Whitaker et al v. Appriss Inc

Filing 194

OPINION AND ORDER: GRANTING 175 Motion for Summary Judgment by Defendant Appriss Inc. against Plaintiffs Rachel A Whitaker and Richard L Dunkin. Signed by Judge Robert L Miller, Jr on 7/18/17. (jld)

Download PDF
UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF INDIANA SOUTH BEND DIVISION RACHEL A. WHITAKER AND RICHARD L. DUNKIN, Plaintiffs, V. APPRISS, INC., Defendant. ) ) ) ) ) ) ) ) ) ) Cause No. 3:13-cv-826 RLM-CAN OPINION AND ORDER The Driver’s Privacy Protection Act of 1994, 18 U.S.C. § 2721 et seq., secures from prying eyes the personal information held in state department of motor vehicles records. Appriss, Inc. sold two drivers’ accident reports to businesses, which then used those reports to solicit the drivers. The drivers brought a putative class action against Appriss for violating the DPPA, and Appriss now moves for summary judgment. I. BACKGROUND The Indiana State Police contracted with Appriss to design and to maintain the Automated Reporting Information Exchange System, or ARIES. ARIES offered a uniform accident report for police throughout the state, a software platform for police to complete accident reports, and electronic storage for completed accident reports. Police officers had two options when filling drivers’ personal information into the Indiana Officer’s Standard Crash Report. They could manually type in the driver’s contact and vehicle information. Or they could use a handheld scanner to scan the barcodes on the back of the driver’s license and registration documents. Once the scanner read the barcode, it would auto-populate the accident report with the information listed on the driver’s license and registration, including the driver’s name, address, and license number. The only practical difference between these methods was that using the scanner would save time for officers and avoid typographical errors. The barcode method never accessed the Bureau of Motor Vehicles’ own database of driver data. It used no internet connection at all. The driver’s license barcode was encoded with the information on the front of the driver’s license – the scanner simply read it and input the information into the form.1 Once an officer completed the crash report, often after filling in details about the accident back at the station, the report would then upload to the ARIES database. Appriss made completed crash reports available on its website, www.buycrash.com. The state police required ARIES to be a “self-funded” program, meaning that Appriss relied on user fees from the website to make money, without charging the state for its services. Through the website, Appriss allowed parties involved in accidents to purchase copies of their accident reports. Appriss also allowed the general public, including businesses, to buy individual reports or to pay a subscription fee that allowed them to access reports in bulk. Companies that purchased accident reports could then use them to solicit Appriss had a third method to populate the accident reports that involved logging into the BMV database. This method wasn’t available to either police department involved in this litigation. 1 2 clients. According to Appriss’s contract, the state police authorized the specific fees that Appriss charged to the public, and Appriss remitted a portion of the fees paid to it back to the state police. ARIES would also send all new and updated crash report data to the BMV every day, allowing the BMV to investigate financial responsibility in accidents and to suspend licenses as needed. The BMV stores all of its driver, vehicle, and title records in the STARS (System Tracking and Record Support) system. Police officers can use the Indiana Data and Communications System, or IDACS, to access the records in STARS to check the validity of drivers’ licenses. The BMV logs every IDACS request to access STARS, including the date and information accessed. IDACS seems to be the only way for an officer to access STARS data. The plaintiffs argue that Appriss impermissibly disclosed their contact information, contained in their accident reports, to third-party businesses that then used that information to solicit them without their consent. The first plaintiff is Rachel Whitaker, who was in a car accident in Kokomo, Indiana. Officer Cunningham responded to the accident. He initially didn’t want to prepare an accident report because he believed that the damage to her car was worth less than $1,000. Ms. Whitaker insisted that he complete one anyway. She says she gave Officer Cunningham her driver’s license and registration, and Officer Cunningham then returned to his car with these items. Officer Cunningham explained that, when responding to accidents, he often uses IDACS to check the validity of a driver’s license. He