Concerning the Scope of the ‘Litigation’ Exception to the Drivers’ Privacy Protection Act
- Whether the Fourth Circuit erred in holding, contrary to every other court heretofore to have considered the issue, that lawyers who obtain, disclose, or use personal information solely to find clients to represent in an incipient lawsuit – as opposed to evidence for use in existing or potential litigation – may seek solace under the litigation exception of the Act.
- Whether the Fourth Circuit erred in reaching the conclusion (in conflict with prior precedent) that a lawyer who files an action that effectively amounts to a “place holder” lawsuit may thereafter use DPPA-protected personal information to solicit plaintiffs for that action through a direct mail advertising campaign on the grounds that such use is “inextricably intertwined” with “use in litigation.”
This case presents an issue of first impression for the Supreme Court: the scope of the “litigation” exception under the Drivers’ Privacy Protection Act (“DPPA”), 18 U.S.C. § 2721 et seq. The lower court held that, as a matter of law, a lawyer’s use of personal information from a DPPA-protected database for the purpose of soliciting potential clients is permissible under the “litigation” exception.
Respondents, Spears et al., are class action attorneys in South Carolina. The attorneys obtained personal information, from the state department of motor vehicles, of thousands of car buyers (including names, addresses, phone numbers, and car purchase information). Respondents then used this information to identify potential clients for several “group action” lawsuits against car dealerships.
Petitioners, Maracich et al., are car buyers who received solicitations from Respondents. They brought suit alleging that Respondents violated the Driver Privacy Protection Act (DPPA) by obtaining and using the Petitioners’ personal information without their consent and for an impermissible purpose.
The DPPA restricts the disclosure and use of personal information held by state DMVs. Respondents claim their use is lawful under the litigation exception to the DPPA. This exception allows for the disclosure of DMV-held personal information “in connection with” litigation and for “investigation in anticipation of litigation.”
The Drivers’ Privacy Protection Act
The DPPA was passed in reaction to a series of abuses of drivers’ personal information held by government. The 1989 death of actress Rebecca Schaeffer was a prominent example of such abuse. In that case, a private investigator, hired by an obsessed fan, was able to obtain Rebecca Schaeffer’s address through her California motor vehicle record. The fan used her address information to stalk and to kill her. Other incidents cited by Congress included a ring of Iowa home robbers who targeted victims by writing down the license plates of expensive cars and obtaining home address information from the State’s department of motor vehicles.
The Supreme Court, in a unanimous decision written by Justice Rehnquist, rejected a constitutional challenge to the DPPA. See Reno v. Condon, 528 U.S. 141 (2000). In that case, the state of South Carolina challenged the DPPA arguing that the Act violated principles of federalism. The Supreme Court upheld the constitutionality of the Act as a proper exercise of Congress’ authority to regulate interstate commerce under the Commerce Clause. EPIC filed an amicus brief in that case that argued in part:
- The Drivers Privacy Protection Act safeguards the personal information of licensed drivers from improper use or disclosure. It is a valid exercise of federal authority in that it seeks to protect a fundamental privacy interest. It restricts the activities of states only to the extent that it concerns the subsequent use or disclosure of the information in a manner unrelated to the original purpose for which the personal information was collected. The states should not impermissibly burden the right to travel by first compelling the collection of sensitive personal information and then subsequently disclosing the same information for unrelated purposes.
The district court ruled in favor of Respondents, holding that they did not engage in prohibited solicitation of clients, and that their use of driver records did not violate the DPPA because the litigation exception applies. On appeal, the Court of Appeals for the Fourth Circuit affirmed the district court ruling. The Fourth Circuit held that Respondents did participate in solicitation, but the use of the personal information was “inextricably intertwined” with “investigation in anticipation of litigation” and therefore falls under the DPPA exception. 18 U.S.C. § 2721(b)(4). The Supreme Court granted certiorari on September 25, 2012.
EPIC has filed briefs in the past supporting strong DPPA protections for drivers’ personal information. See Reno v. Condon, 528 U.S. 141 (2000); Gordon v. Softech Int’l, Inc., 828 F. Supp. 2d 665 (S.D.N.Y. 2011), appeal docketed No. 12-661 (2d Cir. 2012); Kehoe v. Fidelity Fed. Bank & Trust, 421 F.3d 1209 (11th Cir. 2005). The DPPA is an important tool that provides an effective punishment against those who traffic in personal information. The protections provided by the DPPA require the narrow construction of the exceptions contained in the law, and the use of personal information for solicitations does not align with the purposes of the statute.
EPIC filed a “friend of the court” brief in support of Petitioners Maracich. EPIC’s brief discusses DMV data collection practices, Department of Homeland Security REAL ID regulations, and the risks posed by identity theft and data brokers.
State DMVs collect a massive array of detailed, sensitive personal information. Through an in-depth survey of DMV practices, EPIC identified 55 categories of information held in state DMV records. These data include conventional driver’s license information like names, addresses, and photos, but also much more sensitive documents used for identity verification including tax records, social security numbers, birth certificates, passports, immigration documents, firearms permits, and medical records. Department of Homeland Security REAL ID regulations require state DMVs to collect far more personal information than in years past, and to retain this information for years to come. In addition, DHS regulations and state practices now increasingly mandate the collection of biometric identifiers, including digital photos capable of facial recognition, iris data, and fingerprint records. Biometric data are especially sensitive because they are unique, immutable characteristics that a person cannot hide. Linking such identifiers to the wealth of information contained by DMVs poses a profound privacy risk.
Identity thieves and security breaches threaten the privacy of driver records. Because DMVs contain such a wealth of personal information, they are frequent targets of identity thieves. But state DMV information is also valuable to data brokers. Once information dealers acquire motor vehicle records, they put them at risk by combining them with broader consumer profiles. Creating links between various valuable pieces of identifying information heightens the identity security threat.
