The California Department of Motor Vehicles is generating revenue of $50,000,000 a year through selling drivers’ personal information, according to a DMV document obtained by Motherboard.
DMVs across the country are selling data that drivers are required to provide to the organization in order to obtain a license. This information includes names, physical addresses, and car registration information. California’s sales come from a state which generally scrutinizes privacy to a higher degree than the rest of the country.
In a public record acts request, Motherboard asked the California DMV for the total dollar amounts paid by commercial requesters of data for the past six years. The responsive document shows the total revenue in financial year 2013/14 as $41,562,735, before steadily climbing to $52,048,236 in the financial year 2017/18.
The document doesn't name the commercial requesters, but some specific companies appeared frequently in Motherboard's earlier investigation that looked at DMVs across the country. They included data broker LexisNexis and consumer credit reporting agency Experian. Motherboard also found DMVs sold information to private investigators, including those who are hired to find out if a spouse is cheating. It is unclear if the California DMV has recently sold data to these sorts of entities.
In an email to Motherboard, the California DMV said that requesters may also include insurance companies, vehicle manufacturers, and prospective employers.
Asked if the sale of this data was essential to the DMV, Marty Greenstein, public information officer at the California DMV, wrote that its sale furthers objectives related to highway and public safety, "including availability of insurance, risk assessment, vehicle safety recalls, traffic studies, emissions research, background checks, and for pre- and existing employment purposes."
"The DMV takes its obligation to protect personal information very seriously. Information is only released pursuant to legislative direction, and the DMV continues to review its release practices to ensure information is only released to authorized persons/entities and only for authorized purposes. The DMV also audits requesters to ensure proper audit logs are maintained and that employees are trained in the protection of DMV information and anyone having access to this information sign a security document," Greenstein wrote.
Do you know anything else about data selling? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on firstname.lastname@example.org, or email email@example.com.
Multiple other DMVs around the U.S. previously confirmed to Motherboard that they have cut-off data access for some commercial requesters after they abused the data.
One of the main pieces of legislation that governs the sale of DMV data stemmed from a case in California. Lawmakers introduced the Driver's Privacy Protection Act (DPPA) in 1994 after a private investigator hired by a stalker obtained the address of actress Rebecca Schaeffer from the DMV. The stalker went on to kill Schaeffer. The DPPA was designed to restrict access to DMV data, but included a wide array of exemptions, including for private investigators.
After Motherboard's earlier investigation, senators and digital privacy experts criticized the sale of DMV data, and some said the law should be changed. Senator and Democratic Presidential candidate Bernie Sanders said DMVs should not profit from such information.
Subscribe to our cybersecurity podcast, CYBER.