
    Norma WILES, Thomas Wiles, Theresa Gibson and Wanta Evitt, Plaintiffs-Appellants, v. ASCOM TRANSPORT SYSTEM, INC., dba ACS Transport Solutions, Inc., Defendant-Appellee.
    No. 11-5342.
    United States Court of Appeals, Sixth Circuit.
    April 30, 2012.
    
      Before: COLE and McKEAGUE, Circuit Judges; and ZATKOFF, District Judge.
    
    
      
       The Honorable Lawrence P. Zatkoff, United States District Judge for the Eastern District of Michigan, sitting by designation.
    
   OPINION

ZATKOFF, District Judge.

Plaintiffs-Appellants, each of whom is a Kentucky resident holding a driver’s license issued by the Commonwealth of Kentucky, filed this suit on behalf of themselves and all others similarly situated, claiming that Defendant-Appellee violated the Driver’s Privacy Protection Act, 18 U.S.C. § 2721 et seq. (the “DPPA”), Plaintiffs’ common law right to privacy and 42 U.S.C. § 1983 when Defendant obtained in bulk, used, resold and/or disclosed Plaintiffs’ personal information contained in the Commonwealth of Kentucky’s motor vehicle records without a permissible purpose under the DPPA. The district court held that the bulk purchase of motor vehicle records without a specific need for every record does not violate the DPPA and ultimately granted Defendant’s motion to dismiss Plaintiffs’ Third Amended Complaint. We affirm.

I. BACKGROUND

On January 10, 2010, Plaintiffs instituted a proposed class action lawsuit against numerous defendants. Plaintiffs sought protection from, and the recovery of statutory damages for, each defendant’s allegedly unlawful obtainment, use and/or disclosure of Plaintiffs’ protected personal information contained in the motor vehicle records of the Commonwealth of Kentucky’s Transportation Cabinet (hereinafter, the “K.T.C.”). Over the course of the next year, Plaintiffs filed numerous complaints against an ever-evolving list of defendants, numerous motions to dismiss were filed and numerous defendants were dismissed for a variety of reasons. Ultimately, the district court approved Plaintiffs’ motion to file a third amended complaint on December 3, 2010, and Plaintiffs filed their Third Amended Complaint the same day.

The Third Amended Complaint contained allegations against Defendant and each of the defendants set forth in footnote 1, supra. Plaintiffs alleged, in relevant part, the following:

17. Defendants’ [sic] obtained the K.T.C. Database, and continued updates thereto, in violation of relevant state and federal laws[,] including certain provisions and protections afforded to each and every Kentucky resident by the [DPPA]. More specifically, the Defendants knowingly obtained Plaintiffs’ protected personal information outside of any of the requisite permissible purposes enumerated by the DPPA and in violation of Plaintiffs’ privacy rights. Moreover, each Defendant ... misrepresented to the K.T.C. that they [sic] had a permissible purpose for each and every record and as to the personal information of each and every person therein when they [sic] did not. Defendants knew that they had (and know they have) no permissible purpose for each and every private personal record but obtained them regardless.
^
25. The K.T.C. only sells “personal information” from a motor vehicle record to “persons” who represent that they have a lawful purpose for the information.
26. Once a “person” certifies to the K.T.C. that they have [sic] a lawful purpose for the personal information and/or have obtained requisite consent, the K.T.C. provides that person with a copy of the ENTIRE DATABASE of names, addresses and other personal information — millions of persons’ DPPA-protect-ed personal information. In other words, the K.T.C. simply hands over to a third-party the DPPA-protected personal information of millions of Kentuckians. Of course before doing so, the obtaining party must agree to indemnify the K.T.C. for any damages as a result of obtainment.
* * * * * *
29. When each of the Defendants purchased the ENTIRE DATABASE, those Defendants executed a contract with the K.T.C. whereby they specifically claimed to possess a proper purpose for obtaining the information. Such was clearly a misrepresentation because the Defendants had no purpose or intended use for the private information of each and every personal record included in the database.
* * * * * *
31. First, each of the Defendants ... violated the DPPA by unlawfully obtaining the “personal information” of the Plaintiff[s] and putative class from the K.T.C.’s “motor vehicle records” ... Each of the Defendants also violated the DPPA by unlawfully using and disclosing the “personal information” of the Plaintiff[s] and putative class from the KT.C.’s “motor vehicle records” ...
82. Second, each of the Defendants did not, and still do not, have a permissible purpose to purchase the KT.C.’s ENTIRE DATABASE of DPPA protected personal information. Moreover, none of the Defendants obtained the information with prior written consent thereto by the Plaintiffs (which, as previously stated, include members of the Putative Class).

