On Tuesday the massive data broker LexisNexis reached a settlement of over $5 million in response to a class action lawsuit that alleged the company sold DMV data to law firms, which then used it for their own business purposes.
The news highlights how data from state DMVs can be abused and how it can be leveraged for financial gain. Motherboard has reported extensively on how DMVs sell data to a wide range of industries, including private investigators.
"Defendants will make payment of the amount of service awards, attorneys' fees, and other expenses approved by the Court up to and not more than $5,150,000.00, in the aggregate, by wire transfer to the agent identified by Class Counsel," the proposed settlement agreement reads. Law360 first reported the settlement.
Do you work at a company selling data? Do you know of an abuse of DMV data? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on firstname.lastname@example.org, or email email@example.com.
The class action was filed in 2016, after North Carolina residents Deloris and Leonard Gaston claimed that LexisNexis sold their motor vehicle records (MVRs) for a purpose that violated the Drivers' Privacy Protection Act (DPPA). The DPPA is the law that governs the sale of DMV data, and it limits its use only to a set of permissible uses, such as for litigation, insurance, or fraud collections. Ironically, the permissible uses also include for private investigators; the DPPA was created in the first place after a private investigator working for a stalker obtained the address of actress Rebecca Schaeffer from the DMV. The stalker then murdered Schaeffer.
A second defendant in the class action was PoliceReports.US, a company that LexisNexis acquired in 2014 and which made vehicle accident or crash reports available on its website.
"Defendants websites allow the purchase of crash reports by report date, location, or driver name and payment by credit card, prepaid bulk accounts or monthly accounts," the original class action complaint reads, describing LexisNexis and PoliceReports.US. "Purchasers are not required to establish any permissible use provided in the DPPA to obtain access to Plaintiffs' and Class Members' MVRs," it adds. The Plaintiffs argued that LexisNexis and PoliceReports.US sold the data without their consent and without legal authorization.
LexisNexis did not respond to a request for comment.
"I do not fault the DMV because it is obligated to follow state and federal laws that govern driver’s license data, a responsibility it seems to take seriously. In my view, the oversharing of DMV data is a result of dated laws. In particular, it’s time for Congress to revisit the Driver's Privacy Protection Act, which was enacted in 1994," Representative Anna G. Eshoo previously told Motherboard in a statement.
Senator Ron Wyden, whose office has been following DMV data selling issues, told Motherboard in a statement on Wednesday that he will be introducing new legislation to tackle such data selling.
"The law that regulates the sale of American's driver's license data is riddled with loopholes that private investigators and data brokers like LexisNexis routinely exploit to violate our privacy. I'll be introducing tough legislation in the new year to close these loopholes and hold accountable those who abuse our personal privacy," the said.