UPDATED: Mar 13, 2020
It’s all about you. We want to help you make the right coverage choices.
We strive to help you make confident insurance decisions. Comparison shopping should be easy. We partner with top insurance providers. This doesn't influence our content. Our opinions are our own.
As a driver, it’s very likely that you’ll have to visit the Department of Motor Vehicles (DMV) to register and insure your car. When you visit DMV, however, is your personal information safe? Or does the DMV put your privacy at risk? According to a recent investigation by Vice, your personal information may not be as safe as you think when you get a new driver’s license.
In fiscal year 2017, the Florida Department of Motor Vehicles made over $77 million by selling driver and ID cardholder’s personal information to private third parties.
That’s nearly $4 for every single Florida resident, driver or non-driver, child or senior. And that’s just $77 million in a single year. In the video below from ABC Action News, you will learn more about Florida’s DMV selling consumer information to turn an easy profit.
Such sales, our research shows, can lead to much more than just junk mail and unwanted robocalls. In this article, we’ll cover what you need to know as a consumer about DMVs selling personal information to third party companies, from which DMVs are guilty of this to what you can do to protect yourself.
As experts in the car insurance industry, we always help people find the best car insurance for them and their families. And that includes protecting them from predatory practices by actors like the DMV.
Which state DMVs have sold consumer information?
Extensive evidence has been found that the states in the following table’s departments of Motor Vehicles have been selling the private information of their customers to a range of third-party outlets, from bounty hunters to debt collectors, private investigators to consumer credit reporting bureaus.
|States C-N||States R-W|
As you can see, these states are located all over the country, from California on the West Coast to Rhode Island in New England. And you should know: it is quite possible that additional states’ DMVs have been selling customer information to private third parties.
Several of these states, interestingly enough, are also home to some of the most expensive car insurance premiums in the country, including Florida, Rhode Island, and New Jersey.
What information has been sold by DMVs?
Not surprisingly, the private information DMVs have sold varies from state to state. This is in part because states have various laws about what can be sold through legal loopholes, and in part, because different states’ DMVs collect different information.
So what information are DMVs selling? Our research has shown that the most common information sold includes:
Though this information might seem innocuous — more of a nuisance where you get robocalls or junk mail — collectively it can lead to serious violations of your privacy and being targeted by bill collectors or others. We all deserve to know what organizations are buying this consumer information from DMVs.
Who is buying information from DMVs?
The Driver’s Privacy Protection Act, as we will talk about below, has traditionally allowed for some legitimate sharing of consumer information, such as between public agencies or with car insurance companies. Since at least 2014, however, DMVs have been selling customer data to companies or groups that should worry every privacy-minded consumer. These companies include:
- Consumer credit reporting bureaus
- Bill collectors
- Bail bondsmen
- Bounty hunters
- Private investigators
As we will soon discuss, this last group — private investigators — is especially troubling, as some states require very little or even no licensing for an individual to work as a private investigator.
What is the Driver’s Privacy Protection Act?
The Driver’s Privacy Protection Act, or DPPA, is a 1994 federal statute that aimed to protect the private information of DMV customers from getting into the wrong hands.
On July 18, 1989, Rebecca Schaeffer, a 21-year-old actress, was stabbed to death in her West Hollywood home. Schaeffer’s murderer, an obsessive fan who had been stalking her for several years, had paid a private investigator to obtain Schaeffer’s home address from California DMV records. In the aftermath of Schaeffer’s murder, public calls to protect the private information of DMV customers began to increase.
In the early 1990s, anti-abortion activists began using DMV records to stalk, threaten, and otherwise harass women’s reproductive health care providers. In October 1991, such activists broke into the home of Dr. Susan Wicklund, having obtained her private address from a public DMV database. They had accessed this information after seeing her license plate number in the parking lot of the clinic where she worked.
Following this incident, U.S. Rep. Jim Moran of Virginia introduced the Driver’s Privacy Protection Act (DPPA) to combat such stalking through DMV databases. The bill became law in 1994 and was upheld in the 2000 Supreme Court case Reno v. Condon.
