Curtis v City of New York
2023 NY Slip Op 23196 [80 Misc 3d 321]
July 5, 2023
Kim, J.
Supreme Court, New York County
Published by New York State Law Reporting Bureau pursuant to Judiciary Law § 431.
As corrected through Wednesday, October 4, 2023


[*1]
Noel Curtis, Plaintiff,
v
City of New York, Defendant.

Supreme Court, New York County, July 5, 2023

APPEARANCES OF COUNSEL

Sylvia O. Hinds-Radix, Corporation Counsel, New York City (Kevin B. Collins of counsel), for defendant.

Cahill Gordon & Reindel LLP, New York City (Joel Laurence Kurtzberg of counsel), for plaintiff.

{**80 Misc 3d at 322} OPINION OF THE COURT
Judy H. Kim, J.

Defendant's motion to dismiss this action is granted for the reasons set forth below.

Factual Background

On January 24, 2022, Administrative Code of the City of New York §§ 20-563.7 (the Customer Data Law) and 20-563.11 went into effect. Administrative Code § 20-563.7 provides:

"a. A food service establishment may request customer data from a third-party food delivery service. Upon such a request, a third-party food delivery service shall provide to the food service establishment all applicable customer data, until such food service establishment requests to cease receiving such customer data.{**80 Misc 3d at 323}
"b. Notwithstanding the requirements of subdivision a of this section, a third-party food delivery service shall not share customer data applicable to an online order pursuant to subdivision a of this section if such customer requests that such data not be shared in relation to such online order. The customer shall be presumed to have consented to the sharing of such customer data applicable to all online orders unless such customer has made such a request in relation to a specific online order. The third-party food delivery service shall provide in a conspicuous manner on its website, in a style and form required by the commissioner, a means for a customer to make such request. To assist its customers with deciding whether their data should be shared, a third-party food delivery service shall clearly and conspicuously disclose to the customer the customer data that may be shared with the food service establishment and shall identify the food service establishment fulfilling such customer's online order as a recipient of such data.
"c. Third-party food delivery services that share customer data pursuant to this section shall provide such data in a machine-readable format, disaggregated by customer, on an at least monthly basis. Third-party food delivery services shall not limit the ability of food service establishments to download and retain such data, nor limit their use of such data for marketing or other purposes outside of the third-party food delivery service website, mobile application or other internet service.
"d. Food service establishments that receive customer data pursuant to this section shall not sell, rent, or disclose such customer data to any other party in exchange for financial benefit, except with the express consent of the customer from whom the customer data [*2]was collected . . .
"e. Nothing in this section shall prevent a third-party food delivery service or a food service establishment from complying with any other law or rule." (Administrative Code § 20-563.7 [emphasis added].)

Administrative Code § 20-563.11 permits the New York City Law Department to commence a civil action to recover civil penalties, injunctive relief, and restitution for violations of the Customer Data Law.{**80 Misc 3d at 324}

On December 10, 2021, before the Customer Data Law went into effect, Grubhub Inc. (Grubhub), a third-party food delivery service, filed an action in the United States District Court of the Southern District of New York (the federal action) seeking a declaration that the Customer Data Law is invalid as violating various provisions of the United States and New York Constitutions and, as pertinent here, preempted by New York State's Civil Rights Law §§ 50-51. Pursuant to a stipulation entered into in the federal action, the City has agreed not to enforce the Customer Data Law as against Grubhub until the conclusion of the federal action.

On May 9, 2022, plaintiff Noel Curtis, a vice president of technology of Grubhub, commenced this action seeking a declaratory judgment that the Customer Data Law is null and void because it is preempted by Civil Rights Law §§ 50-51 under the doctrine of conflict preemption[FN1] (NY St Cts Elec Filing [NYSCEF] Doc No. 2, complaint). His complaint asserts that, if the Customer Data Law goes into effect, he will be harmed by either: (1) being forced to affirmatively opt out of the data sharing between Grubhub and third-party restaurants mandated by the Customer Data Law; or, if he fails to do so, (2) having his personal data shared with third-party restaurants that may not properly secure it and may also use his information in "marketing" in a manner that violates Civil Rights Law §§ 50 and 51. In his complaint, plaintiff argues that this impermissible marketing includes a restaurant using his name and address to send him promotional materials.