said that he then takes handwritten notes on a blank Standard Crash Report form, seemingly 3 without using the auto-populate feature from the barcode scanner. When he gets back to the station, he uses his notes to create an electronic version of the accident report for ARIES. Officer Cunningham says he would have followed these steps when he responded to Ms. Whitaker’s accident. According to a BMV representative, Ms. Whitaker’s information wasn’t accessed through IDACS on the date of the accident. Her accident report was uploaded to ARIES on the day of her accident. The report was updated at a later date, but only to include data on the accident’s location. About a month after the accident, Ms. Whitaker received letters from a personal injury law firm and from a chiropractor advertising their services and indicating knowledge that she had recently been in a car accident. According to Appriss, five different entities purchased Ms. Whitaker’s accident report. The second plaintiff is Richard Dunkin, who was involved in an accident in Carrol County, Indiana. Deputy Schimmel responded to the accident. Mr. Dunkin says he gave his driver’s license, vehicle registration, and proof of insurance to Deputy Schimmel, who then took them back to his police car. Deputy Schimmel’s usual practice when responding to an accident is to ask the driver for his license, registration, and insurance documents. He would scan the barcodes on the license and registration to auto-populate the accident report form. Deputy Schimmel also generally calls the dispatcher to request a “10/27,” code for a confirmation that a driver’s license is valid and that the holder has no outstanding warrants. In calling for a 10/27, he usually provides a combination 4 of the driver’s name, birth date, or license number. The dispatcher then uses IDACS to access the BMV’s STARS database to check whether the license is valid. When dispatch checks on a license, it usually relays some information, such as the driver’s name and address, back to the police officer. Deputy Schimmel says he probably wouldn’t compare that information against what was written on the license, and he’s usually just concerned with whether the license is valid. BMV records show that there was a STARS information request, through IDACS, for Mr. Dunkin on the date of his accident. Mr. Dunkin’s accident report was uploaded to ARIES and no changes were ever made to it. About a month after the accident, Mr. Dunkin received solicitations from businesses with which he had no relationship, and which indicated their knowledge that he had recently been in a car accident. According to Appriss, six different entities purchased Mr. Dunkin’s accident report. The plaintiffs weren’t the victims of stalking or identity theft from the disclosure of their personal information. Neither suffered any monetary loss or physical harm from the disclosure. Ms. Whitaker said she “resented,” and Mr. Dunkin said it was “scary,” that strangers could obtain their information so readily. Ms. Whitaker and Mr. Dunkin claim that Appriss violated the Driver’s Privacy Protection Act when it sold copies of accident reports containing personal information to third parties for solicitation purposes and without their consent. The plaintiffs seek liquidated damages in the amount of $2,500 each, § 2724(b)(1), and class certification, Fed. R. Civ. P. 23. 5 The court denied Appriss’s motion to dismiss for failure to state a claim. Whitaker v. Appriss, Inc., No. 3:13-cv-826, 2014 WL 4536559 (N.D. Ind. Sept. 11, 2014). The court bifurcated discovery, delaying any ruling about the potential class action until the court determines whether the named plaintiffs prevail. In 2016, the Supreme Court decided Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), which provided guidance on Article III standing. Based on Spokeo, Appriss moved to dismiss for lack of jurisdiction. Fed. R. Civ. P. 12(b)(1). The court decided that the plaintiffs have standing and the case continued through discovery. Whitaker v. Appriss, Inc., 3:13-cv-826, 2017 WL 193056 (N.D. Ind. Jan. 17, 2017). Appriss now moves for summary judgment. Fed. R. Civ. P. 56. II. STANDARD OF REVIEW Summary judgment is appropriate when the pleadings, discovery materials, disclosures, and affidavits demonstrate no genuine issue of material fact, such that the movant is entitled to judgment as a matter of law. Fed. R. Civ. P. 56; Protective Life Ins. Co. v. Hansen, 632 F.3d 388, 391-392 (7th Cir. 2011). The evidence and all inferences that reasonably can be drawn from it must be construed in the light most favorable to the non-moving parties. Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 255 (1986). As the moving party, Appriss bears the burden of informing the court of the basis for its motion, together with evidence demonstrating the absence of any genuine issue of material fact. Celotex Corp. v. Catrett, 477 U.S. 317, 323 (1986). If Appriss meets that burden, the plaintiffs can’t rest upon the allegations in the pleadings, but must “point to 6 evidence that can be put in admissible form at trial, and that, if believed by the fact-finder, could support judgment in [their] favor.” Marr v. Bank of Am., N.A., 662 F.3d 963, 966 (7th Cir. 2011); Hammel v. Eau Galle Cheese Factory, 407 F.3d 852, 859 (7th Cir. 2005) (summary judgment is “not a dress rehearsal or practice run; it is the put up or shut up moment in a lawsuit, when a party must show what evidence it has that would convince a trier of fact to accept its version of events”). III. DISCUSSION Congress enacted the DPPA to prevent “stalkers and criminals from utilizing motor vehicle records to acquire information about their victims,” and to stop “the States’ common practice of selling personal information to businesses engaged in direct marketing and solicitation.” Dahlstrom v. SunTimes Media, LLC, 777 F.3d 937, 944 (7th Cir. 2015) (quoting Maracich v. Spears, 133 S. Ct. 2191, 2198 (2013)). The Act prohibits state departments of motor vehicles from “knowingly disclos[ing] or otherwise mak[ing] available to any person or entity . . . personal information . . . about any individual obtained by the department in connection with a motor vehicle record,” except as allowed under the statute’s fourteen exceptions. 18 U.S.C. § 2721(a)(1). The Act prohibits “any person [from] knowingly [] obtain[ing] or disclos[ing] personal information, from a motor vehicle record, for any use not permitted under” one of the exceptions. § 2722(a). A “motor vehicle record” is “any record that pertains to a motor vehicle operator’s permit, motor vehicle title, motor vehicle registration, or 7 identification card issued by a department of motor vehicles.” § 2725(1). The Act confers a private right of action on people whose information was wrongfully obtained or disclosed for, among other things, “actual damages, but not less than liquidated damages in the amount of $2,500.” § 2724(a), (b)(1). The court holds that name, address, and driver’s license number written down or scanned from a driver’s license handed over by the license-holder isn’t “personal information, from a motor vehicle record,” protected by the DPPA. § 2722(a). Appriss didn’t violate the DPPA when it sold the plaintiffs’ personal information to businesses to solicit them. A. The law of the case Appriss first argues that the court’s earlier opinions compel judgment in its favor. See United States v. Thomas, 11 F.3d 732, 736 (7th Cir. 1993) (“[W]hen a court decides upon a rule of law, that decision should continue to govern the same issues in subsequent stages of the same case.”). In ruling against Appriss’s motion to dismiss, the court looked to Senne v. Village of Palatine, 695 F.3d 597 (7th Cir. 2012), which held that personal information printed onto a parking ticket is “personal information . . . about any individual obtained by the department in connection with a motor vehicle record,” 18 U.S.C. § 2721(a), and thus falls within the DPPA’s scope. Senne v. Vill. of Palatine, 695 F.3d 597, 601-603 (7th Cir. 2012). Senne wasn’t a case in which the plaintiff herself disclosed the information, but where the police officer accessed the DMV database to prepare the ticket. It led to this court’s conclusion 8 that “[i]f the original source of the other government agency’s information is the state department of motor vehicles, the DPPA protects the information throughout its travels.” Whitaker v. Appriss, Inc., No. 3:13-cv-826, 2014 WL 4536559, at *4 (N.D. Ind. Sept. 11, 2014) (citing Senne, 695 F.3d at 609). An accident report itself isn’t a motor vehicle record, but “disclosure of personal information that was obtained by and from the department of motor vehicles may nonetheless violate the DPPA.” Id. at *5 (discussing Mattivi v. Russell, No. Civ.A. 01-WM-533(BNB), 2002 WL 31949898 (D. Colo. Aug. 2, 2002)). The decisive factor is “how the police officer who created the accident report obtained the driver’s license and vehicle title information – from the plaintiffs themselves or from the state department of motor vehicles.” Id.; see Pavone v. Meyerkord & Meyerkord, LLC, 118 F. Supp. 3d 1046, 1054 (N.D. Ill. 2015) (“To the extent that the Schaumburg Police Department received the Pavones’ personal information verbally from the Pavones—a reasonable inference given they were at the scene of the accident—this would not constitute a violation of the DPPA.”). But the earlier opinion isn’t explicit as to whether personal information pulled from a driver’s license, without accessing the BMV’s database, is information “from the plaintiffs themselves[, who handed over their driver’s licenses,] or from the state department of motor vehicles[, which created the licenses using its records of the drivers’ personal information].” Id. The “original source” can be characterized either way. The law of the case doesn’t provide Appriss with a clear route to victory. 