EPIC argues that in order to satisfy the Congressional intent of the DPPA and safeguard privacy, the definition of “personal information” under the statute should be interpreted broadly and the statutory exceptions must be interpreted narrowly. Based on the text and legislative history, Congress intended the DPPA to cover a broad array of personal information, even as technology changes the nature of information held by DMVs. However, as is consistent with privacy statutes generally, exceptions that enable disclosures of private information must be interpreted narrowly. For this reason, the scope of the litigation exception does not permit the solicitation undertaken by Respondents Spears. EPIC therefore urged the Supreme Court to reverse the decision of the Fourth Circuit.
On June 17, 2013, the Supreme Court reversed the 4th Circuit and held that the “litigation exception” of the Driver Privacy Protection Act (“DPPA”) did not permit attorney solicitation of clients. Writing for the 5-4 majority, Justice Kennedy stated that a broad interpretation of “in connection with” in (b)(4) should be avoided for the following reasons: (1) such indefinite phrases must have a limiting principle; (2) Congress intended the DPPA exceptions to be narrow; and (3) driver privacy should be protected because state residents cannot avoid submitting personal information to the DMV. As one of the four exceptions that allow for disclosure of not only “personal information” but “highly restricted personal information” – which includes Social Security Numbers, photographs and medical information – a narrow reading of the exception was most prudent. Accordingly, “investigation in anticipation of litigation” was also read narrowly to be limited to background research in order to determine the necessity of a complaint.
Further, Justice Kennedy rejected respondents’ claims that their activity was meaningful solicitation for legitimate purposes and could be distinguished from “mere trolling.” The majority noted that solicitation is already addressed explicitly in the (b)(12) exception, operating under a tighter disclosure standard of explicit consent. Additionally, solicitation could be distinguished from other acts of the legal profession due to its pecuniary motive and potential conflict of interest, making it more like a commercial transaction. The Court instructed lower courts to ask whether solicitation was the “predominant purpose” for sending the letters, warning that downstream uses of data may not be legitimate, even if the initial collection is for legitimate purposes.
The Court’s opinion in Maracich represents a strong endorsement for the general structure of privacy protecting statutes: blanket prohibitions on use of sensitive information, with narrow, targeted exceptions for permissible uses. When interpreting these statutes, the Court made clear that exceptions must be explicit and should not be read to the broadest extent allowed by the text, but rather should follow Congressional intent. Even in situations when private information is widely disseminated, “contacting an individual is an affront to privacy even beyond the fact that a large number of persons have access to the personal information.” Additionally, even if a user has an upstream permissible purpose for use of private information, that does not insulate the user from liability against downstream inappropriate uses. “[E]ven if an initial request was proper, a later use may be a violation.”
Justice Kennedy was joined in the majority by Chief Justice Roberts and Justices Thomas, Breyer, and Alito. Justice Ginsburg dissented, joined by Justices Scalia, Sotomayor, and Kagan.
United States Supreme Court
- Brief of Petitioners Maracich
- Brief of Respondents Spears
- Reply Brief of Petitioners Spears
- Brief of Amicus Curiae Electronic Privacy Information Center in support of Petitioners
- Brief of Amicus Curiae Electronic Frontier Foundation in support of Petitioners
United States Court of Appeals for the Fourth Circuit
- Maracich v. Spears, 657 F.3d 281 (4th Cir. 2012)
- Oral Argument Audio, Maracich v. Spears, 657 F.3d 281 (4th Cir. 2012)
- Brief of Plaintiffs-Appellants Maracich et al., Maracich v. Spears, 657 F.3d 281 (4th Cir. 2012)
- Brief of Defendants-Appellees Spears et al., Maracich v. Spears, 657 F.3d 281 (4th Cir. 2012)
- Reply Brief of Plaintiffs-Appellants Maracich et al., Maracich v. Spears, 657 F.3d 281 (4th Cir. 2012)
United States District Court for the District of South Carolina
- Maracich v. Spears, No. 09-1651, 2010 WL 358128 (D.S.C. Jan. 25, 2010)
Supreme Court and Appellate Court Cases
- Reno v. Condon, 528 U.S. 141 (2000)
- Rine v. Imagitas, 590 F.3d 1215 (11th Cir. 2009).
- Thomas v. George, Hartz, et al., 525 F.3d 1107 (11th Cir. 2008).
- Pichler v. UNITE, 542 F.3d 380 (3d Cir. 2008).
- Wemhoff v. District of Columbia, 887 A.2d 1004 (D.C. Ct. App. 2005).
Law Review Articles, Books, and Other Sources
- American Association of Motor Vehicle Administrators, State Vehicle Record Requests (July 31, 2012).
- American Association of Motor Vehicle Administrators, Personal Identification – AAMVA North American Standard – DL/ID Card Design (June 2012).
- American Association of Motor Vehicle Administrators, Biometrics in AAMVA Community 2012
- Deborah F. Buchman, Annotation, Validity, Construction, and Application of Federal Driver’s Privacy Protection Act, 18 U.S.C.A. 2721 to 2725, 183 A.L.R. Fed. 37 (2011).
- Geoffrey D. Kravitz, REAL ID: The Devil You Don’t Know, 3 Harv. L. & Pol’y Rev. 431 (2009).
- Candice L. Kline, Security Theater and Database-Driven Information Markets: A Case for an Omnibus U.S. Data Statute, 39 U. Tol. L. Rev. 443 (2008)
- Lawrence Friedman, Establishing Information Privacy Violations: The New York Experience, 31 Hofstra L. Rev. 651 (2003)