The City now moves to dismiss the complaint, arguing that: (1) plaintiff does not have standing to challenge the Customer Data Law as the alleged harm asserted is speculative and contingent on plaintiff acting against his interest, and (2) the complaint fails to state a claim, as there is no conflict between the Customer Data Law and Civil Rights Law §§ 50-51. Plaintiff opposes the motion.

Discussion

The court first addresses the question of plaintiff's standing to bring the instant action (see Security Pac. Natl. Bank v Evans, 31 AD3d 278, 279 [1st Dept 2006]). "[T]he burden is on the . . . [City] to establish, prima facie, the plaintiff's lack of{**80 Misc 3d at 325} standing as a matter of law" (New York Community Bank v McClendon, 138 AD3d 805, 806 [2d Dept 2016] [citations omitted]; see CPLR 3211 [a] [3]). The "motion will be defeated if the plaintiff's submissions raise a question of fact as to its standing" (U.S. Bank N.A. v Clement, 163 AD3d 742, 743 [2d Dept 2018] [internal quotation marks and citations omitted], appeal dismissed 32 NY3d 1197 [2019]).

[1] The City has met its burden here. To have standing to sue, plaintiff must allege an "injury-in-fact," i.e., that he has "suffered a cognizable harm that is not tenuous, ephemeral, or conjectural but is sufficiently concrete and particularized to warrant judicial intervention" (Matter of Stevens v New York State Div. of Criminal Justice Servs., 206 AD3d 88, 98 [1st Dept 2022][*3][internal quotation marks and citations omitted]). A plaintiff "making a general attack on legislative or administrative action or inaction must [also] demonstrate special damages distinct from that suffered by the public at large" i.e., a "special right[ ] or interest[ ] in the matter in controversy, other than [that] common to all taxpayers and citizens" (Matter of Abrams v New York City Tr. Auth., 48 AD2d 69, 70 [1st Dept 1975] [citations omitted], affd 39 NY2d 990 [1976]). The foregoing requirements apply to an action, such as this one, for declaratory and injunctive relief challenging a local law as preempted by a state law (see Patrolmen's Benevolent Assn. of the City of N.Y., Inc. v City of New York, 142 AD3d 53 [1st Dept 2016], appeal dismissed 28 NY3d 978 [2016]).

Plaintiff's complaint does not satisfy any of these requirements. The injury alleged therein—that his personal information will be transmitted to restaurants who will use it in a manner that violates Civil Rights Law §§ 50-51—is an injury shared by all other New Yorkers who do not opt out of the data sharing contemplated by the Customer Data Law. Moreover, the harm contemplated by the complaint is also entirely speculative. Plaintiff alleges that, if the Customer Data Law is enforced (which enforcement would, the court notes, necessarily be preceded by the District Court in the federal action rejecting Grubhub's argument that the Customer Data Law is preempted by Civil Rights Law §§ 50-51), then plaintiff, a vice president of technology for Grubhub, will intentionally not opt out of the data sharing directed by this law, after which these restaurants will use his information in marketing in a manner{**80 Misc 3d at 326} impermissible under Civil Rights Law §§ 50-51.[FN2] This harm is entirely contingent on a series of events that may or may not happen and is therefore not sufficient to confer standing (see Roberts v Health & Hosps. Corp., 87 AD3d 311, 318-319 [1st Dept 2011] [petitioners' claim that the scheduled layoffs would leave HHC so short-staffed that HHC facilities would inevitably violate Public Health Law article 28, thus exposing them to "imminent" risk from "smoke, fire, bacterial, toxic and structural hazards," is speculative]; see also Schulz v Cuomo, 133 AD3d 945, 947 [3d Dept 2015]).

In addition, the court notes that the first link in this chain of events requires that plaintiff intentionally decline to opt out of this data sharing, despite knowing that failing to do so will result in his data being shared by Grubhub, an outcome he does not want. The fact that the harm alleged requires plaintiff to act against his own interest further undercuts any claim to standing (see Chino v New York Dept. of Fin. Servs., 171 AD3d 610, 610-611 [1st Dept 2019] ["any injury suffered by petitioners was self-created, by abandonment of the licensing process after submission of an incomplete application"]; Lancaster Dev., Inc. v McDonald, 112 AD3d 1260, 1261-1262 [3d Dept 2013] ["inasmuch as the harm purportedly suffered by Lancaster was occasioned not by its failure to secure the winning bid for the project but, rather, by its entirely voluntary decision to forgo submitting a bid at all, we are not persuaded that Lancaster has suffered an injury in fact distinct from that of the public at large" (citation omitted)]; Matter of Barrett Paving Materials, Inc. v New York State Thruway Auth., 184 AD3d 1173, 1174 [4th Dept 2020] [same]). Finally, to the extent that plaintiff argues that he is harmed by the requirement that he affirmatively opt out [*4]of having his data shared by Grubhub, this is an inconvenience rather than a harm.

