Personal information privacy seems to be a fluid construct these days. We give our information to social media companies like Facebook who sell the information for gain (Cambridge Analytica Scandal). We also give our private information directly to marketers if we enter any online contest, ask for information online about products or fill out an information form to obtain a preferred shopping card at the local supermarket.
According to a recent study, identity theft hit an all-time high in 2016 and one in six US adults were a victim. Date of birth is the biggest prize an identity thief wants because then he or she can open up credit cards, cellphone contracts and bank loans all under your name. Social security numbers are also prime targets. Both of these pieces of information can be obtained from your driver’s license.
Motorists have an expectation of driver’s license privacy. The Drivers Privacy Protection Act (DPPA) was enacted in 1994 to protect the personal information assembled by your state’s Department of Motor Vehicles (DMV).
Under DPPA, personal information about an individual in connection with a motor vehicle record is prohibited for release or use by DMV personnel. DPPA also requires states to obtain permission from individuals before their personal record may be sold or released to third-party marketers.
That hasn’t stopped a number of states from selling driver’s license information to marketers without consent. States like Texas claim the selling of information does not violate DPPA because it is sold to a middle man who THEN sells the information to marketers.
In November, Austin television station KXAN investigated and found that Texas made $2.1 million per year by selling information to marketers. KXAN also found that some of the businesses that bought data had been hacked. The biggest: Equifax.
In early March, Equifax reported that the data of another 2.4 million Americans had been breached with just the availability of their name and partial driver’s license number. This brings the total to 147.9 million Americans who were victimized with the Equifax breach since the middle of 2017. The vast majority of those affected had their Social Security Number exposed.
In a 2016 interview, Joe Malley, a Dallas-based lawyer with the moniker “Privacy Crusader,” said that Texas roughly sells 30 million motor vehicle and driver records to more than 200 companies per year. Malley said in the past, he had filed federal lawsuits in eight states involving 500 companies seeking privacy protection for 145 million Americans. And selling this information is not just about identity theft but personal safety too. He gives two important examples.
After receiving an extended car warranty pitch on the phone, a frantic woman called Malley to ask if her address was publicly available. She was concerned because her boyfriend had tried to kill her when she lived in Arizona and she was frantic to learn that since her address was public, he could find her again.
Looking into Washington State records for a different case, Malley found a pedophile had requested information for any girls aged 7 to 12 who had asked for a state ID card. Using the list he obtained, the man marketed a beauty contest for these girls. To enter, they only had to submit a photograph of themselves wearing a bathing suit. Malley forwarded his findings to the authorities who quickly handled the situation.
In a November 2017 Mobile TV station story about Alabama selling driver’s license information, Malley was interviewed and noted that “The DMV data is basically (what) I call the holy grail of all marketing data. Most states sell the motor vehicle records, about 37 of the states.”
In 2015, a Texas Court of Appeals declared that the date of birth of “every living person” is not public information. When middlemen sell that information to marketers though, that private information becomes very public.
In 2016, a Tampa, Florida TV Station investigation revealed that Florida had generated nearly $150 million in the past two years from sales of driver records to 75 different marketing firms. A number of those firms resold the information to other businesses and individuals, stating that they were utilizing exemptions under the DPPA such as “requesting my own record,” “requesting a family member’s record,” “requesting an employee’s record,” and “requesting for other business purposes.” As you might expect, none of these are actual exemptions under DPPA.
With the advent of current state experiments with digital driver’s licenses and REAL ID which connects information into a vast national database, and with states selling information to the highest bidder, protection of personal data is moving in exactly the wrong direction.