Congressional Reps Want To Know Why The California DMV Is Making $50 Million A Year Selling Driver Data
from the time-to-start-cutting-the-public-in-on-the-scam dept
Congressional legislators -- apparently caught off guard by one state's revenue stream -- are asking the California Department of Motor Vehicles a $50 million question: why the hell are you selling residents' personal data?
A group of nearly a dozen lawmakers led by member of Congress Anna Eshoo wrote to the California Department of Motor Vehicles (DMV) on Wednesday looking for answers on how and why the organization sells the personal data of residents. The letter comes after Motherboard revealed last year that the DMV was making $50 million annually from selling drivers' information.
As Karl Bode noted last year when covering this revelation, this sale of data is codified. The Driver's Privacy Protection Act doesn't do much to protect drivers' privacy. It may prevent abuse of this data by government employees but none of that affects private sector access where the real money is made.
The data from the California DMV is sold to a variety of data brokers. The public records request that resulted in this windfall of transparency about the DMV's windfall of actual money didn't name any of its customers. But did show a steady increase in revenue over the five years the records covered.
The letter [PDF] signed by nine members of Congress -- including California Congressional rep Ted Lieu -- asks the DMV a lot of pointed questions about its practice of profiting off data Californians are forced to hand over in exchange for licenses. It asks the questions the records obtained by Motherboard left unanswered. First off, the legislators want to know who this data is being sold to.
What types of organizations has the DMV disclosed drivers’ data to in the past three years? In particular, has the DMV sold or otherwise disclosed data to debt collection agencies, private investigators, data brokers, or law enforcement agencies?
Has the DMV ever disclosed drivers’ photos to federal, state, or local law enforcement agencies or given such agencies access to a database of drivers’ photos?
What specific fields of personal information have been sold or disclosed to third parties by the DMV in the past three years?
Have Social Security numbers or driver’s license photos ever been disclosed?
The legislators also want to know if this data is being shared with ICE and other federal agencies for the purposes of locating undocumented immigrants. It also asks if Californians can ask to opt out of the data sales/sharing and whether the agency would honor any of these requests.
The legislators note that they're concerned about this practice they probably should have already been aware of -- especially the two California assembly members who also signed the letter.
[W]e’re troubled by press reports about the California DMV’s disclosure of vast quantities of data which could enable invasive biometric policing and be a symptom of a deeper privacy malady. [...] What information is being sold, to whom it is sold, and what guardrails are associated with the sale remain unclear.
The DMV has already answered some of these questions... sort of. In a statement to Motherboard, the DMV said the $50 million/year it makes on data sales only offsets the cost of "administering its requester program." It denies selling information to marketers. It did not deny selling info to data brokers or other common customers for DMV data, like credit reporting agencies.
"The DMV takes its obligation to protect personal information very seriously. Information is only released according to California law, and the DMV continues to review its release practices to ensure information is only released to authorized persons/entities and only for authorized purposes. For example, if a car manufacturer is required to send a recall notice to thousands of owners of a particular model of car, the DMV may provide the car manufacturer with information on California owners of this particular model through this program," the statement added.
"Only released according to California law." That's the problem. The law allows the DMV to sell data to private companies. It takes a few purchases to add up to $50 million. Handing out info to car manufacturers for recalls is probably something the DMV does for a minimal cost, if it even charges anything for it. The DMV's statement sounds good but really says nothing. No one will really know what happens to the data the DMV collects until it starts handing over detailed answers to these questions from Congress.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: anna eshoo, california, data, dmv, privacy, selling data, ted lieu
Reader Comments
Subscribe: RSS
View by: Time | Thread
Revenue neutral?
Ah! Then the DMV can close the requester program, stopping sales of the data, and everything is fine?
[ link to this | view in chronology ]
Re: Revenue neutral?
They are troubled by the "press reports." They don't care about the actually breach and sale of public trust or private data, only that the cat is out of the bag.
[ link to this | view in chronology ]
You got to just _love_ this kind of waffling
"To ensure information is only released to authorized persons" translates into "we try not to have the data stolen without payment to us". Because obviously a sale is an authorization. "and for authorized purposes" - "no open advertising for resale behind our backs that would cut into our profits" because obviously they don't have personnel for active monitoring of internal compliance with particular use cases.