Based on the foregoing allegations, Plaintiffs claimed that Defendant violated: (1) the DPPA by knowingly obtaining (Count I), disclosing (Count II) and using (Count III) personal information from K.T.C. motor vehicle records for a purpose not permitted under the DPPA, (2) Plaintiffs’ common law right to privacy (Count IV), and (3) 42 U.S.C. § 1983 (Count V).

On December 3, 2010, the district court also issued a memorandum opinion and order. Relying on the reasoning set forth in a. recent Fifth Circuit case, the district court held that the bulk purchase of vehicle records without a specific need for every record does not violate the DPPA. See Taylor v. Acxiom Corp., 612 F.3d 325 (5th Cir.2010), cert. denied, — U.S. -, 131 S.Ct. 908, 178 L.Ed.2d 804 (2011) (“A person who buys DMV records in bulk does so for the purpose of making permissible actual use of information therein under [the DPPA], even if that person does not actually use every single item of information therein”). The district court also instructed the parties that it would consider dismissal of specific elements of the Third Amended Complaint affected by its ruling. Shortly thereafter, Defendant filed a motion to dismiss the Third Amended Complaint. On February 17, 2011, the district court granted Defendant’s motion to dismiss and entered judgment in favor of Defendant and the other named defendants. Plaintiffs timely appealed. This Court has jurisdiction to review the final judgment of the district court under 28 U.S.C. § 1291.

II. ANALYSIS

A. Standard of Review

We review the grant of a motion to dismiss under Federal Rule of Civil Procedure 12(b)(6) de novo, see Harbin-Bey v. Rutter, 420 F.3d 571, 575 (6th Cir.2005), and may “affirm the district court’s dismissal of a plaintiff’s claims on any grounds, including grounds not relied upon by the district court.” Hensley Mfg. v. ProPride Inc., 579 F.3d 603, 609 (6th Cir.2009). In determining whether a party has failed to state a claim, we construe the complaint in the light most favorable to the non-moving party and accept all factual allegations as true. See Harbin-Bey, 420 F.3d at 575. To survive a Rule 12(b)(6) motion to dismiss, a complaint “need contain only ‘enough facts to state a claim to relief that is plausible on its face.’ ” Paige v. Coyner, 614 F.3d 273, 277 (6th Cir.2010) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007)).

B. The Driver’s Privacy Protection Act of 1994

As this Court recently stated:

The federal DPPA was enacted in response to growing concerns over the ease with which stalkers and other criminals could obtain personal information from state departments of motor vehicles. Reno v. Condon, 528 U.S. 141, 143-44, 120 S.Ct. 666, 145 L.Ed.2d 587 (2000). Congress was also concerned about the practice in many states of selling personal information from motor vehicle records to businesses, marketers, and others for, at times, significant revenue. Id. The DPPA, held to be a proper exercise of the power to regulate interstate commerce, established a regulatory scheme that both mandates and restricts the disclosure of personal information from records maintained by state motor vehicle departments. Id. at 148, 120 S.Ct. 666.
At all times relevant to this case, the DPPA, as amended, imposed the following general prohibitions against the disclosure of personal information obtained from an individual’s motor vehicle record:
(a) In general. — A State department of motor vehicles, and any officer, employee, or contractor thereof, shall not knowingly disclose or otherwise make available to any person or entity:
(1) personal information, as defined in 18 U.S.C. [§ ] 2725(3), about any individual obtained by the department in connection with a motor vehicle record, except as provided in subsection (b) of this section; or
(2) highly restricted personal information, as defined in 18 U.S.C. § 2725(4), about any individual obtained by the department in connection with a motor vehicle record, without the express consent of the person to whom such information applies, except uses permitted in subsections (b)(1), (b)(h), (b)(6), and (b)(9); Provided, That subsection (a)(2) shall not in any way affect the use of organ donation information on an individual’s driver’s license or affect the administration of organ donation initiatives in the States.

18 U.S.C. § 2721(a)(l)-(2) (emphasis added). “Personal information” is defined as “information that identifies an individual, including an individual’s photograph, social security number, driver identification number, name, address (but not the 5-digit zip code), telephone number, and medical or disability information.” Id. at § 2725(3). “Highly restricted personal information” is defined as “an individual’s photograph or image, social security number, medical or disability information.” Id. at § 2725(4).

