Fourth Circuit Holds Drivers Fall Short on Standing in Accident Report Privacy Claims
Traditional plaintiffs’ law firms found success as defendants in a recent Fourth Circuit case on the hotly contested issue of Article III standing in privacy litigation. In Garey v. James S. Farrin, P.C., No. 21-1478, 2022 WL 1815109 (4th Cir. 2022), the Fourth Circuit considered standing and more in a previously thwarted class action concerning federal privacy protection for motor vehicle records.
To have standing in federal court, a plaintiff must demonstrate a harm that is concrete and particularized, as well as either actual or imminent. See Spokeo, Inc. v. Robins, 578 U.S. 330 (2016). This Constitutional requirement creates challenges for many would-be privacy litigation plaintiffs, particularly in the context of class-action litigation, because the harm of a data breach or other privacy concern is often nebulous.
Potential classes in privacy litigation often explore statutory violations as a potential avenue to standing. The U.S. Supreme Court recently clarified that plaintiffs asserting standing under a statutory cause of action must “identify a close historical or common-law analogue for their asserted injury,” as well as its conventional redressability through litigation. Transunion LLC v. Ramirez, 594 U.S. ___, 141 S.C. 2190, 2204 (2021). In Transunion, a class action, the Supreme Court held that allegations of Fair Credit Reporting Act (the “FCRA”) violations alone fell short of the “concrete injury” a plaintiff must demonstrate for Article III standing. The simple reason: For most of the class members, alleged inaccurate credit reports were never disseminated to anyone. There was no harm. (For more on Transunion, see our September 2021 Best in Class post.)
Following Transunion’s Path in Federal Privacy Protection Statutes
In Garey v. James S. Farrin, P.C., the Fourth Circuit had the opportunity to consider a different federal privacy protection—the Driver’s Privacy Protection Act (the “DPPA”). The case presented the court with the chance to conduct a detailed statutory interpretation analysis of a number of novel issues, including whether drivers’ licenses or DMV databases are “motor vehicle records,” and thereby information protected by federal privacy law, and whether restrictions on the use of information impinge on the First Amendment. However, the Fourth Circuit held it only needed to interpret a single word, the word “from.”
In Garey, drivers who had been involved in car accidents brought suit against several law firms “who wish to represent people involved in car crashes in North Carolina.” The drivers alleged the law firms obtained their personal information, including the drivers’ names and home addresses from accident reports, and used that information to contact them regarding potential representation. These accident reports are public record in North Carolina. See N.C. Gen. Stat. § 20-166.1(i). The drivers sought damages and injunctive relief under the DPPA’s federal statutory scheme protecting drivers’ private information in motor vehicle records.
In relevant part, the DPPA creates a private, civil cause of action against a party who “knowingly obtains, discloses or uses personal information, from a motor vehicle record” for a purpose not permitted by statute. 18 U.S.C. § 2724(a) (emphasis added). Pursuant to the statute, a court may award actual damages “not less than liquidated damages in the amount of $2,500,” as well as preliminary and equitable relief. 18 U.S.C. § 2724(b).
The word “from” in Section 2724(a) had previously proved problematic for the Garey plaintiffs. While initially brought as a class action, in 2020 the United States District Court for the Middle District of North Carolina denied class certification on the basis of questionable commonality and absent typicality. “Plaintiffs have failed to persuade the Court that this central merits question—Where did the information come from?—can ultimately be answered with class-wide proof.” Garey v. James S. Farrin, P.C., No. 1:16CV542, 2020 WL 4227551, at *4 (M.D.N.C. July 23, 2020).
With a class action off the table, the matter proceeded in the district court as two separate cases, Garey and Hatch, creating a “voluminous record” with a “flurry of motions and amended complaints.”
Eventually, the defendant law firms prevailed in a series of cross motions for summary judgment on an argument that the DPPA only applies to a person who obtains directly from the DMV. The two cases arrived at the Fourth Circuit, which were consolidated on appeal. (As the Fourth Circuit observed, arguments on appeal by the Garey and Hatch plaintiffs were largely identical, so the court only named the Hatch plaintiffs where their arguments differ. This post follows the same approach.)
Two Diverging Roads to Standing under the Driver’s Privacy Protection Act
The Fourth Circuit first considered whether the drivers had standing to pursue damages or injunctive relief.