A key provision in the DPPA has become a major loophole that has legally protected the sale of your information by the DMV.
According to subsection (b)(8), the DMV can release customer information “for use by any licensed private investigative agency or licensed security service for any purpose permitted under this subsection.” With many states having lenient or non-existent licensing laws for private investigators or other security services, this loophole means that your private information, from what kind of car you drive to where you live, can be released to a third party without your direct consent.
In the video below, Central Florida’s DeWitt Law Firm, a leading law group committed to fighting DPPA violations, offers a solid short overview of the DPPA.
As you can see, the number of DPPA misuses is on the rise. Fortunately, several states are in the processing of passing comprehensive consumer privacy laws that would go above and beyond the federal protections guaranteed by the Driver’s Privacy Protection Act of 1994.
What are the privacy laws in my state?
According to the Electronic Privacy Information Center (EPIC):
“The DPPA, like many other privacy statutes, provides a federal baseline of protections for individuals. The DPPA is only partially preemptive, meaning that except in a few narrow circumstances, state legislatures may pass laws to supplement the protections made by the DPPA.“
Privacy professionals around the world are working together to research and advocate for the protection of citizens’ personal information. The International Association of Privacy Professionals (IAPP) exists “to define, support and improve the privacy profession globally.”
Lucky for us, they track the emergence of privacy laws state-by-state across the United States and report on what these laws actually mean for citizens. (And if you’re interested in state-specific laws, you might want to know about the 10 states with the worst drivers.)
Although the legislative drive for comprehensive privacy laws is increasing, states across the country largely lag behind both innovations in technology and how information is used against people.
That being said, the IAPP offers the map below of which states have signed comprehensive privacy bills into law, as well as states where such bills have been passed or have been introduced. It also shows which bills are in cross-chamber or cross-committee, cross meaning that the chamber or the committee has members from multiple political parties.
But what protections do these bills actually contain for private consumers? And what do those specific protections actually mean in action? These are good questions to ask. In the table below, we offer the individual provisions of privacy protection laws individual states have passed and laws that are currently in the legislative process.
|State||Statute/Bill||Access Right||Rectification Right||Deletion Right||Restriction Right||Opt-Out Right||Notice/Transparency Requirement|
|California||AB 375/SB 1121||✓||✓||✓||✓|
|New Hampshire||HB 1680||✓||✓||✓||✓|
|New York||S 224||✓|
|New York||S 5642||✓||✓||✓||✓||✓||✓|
According to the IAPP, the 16 common privacy provisions include the following:
- The right of access to personal info: The right for a consumer to access the information collected about them and the information shared with third parties.
- The right to rectification: The right for a consumer to request that incorrect or outdated personal information be corrected but not deleted.
- The right to deletion: The right for a consumer to request the deletion of personal information about the consumer under certain conditions.
- The right to restriction of processing: The right for a consumer to restrict a business’s ability to process personal information about the consumer.
- The right to data portability: The right for a consumer to request personal information about the consumer be disclosed in a common file format.
- The right to opt-out of personal info sales: The right for a consumer to opt out of the sale of personal information about the consumer to third parties.
- The right against automated decisions: A prohibition against a business making decisions about a consumer based solely on an automated process.
- A consumer private right of action: The right for a consumer to seek civil damages from a business for violations of a statute.
- A strict opt-in for the sale of personal info: A restriction to treat young consumers with an opt-in default for the sale of their personal information.
- Notice/transparency requirements: An obligation placed on a business to provide notice to consumers about certain data practices, privacy operations, and/or privacy programs.
- Data breach notification: An obligation placed on a business to notify consumers and/or enforcement authorities about a privacy or security breach.
- Mandated risk assessment: An obligation placed on a business to conduct formal risk assessments of privacy and/or security projects or procedures.
- Prohibited discrimination on a consumer: A prohibition against a business treating a consumer who exercises a right differently than those who don’t.
- A purpose limitation: An EU General Data Protection Regulation–style restrictive structure that prohibits the collection of personal information except for a specific purpose.
