Dye v. Meta Platforms, Inc.

Filing 32

ORDER granting 15 Motion to Dismiss for Failure to State a Claim. Signed by District Judge Terrence W. Boyle on 5/10/2024. (Stouch, L.)

Download PDF
IN THE UNITED STATES DISTRICT COURT FOR THE EASTERN DISTRICT OF NORTH CAROLINA WESTERN DIVISION No. 5:23-CV-509-BO-BM DAWN DYE, on behalf of herself and all others similarly situated, ) ) ) Plaintiff, ) ) V. META PLATFORMS, INC. , Defendant. ) ) ) ) ) ORDER This cause comes before the Court on defendant's motion to dismiss plaintifrs complaint. Plaintiff has responded, defendant has replied, and a hearing on the matter was held before the undersigned on March 21 , 2024, at Raleigh, North Carolina. In this posture, the motion is ripe for ruling. For the reasons that follow , the motion to dismiss is granted. BACKGROUND Plaintiff initiated this action by filing a complaint on behalf of h~rself and all others similarly situated on September 15, 2023. [DE 1]. Plaintiff alleges that defendant has violated the Drivers' Privacy Protection Act (DPPA), 18 U .S.C. §§ 2721 , et seq. by surreptitiously tracking the activities of North Carolinians who use the North Carolina Department of Motor Vehicles (OMV) online payment portal (myNCDMV) to obtain disability placard renewals, new car registrations, identification card renewals, and engage in other activities. Plaintiff alleges that when users visit Facebook.com, defendant installs a tracking code, the Meta Tracking Pixel (Pixel), onto their browsers which tracks many of the websites that they visit, including myNCDMV. Plaintiff specifically alleges that the Pixel "is a piece of code that advertisers can integrate into their website. Once activated, the [] Pixel tracks the people and type of actions they take. When the [] Pixel captures an action, it sends a record to Facebook. Once this record is received, Meta processes it, analyzes it, and assimilates it into datasets .. .. " Comp!. 1 17. The OMV hosts the Pixel to allow defendant to track what visitors to the myNCOMV site do. This tracking permits defendant to deliver targeted advertisements to its users. Plaintiff alleges that the myNCOMV website transmits three events to defendant via the Pixel: " Page View," "Microdata," and "Button Click." Comp!. 1 20. Plaintiff's complaint alleges these events are present on nearly all of the myNCOMV webpages and "covey a trove of information about a driver' s personal business with the OMV" including "highly restricted personal information" . Comp!. 11 25-36. Plaintiff alleges that when a web user is navigating the myNCOMV website while logged into Facebook, "the myNCOMV website compels a visitor' s browser to transmit an identifying ' computer cookie' to Meta, called ' c_ user,' for every single event sent through the [] Pixel." Comp!. 1 27. Plaintiff alleges that the c_ user cookie constitutes personally identifiable information because it contains the web user' s unencrypted Facebook ID, which anyone may use to identify a particular Facebook user through their Facebook page. Comp!. 128. Plaintiff also brings allegations regarding the Pixel ' s fr cookie, which contains an encrypted Facebook ID and browser identifier, and the usida cookie which defendant uses to target advertisements. Comp!. 11 30-35. Plaintiff alleges that " [b]y compelling a visitor' s browser to disclose the c_user and fr cookies alongside event data, the myNCOMV website knowingly discloses personal information and highly restricted personal information to Meta. By partnering with the myNCOMV website to host the [] Pixel , Meta also knowingly obtains this same personal information and highly restricted personal information." Compl. 138. Plaintiff further alleges that 2 defendant is collecting a drivers ' Facebook ID from the myNCDMV website by collecting c_user and fr cookies as first-party cookies. Comp!. 139. Plaintiff s specific experience is described in the complaint as follows. Plaintiff used the myNCDMV website to conduct private busi ness with the DMV in August 2023. When doing so, plaintiff accessed the myNCDMV website usi ng the same browser she uses to access her Facebook account. Plaintiff alleges that when she was navigating through the myNCDMV website, defendant obtained and used her personal information to help in its advertising efforts. Comp!. 11 43-47. Defendant has moved to dismiss plaintiffs complaint for failure to state a claim upon which relief can be granted. Fed. R. Civ. P. 12(b)(6). Defendant argues that plaintiff has failed to allege that defendant received any information from a motor vehicle record; that she failed to allege that defendant obtained any data for an improper purpose; and that she has failed to allege that defendant knowingly obtained or used protected information for an improper purpose. DISCUSSION A Rule 12(b)(6) motion tests the legal sufficiency of the complaint. Papasan v. Allain, 4 78 U.S. 265,283 (1986). A complaint must allege enough facts to state a claim for relief that is facially plausible. Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 570 (2007). In other words, the facts alleged must allow a court, drawing on judicial experience and common sense, to infer more than the mere possibility of misconduct. Nemet Chevrolet, Ltd. v. Consumeraffairs.com, Inc., 591 F.3d 250, 256 (4th Cir. 2009). The court " need not accept the plaintiffs legal conclusions drawn from the facts, nor need it accept as true unwarranted inferences, unreasonable conclusions, or arguments." Philips v. Pitt County Mem. Hosp. , 572 F.3d 176, 180 (4th Cir. 2009) (internal alteration and citation omitted). 3 A. TheDPPA To obtain a driver' s license or register a vehicle, state DMVs, as a general rule, require an individual to disclose detailed personal information, including name, home address, telephone number, Social Security number, and medical information. See Reno v. Condon, 528 U.S. 141 , 143, 120 S.Ct. 666, 145 L.Ed.2d 587 (2000). The enactment of the DPPA responded to at least two concerns over the personal information contained in state motor vehicle records. The first was a growing threat from stalkers and criminals who could acquire personal information from state DMVs. The second concern related to the States ' common practice of selling personal information to businesses engaged in direct marketing and solicitation. To address these concerns, the DPPA "establishes a regulatory scheme that restricts the States' ability to disclose a driver' s personal information without the driver' s consent." Id., at 144, 120 S.Ct. 666. Maracich v. Spears, 570 U.S. 48, 57 (2013). To that end, the DPPA provides that "A person who knowingly obtains, discloses or uses personal information, from a motor vehicle record, for a purpose not permitted under this chapter shall be liable to the individual to whom the information pertains, who may bring a civil action in a United States district court." 18 U.S.C . § 2724(a). Thus, to state a claim for violation of the DPPA, a plaintiff must ultimately prove that the defendant (I) "knowingly obtained his personal information (2) from a motor vehicle record (3) for a nonpermissible use." Andrews v. Sirius XM Radio Inc., 932 F.3d 1253 , 1259 (9th Cir. 2019). B. Plaintiffs complaint Plaintiff alleges that Facebook ID numbers are personal information under the DPPA and that webpages on the myNCDMV on line payment portal are a type of motor vehicle record under the DPPA. Plaintiff alleges that, in violation of the DPPA, defendant obtained highly restricted personal information from a motor vehicle record and that it knowingly used this personal information to deliver targeted advertisements, without the express consent of plaintiff or the putative class members having been granted to either defendant or the OMV. Comp!. 4 ,r,r 57-63 . Personal information is defined by the DPPA as " information that identifies an individual , including an individual 's photograph, social security number, driver identification number, name, address (but not the 5-digit zip code), telephone number, and medical or disability information .. .. " 18 U.S.C. § 2725(3). The Court assumes, without deciding, that plaintiff has plausibly alleged that a Facebook lD is personal information under the DPPA. See Keogh v. Meta Platforms, Inc., 680 F. Supp. 3d 601,609 (D.S.C. 2023). Plaintiff has failed , however, to plausibly allege that the cookies defendant allegedly received containing her Facebook ID were obtained from a motor vehicle record. A "motor vehicle record" is defined by the DPPA as "any record that pertains to a motor vehicle operator' s permit, motor vehicle title, motor vehicle registration, or identification card issued by a department of motor vehicles". 18 U .S.C. § 2725(1 ). The term "record" is defined by the Privacy Act of 1974, which the DPPA is intended to reflect, as " information about an individual that is maintained by an agency." 5 U.S .C. § 552a(a)(4);Andrews, 932 F.3d at 1260. The myNCDMV website is a public-facing website accessible by anyone using the internet. A user of the myNCDMV website can access information about vehicle registration renewal, license and ID cards, and disability placard renewal, as well as paying administrative hearing fees and submitting a voter registration application. See www.payments.ncdot.gov (last visited May 6, 2024). The complaint fails to allege any information about an individual that is maintained on the myNCDMV website by the OMV such that the website itself could be considered a " record" for purposes of the DPPA. Nor is the myNCDMV website a "motor vehicle record." A court recently considering a substantially similar case brought against defendant arising from a user's interaction with the South Carolina Department of Motor Vehicles (SCDMV) website concluded that "even if the SCDMV 5 website was a ' record,' it is not a ' motor vehicle' record under the statutory definition, which is limited to records pertaining to ' a motor vehicle operator' s permit, motor vehicle title, motor vehicle registration, or identification card."' Keogh, 680 F. Supp. 3d at 610 (quoting 