For damages, the court of appeals looked to Transunion and its own recent opinion regarding the Telephone Consumer Protection Act (the “TCPA”). See Krakauer v. Dish Network, LLC, 925 F.3d 643 (4th Cir. 2019). There, the Fourth Circuit held that the plaintiffs had standing under the TCPA because the cause of action created by that statute is analogous to a common law privacy tort. While a statutory cause of action may differ from a common law tort, the inquiry “focuses on types of harms protected at common law, not the precise point at which those harms become actionable.” In Garey, as “closely related” invasion of privacy claims have “long been” recognized and redressable through private rights of action, the Fourth Circuit likewise held that the drivers had standing to bring damages claims under the DPPA.
The court of appeals found standing for the plaintiffs’ claims for injunctive relief more problematic because of a failure to establish non-speculative, imminent harm. For the Garey plaintiffs, the Fourth Circuit observed that while the DPPA creates a cause of action against a person who “obtains, discloses, or uses” a driver’s personal information, the plaintiffs had narrowed their claims to focus on the defendant law firms obtaining the information. “A future ‘obtaining’ violation would only occur if  a Plaintiff is involved in a future car accident in North Carolina,  if law enforcement generates another crash report, and  if the Defendants obtain that hypothetical report.” Finding this series of events speculative, at best, the court of appeals held standing lacking for the Garey plaintiffs. See also City of Los Angeles v. Lyons, 461 U.S. 95 (1983).
Unlike the Garey plaintiffs, the Hatch plaintiffs alleged the law firms both “obtained” and “used” their personal information. “But there is no allegation that the Plaintiffs were continuing to receive such mailings at the time of the operative complaint, nor that they are imminently likely to receive such mailings in the future.” Garey, 2022 WL 1815109, at *5. Thus, standing was lacking for these plaintiffs, as well.
Strict Statutory Interpretation: You Can’t Get There ‘From’ Here
Holding the plaintiffs had standing for damages—but not injunctive relief—the court turned its eye to the problematic word for the plaintiffs—“from.” The DPPA creates a cause of action against a party who “knowingly obtains, discloses or uses personal information, from a motor vehicle record.” 18 U.S.C. § 2724(a) (emphasis added). The plaintiffs and defendants focused their attention on what documents might constitute a motor vehicle record. The plaintiffs asserted that a driver’s license, DMV database, and the accident report itself might all be motor vehicle records.
However, the Fourth Circuit focused its attention on consideration that the plaintiffs failed to make (or otherwise preserve) any claim that the law firms actually obtained the protected information from those sources. While observing that drivers’ licenses and the DMV database might be the types of motor vehicle records protected under the DPPA, the plaintiffs did not actually allege the law firms accessed their personal information from those sources. Similarly, the plaintiffs failed to preserve any argument that the accident reports themselves were motor vehicle records. The court further batted away arguments from the plaintiffs that information “from” a motor vehicle record may be interpreted as information “derived from” a motor vehicle record.
If you needed flour, eggs, and milk to bake a cake, you might say you purchased ingredients “derived from” wheat, hens, and cows. But you probably would not say that you purchased ingredients “from” wheat, hens, and cows, because as a general matter, plants and farm animals do not directly engage in the sale of their own wares.
Garey, 2022 WL 1815109, at *8 n. 9.
A ‘Narrow and Straightforward’ Holding
The Fourth Circuit described its holding in Garey as “narrow and straightforward.” Even so, it provides a further glimpse into the Court’s analysis of Article III standing and the broader statutory basis for privacy claims.
As to standing, the Fourth Circuit drew a distinction between statutory schemes like the driver’s protection act and Telephone Consumer Protection Act, where a statutory violation resembles an “invasion” of privacy, and statutory schemes like the Fair Credit Reporting Act, where causes of action might be limited to an “infraction” alone. In Garey, this delineation is amplified in the drivers’ success in demonstrating standing for their damages claims, but failure to do so for injunctive relief. While standing might come from an unwanted letter in the mail, the mere possibility of a future letter falls short.
Strict interpretation is also the apparent name of the game. The Court held that the DPPA “means what it says,” indicating that a successful defense grows from appreciating the nuances of statutory text. This close adherence to statutory text stands to reason. In Transunion, the Supreme Court re-affirmed its position in Spokeo that pleading a statutory cause of action alone falls short. While Congress may “elevate” harms into causes of action, “it may not simply enact an injury into existence, using its lawmaking power to transform something that is not remotely harmful into something that is.” Transunion, 141 S. Ct. at 2205.
Ergo, if the statute conferring standing is indeed “closely related” to a common law cause of action, a court assessing such claims on the merits must pay close attention to the plain text of the statute. To take a lesson learned twice by the Garey plaintiffs: If arguing for broad reading of a federal privacy protection statute, you can’t get there from here.