Cook v. ACS STATE & LOCAL SOLUTIONS, INC.

United States Court of Appeals
FOR THE EIGHTH CIRCUIT
___________

No. 10-3818
___________

Janice Cook, on behalf of themself *
and all others similarly situated, et al. *
*
Plaintiffs - Appellants, *
*
v. *
*
ACS State & Local Solutions, Inc., *
*
Defendant - Appellee, *
*
Listco West, *
* Appeal from the United States
Defendant, * District Court for the
* Western District of Missouri.
Samba Holding, Inc.; Aristotle *
International, Inc., *
*
Defendants - Appellees, *
*
E-Infodata.com, Inc., *
*
Defendant, *
*
Insurance Information Exchange; *
St. Louis Post-Dispatch; Worldwide *
Information, Inc., *
*
Defendants - Appellees. *
*
*
Coalition for Sensible Public Records *
Access; Consumer Data Industry *
Association; West Publishing *
Corporation, *
*
Amici on Behalf of *
Appellees. *
___________

Submitted: September 22, 2011
Filed: December 15, 2011
___________

Before MELLOY, SMITH, and BENTON, Circuit Judges.
___________

MELLOY, Circuit Judge.

Plaintiffs bring this class action suit against a variety of defendants, alleging
that each improperly obtained personal driver information from the Missouri
Department of Revenue ("DOR") in violation of the Driver's Privacy Protection Act
("DPPA"), 18 U.S.C. §§ 2721–2725. Plaintiffs base their claims on two separate
theories: (1) The bulk obtainment of personal information, which allows a company
to "stockpile" information for the sake of convenience when a permissible purpose to
use that information arises, is a per se violation of the DPPA; and (2) obtaining an
entire database of personal information for the sole purpose of reselling that
information to others is also a violation of the DPPA. The district court1 found that
neither theory stated a valid claim under the DPPA and granted Defendants' Rule
12(b)(6) motions to dismiss. For the reasons stated below, we affirm.

1
The Honorable Greg Kays, United States District Judge for the Western
District of Missouri.

-2-
 I. Background
Plaintiffs represent a putative class of licensed Missouri drivers alleging injury
under the DPPA. Missouri drivers are required by law to submit certain personal
information to the DOR. Under Missouri law and the federal regulatory scheme of
the DPPA, the DOR is permitted to sell that information to individuals or entities who
certify that they have a permitted purpose for the information. Defendants2 are an
assortment of businesses that purchase driver information pursuant to Missouri law.

On February 25, 2010, Plaintiffs filed suit alleging that Defendants improperly
obtained the entire database of drivers' information from the Missouri DOR. Plaintiffs
amended their complaint on April 29, 2010, advancing claims that some Defendants
obtained the database to "stockpile" information for future use and that other
Defendants obtained the database merely to resell information to third parties. In
either scenario, Plaintiffs alleged that Defendants did not have an immediate use for
the information, and therefore did not obtain it for any permitted purpose under the
DPPA. Defendants challenged Plaintiffs' standing to sue and asserted that Plaintiffs
failed to state a valid claim under the DPPA. The district court found that Plaintiffs
alleged a proper injury and had the standing conferred by Congress under the DPPA.
However, the court determined that neither theory advanced by Plaintiffs established
a claim upon which relief could be granted. The district court noted that Plaintiffs'
claims were the same as those rejected by the Fifth Circuit in Taylor v. Acxiom Corp.,
612 F.3d 325 (5th Cir. 2010). Though not bound by the Fifth Circuit's decision, the
district court found Taylor's analysis to be persuasive and granted Defendants'
12(b)(6) motions to dismiss. Plaintiffs now appeal.

2
Though named as Defendants in the caption, Listco West and E-Infodata.com,
Inc. were both dismissed from the suit before the district court's 12(b)(6)
determination and are not party to the present appeal.

