Congressional Reps Want To Know Why The California DMV Is Making $50 Million A Year Selling Driver Data

from the time-to-start-cutting-the-public-in-on-the-scam dept

Congressional legislators -- apparently caught off guard by one state's revenue stream -- are asking the California Department of Motor Vehicles a $50 million question: why the hell are you selling residents' personal data?

A group of nearly a dozen lawmakers led by member of Congress Anna Eshoo wrote to the California Department of Motor Vehicles (DMV) on Wednesday looking for answers on how and why the organization sells the personal data of residents. The letter comes after Motherboard revealed last year that the DMV was making $50 million annually from selling drivers' information.

As Karl Bode noted last year when covering this revelation, this sale of data is codified. The Driver's Privacy Protection Act doesn't do much to protect drivers' privacy. It may prevent abuse of this data by government employees but none of that affects private sector access where the real money is made.

The data from the California DMV is sold to a variety of data brokers. The public records request that resulted in this windfall of transparency about the DMV's windfall of actual money didn't name any of its customers. But did show a steady increase in revenue over the five years the records covered.

The letter [PDF] signed by nine members of Congress -- including California Congressional rep Ted Lieu -- asks the DMV a lot of pointed questions about its practice of profiting off data Californians are forced to hand over in exchange for licenses. It asks the questions the records obtained by Motherboard left unanswered. First off, the legislators want to know who this data is being sold to.

What types of organizations has the DMV disclosed drivers’ data to in the past three years? In particular, has the DMV sold or otherwise disclosed data to debt collection agencies, private investigators, data brokers, or law enforcement agencies?

Has the DMV ever disclosed drivers’ photos to federal, state, or local law enforcement agencies or given such agencies access to a database of drivers’ photos?

What specific fields of personal information have been sold or disclosed to third parties by the DMV in the past three years?

Have Social Security numbers or driver’s license photos ever been disclosed?

The legislators also want to know if this data is being shared with ICE and other federal agencies for the purposes of locating undocumented immigrants. It also asks if Californians can ask to opt out of the data sales/sharing and whether the agency would honor any of these requests.

The legislators note that they're concerned about this practice they probably should have already been aware of -- especially the two California assembly members who also signed the letter.

[W]e’re troubled by press reports about the California DMV’s disclosure of vast quantities of data which could enable invasive biometric policing and be a symptom of a deeper privacy malady. [...] What information is being sold, to whom it is sold, and what guardrails are associated with the sale remain unclear.

The DMV has already answered some of these questions... sort of. In a statement to Motherboard, the DMV said the $50 million/year it makes on data sales only offsets the cost of "administering its requester program." It denies selling information to marketers. It did not deny selling info to data brokers or other common customers for DMV data, like credit reporting agencies.

"The DMV takes its obligation to protect personal information very seriously. Information is only released according to California law, and the DMV continues to review its release practices to ensure information is only released to authorized persons/entities and only for authorized purposes. For example, if a car manufacturer is required to send a recall notice to thousands of owners of a particular model of car, the DMV may provide the car manufacturer with information on California owners of this particular model through this program," the statement added.

"Only released according to California law." That's the problem. The law allows the DMV to sell data to private companies. It takes a few purchases to add up to $50 million. Handing out info to car manufacturers for recalls is probably something the DMV does for a minimal cost, if it even charges anything for it. The DMV's statement sounds good but really says nothing. No one will really know what happens to the data the DMV collects until it starts handing over detailed answers to these questions from Congress.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: anna eshoo, california, data, dmv, privacy, selling data, ted lieu


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 11 Aug 2020 @ 4:35am

    Revenue neutral?

    the DMV said the $50 million/year it makes on data sales only offsets the cost of "administering its requester program."

    Ah! Then the DMV can close the requester program, stopping sales of the data, and everything is fine?

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 11 Aug 2020 @ 8:05am

      Re: Revenue neutral?

      They are troubled by the "press reports." They don't care about the actually breach and sale of public trust or private data, only that the cat is out of the bag.

      reply to this | link to this | view in chronology ]

  • identicon
    David, 11 Aug 2020 @ 4:35am

    You got to just _love_ this kind of waffling

    DMV continues to review its release practices to ensure information is only released to authorized persons/entities and only for authorized purposes. For example, if a car manufacturer is required to send a recall notice to thousands of owners of a particular model of car, the DMV may provide the car manufacturer with information on California owners of this particular model through this program,"

    "To ensure information is only released to authorized persons" translates into "we try not to have the data stolen without payment to us". Because obviously a sale is an authorization. "and for authorized purposes" - "no open advertising for resale behind our backs that would cut into our profits" because obviously they don't have personnel for active monitoring of internal compliance with particular use cases.

    "For example [...] the DMV may provide" translates into "there hasn't been a legitimate purpose we can think of right now in our sales practice, but in theory there might be such cases, so please don't stop us".

    If the answer to a request for a list of customers is "well, in theory there might have been this legitimate purpose", it's sort of the same kind of answer you'd get from an organized crime syndicate. Except that they aren't as stupid as that.

    reply to this | link to this | view in chronology ]

  • icon
    Khym Chanur (profile), 11 Aug 2020 @ 4:37am

    the DMV said the $50 million/year it makes on data sales only offsets the cost of "administering its requester program." I

    Assuming this to be true, the possibilities I can think of:

    1. The DMV receives such a mind-boggling huge number of requests per year that it really does take $50 million to handle all the requests.
    2. They've outsourced most of the operation, and whoever they outsourced it to is ripping them off.
    3. Lots and lots of embezzlement.

    reply to this | link to this | view in chronology ]

  • identicon
    Eric, 11 Aug 2020 @ 5:51am

    Privacy!