Section 2721(b) carves out both mandatory and permissive exceptions to the general prohibitions in subsection (a). Id. at § 2721(b). First, states must disclose personal information for use in carrying out the purposes of several federal statutes not relevant here. Second, states may disclose personal information (subject to § 2721(a)(2)), for any of the permissible uses or purposes listed in § 2721(b)(1) — (14). Eleven of these permissible uses — including for “use in the normal course of business” under § 2721(b)(3) — authorize nonconsensual disclosure of personal information. Id. at § 2721(b)(1) — (10) and (14). The other three permissible uses require the express consent of the persons to whom the information pertains. Id. at § 2721(b)(ll) — (13).

The DPPA also regulates the “resale or redisclosure” of personal information in § 2721(c), which provides, in pertinent part, that: “An authorized recipient of personal information (except a recipient under subsection (b)(ll) or (12)) may resell or redisclose the information only for a use permitted under subsection (b) (but not for uses under subsection (b)(ll) or (b)(12)).” Id. at § 2721(c) (emphasis added). Subsection (e) also imposes a record-keeping obligation on “[a]ny authorized recipient (except a recipient under subsection (b)(ll)) that resells or rediscloses personal information covered by this chapter” to keep for five years “records identifying each person or entity that receives information and the permitted purpose for which the information will be used and must make such records available to the motor vehicle department upon request.” Id.

The DPPA makes it unlawful for “any person knowingly to obtain or disclose personal information, from a motor vehicle record, for any use not permitted under [§ ] 2721(b),” or “to make false representation to obtain any personal information from an individual’s motor vehicle record.” 18 U.S.C. § 2722(a)-(b). A person who knowingly violates the DPPA is subject to criminal fine, id. at § 2723(a), and may be held civilly liable for actual damages (but not less than $2,500 in liquidated damages), punitive damages, attorney fees, and appropriate equitable relief[.] [I ]d at § 2724. A “person” is defined as an individual, organization or entity, “but does not include a State or agency thereof[.]” {I Id. at § 2725(2). Instead, the Attorney General may impose civil penalties if a state has a policy or practice of “substantial noncompliance” with the DPPA[.] [I ]d. at § 2723(b) (civil penalty of not more than $5,000 per day).

Roth v. Guzman, 650 F.3d 603, 606-07 (6th Cir.2011) (footnotes omitted).

1. Bulk Obtainment and Use

The basis for Plaintiffs’ DPPA claims (and their apparent basis for alleging that Defendant misrepresented that it had a permissible purpose for obtaining the drivers’ personal information) is that “Defendant[ ] had no purpose or intended use for the private information of each and every personal record included in the database.” R. 158, Third Am. Compl., ¶ 29 (emphasis added). Thus, the issue before this Court is whether, assuming Defendant asserted a permissible purpose to the K.T.C. for obtainment of personal information in motor vehicle records, such purpose is rendered void because Defendant obtained the drivers’ records for all Kentucky drivers, without showing “a permissible purpose for each and every record [in the K.T.C. database] and ... the personal information of each and every person therein.” In other words, even if Defendant had asserted a permissible purpose for obtaining such records under § 2721(b), does the bulk obtainment of such records for the purpose of “stockpiling” such records violate the DPPA?

Shortly after the parties filed their appellate briefs, this Court issued the Roth opinion. Therein, in the context of deciding a qualified immunity issue, this Court concluded that it was not clearly established that “‘stockpiling’ or bulk disclosures of personal information for a permissible purpose under § 2721(b)(3) would violate the DPPA.” Roth, 650 F.3d at 617. The Roth court extensively cited and relied upon the Fifth Circuit’s opinion in Taylor, supra. Most notably, this Court stated:

