9th Cir. Addresses Claims and Remedies under the Driver’s Privacy Protection Act

In Andrews v. Pa Afm Sirius Xm Radio, No. 18-55169, 2019 U.S. App. LEXIS 23670 (9th Cir. Aug. 8, 2019), the Court of Appeals for the 9th Circuit held that a used car stated no claim under the DPPA against Sirius radio.  The facts were as follows:

On January 14, 2017, Andrews purchased a pre-owned 2012 Chevy Equinox from Auto Source, a small used car lot in Banning, California. He presented the dealership with his California driver’s license, from which it obtained his name and PO Box address. He also filled out a California DMV Form 262-“Vehicle/Vessel Transfer and Reassignment  Form”-a multipurpose form that serves as an odometer disclosure, bill of sale, and power of attorney. On the Form 262, Andrews provided his telephone number, street address, PO Box, and name. Auto Source input this information into its dealer management system (DMS), which ran on a database platform operated by a third party, AutoManager. Andrews’s Equinox came equipped with Sirius XM radio, a subscription-based satellite radio service. Gail Berger, Sirius XM’s Vice President of Auto Remarketing, attested that her company has agreements with thousands of automotive dealerships across the country pursuant to which Sirius XM offers trial subscriptions for pre-owned vehicles and, in return, dealers provide Sirius XM with the names and addresses of customers who purchase or lease XM-equipped vehicles. According to Berger, Auto Source enrolled in Sirius XM’s pre-owned program in 2015. The terms of the agreement provided that Sirius XM “requires the use of data that exists in [Auto Source’s DMS], including customer data to activate [its] customers’ SiriusXM Trial Service and to communicate with customers regarding their Trial Subscriptions and options to extend their SiriusXM services following the Trial Subscriptions.” It also permitted Auto Source’s DMS provider, AutoManager, “to extract and share [its] DMS data with SiriusXM.” A separate agreement between Sirius XM and AutoManager specified that this information included “Customer Data.” Berger stated that, following Andrews’s purchase, AutoManager provided Sirius XM with a record of the sale. This electronic record included his name and street address. According to a Sirius XM manager, however, Andrews’s PO Box was not provided by AutoManager; instead, Sirius XM obtained that information through a separate contractor that used the U.S. Postal Service’s National Change of Address database. Andrews asserted that he gave neither Auto Source nor anyone else permission to share his personal information with Sirius XM. Within days of Andrews’s purchase, the deluge began. Sirius XM sent various letters to Andrews’s PO Box between January and August 2017, imploring him-“We Want You Back!”-to resume his Sirius XM service after the subscription included with his car purchase ended. Sirius XM also telephoned him for the same purpose.

The Court of Appeals found no remedy under the DPPA, finding that the DPPA forbids only use of driver’s license data obtained from the DMV or equivalent agency in another state, not information that the defendant or another obtains from the driver’s license that the driver has in his possession.

. . . we conclude that Andrews’s driver’s license was not a “motor vehicle record” pursuant to the DPPA. We acknowledge the potential abuses-such as the intrusive behavior Andrews experienced in this case-that can result from exploitation of personal information contained on an individual’s driver’s license. But we ultimately agree with the conclusion of the district court in O’Brien v. Quad Six, Inc., which considered the use of a plaintiff’s personal information after he presented his driver’s license as identification at a nightclub: We are sympathetic to plaintiff’s concerns about the way businesses collect and use personal information, and its implications for all of our privacies. But that is not what Congress intended the DPPA to regulate. This statute seeks to control dissemination of information collected using the coercive power of the state. It does not regulate information freely given by consumers to private businesses, such as when plaintiff tendered his driver’s license to [the nightclub]. 219 F. Supp. 2d 933, 934-35 (N.D. Ill. 2002). Aggrieved plaintiffs, Andrews included, might have other statutory remedies to rectify alleged abuses of their personal information. But the DPPA-a statute concerned solely with the actions of state DMVs and those who illicitly retrieve information from them-is not the proper vehicle for such redress, where, as here, the source of that information is a driver’s license in its owner’s possession. * * * Sirius XM correctly observes that “[t]he DPPA was not designed to remedy every misuse of personal information that happened to come from a driver’s license.” Instead, its scope is limited to impermissible disclosures by state DMVs to those who seek information from them. Andrews concedes that neither Sirius XM nor anyone else requested or acquired his information from the California DMV. Therefore, we conclude that Sirius XM’s conduct, annoying as it might have been, did not violate the DPPA.