Earlier this year leaked data revealed that the Department of Motor Vehicles in numerous states has spent years selling citizen data to a laundry list of third parties, often without making such financial relationships or data transfers clear to patrons. Some of the data wound up being sold to the usual suspects (auto insurance and credit reporting companies being the most obvious), but much of it is routinely sold to more dubious third-party outfits and private investigators, which fairly obviously poses a risk to folks dealing with stalkers and psychotic exes.
A new report this week revealed that the California DMV alone is making $50 million annually selling this data to a laundry list of companies and third parties:
"In a public record acts request, Motherboard asked the California DMV for the total dollar amounts paid by commercial requesters of data for the past six years. The responsive document shows the total revenue in financial year 2013/14 as $41,562,735, before steadily climbing to $52,048,236 in the financial year 2017/18.
The document doesn’t name the commercial requesters, but some specific companies appeared frequently in Motherboard’s earlier investigation that looked at DMVs across the country. They included data broker LexisNexis and consumer credit reporting agency Experian. Motherboard also found DMVs sold information to private investigators, including those who are hired to find out if a spouse is cheating. It is unclear if the California DMV has recently sold data to these sorts of entities."
Granted all of this is perfectly legal due to the Driver’s Privacy Protection Act (DPPA), a 90’s law that critics say is in dire need of an update. That law was created in response to a series of abuses of DMV data, including the 1989 murder of actress Rebecca Schaeffer, after her killer obtained her home address from the DMV. And while the law was intended to stop the abuse of DMV data, it contained (surprise!) plenty of intentional loopholes making it okay to sell this data to a wide variety of individuals, including PIs, bail bondsmen, and consumer credit reporting agencies.
While the data sold can vary from state to state, it generally includes names, addresses, zip codes, dates of birth, phone numbers, and email addresses. Past leaks have shown that the Wisconsin DMV, for example, has personal data sales relationships with more than 3,100 different entities, and that the sale of this data is hugely profitable. California, for its part, insisted that it was doing everything it could to ensure this data isn’t abused:
"The DMV takes its obligation to protect personal information very seriously. Information is only released pursuant to legislative direction, and the DMV continues to review its release practices to ensure information is only released to authorized persons/entities and only for authorized purposes. The DMV also audits requesters to ensure proper audit logs are maintained and that employees are trained in the protection of DMV information and anyone having access to this information sign a security document."
But if you hadn’t noticed by now, these kinds of promises, be they coming from the DMV or Equifax, haven’t been worth all that much. And when and if the data is leaked and abused, the penalties are usually a far cry from the profit made from selling this kind of data in the first place.