- A processing limitation: A GDPR-style restrictive structure that prohibits the processing of personal information except for a specific purpose.
- Fiduciary duty: An obligation imposed on a business/controller to exercise the duties of care, loyalty, and confidentiality (or similar) and act in the best interest of the consumer.
One of the best things you can do to protect yourself and future consumers from the selling and misuse of private information is to advocate for stricter oversight regarding privacy and the protection of private information. If you’re interested in contacting your federal, state, or local officials to advocate for privacy protection laws, check out USA.gov’s “How to Contact Your Elected Officials” guide.
No matter what state you call home, you have to register and insure your vehicle. So sadly, a trip to the DMV might be in your future, but hopefully, now you’re better prepared to protect your private information there. And if you’re moving to another state, make sure you know that state’s minimum auto insurance requirements before you head to the DMV.
How widespread is the problem of DMVs selling consumer data?
Investigative research is mixed on how deeply the problem of DMV consumer information sharing runs from state to state.
This we know: The sale of private information by DMVs is an issue that deserves to be addressed by federal, state, and local agencies.
As we already discussed, Florida, whose DMV appears to be the biggest seller of consumer data, made over $77 million in 2017 from the practice. But what about other states?
Vice’s Motherboard investigation found that “the Virginia DMV has sold data to 109 private investigator firms” while “the New Jersey Motor Vehicle Commission has sold data to at least 16 private investigation firms.” They also found that “the Delaware DMV has data-sharing agreements with at least a dozen investigation firms, and Wisconsin has over 20 current agreements with such firms, other documents show.”
Dallas-Fort Worth’s CBS 11 found that in 2012, the Texas Department of Motor Vehicles made more than $2 million in data sales, while Greenville, South Carolina’s CBS 4 reports that “the South Carolina Department of Motor Vehicles has made more than $42 million selling your information since July 2015.”
An ironic fact: South Carolina also has some of the most dangerous highways in the United States.
Like Florida, California — the only state with current legislation in place to protect consumers beyond the DPPA — seems to be a big seller of DMV customer information. San Diego’s NBC 7 reports that the state has brought in more than $50 million per year since 2015 through such sales. You should note that California is also home to some of the strictest insurance laws in the country.
The video from CBS News below illustrates well the potential scope of this problem.
With so much information being sold by DMVs in such a wide variety of states across the United States, it’s important to know as much as we can about how much these DMVs are banking from their unethical sales. And what we fear, sadly, is that this research is only scraping the tip of the iceberg of what and how much DMVs might be selling to third parties.
Nevertheless, the table below summarizes what we have found about each state’s DMV and the sale of private consumer information:
|California||$50 million per year since 2015|
|Delaware||Sales to at least a dozen private investigation firms|
|Florida||$77 million in 2017|
|New Jersey||Sales to at least 16 private investigation firms|
|South Carolina||$42 million since July 2015|
|Texas||$2 million in 2012|
|Virginia||Sales to at least 109 private investigation firms|
|Wisconsin||Sales to at least two dozen private investigation firms|
Sales information for North Carolina and Rhode Island is currently unknown. Though the problem of information selling, as you can see in the table above, can be daunting, there are actions we can all take to protect ourselves, now and in the future.
What can consumers do to protect themselves?
On June 28, 2018, California Governor Jerry Brown signed the California Consumer Privacy Act into law. That means that if you live in California, you now have the strongest and most-comprehensive consumer privacy protection law, the California Consumer Privacy Act, or CCPA, in place to protect you. In fact, many other states that are currently writing and debating legislation are basing their laws off of the CCPA.
According to the advocacy coalition Californians for Consumer Privacy:
“The California Consumer Privacy Act empowers you to find out what information businesses are collecting about you, your devices, and your children, and gives you the choice to tell them NO.”
Corporations and businesses collecting personal data online in California are required to prominently place a link that says “do not sell my data” on every page where they are collecting personal information. Simply click on that link to secure your rights as a California resident under the CCPA.
The video below provides a great overview of how to utilize the CCPA.
