SiriusXM successfully defends lawsuit relating to trial subscribers' contact information

Client(s) Sirius XM Radio Inc.

Jones Day successfully defended and obtained affirmance on behalf of Sirius XM Radio Inc. in a putative class action alleging violations of the Driver's Privacy Protection Act ("DPPA").

Sirius XM works with vehicle manufacturers to install Sirius XM-compatible equipment in new and used vehicles, and it takes various steps, including working with car dealerships, to ensure that those who purchase Sirius XM-equipped vehicles can enjoy Sirius XM's satellite radio service. Sirius XM has contracts with many vehicle dealerships, pursuant to which those dealerships promise to lawfully provide their customers' contact information to Sirius XM when a customer purchases or leases a Sirius XM-equipped vehicle. Sirius XM provides a trial subscription to the dealership's customers, increasing the value and desirability of the vehicles.

Plaintiff James Andrews bought a used car in California and received a trial subscription to Sirius XM's services. After Sirius XM attempted to contact him about that trial subscription, he sued. He initially alleged that Sirius XM violated the DDPA—a statute aimed at the unlawful disclosure of personal information by state DMVs—because it supposedly obtained his contact information from the California DMV. After Sirius XM explained to him that it acquired his information lawfully through its agreement with the vehicle dealership, he maintained his suit anyway. Andrews alleged that, by using information ultimately derived from his own voluntarily provided driver's license, Sirius XM violated the DPPA.

The district court disagreed with Andrews' claim, and a unanimous panel of the U.S. Court of Appeals for the Ninth Circuit affirmed. As Sirius XM "correctly observe[d]," the DPPA "'was not designed to remedy every misuse of personal information that happened to come from a driver’s license.'" Id. at *6 (quoting Sirius XM's brief). "Instead, its scope is limited to impermissible disclosures by state DMVs and those who seek information from them." Id. Because "neither Sirius XM nor anyone else requested or acquired his information from the California DMV," the court ruled Sirius XM did not violate the DPPA. Id.

The Ninth Circuit also affirmed the district court's refusal to allow Andrews to add a claim under the Computer Fraud and Abuse Act ("CFAA") to his complaint. Andrews alleged that Sirius XM violated the CFAA by allegedly tricking the dealership into entering the data-sharing agreement. But even accepting that (mistaken) assertion, Andrews could not state a claim under the CFAA. To do so, he had to show "loss to 1 or more persons … aggregating at least $5,000." Andrews claimed that his and his putative class members' "lost opportunity" to market their customer data met this requirement, but the Ninth Circuit disagreed. To qualify as "loss" under the CFAA, any "'revenue los[s]'" must stem from an "'interruption of service.'" Id. at *7 (quoting 18 U.S.C. § 1030(e)(11)). Because Andrews' missed marketing opportunities had nothing to do with an "interruption of service," it would have been futile to let him amend his complaint. Id. at *8.

With its unanimous decision, the Ninth Circuit thus made clear that businesses may continue to lawfully acquire and use customers' contact information without fear of expansive liability under the DPPA or CFAA.

Andrews v. Sirius XM Radio, Inc., No. 18-55169 (9th Cir.); Andrews v. Sirius XM Radio, Inc., et al., No. 5-17-cv-01724 (C.D. Cal.)