[T]he starting point is the ordinary meaning of the statute. Mills Music, Inc. v. Snyder, 469 U.S. 153, 164, 105 S.Ct. 638, 83 L.Ed.2d 556 (1985) (“In construing a federal statute it is appropriate to assume that the ordinary meaning of the language that Congress employed ‘accurately expresses the legislative purpose.’ ”) (citation omitted). If the language of the statute is clear, the plain meaning of the text must be enforced. United States v. Ron Pair Enters., Inc., 489 U.S. 235, 241, 109 S.Ct. 1026, 103 L.Ed.2d 290 (1989). “The plainness or ambiguity of statutory language is determined by reference to the language itself, the specific context in which that language is used, and the broader context of the statute as a whole.” Robinson v. Shell Oil Co., 519 U.S. 337, 341, 117 S.Ct. 843, 136 L.Ed.2d 808 (1997). When a plain reading “leads to ambiguous or unreasonable results, a court may look to legislative history to interpret a statute.” Limited, Inc. v. Comm’r, 286 F.3d 324, 332 (6th Cir.2002).
[Section] 2721(b)(3) provides that state officials may disclose personal information “[f]or use in the normal course of business ... to verify the accuracy of personal information submitted by the individual to the business,” and to correct inaccurate personal information for the purposes of “preventing fraud by, pursuing legal remedies against, or recovering on a debt or security interest against the individual.” Plaintiffs interpret the references to “the individual” in § 2721(b)(3) as unambiguously limiting disclosure to personal information pertaining to one individual at a time. Defendants counter that “individual” in this subsection does not refer to how many requests may be made at one time, but rather to the basis for disclosures permitted under this subsection. The Fifth Circuit, the only circuit to decide this issue, rejected the same arguments in Taylor v. Acxiom Corp., 612 F.3d 325, 335 (5th Cir.2010), cert. denied, — U.S. -, 131 S.Ct. 908, 178 L.Ed.2d 804 (2011).

Texas, like at least eleven other states, allows persons or entities to purchase magnetic tapes of the database of driver’s license records upon certification of a lawful purpose under the DPPA. Id. at 332. The defendants in Taylor were third parties who did not use all of the records immediately, but maintained databases to either use in the future (non-resellers) or to resell to others for lawful purposes (resellers). The plaintiffs in Taylor argued that maintaining records not actually used was itself an impermissible purpose; in other words, that “ ‘buying the records in bulk with an expectation and purpose of valid potential use is not a permissible use under the DPPA.’ ” Id. at 334. Examining § 2721(b)(3) in the context of all fourteen permissible uses under § 2721(b), the court emphasized that only one subsection limits permissible uses to individual motor vehicle records, while only one other subsection limits permissible uses to bulk distributions. Id. at 335; compare § 2721(b)(ll) (“[f]or any other use in response to requests for individual motor vehicle records if the State has obtained the express consent of the person to whom such personal information pertains”), with § 2721(b)(12) (“[f]or bulk distribution for surveys, marketing or solicitations if the State has obtained the express consent of the person to whom such personal information pertains”). For the rest of the permissible uses, the court found there was more than one reasonable interpretation: “individual release, bulk release, or both.” Id. at 335. The court explained:

It does not make sense that Congress would expressly limit states to individual distribution with one permissible use if Congress intended to limit all of the permissible uses to individual distribution. If Congress intended only individual distribution, one would expect either Congress to expressly limit all uses or, at least, to remain silent on the matter. Likewise, if Congress intended only bulk distribution, it makes no sense to expressly limit one of the fourteen uses to bulk distribution and not the others. The text of the statute strongly indicates that it allows both individual and bulk distribution.

Id. at 336. We agree.

