In May 2009, I wrote a blog post about Acxiom, an Arkansas-based corporation, and the huge database it maintains about consumers. Some of that data includes consumers' auto information, which suggests that Acxiom (and companies like it) purchase data from states' motor vehicle registration agencies.
That post mentioned a lawsuit against Acxiom, as well as the Drivers Privacy Protection Act (DPPA), which was intended to protect the sensitive personal information stored about consumers by states' drivers and vehicle registration agencies. I began to wonder what the status of that class-action lawsuit is.
The Taylor et al v Acxiom class-action lawsuit is still in litigation. Acxiom stated in November 2009 in its quarterly filing (bold emphasis and links added):
"Richard Fresco, et al. v. R.L. Polk and Company and Acxiom Corporation, (U.S. Dist. Court, S.D. Florida, 07-60695) formerly, Linda Brooks and Richard Fresco v. Auto Data Direct, Inc., et al., (U.S. Dist. Court, S.D. Florida, 03-61063) is a putative class action lawsuit, removed to federal court in May 2003, filed against Acxiom and several other information providers. The plaintiffs allege that the defendants obtained and used drivers’ license data in violation of the federal Drivers Privacy Protection Act. To date, a class has not been certified. Among other things, the plaintiffs seek injunctive relief, statutory damages, and attorneys’ fees. Acxiom has agreed to settle the case and is seeking preliminary approval by the court. The process of obtaining final approval of the settlement is expected to take several months. Acxiom has accrued $5.0 million for the settlement and ancillary costs to obtain final approval and has paid $2.5 million of this amount into an escrow fund established for the settlement, leaving a remaining accrual of $2.5 million. Two companion cases, Sharon Taylor, et al., v. Acxiom, et al., (U.S. District Court, E.D. Texas, 207CV001) and Sharon Taylor, et al. v. Biometric Access Company, et al., (U.S. District Court, E.D. Texas, 2:07-CV-00018), were filed in January 2007. Both Taylor cases were dismissed by the District Court and are now on appeal."
To summarize: there have been at least two court cases against Acxiom about alleged DPPA violations. One case (e.g., Taylor et al) is still in litigation on appeal, and Acxiom seeks to settle the second case (e.g., Fresco et al) out of court with a planned $5 million payout.
So, that's the status on Acxiom. I began to wonder if there were any other lawsuits about alleged DPPA violations. A quick blog search found a Pogo Was Right blog post about a class-action suit in the State of Oregon. I downloaded and read the complaint available at Courthouse News Service.
The plaintiffs are consumers: owners of Oregon drivers licenses, most of whom also own a vehicle registered with the State of Oregon. The defendants include a mix of Oregon-based and foreign-based companies who allegedly used the plaintiffs' sensitive personal data in violation of the DPPA. The suit alleges that the defendants did not gain the consumers' permission to use their personal information:
"Each Defendant in this litigation purchased this entire database of names from the State of Oregon. Defendants each have a signed contract with the State of Oregon whereby they claim that they have a proper purpose for obtaining each piece of personal information... Defendants, however, cannot and do not have a permissible purpose to obtain all the personal information contained in the State of Oregon's database."
The complaint explained the original DPPA in 1993:
"... made it unlawful for any person or organization to disclose or obtain personal information derived from any motor vehicle record, unless the subject of the information had authorized such disclosure or the request/disclosure qualified under a recognized exception, including use by any federal or state agency, use in connection with motor vehicle and driver safety, use in court proceedings, use in certain research activities, use relating to certain insurance matters, and use for verification of personal information submitted by the subject of such information. Use of personal information for marketing activities was permitted, so long as the States had provided individuals identified in motor vehicle records with the opportunity to prohibit such disclosures. This "opt out" provision effectively gave individuals the right to prohibit the States from disclosing personal information for marketing purposes."
The complaint also explained a 1999 change in the DPPA by Congress:
"... eliminating the "opt out" provision for marketing activities. Use or obtaining of personal information contained in motor vehicle records for "surveys, marketing or solicitations" is permitted only "if the State has obtained the express consent of the person to whom such personal information pertains." Similarly, a requester of personal information may obtain such information for any purpose, "if the requester demonstrates it has obtained the express consent of the person to whom such personal information pertains.""
A contributing factor to the problem seems to be that:
"Oregon law does not provide for an "opt-in" procedure as described in the 1999 amendments to the DPPA. In fact, Oregon does not obtain express consent from any driver. Instead, the State of Oregon only sells "personal information" from a motor vehicle record to "persons" who claim that they have a lawful purpose for the information (other than for direct or mass marketing)."
Does it make sense for a state DMV agency to sell all of its DMV records when a company needs only a few records? Do you want your State DMV selling your sensitive personal information to persons, or companies, who CLAIM to have a legitimate purpose but don't? Wouldn't you want that company to get your express written permission first? I know I would. I want to maintain control over my sensitive personal information.
I want companies like Acxiom and the defendants in the Oregon lawsuit to disclose exactly where they purchase consumer data from. To me, it isn't enough for these companies to hide behind an excuse that it's a proprietary process, or to make a vague claim in their Web site terms and conditions policy that they exchange data with unnamed companies for marketing purposes.
This is playing fast and loose with valuable consumer data. The fast-and-loose approach to selling consumers' sensitive data has led to some spectacular data breaches and fraud. In 2006, ChoicePoint paid $15 million in fines to the FTC after selling data to identity thieves posing as potential lenders, which led to identity theft and fraud.
As I read the Oregon complaint, I noticed a familiar name in the list of attorneys for the plaintiffs... the Law Office of Joseph Malley Law, a Privacy Crusader in the NebuAd class-action suit. It's good to see attorneys acting again to protect consumers' interests.
This story about Acxiom and the Oregon lawsuits is only the beginning. I will continue to search for more lawsuits about possible DPPA violations, and will report my findings in this blog.