to requests for individual motor vehicle records if the State has obtained the express consent of the person to whom such personal information pertains.
(12) For bulk distribution for surveys, marketing or solicitations if the State has obtained the express consent of the person to whom such personal information pertains.
(13) For use by any requester, if the requester demonstrates it has obtained the written consent of the individual to whom the information pertains.
(14) For any other use specifically authorized under the law of the State that holds the record, if such use is related to the operation of a motor vehicle or public safety.
18 U.S.C. § 2721(b).
Plaintiffs argue that these enumerated exceptions all carry an implicit requirement that the personal information obtained from the state be used immediately. According to Plaintiffs' theory, any individual or entity that obtains an entire state database of personal information and “stockpiles” it for future use has violated the DPPA.3 This also would mean a company that obtains the entire database in order to resell the information to third parties has violated the DPPA by not putting the information to an immediate section 2721(b) use.
Plaintiffs do not contend that Defendants actually misused drivers' personal information, nor do they dispute that Defendants might have put some information to an end use permitted under section 2721(b). Instead, Plaintiffs argue that Defendants obtained records in bulk merely for the convenience of maintaining their own motor vehicle record databases in anticipation of future use, and therefore have violated the DPPA as to each record Defendants did not put to an immediate permissible use. Defendants, however, assert that they obtained driving records for the purpose of using them in accordance with section 2721(b). According to Defendants, the bulk obtainment of those records was meant to facilitate that purpose by reducing cost and expediting access; bulk obtainment was not an end in itself.
The language of section 2721(b) does not address whether Congress specifically intended to allow or prohibit bulk obtainment for most of the enumerated purposes. However, it is apparent from the statute as a whole that the DPPA is concerned with the ultimate use of drivers' personal information, not how that information is obtained. See 18 U.S.C. § 2721(b) (listing exceptions based on the ultimate “use” of the information); 18 U.S.C. § 2722(a) (“It shall be unlawful for any person knowingly to obtain or disclose personal information, from a motor vehicle record, for any use not permitted under section 2721(b) of this title.”) (emphasis added). All of our sister circuits who have considered this issue have concluded the same. See Graczyk v. West Publ'g Co., 660 F.3d 275, 279 (7th Cir.2011) (The DPPA “is concerned with the ultimate use or uses to which personal information contained in motor vehicle records is put”); Howard v. Criminal Info. Servs., Inc., 654 F.3d 887, 891 (9th Cir.2011) (“[T]he statute was written in a way that logically put the focus on the purposes for which the information would eventually be used—on the ‘end’ sought by the purchaser—not on the reason for buying it in bulk.”); Roth v. Guzman, 650 F.3d 603, 614–17 (6th Cir.2011) (analyzing and agreeing with Taylor); Taylor, 612 F.3d at 338–39.
When an entity obtains a state database in bulk, its purpose for obtaining the entire database is the same as its purpose for obtaining only one driver's personal information; the fact that not all of the records will be used does not change that purpose. See Taylor, 612 F.3d at 337 (offering the analogy that attorneys buy legal reporters for the purpose of legal research, even if they don't use every volume). The proper focus for courts is not the manner in which the information was acquired, but the use to which it is eventually put. Howard, 654 F.3d at 892 (“[T]he portion of the statute that expresses the permissible purposes explicitly does so in terms of the ‘use’ of the information. That is what should be considered in determining whether the acquisition of the information is permitted under the statute.”).
Other courts have noted the efficiencies that result from allowing businesses to obtain driving records in bulk rather than requiring those businesses to submit separate requests each time they need an individual record. Taylor, 612 F.3d at 338 n. 12; Graczyk, 660 F.3d at 280. Plaintiffs, on the other hand, offer no persuasive argument that Congress intended to limit the states to disclosing personal information one request at a time, or why it would want to. Plaintiffs reason that “stockpiling” is prohibited by the statute because personal information must be used “immediately” after the information is obtained. Yet no language in the statute requires immediate use; the DPPA only requires that the information be obtained for a permissible purpose. Indeed, there is no suggestion of a temporal limit anywhere in the DPPA. See Howard, 654 F.3d at 892 (“There is also no problem with Defendants obtaining the personal information for potential future use, even if they may never use it. The DPPA does not contain a temporal requirement for when the information obtained must be used for the permitted purpose.”). We decline to read such a requirement into the statute.
Statements from the legislative history support our reading of the DPPA. One co-sponsor described the bill in the Senate as “strik[ing] a critical balance between the legitimate governmental and business needs for this information, and the fundamental right of our people to privacy and safety.” 139 Cong. Rec. 29468 (1993) (statement of Sen. Boxer). The idea that the DPPA was meant to restrict improper uses of driver information while allowing access to businesses with a legitimate need was echoed in the House of Representatives. See 140 Cong. Rec. 7929 (1994) (statement of Rep. Goss) (“The flow of information would only be denied to a narrow group of people that lack legitimate business. The Amendment defines ‘legitimate business' broadly, including all the duties of Federal, State, and local law enforcement agencies and courts, verification and/or correction of personal information, private investigations, and anything related to the operation of a motor vehicle.”).
Congressman Moran, a co-sponsor in the House, also addressed the DPPA's balance between “rights to privacy with legitimate interests in accessing DMV information.” Protecting Driver Privacy: Hearings on H.R. 3365 Before the Subcomm. on Civil and Constitutional Rights of the House Comm. on the Judiciary, 103d Cong., 2d Sess. (Feb. 3, 1994) (statement of Rep. Moran). Moran indicated his desire to avoid impediments for companies that rely on “information that is necessary and essential for them to do business.” Id. Moran also indicated that the law was not meant to intrude on existing, legitimate uses of the information:
Careful consideration was given to the common uses now made of this information and great efforts were made to ensure that those uses were allowed under this bill. Among those who will continue to have unfettered access are federal and state governments and their contractors, for use in auto recalls, by businesses (such as an insurance company) to verify the accuracy of personal information submitted by a licensee, for use in any civil or criminal proceeding, in research activities, and in marketing activities as long as the individual has been given the opportunity to opt out.