-3-
 II. Discussion
Plaintiffs argue that the district court erred in dismissing their suit on the ground
that the complaint failed to state a claim under the DPPA. We review the district
court's grant of a motion to dismiss de novo. Schaaf v. Residential Funding Corp.,
517 F.3d 544, 549 (8th Cir. 2008). Dismissal is proper where the plaintiffs' complaint
fails to state a claim upon which relief can be granted. Fed. R. Civ. P. 12(b)(6). The
court accepts as true all factual allegations but is "'not bound to accept as true a legal
conclusion couched as a factual allegation.'" Ashcroft v. Iqbal, 556 U.S. 662, 129
S.Ct. 1937, 1950 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555
(2007)).

State motor vehicle departments require drivers to provide personal
information, such as a person's name, address, telephone number, Social Security
number, and medical information as a condition of obtaining a driver's license or
registering a vehicle. Reno v. Condon, 528 U.S. 141, 143 (2000). Congress enacted
the DPPA as an amendment to the Violent Crime Control and Law Enforcement Act
of 1994 in response to safety concerns about the ease with which individuals could
obtain this information from the state, as well as concerns about direct marketers who
used this information for commercial purposes without drivers' consent. Taylor, 612
F.3d at 336–37. The DPPA regulates the disclosure of personal information contained
in state motor vehicle records. The DPPA generally prohibits any state department
of motor vehicles from "knowingly disclos[ing] or otherwise mak[ing] available to
any person or entity personal information . . . about any individual obtained by the
department in connection with a motor vehicle record." 18 U.S.C. § 2721(a). The Act
applies not only to states; it prohibits private individuals from knowingly "obtain[ing]
or disclos[ing] personal information, from a motor vehicle record, for any use not
permitted under section 2721(b)." 18 U.S.C. § 2722(a). The DPPA also regulates the
resale and redisclosure of drivers' personal information by private individuals. The
resale or redisclosure subsection provides:

-4-
 An authorized recipient of personal information (except a recipient under
subsection (b)(11) or (12)) may resell or redisclose the information only
for a use permitted under subsection (b) (but not for uses under
subsection (b)(11) or (12)). An authorized recipient under subsection
(b)(11) may resell or redisclose personal information for any purpose.
An authorized recipient under subsection (b)(12) may resell or redisclose
personal information pursuant to subsection (b)(12). Any authorized
recipient (except a recipient under subsection (b)(11)) that resells or
rediscloses personal information covered by this chapter must keep for
a period of 5 years records identifying each person or entity that receives
information and the permitted purpose for which the information will be
used and must make such records available to the motor vehicle
department upon request.

18 U.S.C. § 2721(c).

The general prohibition on disclosure under the DPPA "does not apply if
drivers have consented to the release of their data." Reno, 528 U.S. at 144. The
general prohibition on disclosure is also subject to a number of exceptions. First,
there are some uses of personal information connected to safety, theft, or compliance
with other federal statutes for which disclosure of personal information is mandatory.
See 18 U.S.C. § 2721(b). Second, there are fourteen enumerated uses for which
disclosure is permissible:

(1) For use by any government agency, including any court or law
enforcement agency, in carrying out its functions, or any private person
or entity acting on behalf of a Federal, State, or local agency in carrying
out its functions.

-5-
(2) For use in connection with matters of motor vehicle or driver safety
and theft; motor vehicle emissions; motor vehicle product alterations,
recalls, or advisories; performance monitoring of motor vehicles, motor
vehicle parts and dealers; motor vehicle market research activities,
including survey research; and removal of non-owner records from the
original owner records of motor vehicle manufacturers.

(3) For use in the normal course of business by a legitimate business or
its agents, employees, or contractors, but only—

(A) to verify the accuracy of personal information submitted by the
individual to the business or its agents, employees, or contractors; and

(B) if such information as so submitted is not correct or is no longer
correct, to obtain the correct information, but only for the purposes of
preventing fraud by, pursuing legal remedies against, or recovering on
a debt or security interest against, the individual.

(4) For use in connection with any civil, criminal, administrative, or
arbitral proceeding in any Federal, State, or local court or agency or
before any self-regulatory body, including the service of process,
investigation in anticipation of litigation, and the execution or
enforcement of judgments and orders, or pursuant to an order of a
Federal, State, or local court.