‡ # # #

To resolve the ambiguity, both parties point to aspects of the legislative history to support their positions but nothing speaks directly to the issue of “bulk” disclosures under § 2721(b)(3). More generally, Congress expressed an intention “to strike ‘a critical balance between legitimate governmental and business needs for this information, and the fundamental right of our people to privacy and safety.’ ” Russell v. ChoicePoint Servs., Inc., 300 F.Supp.2d 450, 456 (E.D.La.2004) (quoting 139 Cong. Rec. S15, 763 (1993)). Although plaintiffs rely on statements from the legislative history reflecting an intention to give individuals control over the release of their personal information, those statements are again directed at the bulk sale of personal information for direct marketing purposes.
A statement by the sponsor of the DPPA in the House expressed concern first with the need to address the ease with which criminals and strangers could obtain driver’s license information and second with the desire to curb the sale of DMV databases to direct marketers for commercial purposes by requiring consent. Taylor, 612 F.3d at 336-37 (quoting statement of Rep. Moran Feb. 4, 1994, 1994 WL 212698 (F.D.C.H.)). In that same statement, however, the sponsor also expressed the intention that common uses being made of the information at the time — including by-businesses verifying personal information — should continue unfettered. Id. at 336.
Notably, the amendments to the DPPA, which restricted further the bulk distribution provision to require express as opposed to implied consent, did not adopt a consent requirement for disclosure under § 2721(b)(3), or clarify that requests for disclosure under § 2721(b)(3) should be for one person’s records at a time. The Fifth Circuit was also persuaded by a Department of Justice (DOJ) advisory opinion issued in October 1998, concluding that the DPPA allowed the State of Massachusetts to release personal information to a commercial distributor who would disseminate the information to any other authorized recipients or entities that use the information solely for authorized purposes. Taylor, 612 F.3d at 339. We agree that the DOJ’s advisory opinion is inconsistent with the notion that bulk distribution is prohibited by the DPPA. Id.
Finally, the court in Taylor concluded that the plaintiffs’ reading of § 2721(b)(3) would lead to “essentially absurd results,” explaining:
At a checkout line at a grocery store or similar establishment, when a customer wishes to pay by (or cash) a check, and presents a driver’s license as identification, it is obviously wholly impractical to require the merchant for each such customer to submit a separate individual request to the state motor vehicle department to verify the accuracy of the personal information submitted by the customer, under section 2721(b)(3). Any such process would obviously take way too long to be of any use to either the customer or the merchant, and would moreover flood the state department ■with more requests than it could possibly handle. So, the merchant buys the state department’s entire data base and from it extracts on that occasion that particular customer’s information, and later performs the same task as to the next such customer in the line. Plaintiffs would have us hold that the merchant violates the DPPA by acquiring the data base even though every single actual use made of it is an authorized use under section 2721(b), so long as there is at least one name in the data base as to which no actual use is made.
Id. at 337. The court then analogized the situation to the purchase of a set of legal reporters, which a lawyer purchases for the purpose of legal research even though the attorney would never read every opinion in each volume. Id.
As interpreted by the court in Taylor, plaintiffs could not establish a violation of the DPPA merely because the defendants sold personal information from motor vehicle records in bulk where the disclosure was for use, or potential use, in “the normal course of business” under § 2721(b)(3). The purchase in bulk for use as needed for a permitted purpose under § 2721(b)(3), described by some courts as “stockpiling,” has been found not to violate the DPPA by several district courts. See, e.g., Wiles v. ASCOM Transp. Sys., Inc. (Wiles II), No. 3:10-cv-28-H, 2011 WL 672652 (W.D.Ky. Feb. 17, 2011) (unpublished); Cook v. ACS State and Local Solutions, Inc., 756 F.Supp.2d 1104 (W.D.Mo.2010).[]

Roth, 650 F.3d at 614-17.

For the same reasons, several other Circuits have reached the same conclusion as the Taylor court when considering whether “stockpiling” or bulk obtainment/diselo-sure of personal information violates the DPPA. See Cook v. ACS State & Local Solutions, Inc., 663 F.3d 989, 994, 996 (8th Cir.2011) (“The proper' focus for courts is not the manner in which the information was acquired, but the use to which it is eventually put” and “Plaintiffs cannot establish a violation of the DPPA if all the defendants have done is obtain driver information in bulk for potential use under a permissible purpose”); Graczyk v. West Publ’g Co., 660 F.3d 275, 279 (7th Cir.2011) (The DPPA “is concerned with the ultimate use or uses to which personal information contained in motor vehicle records is put”); Howard v. Criminal Info. Servs., Inc., 654 F.3d 887, 891, 892 (9th Cir.2011) (The DPPA “was written in a way that logically put the focus on the purpose for which the information would eventually be used — on the ‘end’ sought by the purchaser — not on the reasons for buying it in bulk” and “the portion of the statute that expresses the permissible purposes explicitly does so in terms of the ‘use’ of the information. That is what should be considered in determining whether the acquisition of the information is permitted under the statute.”).

This Court agrees with the reasoning of Roth and the referenced DPPA cases from other Circuits. Plaintiffs have not cited any case law, legislative history or other “any authority or persuasive argument for concluding that [the DPPA] clearly and unambiguously limits disclosure of personal information to one individual at a time.” Roth, 650 F.3d at 615. In contrast, as noted in several of the cases discussed above, the legislative history clearly establishes that Congress did not intend to alter the traditional method of bulk disclosures by states, subject to the express limitations set forth in the DPPA.

Plaintiffs also contend that “stockpiling” of the personal information is prohibited because the personal information must be used immediately after it is obtained. Plaintiffs, however, fail to identify any language in the statute that requires immediate use. They cannot do so because there is no such language in the DPPA. See Cook, 663 F.3d at 995 (citing Howard, 654 F.3d at 892 (“There is also no problem with Defendants obtaining the personal information for potential future use, even if they may never use it. The DPPA does not contain a temporal requirement for when the information obtained must be used for the permitted purpose.”)). This Court therefore declines to read such a requirement into the statute.

