Last week a federal court dismissed a federal driver privacy class action, granting the Defendant judgment on the pleadings. Hensley v. Order City of Charlotte, 2021 U.S. Dist. LEXIS 146752 (W.D.N.C. Aug. 4, 2021). The court’s ruling was based primarily on: (1) language in a contract that required parties to use driver data subject to the obligations of federal law and (2) legal issues previously addressed in Gaston v. Lexisnexis Risk Solutions, another driver privacy class action in the same jurisdiction that was resolved earlier this year. 2021 U.S. Dist. LEXIS 12872 (W.D.N.C. Jan. 25, 2021).
First, let’s take a look at the (alleged) facts. As readers may recall from our prior coverage of Gaston v. Lexisnexis Risk Solutions, North Carolina law enforcement officers are required to document reportable vehicle crashes on a standard form promulgated by the North Carolina Department of Motor Vehicles (“NCDMV”) known as a DMV-349. When a DMV-349 has been completed by a N.C. law enforcement officer, it usually contains the following personal information about the drivers involved in the accident: (1) name, (2) date of birth, (3) gender, (4) residence address, and (5) NCDMV driver’s license number.
The Plaintiff in Hensley was involved in a motorcycle accident in North Carolina in 2017. The resulting DMV-349 prepared by the responding officer purportedly contained Plaintiff’s personal information including his address; his date of birth; his North Carolina driver’s license number; and his telephone number.
Plaintiff alleged that since at least 2007 the city of Charlotte, North Carolina has placed unredacted copies of each DMV-349 “recently received” on the front desk of its records division so that the forms are available to the public. Although Plaintiff alleged that individuals go to the records division to review these DMV-349 reports for various purposes, including marketing, he claimed that “the City does not maintain any log or record identifying which accident reports have been looked at, the persons or entities that have reviewed any accident reports or the purpose for which any report was reviewed.” Plaintiff additionally alleged that Charlotte contracted with PoliceReports US (“PRUS”), a company purchased by LexisNexis Claims Solutions (“LexisNexis”), to make DMV-349s available to the public on a LexisNexis website.
Plaintiff filed suit under the Driver’s Privacy Protection Act (“DPPA”), asserting that Charlotte made copies of his accident report containing his personal information available to the public at both the records division and through the LexisNexis website in violation of the DPPA. Plaintiff in Hensley sought to represent a putative class consisting of similarly situated individuals.
The DPPA is a federal statute governing the sale and resale of certain “personal information” from motor vehicle records. Following the well-publicized murder of an actress in 1989 by a stalker (who had obtained her unlisted home address from a state DMV), the DPPA was enacted for the purpose of protecting drivers from violent crime. The DPPA was also intended to curb certain direct marketing and solicitation practices. The statute contains a private right of action.
The court relying on Gaston found that Plaintiff’s DPPA claim was deficient as a matter of law.
First, in regards to Plaintiff’s PRUS/LexisNexis allegations, the court noted that in Gaston it ruled that the city of Charlotte and Charlotte-Mecklenburg Police Department (“CMPD”) did not violate the DPPA by knowingly disclosing DPPA protected personal information to PRUS/LexisNexis. This was on the basis that the contract between the city of Charlotte and PRUS/LexisNexis explicitly required that PRUS/LexisNexis use the information “subject to the obligations of federal law.” (emphasis in original). To put it otherwise, compliance with the federal DPPA was a required term of the parties’ agreement. As such, the court found that “Plaintiff’s allegations that he received marketing solicitations from law firms as a result of the improper disclosure of his personal information on the PRUS/LexisNexis website does not plausibly state a DPPA claim.” (emphasis supplied).
Nor did Plaintiff’s allegations concerning the potential disclosure of his accident report from the CMPD records division counter fare any better. This was because, the court held, “there is admittedly no record of which accident reports were viewed by any member of the public nor has Plaintiff specifically alleged – in the relevant pleadings – that he received a solicitation as a result of the disclosure of DPPA protected personal information from that physical location rather than the PRUS/LexisNexis website.” (emphasis in original).
The court held that Plaintiff’s complaint did not plausibly plead a cognizable violation of the DPPA and granted Defendant judgment on the pleadings. The case was dismissed.
However, expect more cases like this going forward. Because the DPPA has a private right of action with liquidated damages, it has been a recent target of plaintiffs’ attorneys seeking to bring novel theories of liability against entities that handle driver license data in pursuit of a large cash payout. Not to worry, CPW will be there to keep you informed of these developments as they occur. Stay tuned.