(5) For use in research activities, and for use in producing statistical
reports, so long as the personal information is not published, redisclosed,
or used to contact individuals.

-6-
(6) For use by any insurer or insurance support organization, or by a
self-insured entity, or its agents, employees, or contractors, in connection
with claims investigation activities, antifraud activities, rating or
underwriting.

(7) For use in providing notice to the owners of towed or impounded
vehicles.

(8) For use by any licensed private investigative agency or licensed
security service for any purpose permitted under this subsection.

(9) For use by an employer or its agent or insurer to obtain or verify
information relating to a holder of a commercial driver's license that is
required under chapter 313 of title 49.

(10) For use in connection with the operation of private toll
transportation facilities.

(11) For any other use in response to requests for individual motor
vehicle records if the State has obtained the express consent of the
person to whom such personal information pertains.

(12) For bulk distribution for surveys, marketing or solicitations if the
State has obtained the express consent of the person to whom such
personal information pertains.

(13) For use by any requester, if the requester demonstrates it has
obtained the written consent of the individual to whom the information
pertains.

-7-
 (14) For any other use specifically authorized under the law of the State
that holds the record, if such use is related to the operation of a motor
vehicle or public safety.

18 U.S.C. § 2721(b).

Plaintiffs argue that these enumerated exceptions all carry an implicit
requirement that the personal information obtained from the state be used
immediately. According to Plaintiffs' theory, any individual or entity that obtains an
entire state database of personal information and "stockpiles" it for future use has
violated the DPPA.3 This also would mean a company that obtains the entire database
in order to resell the information to third parties has violated the DPPA by not putting
the information to an immediate section 2721(b) use.

A. Stockpiling
Plaintiffs do not contend that Defendants actually misused drivers' personal
information, nor do they dispute that Defendants might have put some information to
an end use permitted under section 2721(b). Instead, Plaintiffs argue that Defendants
obtained records in bulk merely for the convenience of maintaining their own motor
vehicle record databases in anticipation of future use, and therefore have violated the
DPPA as to each record Defendants did not put to an immediate permissible use.
Defendants, however, assert that they obtained driving records for the purpose of
using them in accordance with section 2721(b). According to Defendants, the bulk
obtainment of those records was meant to facilitate that purpose by reducing cost and
expediting access; bulk obtainment was not an end in itself.

3
Though Plaintiffs focus on the bulk obtainment of personal information, this
immediate-use requirement would presumably apply to individual requests as well.
Under Plaintiffs' theory, any entity who obtains an individual record for a permissible
purpose will violate the DPPA if it does not use that information "immediately."

-8-
 The language of section 2721(b) does not address whether Congress specifically
intended to allow or prohibit bulk obtainment for most of the enumerated purposes.
However, it is apparent from the statute as a whole that the DPPA is concerned with
the ultimate use of drivers' personal information, not how that information is obtained.
See 18 U.S.C. § 2721(b) (listing exceptions based on the ultimate "use" of the
information); 18 U.S.C. § 2722(a) ("It shall be unlawful for any person knowingly to
obtain or disclose personal information, from a motor vehicle record, for any use not
permitted under section 2721(b) of this title.") (emphasis added). All of our sister
circuits who have considered this issue have concluded the same. See Graczyk v.
West Publ'g Co., 660 F.3d 275, 279 (7th Cir. 2011) (The DPPA "is concerned with the
ultimate use or uses to which personal information contained in motor vehicle records
is put"); Howard v. Criminal Info. Servs., Inc., 654 F.3d 887, 891 (9th Cir. 2011)
("[T]he statute was written in a way that logically put the focus on the purposes for
which the information would eventually be used—on the 'end' sought by the
purchaser—not on the reason for buying it in bulk."); Roth v. Guzman, 650 F.3d 603,
614–17 (6th Cir. 2011) (analyzing and agreeing with Taylor); Taylor, 612 F.3d at
338–39.

