Within a month of a California Supreme Court decision in Pineda v. Williams-Sonoma Stores, Inc. (finding ZIP codes constitute personal identification information under California’s Song-Beverly Act), over 100 putative class action law suits were filed against retailers operating in California. A November 22 lawsuit against Best Buy (Siegler v. Best Buy Co. of Minnesota, Inc.) alleging violations of the federal Driver’s Privacy Protection Act (DPPA) may signal the next wave of class action lawsuits to face retailers related to the collection of consumer data at the point of sale.

The DPPA makes it unlawful for any person to knowingly obtain or disclose personal information from a motor vehicle record for any use not permitted under 18 U.S.C. § 2721(b). The DPPA contains 14 exceptions, including: (1) for use by a government agency; (2) for use in connection with matters of driver safety and theft; (3) for use in any civil, criminal, administrative or arbitral proceeding; (4) for use in research; (5) for use by an insurer or insurance support organization; (6) for use in operation of private toll transportation facilities; (7) for bulk distribution of surveys or marketing; and (8) for any requester if the requester has obtained written consent. Another exception permits use in the normal course of business by a legitimate business or its agents, employees or contractors, but only to verify the accuracy of personal information submitted by the individual to its agents. If such information as submitted is not correct, the agent is permitted to obtain the correct information, but only to prevent fraud. Under 18 U.S.C. § 2721(c), an “authorized recipient” of personal information (except for some exceptions) may resell or redisclose the information only for a use permitted under 18 U.S.C. § 2721(b).

The remedies available for violating the DPPA also make this an attractive law for class actions. Not only does the DPPA authorize a private right of action for knowing violations, a court may award the following damages for violations: (1) actual damages, but not less than liquidated damages in the amount of $2,500; (2) punitive damages upon proof of willful or reckless disregard of the law; (3) reasonable attorney’s fees and other litigation costs reasonably incurred; and (4) other such preliminary and equitable relief as the court determines to be appropriate.

In the complaint filed against Best Buy on November 22, 2011, the plaintiff alleged that Best Buy’s return policy, whereby cashiers swipe the customer’s driver’s license during a return, violates the DPPA by “taking, storing, using and/or sharing customer’s personal or highly restricted personal information, without consent, when customers make a normal return of Best Buy merchandise.” More specifically, the plaintiff alleges he purchased a computer mouse at Best Buy in Florida and presented the product for return in its original packaging and with a receipt. When he provided his driver’s license at the request of the cashier, the cashier “swiped” the driver’s license without notice or consent by the plaintiff. When the plaintiff asked that his personal information be deleted and the transaction reversed, the cashier and manager refused, and neither could explain what information was taken from the plaintiff’s license.

The plaintiff alleges that Best Buy knowingly took, used, stored, retained and/or disclosed the plaintiff’s personal information or restricted personal information not in the normal course of business. The class is defined as all persons within the U.S. who have had their personal information or highly restricted personal information taken, stored or shared by Best Buy, without consent, from November 21, 2007, to the present. Plaintiffs seek compensatory and punitive damages, attorney’s fees and costs, statutory damages and equitable, injunctive and declaratory relief.

Best Buy’s receipt states that it “tracks exchanges and returns … and some of the information from your ID may be stored in a secure, encrypted database of customer activity that Best Buy and its affiliates use to track exchanges and returns.” The plaintiff alleges that the receipt does not indicate what information is taken, explain where the information is stored, describe for how long it is stored, identify Best Buy’s affiliates, explain how information is disclosed to Best Buy’s affiliates, describe how often personal information or highly restricted personal information is disclosed to Best Buy’s affiliates, or explain how personal information or highly restricted information is used.

Furthermore, a DPPA case, decided in August 2011, may have expanded the scope of the DPPA. In Wiles et al. v. LocatePlus Holdings Corp., the court ruled contrary to other cases and found that Worldwide Information, Inc. (a wholly owned subsidiary of LocatePlus Holdings Corp.) was not an “authorized recipient” to obtain records for resale to third parties under the DPPA. On September 15, 2011, the plaintiffs filed a motion for final judgment and an award of $40 million in monetary damages. In this case, Worldwide purchased and resold state motor vehicle and driver’s license records and, as part of this, began receiving DMV records from the state of Missouri from 1999 to 2009. The data files included drivers’ names, addresses, height, weight, eye color, organ donor information, driver’s license numbers and some social security numbers. When Worldwide’s customers requested data, they received the entire database for all Missouri drivers, including social security numbers, even if only one individual customer was needed.