California DMV is Making $50M/Year Selling Personal Information
Privacy Plus+
Privacy, Technology and Perspective
California DMV is Making $50M/Year Selling Personal Information. This week, a report revealed that the California Department of Motor Vehicles is generating revenue of $50,000,000 a year by selling drivers’ personal information. You can read more by following this link to an article in Vice:
The Vice article notes the irony that California’s data sales “come from a state which generally scrutinizes privacy to a higher degree than the rest of the country.”
We have posted previously about the soon-to-be-effective California Consumer Privacy Act (CCPA), CA Civ. Code §§ 1798.100 - 1798.199, which, in part, requires disclosure of the categories of third parties with whom personal information is shared (§ 1798.110(3)) and updates to website privacy notices every 12 months (§ 1798.130(5)). However, the CCPA will only regulate data sales by “businesses” (§ 1798.140(c)), and not governmental entities. You can read more about the CCPA by following this link:
The California DMV’s current Privacy Policy is both scant and dated (effective date, July 23, 2018). A link to it follows:
https://www.dmv.ca.gov/portal/dmv/detail/portal/portal/policy
It notes little about how personal information is shared, but links to the following site, which catalogs the applicable laws related to how drivers’ license information is “protected and disclosed”:
https://www.dmv.ca.gov/portal/dmv/detail/dl/how_info_shared
We note with particular interest that the notice recognizes that the federal Driver’s Privacy Protection Act (DPPA), 18 U.S.C. § 2721, requires all States to protect the privacy of personal information contained in a person’s motor vehicle record, and limits the use of such record to the following purposes:
Carrying out government agency functions, including courts and law enforcement.
Use in matters of motor vehicle safety, theft, emissions, product recalls.
Motor vehicle market research and surveys.
Legitimate business needs in transactions initiated by the individual to verify the accuracy of personal information.
Use in connection with a civil, criminal, administrative, or arbitral proceeding.
Research activities and statistical reports, so long as the personal information is not redisclosed or used to contact individuals.
Insurance activities.
Yet, the Vice article above reports that the California DMV regularly sells its records to a data broker, a consumer credit reporting agency, and private investigators, among others, for amounts now north of $50 million per year. The article quotes the California DMV as claiming it only sells these records for permitted purposes and that it requires purchasers to certify that they, too, will only use drivers’ license information for proper purposes as described above. But even assuming that is true, is that all? Are there no other controls?
And are these few assertions enough? If these allegations are true, then has the California DMV has violated the federal law that protects the release of DMV information? In so doing, has the California DMV also waived sovereign immunity under its state law – from suit, from liability for monetary damages, from an equitable disgorgement, or from all of these?
It would certainly seem fair that the revenue reaped from illicit sales of the data of California drivers should be forwarded to the California drivers, who never consented to the DMV’s commercial exploitation of their personal information – in violation of federal law – in the first place.
And regardless, contracting by governmental entities clearly needs closer scrutiny to prevent privacy violations.
Hosch & Morris, PLLC is a Dallas-based boutique law firm dedicated to data protection, privacy, the Internet and technology. Open the Future℠.