Id.4 Indeed, the only business use that Moran expressed concern about was the use of driver information in direct marketing solicitations. Even this use was not prohibited, however, because the law “would allow DMVs to continue to sell DMV information in bulk as long as every driver in that state had been given the opportunity to restrict the sale of their name for marketing purposes.” Id.
Bulk obtainment of driver information for a permissible purpose does not violate the DPPA. Plaintiffs cannot establish a violation of the DPPA if all the defendants have done is obtain driver information in bulk for potential use under a permissible purpose.
Some of the Defendants in this case obtained personal information in bulk from the Missouri DOR not for their own permissible use, but to sell to third parties who have permissible uses of their own. There is no dispute that 18 U.S.C. § 2721(c) explicitly authorizes the resale and redistribution of personal information, however Plaintiffs contend that this section does not provide a stand-alone justification for businesses to obtain records from the state. Plaintiffs argue that the DPPA requires resellers to have their own permissible use for personal information before selling it to third parties. Plaintiffs interpret the phrase “authorized recipient” under section 2721(c) as an individual or entity who has an immediate permissible use for the information under section 2721(b).
The statute does not define “authorized recipient,” and therefore does not provide direct guidance on this issue. However, Plaintiffs identify no support in either the language of the statute or the legislative history that suggests an authorized recipient must have an authorized use. As other courts have pointed out, section 2721(c) restricts only “authorized recipients,” not “authorized users” or “permissible users” (which would more closely mirror section 2721(b)). Taylor, 612 F.3d at 338; Russell v. ChoicePoint Servs. Inc., 300 F.Supp.2d 450, 455–61 (E.D.La.2004). So long as personal information is ultimately used only for permitted purposes, it is not clear why Congress would have intended to regulate who could obtain it. The statute as a whole is concerned only with the use of the information, not the entity requesting it. See Russell, 300 F.Supp.2d at 457 (“The plain language of the DPPA is written in terms of permissible ‘uses' rather than permissible ‘users.’ ”); Graczyk, 660 F.3d at 279 (pointing out that the statute permits an agent to obtain information for use by a business without requiring the agent to have a separate use).
The documentation requirements in section 2721(c) seem to further indicate that Congress was primarily concerned with the end use of personal information. Congress provided additional safeguards in section 2721(c) that require resellers to document each sale to a third party. Section 2721(c) requires that “[a]ny authorized recipient ․ that resells or rediscloses personal information covered by this chapter must keep for a period of 5 years records identifying each person or entity that receives information and the permitted purpose for which the information will be used and must make such records available to the motor vehicle department upon request.” 18 U.S.C. § 2721(c). These safeguards support our view that Congress was focused more on the end use of the information than the manner in which it was obtained.
The Fifth and the Seventh Circuits have found persuasive support for this view in an unpublished Department of Justice opinion letter. The letter responded to an inquiry from the Commonwealth of Massachusetts about whether it was permitted under the DPPA to provide driver information to a commercial distributor who would resell the information only to third parties that themselves had permissible uses. See Letter from Robert C. McFetridge, Special Counsel to the Assistant Attorney Gen., to Peter Sacks, Office of the Attorney Gen. For the Commonwealth of Mass. (Oct. 9, 1998) (on file with the Fifth and Seventh Circuits). In response, the DOJ reasoned that the DPPA “regulated only the ultimate use of personal information without specifying or restricting who may obtain the information in order to accomplish that authorized purpose.” Id. The DOJ posited that Massachusetts could provide information to resellers so long as it could reasonably conclude that the information would be used only for authorized purposes. Id. We agree with our sister circuits that this is the most reasonable reading of the statute. See Graczyk, 660 F.3d at 280–81; Taylor, 612 F.3d at 339.
Section 2721(c) explicitly permits the resale of drivers' information, and it does not require that resellers must first use the information themselves. We hold that Plaintiffs cannot establish a DPPA violation by alleging that Defendants obtained personal information with the sole purpose of selling it to third parties who have permissible section 2721(b) uses for the information.
We conclude that the complaint was properly dismissed for failure to state a claim, and the order of the district court is affirmed.
1. The Honorable Greg Kays, United States District Judge for the Western District of Missouri.
2. Though named as Defendants in the caption, Listco West and E–Infodata.com, Inc. were both dismissed from the suit before the district court's 12(b)(6) determination and are not party to the present appeal.
3. Though Plaintiffs focus on the bulk obtainment of personal information, this immediate-use requirement would presumably apply to individual requests as well. Under Plaintiffs' theory, any entity who obtains an individual record for a permissible purpose will violate the DPPA if it does not use that information “immediately.”
4. The opt-out provision in section 2721(b) was later amended in 1999 and became an opt-in requirement. The effect of the amendment was that “States may not imply consent from a driver's failure to take advantage of a state-afforded opportunity to block disclosure, but must rather obtain a driver's affirmative consent to disclose the driver's personal information for use in surveys, marketing, solicitations, and other restricted purposes.” Reno, 528 U.S. at 144–45. The 1999 amendment changed the extent of control a driver had over the exceptions in sections 2721(b)(11) and (12), but did not extend new controls over any other 2721(b) exception. See Pub.L. 106–69, 113 Stat. 986, § 350.
MELLOY, Circuit Judge.