SiriusXM radio accused of poaching car-buyer address for subscription offer
The tragic murder of actress Rebecca Schaeffer in 1989 brought home the horrors of stalking to a shocked public. Schaeffer, a successful young actress who was pursued obsessively by her killer for three years prior to her death, was fatally shot in front of her West Hollywood home ‒ her killer had retrieved her address from records at the California Department of Motor Vehicles.
The murder, along with a spate of stalking attacks that occurred around the same time, inspired a groundswell of anti-stalking legislation. The wave started in California and spread nationwide; within three years of the first California bill’s passing in 1990, every state in the country had passed some sort of related legislation.
A related federal law, The Driver’s Privacy Protection Act, was passed in 1994; it forbade the disclosure of personal information by DMVs. This same law is currently at the center of a subscription offer lawsuit, which has made its way to the Ninth Circuit Court of Appeals.
James Andrews, a California consumer, sued digital radio giant SiriusXM in August 2017 for allegedly poaching his contact information from an auto dealership, which is required to record purchaser information from driver’s licenses. Andrews alleged that SiriusXM received his contact information from the auto dealer and began contacting him to renew a subscription that belonged to the previous owner of the car.
The suit was tossed by the Southern District of California at summary judgment, with the district court ruling that the DPPA “regulates the disclosure of personal information contained in the records of state motor vehicle departments,” and not information handed over by the licensee, even if that information was printed on an official license.
Andrews and SiriusXM have made their cases to the Ninth Circuit; the dispute is now centered on whether the DPPA is violated only when information stored at the DMV is handed over by the DMV itself. (For reasons that are sadly obvious, both parties cite Schaeffer’s murder in their briefs.)
Andrews claims that “the express language of the DPPA permits liability to be based on disclosure of information from a motor vehicle record even if it was not obtained directly from the DMV”; SiriusXM maintains that “a driver’s license is not a ‘motor vehicle record’ for purposes of the DPPA.” Moreover, SiriusXM’s brief continues, “even if Andrews’ driver’s license qualified as a ‘motor vehicle record,’ SiriusXM still would not be liable. … The DPPA covers only the acquisition of information through methods that ultimately track back to the DMV’s files. But SiriusXM did not acquire Andrews’ information that way.”
SiriusXM, however, doesn’t simply contradict Andrews’ argument; it offers a warning for those who might be tempted by his vision of the DPPA. If Andrews is right, the brief argues, “the DPPA would subject an enormous swath of ordinary conduct to criminal and civil liability. Imagine you check into a hotel and hand over your driver’s license when the clerk asks for your contact information. If the hotel later mails you a survey asking about your stay, it has committed a crime, and you may sue it for $2,500.”
We don’t know how the Ninth will rule on the meaning of the DPPA in this dispute. But in any case, if your business shares customer information with third parties, you need to beware of data privacy protection laws that may apply. For instance, California has passed a paradigm-shifting consumer privacy law that goes into effect in January 2020, and Nevada recently amended its online privacy law to add a “do not sell” opt-out inspired by, but less restrictive than, the soon-to-be-implemented California law. The Nevada law is effective Oct. 1, 2019. Many other states are considering new consumer privacy legislation, some including a private right of action. To stay on top of the legislative developments, visit our U.S. Consumer Privacy Resource Center and subscribe to our privacy blogs and alerts.