But chances are you don’t live in California. So what can you do then?
Sadly, no other state currently has comprehensive consumer privacy protections in place beyond the DPPA. (Though many states are in the process of passing such legislation, as we’ve covered above.)
But that doesn’t mean there aren’t things you can do to protect your personal information, especially online. And our research has shown that a variety of industries — including the car insurance industry — are susceptible to fraudulent online predation.
The Federal Trade Commission, the federal agency tasked with protecting American consumers, has a great guide on “How to Keep Your Personal Information Secure.” Here are some of their key and actionable takeaways for protecting your personal information, both online and off:
- Shred receipts, credit offers, credit applications, insurance forms, physician statements, checks, bank statements, expired charge cards, and similar documents.
- Destroy the labels on prescription bottles before you throw them out and don’t share your health plan information with anyone who offers free health services or products.
- Opt out of prescreened offers of credit and insurance by mail. You can opt out for 5 years or permanently. To opt out, call 1 (888) 567-8688 or go to optoutprescreen.com.
- Monitor who is getting your personal or financial information. Don’t give out personal information on the phone, through the mail or over the internet unless you’ve initiated the contact.
- Rid all personal information from a device before you dispose of a computer or a mobile device. Use a wipe utility program to overwrite the entire hard drive.
- Secure your web browsers to guard your online transactions.
- Keep a tight hold on your Social Security number.
- Install anti-virus software, anti-spyware software, and a firewall on computers and tablets.
- Never open files, links, or downloadable programs sent by strangers.
With cars becoming smarter and smarter, it’s also important to protect your private information, given that your car communicates through smart technology. Check out our “10 Must-Know Tips to Save Your Car from Being Hacked” guide.
What do experts have to say about DMVs selling private information?
We asked experts from a variety of relevant fields, such as cybersecurity and privacy advocacy, to weigh in on the issue of DMVs selling private information. A lot of what they had to offer continued to shock us even more about this problematic practice. Read on to find out what a few of them had to say; their advice can help you protect you and your family’s private information.What are the dangers for citizens of DMVs selling their private information?
“The DMV’s sale of private information to third-party companies could affect citizens in a number of ways. If they are a public school bus driver or a hazardous material driver, for example, the information may prevent or stop their employment. As well, insurance rates could go up if the insurance company has access to your driving history.
The DMV also sends data to private investigators to help surveil people’s spouses. Other organizations that the DMV sells to include law firms, employers, banks, and credit reporting companies, so the selling of this data could affect your employment, loans, and credit.”
What states’ DMVs are selling citizens’ private information?
“Some states that have been found to be selling citizens’ private information include Virginia, New Jersey, Delaware, Wisconsin, Florida, Rhode Island, Texas, and South Carolina. What information has been sold?
It depends on the state, but in New York, the DMV is selling only your driver license and vehicle registration data, after recent legislation was passed banning the sale of personal information. However, many states still sell personal information including citizens’ email addresses, phone numbers, names, addresses, birthdays, and more.”
What states, if any, have taken action to prevent DMVs from selling private information?
“In my search, I found that only the state of New York has passed legislation to prevent the DMV from selling private data. ‘This legislation mandates that DMV will clearly and prominently place opt-out information on all its forms, as well as its website, and it is a positive first step in rectifying this situation,’ said State Senator Chris Jacobs.”
Are citizens in states where the DMV is public or privatized safer from this phenomenon? Why?
“I was unable to find a list of states with privatized DMVs, although I did see that New Jersey privatized their DMV in 1995. Unfortunately, I can’t speak to a correlation between public vs. private DMVs and the selling of citizens’ data.”
Is there anything the federal government can do to prevent this phenomenon?
“The federal government would need to amend the Driver’s Privacy Protection Act and either add more restrictions or explicitly prevent the DMV from selling citizens’ data.”
Is there anything private citizens can do to prevent the DMV, or other such agencies, from selling their private information?
“As a citizen, you can lobby for your state to pass legislation that prevents the state from selling your private information. However, until legislation is passed, you can’t prevent the DMV from selling your personal information, unfortunately.”