For the foregoing reasons, we hold that bulk obtainment of personal information for a permissible purpose does not violate the DPPA. We also conclude that, as Defendant obtained the personal information from the K.T.C. under one or more of the permissible purposes set forth in the DPPA, Plaintiffs cannot establish a violation of the DPPA if the only alleged wrongdoing Defendant has committed was obtaining the personal information in bulk for use or potential use.

2. Disclosure (Resale of Personal Information)

The district court dismissed Plaintiffs’ DPPA disclosure claim, finding that Plaintiffs’ “allegations of unauthorized disclosure are deficient because they do not state either a specific unlawful third party to whom [Defendant] disclosed the data or a specific unlawful disclosure by a third party.” Again, this is an issue other Circuits have addressed. For example, the Eighth Circuit recently stated:

Some of the Defendants in this case obtained personal information in bulk from the Missouri DOR not for their own permissible use, but to sell to third parties who have permissible uses of their own. There is no dispute that 18 U.S.C. § 2721(c) explicitly authorizes the resale and redistribution of personal information, however Plaintiffs contend that this section does not provide a stand-alone justification for businesses to obtain records from the state. Plaintiffs argue that the DPPA requires resellers to have their own permissible use for personal information before selling it to third parties. Plaintiffs interpret the phrase “authorized recipient” under section 2721(c) as an individual or entity who has an immediate permissible use for the information under section 2721(b).
The statute does not define “authorized recipient,” and therefore does not provide direct guidance on this issue. However, Plaintiffs identify no support in either the language of the statute or the legislative history that suggests an authorized recipient must have an authorized use. As other courts have pointed out, section 2721(c) restricts only “authorized recipients,” not “authorized users” or “permissible users” (which would more closely mirror section 2721(b)). Taylor, 612 F.3d at 338; Russell v. ChoicePoint Servs. Inc., 300 F.Supp.2d 450, 455-61 (E.D.La.2004). So long as personal information is ultimately used only for permitted purposes, it is not clear why Congress would have intended to regulate who could obtain it. The statute as a whole is concerned only with the use of the information, not the entity requesting it. See Russell, 300 F.Supp.2d at 457 (“The plain language of the DPPA is written in terms of permissible ‘uses’ rather than permissible ‘users.’ ”); Graczyk, 660 F.3d at 279 (pointing out that the statute permits an agent to obtain information for use by a business without requiring the agent to have a separate use).
The documentation requirements in section 2721(c) seem to further indicate that Congress was primarily concerned with the end use of personal information. Congress provided additional safeguards in section 2721(c) that require resellers to document each sale to a third party. Section 2721(c) requires that “[a]ny authorized recipient ... that resells or re-discloses personal information covered by this chapter must keep for a period of 5 years records identifying each person or entity that receives information and the permitted purpose for which the information will be used and must make such records available to the motor vehicle department upon request.” 18 U.S.C. § 2721(c). These safeguards support our view that Congress was focused more on the end use of the information than the manner in which it was obtained.
The Fifth and the Seventh Circuits have found persuasive support for this view in an unpublished Department of Justice opinion letter. The letter responded to an inquiry from the Commonwealth of Massachusetts about whether it was permitted under the DPPA to provide driver information to a commercial distributor who would resell the information only to third parties that themselves had permissible uses. See Letter from Robert C. McFetridge, Special Counsel to the Assistant Attorney Gen., to Peter Sacks, Office of the Attorney Gen. For the Commonwealth of Mass. (Oct. 9, 1998) (on file with the Fifth and Seventh Circuits). In response, the DOJ reasoned that the DPPA “regulated only the ultimate use of personal information without specifying or restricting who may obtain the information in order to accomplish that authorized purpose.” Id. The DOJ posited that Massachusetts could provide information to resellers so long as it could reasonably conclude that the information would be used only for authorized purposes. Id. We agree with our sister circuits that this is the most reasonable reading of the statute. See Graczyk, 660 F.3d at 280-81; Taylor, 612 F.3d at 339.
Section 2721(c) explicitly permits the resale of drivers’ information, and it does not require that resellers must first use the information themselves. We hold that Plaintiffs cannot establish a DPPA violation by alleging that Defendants obtained personal information with the sole purpose of selling it to third parties who have permissible section 2721(b) uses for the information.

Cook, 663 F.3d at 996-97.