When an entity obtains a state database in bulk, its purpose for obtaining the
entire database is the same as its purpose for obtaining only one driver's personal
information; the fact that not all of the records will be used does not change that
purpose. See Taylor, 612 F.3d at 337 (offering the analogy that attorneys buy legal
reporters for the purpose of legal research, even if they don't use every volume). The
proper focus for courts is not the manner in which the information was acquired, but
the use to which it is eventually put. Howard, 654 F.3d at 892 ("[T]he portion of the
statute that expresses the permissible purposes explicitly does so in terms of the 'use'
of the information. That is what should be considered in determining whether the
acquisition of the information is permitted under the statute.").

-9-
 Other courts have noted the efficiencies that result from allowing businesses to
obtain driving records in bulk rather than requiring those businesses to submit separate
requests each time they need an individual record. Taylor, 612 F.3d at 338 n.12;
Graczyk, 660 F.3d at 280. Plaintiffs, on the other hand, offer no persuasive argument
that Congress intended to limit the states to disclosing personal information one
request at a time, or why it would want to. Plaintiffs reason that "stockpiling" is
prohibited by the statute because personal information must be used "immediately"
after the information is obtained. Yet no language in the statute requires immediate
use; the DPPA only requires that the information be obtained for a permissible
purpose. Indeed, there is no suggestion of a temporal limit anywhere in the DPPA.
See Howard, 654 F.3d at 892 ("There is also no problem with Defendants obtaining
the personal information for potential future use, even if they may never use it. The
DPPA does not contain a temporal requirement for when the information obtained
must be used for the permitted purpose."). We decline to read such a requirement into
the statute.

Statements from the legislative history support our reading of the DPPA. One
co-sponsor described the bill in the Senate as "strik[ing] a critical balance between the
legitimate governmental and business needs for this information, and the fundamental
right of our people to privacy and safety." 139 Cong. Rec. 29468 (1993) (statement
of Sen. Boxer). The idea that the DPPA was meant to restrict improper uses of driver
information while allowing access to businesses with a legitimate need was echoed
in the House of Representatives. See 140 Cong. Rec. 7929 (1994) (statement of Rep.
Goss) ("The flow of information would only be denied to a narrow group of people
that lack legitimate business. The Amendment defines 'legitimate business' broadly,
including all the duties of Federal, State, and local law enforcement agencies and
courts, verification and/or correction of personal information, private investigations,
and anything related to the operation of a motor vehicle.").

-10-
 Congressman Moran, a co-sponsor in the House, also addressed the DPPA's
balance between "rights to privacy with legitimate interests in accessing DMV
information." Protecting Driver Privacy: Hearings on H.R. 3365 Before the
Subcomm. on Civil and Constitutional Rights of the House Comm. on the Judiciary,
103d Cong., 2d Sess. (Feb. 3, 1994) (statement of Rep. Moran). Moran indicated his
desire to avoid impediments for companies that rely on "information that is necessary
and essential for them to do business." Id. Moran also indicated that the law was not
meant to intrude on existing, legitimate uses of the information:

Careful consideration was given to the common uses now made of this
information and great efforts were made to ensure that those uses were
allowed under this bill. Among those who will continue to have
unfettered access are federal and state governments and their contractors,
for use in auto recalls, by businesses (such as an insurance company) to
verify the accuracy of personal information submitted by a licensee, for
use in any civil or criminal proceeding, in research activities, and in
marketing activities as long as the individual has been given the
opportunity to opt out.

Id.4 Indeed, the only business use that Moran expressed concern about was the use of
driver information in direct marketing solicitations. Even this use was not prohibited,
however, because the law "would allow DMVs to continue to sell DMV information

4
The opt-out provision in section 2721(b) was later amended in 1999 and
became an opt-in requirement. The effect of the amendment was that "States may not
imply consent from a driver's failure to take advantage of a state-afforded opportunity
to block disclosure, but must rather obtain a driver's affirmative consent to disclose
the driver's personal information for use in surveys, marketing, solicitations, and other
restricted purposes." Reno, 528 U.S. at 144–45. The 1999 amendment changed the
extent of control a driver had over the exceptions in sections 2721(b)(11) and (12), but
did not extend new controls over any other 2721(b) exception. See Pub. L. 106-69,
113 Stat. 986, § 350.

