DMVs, Data Brokers, and the DPPA

By Bailey McHale

From the Congressional hearings of Mark Zuckerberg to Edward Snowden’s revelations over the National Security Administration’s gathering of American citizens’ phone records, much thought has been dedicated to the national discussion of privacy rights. One of the biggest problems society faces today is that “privacy rights” are not explicitly protected in the U.S. Constitution. Instead, they have been interpreted by the Supreme Court as a Fourth Amendment protection deemed necessary with technological advancements. [1] One agency that may have skirted public criticism on this topic is the Department of Motor Vehicles (DMV), or, in other states, the Department of Public Safety. However, it is these state organizations that are making millions of dollars from selling driver registrations to the data brokers we see vilified in the national headlines. The 1994 federal Driver Privacy Protection Act should be updated to handle these new data brokers in today’s era of social media and digital data brokers.

The scope of these DMV sales is difficult to record. As state institutions, there are few national statistics or reports documenting DMV sales. Instead, a few particular states have been put in the spotlight. According to local sources, Texas generated nearly 3 million dollars from DMV sales in 2017 and sold voter registration information to nearly 800 different outside groups between 2015 and 2017. [2] Florida’s Department of Highway Safety and Motor Vehicles reported making $77 million from driver and ID data sales. [3] One company, Acxiom, has an agreement with Florida that allows them to buy driver or ID records for only a penny per record, which is in turn sold to the company’s 2.5 billion customers. Large companies that sell to other marketing firms are referred to as data brokers. [4]

The term “data broker” has only recently come into popular vocabulary, but it is still an evolving concept with a broad application. Data brokers, such as Acxiom or Equifax, collect information from a variety of government and non-government sources to create both individual profiles and group rolls (for example, a list of people in a certain estimated income bracket in a certain zip code). [5] Data brokers sell bulk data to marketing firms, private investigators, political interest groups, and other interested paying customers. [6] Once a data broker has created a profile on you or a company has put you on a mailing list, you do not have a legal right to remove yourself or request your profile be deleted. [7] While many privacy activists have written on the precautions you can take to protect yourself from online data collection, there are very few actions an individual can take to prevent the government from collecting or selling personal information. 

Congress has attempted to address this problem before. In 1989, a string of abuses of DMV records came to light which prompted the Drivers Privacy Protection Act, or the DPPA. [8] There are some protections such as limitations on disclosing a particular individual’s information. [9] The non-governmental customers also have to agree that the records will be used for non-commercial and non-marketing purposes. [10] However, once data brokers have this personal information, they are supposed to only give it to authorized parties. [11] Since there is no regulator of these authorized parties, DMV information often ends up being used for marketing purposes. [12]

 Given the new REAL ID standards from Homeland Security that require a passport or driver’s license to fly in a domestic flight, most Americans will be going to their local DMV offices in the next year to receive a new driver’s license or alternative identity card. [13] This new requirement has given a particular urgency to the need to protect driving records and restrict DMVs from selling this information. The DPPA needs to be amended to create stronger protections. There should be updates to ensure inclusion of digital records and internet data collection that are often combined with driver and ID records. Stronger regulation of the customers of data brokers to make sure data is not being used for marketing purposes. An agency dedicated to enforcing the DPPA would be an important start. The importance of these changes reaches beyond ending your digital and physical mailboxes full of marketing materials you didn’t sign up for. These changes mean the state can’t make money off of your private and confidential information.

Endnotes

1. “The Drivers Privacy Protection Act (DPPA) and the Privacy of Your State Motor Vehicle Record.” Electronic Privacy Information Center. Date Unknown. https://epic.org/privacy/drivers/
2. Milburn, Forest. “Facebook may not sell the data it collects, but the state of Texas sure does.” Houston Chronicle. Updated 15 April 2018. https://www.houstonchronicle.com/news/politics/texas/article/Facebook-may-not-sell-the-data-it-collects-but-12832831.php
3. Walser, Adam. “I-Team: Florida DMV sells your personal information to private companies, marketing firms.” ABC Action News. July 10, 2019. https://www.abcactionnews.com/news/local-news/i-team-investigates/i-team-florida-dmv-sells-your-personal-information-to-private-companies-marketing-firms
4. Ibid. 
5. Leetaru, Kalev. “The Data Brokers So Powerful Facebook Bought Their Data – But They Got Me Wildly Wrong.” Forbes. April 5, 2018. https://www.forbes.com/sites/kalevleetaru/2018/04/05/the-data-brokers-so-powerful-even-facebook-bought-their-data-but-they-got-me-wildly-wrong/#7b6bdd453107
6. Cox, Joseph. “DMVs Are Selling Your Data to Private Investigators.” Vice. Sept. 6, 2019. https://www.vice.com/en_us/article/43kxzq/dmvs-selling-data-private-investigators-making-millions-of-dollars
7. Ibid.
8. The Drivers Privacy Protection Act (DPPA) and the Privacy of Your State Motor Vehicle Record.”
9. Ibid. 
10. Ibid. 
11. Ibid. 
12. Ibid. 
13. REAL ID Frequently Asked Questions for the Public.” Department of Homeland Security.Date Unknown. https://www.dhs.gov/real-id-public-faqs