Gabe Turner is a Director of Content at Security Baron headquartered in Brooklyn, New York.
Security Baron specializes in cybersecurity and is dedicated to your security and privacy.
“The privacy and protection of our personal information is a big deal. So when it was found that some DMVs are selling this information, it’s not surprising that people were upset. There are some situations where we are required to provide our private information and feel that this information should be protected and secure within the company which it is provided to. The DMV is one of these places.
Frankly, the DMV selling this information is immoral and a breach of personal privacy. When privacy is disregarded like this, people start to feel as if their information is no longer safe in the places where it should be.
On top of this, personal safety risks also come into play, as the information which is provided to the DMV could be information which is keeping a person safe from individuals who want to harm them. The individual’s personal safety could then be at risk should their private information fall into the wrong hands.
It should be the consumer’s choice as to what happens with their own data so that situations such as the one I mentioned above are avoided. We are seeing some positive movements in this direction.
Some areas have passed Consumer Privacy Acts which protect the well-being of consumers and their data, thus giving companies a better reason to avoid the misuse of data. Hopefully more areas start moving in this direction soon.
We need to continue to push for the importance of data privacy and security so that there are repercussions should privacy be disregarded in the ways that the DMV has disregarded personal data.”
Will Ellis is an IT security consultant and the founder of Privacy Australia.
His company’s mission is to keep data private and defend digital sovereignty.
What information has been sold?
“The information being sold includes address, type of car, etc. This can be used to infer information about the person. For instance, certain models or makes of car are associated with certain income levels.
Marketing agencies can buy this information from the DMV to better round out the profiles that they generate on you when they buy your internet history from your internet service provider. Even if you don’t receive junk mail as a result of the DMV selling your information, your privacy is still being violated — by a government entity that it is impossible to not use, no less.”
Is there anything the federal government can do to prevent this phenomenon?
“Yes, and they should. The United States is one of the only developed countries in the world that doesn’t have a right to privacy explicitly written into their Constitution. The U.S. Constitution does have the Fourth Amendment, which is often used successfully to defend citizens’ privacy, but it clearly fails in this instance.”
Is there anything private citizens can do to prevent the DMV, or other such agencies, from selling their private information?
“Unfortunately, short of not getting a driver’s license or state-issued ID, there isn’t any way to stop the DMV from having your information and doing with it what they wish.
I hate to be such a ‘Debbie Downer’ about this happenstance, but it’s one of the few areas where we can see, through FOIA requests, just how much of our data ends up being sold to marketing and advertising companies and that when there aren’t privacy protections, you can safely assume your privacy is being violated for profit.”
Caleb Chen is a writer for Private Internet Access (PIA), a no-log VPN company.
PIA believes that privacy is a right and champions for that right online and offline.
Bottom Line: DMVs Selling Your Personal Info for Money
Investigative reporting has shown that DMVs in states across the country, from Rhode Island to California, have sold the private information of their customers to third-party companies for millions of dollars.
This practice, sadly, has been largely allowed under the Drivers Privacy Protection Act, or DPPA, which is the only existing federal legislation currently addressing the issue.
It’s good to know that pressure is mounting for legislators, especially on the state level, to write protections for citizens into law. But as we have discussed, there are also measures you can take, especially online, to protect you and your family from having your private information misused in the first place.
Vice‘s tech team, Motherboard, was the first national news outlet to investigate and report on the phenomenon of DMVs selling consumers’ private information to a variety of third-party vendors. We relied upon the findings of their investigation to address our own questions about the problem and to conduct our own research on how states are addressing, or not addressing, the pressing issue of DMVs violating customer trust by sharing private information with third-party vendors.
The thorough research process for our comprehensive studies, such as this one on DMVs selling private information, includes an analysis of over 3,000 data points for all 50 U.S. states and the District of Columbia from a variety of government, nonprofit, academic, and industry sources. In this study specifically, we especially relied upon the International Association of Privacy Professionals (IAPP), Californians for Consumer Privacy, and the Federal Trade Commission.