-11-
in bulk as long as every driver in that state had been given the opportunity to restrict
the sale of their name for marketing purposes." Id.

Bulk obtainment of driver information for a permissible purpose does not
violate the DPPA. Plaintiffs cannot establish a violation of the DPPA if all the
defendants have done is obtain driver information in bulk for potential use under a
permissible purpose.

B. Resale
Some of the Defendants in this case obtained personal information in bulk from
the Missouri DOR not for their own permissible use, but to sell to third parties who
have permissible uses of their own. There is no dispute that 18 U.S.C. § 2721(c)
explicitly authorizes the resale and redistribution of personal information, however
Plaintiffs contend that this section does not provide a stand-alone justification for
businesses to obtain records from the state. Plaintiffs argue that the DPPA requires
resellers to have their own permissible use for personal information before selling it
to third parties. Plaintiffs interpret the phrase "authorized recipient" under section
2721(c) as an individual or entity who has an immediate permissible use for the
information under section 2721(b).

The statute does not define "authorized recipient," and therefore does not
provide direct guidance on this issue. However, Plaintiffs identify no support in either
the language of the statute or the legislative history that suggests an authorized
recipient must have an authorized use. As other courts have pointed out, section
2721(c) restricts only "authorized recipients," not "authorized users" or "permissible
users" (which would more closely mirror section 2721(b)). Taylor, 612 F.3d at 338;
Russell v. ChoicePoint Servs. Inc., 300 F. Supp. 2d 450, 455–61 (E.D. La. 2004). So
long as personal information is ultimately used only for permitted purposes, it is not
clear why Congress would have intended to regulate who could obtain it. The statute
as a whole is concerned only with the use of the information, not the entity requesting

-12-
it. See Russell, 300 F. Supp. 2d at 457 ("The plain language of the DPPA is written
in terms of permissible 'uses' rather than permissible 'users.'"); Graczyk, 660 F.3d at
279 (pointing out that the statute permits an agent to obtain information for use by a
business without requiring the agent to have a separate use).

The documentation requirements in section 2721(c) seem to further indicate that
Congress was primarily concerned with the end use of personal information.
Congress provided additional safeguards in section 2721(c) that require resellers to
document each sale to a third party. Section 2721(c) requires that "[a]ny authorized
recipient . . . that resells or rediscloses personal information covered by this chapter
must keep for a period of 5 years records identifying each person or entity that
receives information and the permitted purpose for which the information will be used
and must make such records available to the motor vehicle department upon request."
18 U.S.C. § 2721(c). These safeguards support our view that Congress was focused
more on the end use of the information than the manner in which it was obtained.

The Fifth and the Seventh Circuits have found persuasive support for this view
in an unpublished Department of Justice opinion letter. The letter responded to an
inquiry from the Commonwealth of Massachusetts about whether it was permitted
under the DPPA to provide driver information to a commercial distributor who would
resell the information only to third parties that themselves had permissible uses. See
Letter from Robert C. McFetridge, Special Counsel to the Assistant Attorney Gen.,
to Peter Sacks, Office of the Attorney Gen. For the Commonwealth of Mass. (Oct. 9,
1998) (on file with the Fifth and Seventh Circuits). In response, the DOJ reasoned
that the DPPA "regulated only the ultimate use of personal information without
specifying or restricting who may obtain the information in order to accomplish that
authorized purpose." Id. The DOJ posited that Massachusetts could provide
information to resellers so long as it could reasonably conclude that the information
would be used only for authorized purposes. Id. We agree with our sister circuits that

-13-
this is the most reasonable reading of the statute. See Graczyk, 660 F.3d at 280–81;
Taylor, 612 F.3d at 339.

Section 2721(c) explicitly permits the resale of drivers' information, and it does
not require that resellers must first use the information themselves. We hold that
Plaintiffs cannot establish a DPPA violation by alleging that Defendants obtained
personal information with the sole purpose of selling it to third parties who have
permissible section 2721(b) uses for the information.

III. Conclusion
We conclude that the complaint was properly dismissed for failure to state a
claim, and the order of the district court is affirmed.
______________________________

-14-