9 B. The statute The first issue is whether the driver’s license itself is a “motor vehicle record.” If so, the disclosure of personal information from it would fall under the statute. A “motor vehicle record” is “any record that pertains to a motor vehicle operator’s permit . . . or identification card issued by a department of motor vehicles.” 18 U.S.C. § 2725(1) (emphasis added). The word “pertains,” as used in the DPPA, means “to belong as a part, member, accessory, or product.” Lake v. Neal, 585 F.3d 1059, 1061 (7th Cir. 2009). A driver’s license isn’t a part, member, accessory, or product of a motor vehicle operator’s permit; it is a motor vehicle operator’s permit. The plaintiffs suggest that “pertains” is intentionally expansive. As explained later, such an expansive reading would pull conduct into the Act’s orbit well beyond what Congress intended to govern. The license itself isn’t the relevant “motor vehicle record.” If there’s a possible claim, the relevant record would have to be that on which each license was based and which contains the driver’s personal information. This record would “belong as a part” to the driver’s license, without contorting the word “pertain.” If the “original source” of the information on the license is the BMV, then the information falls under the Act’s scope. Whitaker v. Appriss, Inc., No. 3:13-cv-826, 2014 WL 4536559, at *4 (N.D. Ind. Sept. 11, 2014) (citing Senne v. Vill. of Palatine, 695 F.3d 597, 609 (7th Cir. 2013)). The only issue then is whether the “original source” of the information is the DMV or the plaintiffs. 10 Other courts interpret DPPA protection to require that the information in a record be disclosed by a DMV, and not the plaintiff. The Second Circuit adopted this interpretation in Fontanez v. Skepple, 563 F. App’x 847 (2d Cir. 2014). The plaintiff in that case produced her driver’s license as identification at a jail so that she could visit her incarcerated boyfriend. The defendant, a corrections officer, used the address from her license to send her a teddy bear and note describing himself as her “new admirer.” Id. at 848. The Second Circuit held that “[w]here the personal information at issue is not obtained from a state DMV, no DPPA cause of action can be found.” Id. at 849. “[T]he DPPA does not protect against the use of personal information obtained from a driver’s license provided by the holder as proof of identity to gain access to a facility.” Id. at 848. The “access to a facility” language arguably limits the reach of the court’s holding, but nothing in the statute suggests that DPPA scope is related to whether the holder uses a license to gain access to a facility or for any other purpose. Because the plaintiff provided the license containing the information, there’s no DPPA claim when that information is misused. The Eleventh Circuit’s interpretation accords with the Second Circuit’s. In Siegler v. Best Buy Co. of Minnesota, 519 F. App’x 604 (11th Cir. 2013), a customer returned a computer mouse to Best Buy. To complete the return, the cashier took the customer’s driver’s license and scanned the magnetic strip on it. Id. at 604. The customer demanded that the information from the license be deleted and, when Best Buy didn’t do so, he sued for violating the DPPA. Id. 11 The court held that “the Act is concerned only with information disclosed, in the first instance, by state DMVs.” Id. at 605. “[T]he Act was intended to prohibit only the disclosure or redisclosure of information originating from state department of motor vehicles . . . records.” Id. (emphasis in original). That the plaintiff disclosed the information removed it from the scope of the act. See also Hurst v. State Farm Mut. Auto. Ins. Co., No. 10-1001-GMS, 2012 WL 426018, at *10 (D. Del. Feb. 9, 2012) (“Where, as here, a defendant does not obtain a plaintiff’s ‘personal information’ from a state motor vehicle agency, but instead, obtains that information directly from the plaintiff, any subsequent disclosure of that ‘personal information’ is not a DPPA violation.”); O’Brien v. Quad Six, Inc., 219 F. Supp. 2d 933, 934 (N.D. Ill. 2002) (“Reading the statute as a whole, it is clear that it is concerned with the source of the information—the state, as opposed to oneself—and not the medium by which it is conveyed—a driver’s license, passport, credit card, or the spoken word.”). These interpretations run counter to a decision from the Northern District of Illinois. That court held that “[a] driver’s license number