[2] Even assuming, for the sake of argument, that plaintiff had standing, the court would dismiss this action on its merits, because plaintiff's argument that a conflict between the Customer Data Law and Civil Rights Law §§ 50-51 exists such that the latter preempts the former is simply incorrect.

Civil Rights Law § 50 provides that

"[a] person, firm or corporation that uses for {**80 Misc 3d at 327}advertising purposes, or for the purposes of trade, the name, portrait or picture of any living person without having first obtained the written consent of such person, or if a minor of his or her parent or guardian, is guilty of a misdemeanor."

Civil Rights Law § 51 provides, in turn, that

"[a]ny person whose name, portrait, picture or voice is used within this state for advertising purposes or for the purposes of trade without the written consent first obtained as above provided may maintain an equitable action in the supreme court of this state against the person, firm or corporation so using his name, portrait, picture or voice, to prevent and restrain the use thereof; and may also sue and recover damages for any injuries sustained by reason of such use and if the defendant shall have knowingly used such person's name, portrait, picture or voice in such manner as is forbidden or declared to be unlawful by section fifty of this article, the jury, in its discretion, may award exemplary damages. But nothing contained in this article shall be so construed as to prevent any person, firm or corporation from selling or otherwise transferring any material containing such name, portrait, picture or voice in whatever medium to any user of such name, portrait, picture or voice, or to any third party for sale or transfer directly or indirectly to such a user, for use in a manner lawful under this article." (Emphasis added.)

Plaintiff argues that Administrative Code § 20-563.7 (c)—which prohibits third-party food delivery services from limiting the ability of food service establishments to use customer data provided by Grubhub for "marketing or other purposes outside of the third-party food delivery service website"—falls within these statutes' prohibition on the use of an individual's name for advertising or trade purposes without that individual's written consent. The court disagrees.

A reading of Administrative Code § 20-563.7, as a whole, indicates that the "marketing" contemplated by subdivision (c) is constrained by subdivision (d), which requires written consent from the customer before any food service establishments can sell, rent, or disclose such customer data to any other party in exchange for financial benefit. In light of this limitation, the only reasonable reading of subdivision (c) is{**80 Misc 3d at 328} that it contemplates a restaurant's use of its customers' names and addresses to market the restaurant to them through generic mailings and promotions rather than, as feared by plaintiff, advertising specific customers' patronage of a restaurant within promotional materials.

To the extent that plaintiff argues that such a generic mailing violates Civil Rights Law §§ 50-51, this argument is entirely undercut by the repeated admonition of the Court of Appeals that the prohibitions of Civil Rights Law §§ 50 and 51 "are to be strictly limited to nonconsensual commercial appropriations of the name, portrait or picture of a living person" (Finger v Omni Publs. Intl., 77 NY2d 138, 141 [1990]) i.e., a business's dissemination of an [*5]individual's name and/or likeness to the public to promote a particular good or service or its commercial enterprise more generally (see e.g. Hernandez v Wyeth-Ayerst Labs., 291 AD2d 66 [1st Dept 2002]). The "marketing" contemplated by Administrative Code § 20-563.7 (c) simply does not fall within this category. As there is no conflict between Administrative Code § 20-563.7 and Civil Rights Law §§ 50-51, the doctrine of conflict preemption does not apply to invalidate the Customer Data Law.

Accordingly, it is ordered that the City of New York's motion to dismiss is granted and this action is dismissed.



Footnotes


Footnote 1:The court notes that plaintiff and Grubhub are represented by the same law firm—and indeed, many of the same attorneys of the law firm—in this action and the federal action.

Footnote 2:Plaintiff also raises the possibility that a restaurant holding his personal data might suffer a data breach, resulting in the exposure of his personal data, but this harm is entirely speculative and insufficient to sustain standing.