"For example [...] the DMV may provide" translates into "there hasn't been a legitimate purpose we can think of right now in our sales practice, but in theory there might be such cases, so please don't stop us".
If the answer to a request for a list of customers is "well, in theory there might have been this legitimate purpose", it's sort of the same kind of answer you'd get from an organized crime syndicate. Except that they aren't as stupid as that.
[ link to this | view in chronology ]
Assuming this to be true, the possibilities I can think of:
[ link to this | view in chronology ]
Privacy!
Got to love how CA is one of the more aggressive states with respect to internet privacy and consumer rights and then the government goes and sells the info!
[ link to this | view in chronology ]
Re: Privacy!
California government is a facade.
[ link to this | view in chronology ]
Re: Privacy!
They are just trying to reduce the potential competition.
[ link to this | view in chronology ]
That's a horrible example.
Since the recalls are, generally, due to safety issues that may result in injuries or death, I'd like to suggest that a government agency in charge of (checks notes) vehicle safety should not be profiting from allowing that information to be passed on to the populace.
(I'd even go one step further: instead of "provid[ing] the car manufacturer with information on California owners", the DMV should be the ones sending the manufacturer's notice. That way, the notice gets where it needs to go, and private data stays private.)
[ link to this | view in chronology ]
Re:
Agreed.
Having done similar things in sensitive settings you can also use neutral 3rd parties to combine/match data and execute on sending letters etc.
Also, you don't actually need personal information - you only care about the vehicle so a "Dear Owner" letter to a street address minimizes exposed data while still achieving the desired outcome.
[ link to this | view in chronology ]
So my personal data is being sold by the DMV to advertisers and stalkers. Great. Another betrayal of trust.
Hey Governor Newsom, WTF?
[ link to this | view in chronology ]
'It's expensive to sell the public out you know.'
In a statement to Motherboard, the DMV said the $50 million/year it makes on data sales only offsets the cost of "administering its requester program."
If that program costs fifty million to run then either it is horrifically designed and run and needs to be shut down, or one or more people involved are getting some serious 'bonuses' in their paychecks on a regular basis.
[ link to this | view in chronology ]
Wisconsin has been doing this for at least a decade
When I moved to Wisconsin, the first piece of mail I got was a catalog from a big and fat clothing store targeted to me based on my height and weight which they bought from Wisconsin's DMV. The same DMV that had big TVs on every wall running an occasional PSA but 80% paid commercials.
I doubt very much only two states are doing this crap. This is the kind of government you get when you put soulless business people in charge of government.
[ link to this | view in chronology ]
Re: Wisconsin has been doing this for at least a decade
Yeah, 'soulless!' What he said!
[ link to this | view in chronology ]
'the DMV said the $50 million/year it makes on data sales only offsets the cost of "administering its requester program."
So they could shut it down, no longer sell the data and thereby re-implement a proper privacy program and it wouldn't cost anything. What on earth are they waiting for?
[ link to this | view in chronology ]
The question becomes...
..can the users sue the state of California for this??
[ link to this | view in chronology ]
Who needs to crack computers..
the Gov is as bad as all the corps.
Dont need to hack computers if you can BUY THE INFO.
[ link to this | view in chronology ]
Taking its obligation very seriously
The DMV takes its obligation to protect personal information very seriously.
Whenever I see a phrase to this effect, I figure some clerk is being very stern as he works out how to circumvent such duties for profit.
[ link to this | view in chronology ]
We are shocked just shocked how much money they are making selling out citizens...
Perhaps y'all should do some quick audits & find all of the other magical sources of income various branches of government are making by screwing citizens.
[ link to this | view in chronology ]
In answer to the question in the title, I have this total wild idea, but hear me out.
Maybe it is, because you run the agency like a private company and expect them to turn a profit and then create laws which allows them to do so, by selling that data?
Just an idea, might be lightyears off.
[ link to this | view in chronology ]
Requester Program 50M
I'm here to help...
Pay me 1 million per year and I will save the state 49M per year. Business email or call requesting our data?
I will simply say; No, we don't do that to our people!
Should have already been doing this!!!!!
[ link to this | view in chronology ]
DMV
Starting today, there are no more fees to DMV ever!
Free license
Free renewal
Free ID
Free registration
Everything is FREE forever!
You owe us waay more, but, we are willing to call it even for the above resolution!
[ link to this | view in chronology ]