    Got to love how CA is one of the more aggressive states with respect to internet privacy and consumer rights and then the government goes and sells the info!

    reply to this | link to this | view in chronology ]

  • identicon
    ryuugami, 11 Aug 2020 @ 6:09am

    "For example, if a car manufacturer is required to send a recall notice to thousands of owners of a particular model of car, the DMV may provide the car manufacturer with information on California owners of this particular model through this program," the statement added.

    That's a horrible example.

    Since the recalls are, generally, due to safety issues that may result in injuries or death, I'd like to suggest that a government agency in charge of (checks notes) vehicle safety should not be profiting from allowing that information to be passed on to the populace.

    (I'd even go one step further: instead of "provid[ing] the car manufacturer with information on California owners", the DMV should be the ones sending the manufacturer's notice. That way, the notice gets where it needs to go, and private data stays private.)

    reply to this | link to this | view in chronology ]

    • icon
      R2_v2.0 (profile), 11 Aug 2020 @ 7:29pm

      Re:

      Agreed.

      Having done similar things in sensitive settings you can also use neutral 3rd parties to combine/match data and execute on sending letters etc.

      Also, you don't actually need personal information - you only care about the vehicle so a "Dear Owner" letter to a street address minimizes exposed data while still achieving the desired outcome.

      reply to this | link to this | view in chronology ]

  • identicon
    Pixelation, 11 Aug 2020 @ 6:48am

    So my personal data is being sold by the DMV to advertisers and stalkers. Great. Another betrayal of trust.

    Hey Governor Newsom, WTF?

    reply to this | link to this | view in chronology ]

  • icon
    That One Guy (profile), 11 Aug 2020 @ 7:20am

    'It's expensive to sell the public out you know.'

    In a statement to Motherboard, the DMV said the $50 million/year it makes on data sales only offsets the cost of "administering its requester program."

    If that program costs fifty million to run then either it is horrifically designed and run and needs to be shut down, or one or more people involved are getting some serious 'bonuses' in their paychecks on a regular basis.

    reply to this | link to this | view in chronology ]

  • icon
    Mark Gisleson (profile), 11 Aug 2020 @ 7:47am

    Wisconsin has been doing this for at least a decade

    When I moved to Wisconsin, the first piece of mail I got was a catalog from a big and fat clothing store targeted to me based on my height and weight which they bought from Wisconsin's DMV. The same DMV that had big TVs on every wall running an occasional PSA but 80% paid commercials.

    I doubt very much only two states are doing this crap. This is the kind of government you get when you put soulless business people in charge of government.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 11 Aug 2020 @ 8:19am

    'the DMV said the $50 million/year it makes on data sales only offsets the cost of "administering its requester program."

    So they could shut it down, no longer sell the data and thereby re-implement a proper privacy program and it wouldn't cost anything. What on earth are they waiting for?

    reply to this | link to this | view in chronology ]

  • icon
    Code Monkey (profile), 11 Aug 2020 @ 9:21am

    The question becomes...

    ..can the users sue the state of California for this??

    reply to this | link to this | view in chronology ]

  • icon
    ECA (profile), 11 Aug 2020 @ 11:03am

    Who needs to crack computers..

    the Gov is as bad as all the corps.
    Dont need to hack computers if you can BUY THE INFO.

    reply to this | link to this | view in chronology ]

  • icon
    Uriel-238 (profile), 11 Aug 2020 @ 12:05pm

    Taking its obligation very seriously

    The DMV takes its obligation to protect personal information very seriously.

    Whenever I see a phrase to this effect, I figure some clerk is being very stern as he works out how to circumvent such duties for profit.

    reply to this | link to this | view in chronology ]

  • icon
    That Anonymous Coward (profile), 11 Aug 2020 @ 6:48pm

    We are shocked just shocked how much money they are making selling out citizens...
    Perhaps y'all should do some quick audits & find all of the other magical sources of income various branches of government are making by screwing citizens.

    reply to this | link to this | view in chronology ]

  • identicon
    Private Agency, 12 Aug 2020 @ 5:01am

    In answer to the question in the title, I have this total wild idea, but hear me out.

    Maybe it is, because you run the agency like a private company and expect them to turn a profit and then create laws which allows them to do so, by selling that data?

    Just an idea, might be lightyears off.

    reply to this | link to this | view in chronology ]

  • icon
    ImNeverWrongAgain (profile), 16 Aug 2020 @ 10:03am

    Requester Program 50M

    I'm here to help...
    Pay me 1 million per year and I will save the state 49M per year. Business email or call requesting our data?
    I will simply say; No, we don't do that to our people!
    Should have already been doing this!!!!!

    reply to this | link to this | view in chronology ]

  • icon
    ImNeverWrongAgain (profile), 16 Aug 2020 @ 10:08am

    DMV

    Starting today, there are no more fees to DMV ever!
    Free license
    Free renewal
    Free ID
    Free registration
    Everything is FREE forever!
    You owe us waay more, but, we are willing to call it even for the above resolution!

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Special Affiliate Offer

Essential Reading
Techdirt Insider Chat
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.