18 U.S.C. § 2725(1)). There, as here, plaintiffs argued that almost every webpage on SCDMV has a "connection with driving." Id. ; [DE 17 p. 5] . But the South Carolina court rejected that argument, noting both that the SCDMV website had information unrelated to driving and that, in any event, the argument did not help the plaintiff because whether a record or information is "connected" to driving does not satisfy the DPPA ' s definition of a "motor vehicle record" - the statute narrowly defines a motor vehicle record as only records which pertain to the "four specific types of records" identified. Keogh, 680 F. Supp. 3d at 610. The same is true for plaintiff here. The myNCDMV website contains information related to voting registration, which plainly does not pertain to a "motor vehicle operator's permit, motor vehicle title, motor vehicle registration, or identification card." 18 U.S .C. § 2725(1 ). And, as defendant has argued, it would stretch the DPPA too far for there to be a violation of the statute anytime a Facebook user accesses myNCDMV to register to vote. Moreover, "disclosure of the fact that a person simply visited a website page where motor vehicle records might or might not be accessed does not violate the DPPA [because] the DPPA does not create a right to privacy with respect to every interaction that a citizen may have with the DMV website." Keogh, 680 F. Supp. 3d at 610. Additionally, even assuming that the myNCDMV website uses the information it collects to create other records about motor vehicle regi strations or disabil ity placards, that does not cause the myNCDMV website itself to be a motor vehicle record as that term is defined by the DPPA. 6 Finally, even if it is determined that the myNCOMV website is a motor vehicle record, plaintiff has not plausibly alleged that the information defendant obtained comes from a motor vehicle record. The complaint alleges that the c_ user and fr cookies at issue are placed on plaintiffs and other users ' web browsers. Compl. ,r,r 27; 38, 45 , 59. Specifically, plaintiff alleges that "the myNCOMV website compels a visitor' s browser to transmit an identifying ' computer cookie' to Meta [which] contains that visitor' s unencrypted Facebook ID." Compl. ,r 27. In other words, the information contained in the cookie comes, not from the myNCOMV website or any OMV database, but from the webpage visitor' s browser. But the " OPPA imposes civil liability only on a defendant who obtains personal information.from a motor vehicle record, but not on a defendant who merely obtains personal information that can be linked back to (i.e., derived from) such a record. " Garey v. James S. Farrin, P. C., 35 F.4th 917,927 (4th Cir. 2022). Plaintiff has not plausibly alleged that the personal information transmitted via cookie from her own web browser is information.from a motor vehicle record . See also Andrews, 932 F.3d at 1260 ("where, as here, the initial source of personal information is a record in the possession of an individual , rather than a state OMV, then use or disclosure of that information does not violate the OPPA."). In opposition to the motion to dismiss, plaintiff relies heavily on the holding in Gershzon v. Meta Platforms, Inc. , No. 23-CV-00083-Sl , 2023 WL 5420234 (N.O. Cal. Aug. 22, 2023). There, however, unlike here, plaintiff alleged that he had opened an on line OMV account and that in doing so provided his full name, email address, and telephone number. Id. at *3. He further specifically alleged that he visited the website twice per year, at least in part to apply for a disability placard. Additionally, " Gershzon alleges that Meta obtained his personal information from the OMV website and that the OMV maintained thi s information after Gershzon provided it to the OMV through his "MyOMV" online account." Gershzon, 2023 WL 5420234, at *8. Plaintiff 7 makes no similar allegations in her complaint. She alleges only that in August 2023 she visited the myNCDMV website to conduct private business, that she also has a Facebook account, and that defendant obtained and used her personal information. Comp!. ,r,r 43-46. Gershzon is therefore factually distinguishable, and plaintiff's allegations are insufficient to state a claim. In sum, plaintiff has failed to plausibly allege that defendant knowingly obtained any personal information from a motor vehicle record. This Court is persuaded by the holding in Keogh, which is premised on similar facts, and determines that plaintiff's complaint is appropriately dismissed. 1 CONCLUSION Accordingly, for the foregoing reasons, defendant's motion to dismiss [DE 15] is GRANTED. Plaintiff's complaint is hereby DlSMISSED. The clerk is DIRECTED to close this case. SO ORDERED, this /b day of May 2024. :z:~P~ UNITED STA TES DISTRICT JUDGE 'Because the Court determines that plaintiff has failed to allege the existence of a motor vehicle record, the Court need not address defendant's remaining arguments. 8

Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.

Why Is My Information Online?