We find persuasive the analysis and conclusions of the Eighth Circuit, as well as those of the Fifth and Seventh and the DOJ, and we hold that obtaining personal information solely for the purpose of reselling such information is permitted under the DPPA, so long as the personal information will ultimately be used only for purposes permitted under Section 2721(b).

In this case, Plaintiffs have not alleged that the ultimate “use” of the information is for an impermissible purpose. Rather, Plaintiffs’ allegations pertaining to the resale/disclosure of the personal information are based on Defendant allegedly obtaining the personal information for the sole purpose of reselling it to third parties, without use of such information by Defendant. As stated by the Eighth Circuit, however, “Section 2721(c) explicitly permits the resale of drivers’ information, and it does not require that resellers must first use the information themselves.” Id. at 997. Therefore, we find that Plaintiffs have failed to state a claim upon which relief can be granted because Plaintiffs cannot establish a violation of the DPPA even if Defendant obtained Plaintiffs’ personal information with the sole purpose of selling it to third parties who have a permissible Section 2721(b) use for such information.

C. Common Law Right to Privacy

Plaintiffs’ common law invasion of privacy claim is based on two theories: (a) unreasonable intrusion upon the seclusion of another, and (b) unreasonable publicity to another’s private life.

An intrusion upon seclusion claim requires a plaintiff to show: (1) an intentional intrusion by the defendant, (2) into a matter that the plaintiff has a right to keep private, and (3) that the intrusion would be highly offensive to a reasonable person. See Restatement (Second) of Torts § 652B; Johns v. Firstar Bank, N.A., No. 2004-CA-001558-MR, 2006 Ky. App. LEXIS 85, at *7 (Ky.Ct.App. Mar. 24, 2006); Smith v. Bob Smith Chevrolet, Inc., 275 F.Supp.2d 808, 822 (W.D.Ky.2008). “What constitutes a private matter is dependent upon whether the plaintiff has a reasonable expectation of privacy in the subject information.” Webb v. Bob Smith Chevrolet, Inc., 2005 WL 2065237, at *6 (W.D.Ky. Aug. 24, 2005) (citing McCall v. Courier-Journal & Louisville Times Co., 623 S.W.2d 882, 887 (Ky.1981), cert. denied, 456 U.S. 975, 102 S.Ct. 2239, 72 L.Ed.2d 849 (1982)).

Plaintiffs contend that the district court erred in concluding as a matter of law that Defendant’s alleged intrusion into Plaintiffs’ privacy was not “highly offensive” — a determination that is to be made by the trier of fact. This Court need not consider that argument as it finds that Plaintiffs cannot establish a prima facie intrusion upon seclusion claim, specifically, the second element. The DPPA expressly allows the publication of Plaintiffs’ personal information to third parties under the parameters set forth in Section 2721. As this federal statute authorizes the disclosure of the personal information, a person whose information is disclosed pursuant to that statute cannot have a reasonable expectation that such personal information would be kept private. Accordingly, this Court concludes that Plaintiffs had no reasonable expectation of privacy in the personal information and, as such, that Plaintiffs’ intrusion upon seclusion claim fails as a matter of law.

Plaintiffs also challenge the district court’s dismissal of their “publicity given to a private life” claim, referenced in Restatement (Second) of Torts § 652D as “unreasonable publication.” A cause of action for unreasonable publication requires that a plaintiff prove that a defendant publicized material that: (a) would be highly offensive to a reasonable person, and (b) is not of legitimate concern to the public. Id. Publicizing material “means that the matter is made public, by communicating to the public at large, or to so many persons that the matter must be regarded as substantially certain to become one of public knowledge.” Id. cmt. (a). See also Ghassomians v. Ashland Indep. Sch. Distr., 55 F.Supp.2d 675, 693 (E.D.Ky.1998) (citation omitted) (a claim for unreasonable publicity requires disclosure of private information “in a way substantially certain to become general knowledge either through dissemination to the public at large or a multitude of persons.”). In the instant case, Plaintiffs have not alleged that Defendant disclosed, or caused to be disclosed, Plaintiffs’ personal information to the public at large or a multitude of persons such that the information could be regarded as substantially certain to become a matter of public knowledge. Accordingly, this Court finds that Plaintiffs have failed to state an actionable claim for unreasonable publication.

Therefore, we conclude that Plaintiffs failed to state a claim for common law invasion of privacy claim upon which relief can be granted.