and the other information contained on a driver’s license is, without question, ‘part’ of a motor vehicle operator’s permit.” Pavone v. Law Offices of Anthony Mancini, Ltd., 205 F. Supp. 3d 961, 966 (N.D. Ill. 2016). Information from a driver’s license is, thus, information from a “motor vehicle record” and subject to DPPA protection. Id. This court disagrees with Mancini. It treats the personal information on the license as the relevant “record.” The statute prohibits a person from “knowingly obtain[ing] or disclos[ing] personal information, from a motor vehicle 12 record,” 18 U.S.C. § 2722(a), with a “motor vehicle record” meaning “any record that pertains to a motor vehicle operator’s permit,” § 2725(1). To prevail on the claim, there should be, separately, “personal information,” a “record,” and a “motor vehicle operator’s permit.” Mancini treats the information on the driver’s license number as both “record” and “personal information.” Strange and far-reaching results follow from the Mancini interpretation, treating the license as the “motor vehicle record,” or treating the “original source” as the BMV. Any non-excepted use of information pulled off a driver’s license provided by its holder would subject the user of that information to DPPA liability. The alleged violations of the Act in the appeals court cases described above—the Fontanez “new admirer” case and the Best Buy case—illustrate the absurdity and breadth of the resulting liability. Appriss points out other absurd results. For example, a person who uses information on her spouse’s driver’s license information to make an order or reservation would be liable to the spouse for a DPPA violation.2 These results caution against conflating the various elements, or treating the DMV as the “original source” when the plaintiff discloses information. These interpretations balloon liability beyond the Act’s purpose of preventing disclosures by DMVs and misuse of information disclosed to third parties from DMVs. The plaintiffs try to cabin the broad effects of these interpretations by arguing that the DPPA protects information on driver’s licenses only when that information is disclosed involuntarily. They argue that, because Indiana law 2 That is, unless the spouse signed a written consent form. See 18 U.S.C. § 2721(b)(13). 13 requires disclosure of a driver’s license to the police after an accident, the plaintiffs didn’t disclose it voluntarily, so it remains under DPPA protection. Judge Moran arguably accepted this distinction when a night club patron’s information was disclosed after she used her driver’s license to gain access to the club. O’Brien v. Quad Six, Inc., 219 F. Supp. 2d 933, 935 (N.D. Ill. 2002) (“This statute seeks to control dissemination of information collected using the coercive power of the state. It does not regulate information freely given by consumers to private businesses . . . .”). The court declines to graft an involuntariness requirement onto the statute. There’s no strong basis for using voluntariness to determine DPPA coverage. No language in the statute alludes to this distinction. Even though this court disagrees with Judge Kennelly’s conclusions in Mancini, both courts agree on this point. Pavone v. Law Offices of Anthony Mancini, Ltd., 205 F. Supp. 3d 961, 966 (N.D. Ill. 2016). Fact-intensive analysis of what disclosures are voluntary also provides little guidance to entities attempting to determine how to comply with the Act before disclosing data. If the voluntariness distinction were relevant, the evidence here wouldn’t clearly answer whether the plaintiffs were required to disclose their licenses. Ms. Whitaker, for example, insisted that Officer Cunningham complete a police report. Could disclosure of her license be involuntary when she asked for the police report? It’s unclear how a business like Appriss is to discern which data is voluntarily disclosed and so disclosable to others. 14 “Through passage of laws like the DPPA, Congress extended privacy rights beyond just those redressible at common law.” Whitaker v. Appriss, Inc., 3:13cv-826, 2017 WL 193056, at *3 (N.D. Ind. Jan. 17, 2017). It did so narrowly and intentionally to protect information held by DMVs and disclosed by DMVs to other entities. Id. When the holder of a driver’s license hands over her personal information to an entity other than a DMV, even when that information is printed onto a driver’s license, the DPPA doesn’t protect it. IV. CONCLUSION Based on the foregoing, the court GRANTS Appriss’s motion for summary judgment [Doc. No. 175] and directs the Clerk to enter judgment accordingly. SO ORDERED. ENTERED: July 18, 2017 /s/ Robert L. Miller, Jr. Judge United States District Court 15

Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.

Why Is My Information Online?