Within a month of a California Supreme Court decision in Pineda v. Williams-Sonoma Stores, Inc. (finding ZIP codes constitute personal identification information under California's Song-Beverly Act), over 100 putative class action law suits were filed against retailers operating in California. A November 22 lawsuit against Best Buy (Siegler v. Best Buy Co. of Minnesota, Inc.) alleging violations of the federal Driver's Privacy Protection Act (DPPA) may signal the next wave of class action lawsuits to face retailers related to the collection of consumer data at the point of sale.
The DPPA makes it unlawful for any person to knowingly obtain or disclose personal information from a motor vehicle record for any use not permitted under 18 U.S.C. § 2721(b). The DPPA contains 14 exceptions, including: (1) for use by a government agency; (2) for use in connection with matters of driver safety and theft; (3) for use in any civil, criminal, administrative or arbitral proceeding; (4) for use in research; (5) for use by an insurer or insurance support organization; (6) for use in operation of private toll transportation facilities; (7) for bulk distribution of surveys or marketing; and (8) for any requester if the requester has obtained written consent. Another exception permits use in the normal course of business by a legitimate business or its agents, employees or contractors, but only to verify the accuracy of personal information submitted by the individual to its agents. If such information as submitted is not correct, the agent is permitted to obtain the correct information, but only to prevent fraud. Under 18 U.S.C. § 2721(c), an "authorized recipient" of personal information (except for some exceptions) may resell or redisclose the information only for a use permitted under 18 U.S.C. § 2721(b).
The remedies available for violating the DPPA also make this an attractive law for class actions. Not only does the DPPA authorize a private right of action for knowing violations, a court may award the following damages for violations: (1) actual damages, but not less than liquidated damages in the amount of $2,500; (2) punitive damages upon proof of willful or reckless disregard of the law; (3) reasonable attorney's fees and other litigation costs reasonably incurred; and (4) other such preliminary and equitable relief as the court determines to be appropriate.
In the complaint filed against Best Buy on November 22, 2011, the plaintiff alleged that Best Buy's return policy, whereby cashiers swipe the customer's driver's license during a return, violates the DPPA by "taking, storing, using and/or sharing customer's personal or highly restricted personal information, without consent, when customers make a normal return of Best Buy merchandise." More specifically, the plaintiff alleges he purchased a computer mouse at Best Buy in Florida and presented the product for return in its original packaging and with a receipt. When he provided his driver's license at the request of the cashier, the cashier "swiped" the driver's license without notice or consent by the plaintiff. When the plaintiff asked that his personal information be deleted and the transaction reversed, the cashier and manager refused, and neither could explain what information was taken from the plaintiff's license.
The plaintiff alleges that Best Buy knowingly took, used, stored, retained and/or disclosed the plaintiff's personal information or restricted personal information not in the normal course of business. The class is defined as all persons within the U.S. who have had their personal information or highly restricted personal information taken, stored or shared by Best Buy, without consent, from November 21, 2007, to the present. Plaintiffs seek compensatory and punitive damages, attorney's fees and costs, statutory damages and equitable, injunctive and declaratory relief.
Best Buy's receipt states that it "tracks exchanges and returns ... and some of the information from your ID may be stored in a secure, encrypted database of customer activity that Best Buy and its affiliates use to track exchanges and returns." The plaintiff alleges that the receipt does not indicate what information is taken, explain where the information is stored, describe for how long it is stored, identify Best Buy's affiliates, explain how information is disclosed to Best Buy's affiliates, describe how often personal information or highly restricted personal information is disclosed to Best Buy's affiliates, or explain how personal information or highly restricted information is used.
Furthermore, a DPPA case, decided in August 2011, may have expanded the scope of the DPPA. In Wiles et al. v. LocatePlus Holdings Corp., the court ruled contrary to other cases and found that Worldwide Information, Inc. (a wholly owned subsidiary of LocatePlus Holdings Corp.) was not an "authorized recipient" to obtain records for resale to third parties under the DPPA. On September 15, 2011, the plaintiffs filed a motion for final judgment and an award of $40 million in monetary damages. In this case, Worldwide purchased and resold state motor vehicle and driver's license records and, as part of this, began receiving DMV records from the state of Missouri from 1999 to 2009. The data files included drivers' names, addresses, height, weight, eye color, organ donor information, driver's license numbers and some social security numbers. When Worldwide's customers requested data, they received the entire database for all Missouri drivers, including social security numbers, even if only one individual customer was needed.
We will be closely monitoring these developments and will provide additional updates as they arise. In the meantime, if you have any questions about the DPPA or how it may impact your business, please contact Jerry Ferguson (email@example.com or 212.589.4238), Ted Kobus (firstname.lastname@example.org or 212.271.1504) or any member our Privacy, Security and Social Media Team.
Authorship Credit: Craig A. Hoffman and Jennifer D. Johnson
Baker & Hostetler LLP publications are intended to inform our clients and other friends of the Firm about current legal developments of general interest. They should not be construed as legal advice, and readers should not act upon the information contained in these publications without professional counsel. The hiring of a lawyer is an important decision that should not be based solely upon advertisements. Before you decide, ask us to send you written information about our qualifications and experience. © 2011 Baker & Hostetler LLP