D. 42 U.S.C. § 1983 Claim

The district court found that Plaintiffs failed to state a cognizable § 1983 claim because Defendants are not state actors, as required to impose § 1983 liability, and did not meet the nexus/symbiotic-relationship test by which private action may be attributed to the state. See Wiles v. ASCOM Transp. Sys., Inc., No. 3:10-CV-28-H, 2011 WL 672652, at *3 (W.D.Ky. Feb. 17, 2011).

We think the better grounds on which to dismiss Plaintiffs’ § 1983 claims is then-failure to establish any violation of a federal right. Section 1983 “is not itself a source of substantive rights, but a method for vindicating federal rights elsewhere conferred....” Baker v. McCollan, 443 U.S. 137, 144 n. 3, 99 S.Ct. 2689, 61 L.Ed.2d 433 (1979); see also Moldowan v. City of Warren, 578 F.3d 351, 399 (6th Cir.2009), cert. denied. Plaintiffs allege they have been deprived of their privacy rights as secured by the DPPA, the Privacy Act (codified at 5 U.S.C. § 552a), and the federal constitution. We have already considered Plaintiffs’ DPPA claims and found no DPPA violation. Plaintiffs fail to state a Privacy Act claim because we have previously held that the Privacy Act applies only to federal agencies. Schmitt v. City of Detroit, 395 F.3d 327, 331 (6th Cir.2005). And Plaintiffs’ constitutional privacy claims are also foreclosed by this Court’s prior case law. As we observed in Lambert v. Hartman, 517 F.3d 433, 440 (6th Cir.2008), “this court has recognized an informational-privacy interest of constitutional dimension in only two instances: (1) where the release of personal information could lead to bodily harm (Kallstrom [v. City of Columbus, 136 F.3d 1055, 1061 (6th Cir.1998) ]), and (2) where the information released was of a sexual, personal, and humiliating nature (Bloch [v. Ribar, 156 F.3d 673, 683 (6th Cir.1998)]).” Plaintiffs have not alleged any facts that would support an inference that the information disclosures here fall into either category. As Plaintiffs have not established the deprivation of any federal constitutional or statutory right, their § 1983 claims must fail.

III. CONCLUSION

For the reasons above, we conclude that the district court properly dismissed Plaintiffs’ Third Amended Complaint for failure to state a claim, and we affirm the order of the district court. 
      
      . Defendant-Appellee Ascom Transport System, Inc., dba ACS Transport Solutions, Inc., is the only defendant named in the appeal, as it was Ascom Transport System, Inc.’s motion to dismiss the district court decided and, as a result, dismissed the action in its entirety. The other named defendants to Plaintiffs’ lawsuit at the time of its dismissal were Downtown Owensboro, Inc.; Jones & Wenner Insurance; Nationwide Debt Recovery Service, Inc.; Tennessee Valley Authority; and Xerox Corporation.
     
      
      . An amicus brief in support of allowing bulk disclosures under the DPPA was filed by The Coalition for Sensible Public Records Access, a non-profit organization dedicated to promoting the principle of open public records access, and The Consumer Data Industry Association, an international trade association.
     
      
       Disclosure under subsections (b)(ll) (for any use) and (b)(12) (for bulk distributions for surveys, marketing or solicitation) is permissible "if the State has obtained the express consent of the person to whom such personal information pertains.” Id. at § 2721(b)(ll)-(12) (as amended eff. June 1, 2000).
     
      
      . The Wiles district court case and the Cook district court case referenced by the Roth court are the underlying cases in the appeal currently before this Court and the Cook decision discussed herein (beginning at the next paragraph), respectively.
     
      
      . In addition to the statements of Congressman Moran set forth in the Taylor and Roth decisions, supra, several other congressman made similar proclamations regarding the purpose and scope of the DPPA. See, e.g., 139 Cong. Rec. 29468 (1993) (statement of Senator Boxer, describing the bill in the Senate as "strikpng] a critical balance between the legitimate governmental and business needs for this information, and the fundamental right of our people privacy and safety”); 140 Cong. Rec. 7929 (1994) (statement of Representative Goss that "The flow of information would only be denied to a narrow group of people that lack legitimate business. The Amendment defines 'legitimate business' broadly, including all the duties of Federal, State, and local law enforcement agencies and courts, verification and/or correction of personal information, private investigations, and anything related to the operation of a motor vehicle.”).
     
      
      . Plaintiffs' complaint cites to 5 U.S.C. § 552, the Freedom of Information Act, which requires federal agencies to make certain information available to the public. We assume Plaintiffs meant 5 U.S.C. § 552a, the Privacy Act, and construe their complaint accordingly.
     