The next time you apply for a driver’s license at your local Department of Motor Vehicles (DMV) office, just be aware that all of the personal information that you provide them might be later packaged up and sold to the highest bidder. That’s the disturbing takeaway from a recent VICE Motherboard investigation, which relied on hundreds of public records requests to track down exactly how much money state DMV offices are making by selling personal data every year. By some estimates, state DMV offices around the nation have made tens of millions of dollars in profit ever since the practice began around 2014.
How and why DMV offices are selling personal data
While this practice of selling personal contact information might seem unsavory and even a little bit sketchy, it’s not at all illegal or in violation of state law. There are a number of approved uses for selling and sharing data, such as selling your personal data to automotive insurance companies and towing companies. But, in recent years, DMV and DHS (Department of Highway Safety) offices have become increasingly bold about whom they sell to, and why. Instead of just selling to the types of companies that might legitimately have a need for this information, they have expanded their client base to include consumer credit reporting bureaus, bill collectors, bail bondsmen, bounty hunters, and even local private investigators (many of them unlicensed) looking to keep tabs on cheating spouses.
Moreover, as the investigation showed, these DMV offices knew full well that they were selling personal data and driver records for profit. Thanks to being able to get their hands on the original documents, the team of investigators found out exactly how much state government agencies were making by selling personal data and DMV information. Florida, for example, made $77 million in 2017 by selling personal data. And private investigation firms are among the biggest clients of these DMV offices. For example, the state of Virginia sold to over 100 private investigation firms, while the states of New Jersey, Delaware and Wisconsin all had over a dozen private investigation firm clients. This is now big business, and relatively easy money.
Eve Maler, vice president of innovation and emerging technology at ForgeRock, comments on the results of the investigation: “This news is disturbing since there are millions of drivers under the age of 18 in the U.S., meaning that DMVs were more than likely benefiting from the sale of minors’ personally identifiable information (PII). Minors don’t have the full legal capacity of adults, for example, they cannot vote, consent to medical treatment, sue or be sued, or enter into certain types of contracts until they reach the age of 18, although the age varies from state to state.”
Of course, when asked about this investigation into selling personal data, the state DMV offices promised that what they are doing is perfectly legal, under the terms of the 1994 Driver’s Protection Privacy Act (DPPA). As long as they are not selling photos or giving away Social Security Numbers, they are actually doing nothing wrong. Within the DPPA, there are plenty of loopholes that make it completely legal for selling personal data to third parties, no matter how unsavory or nefarious these third parties might be.
The deeper you dive into the practice of selling personal data, the more it becomes obvious that the practice is just too lucrative to give up for these state DMV offices. For example, a related investigation in the state of Florida found that state DMV offices were selling personal data to marketing firms, bill collectors, insurance companies and so-called “data brokers” (i.e. people who buy data in order to turn around and sell it to someone else). According to this investigation into the Florida Department of Highway Safety, the release of all this personal data into the wild (including not just physical addresses but also contact information like phone numbers and date of birth information) has led to a surge in direct mail offers and robocalls.
So what’s the remedy here? According to privacy experts, the only real remedy is to close all the loopholes in the DPPA in order to update it for the privacy era. Until those loopholes are closed, state DMV offices will continue to sell public records to the highest bidder. While any individual record may only sell for a single penny ($0.01), the real money is made by bundling together millions of records at one time. The only other effective approach might be a sort of public shaming in the full view of the general population. A single blog post might not be enough, but a massive media campaign might convince DMV offices to at least admit to customers that they are doing it, and then officially ask for permission to continue (such as by checking a box on a driver’s license application form).
YouTube fined for selling personal data of young kids
And your local state DMV office is not the only culprit found guilty of selling personal data and personally identifying information for big bucks – YouTube is now facing $170 million in fines from the Federal Trade Commission (FTC) and the New York State Attorney General. ($136 million will be paid to the FTC, and $34 million to New York State, for a total of $170 million to settle.) As part of an FTC investigation into YouTube advertising practices, it was found that YouTube routinely promised access to personal data of kids age 6 to 11 to advertisers that were specifically looking to market to young kids. YouTube, in fact, touted its popularity with children to advertisers like toy makers. As the New York Attorney General pointed out, YouTube “monitored, tracked and served targeted ads to young kids.”
By selling data of children to prospective corporate advertisers, YouTube is allegedly violating the Children’s Online Privacy Protection Act (COPPA), which specifically forbids companies from targeting kids under the age of 13 with advertising. As part of the FTC settlement, if any videos with so-called “child directed content” are shown on the YouTube platform, YouTube can no longer show targeted ads to viewers. Instead, YouTube must settle for the much less lucrative “contextual ads” that are shown based on the content in the video, and not on the personal data of the individual viewer. This is the only way for YouTube to comply with COPPA, even if the company refused to acknowledge any wrongdoing.
And, in an interesting twist, lawyers for the FTC are now suggesting that YouTube content creators might also be held legally liable for violations of the law if they are not upfront about the type of content on YouTube they are creating for kids. This is going to force YouTube to move all of its child directed content to its standalone YouTube Kids platform, which will become a children’s online video hub free of targeted ads.
Can the FTC clean up the data ecosystem?
One thing is clear of these two investigations – one into state DMV offices selling personal data of adults and one into YouTube selling personal data of kids – all companies and government entities are going to have to become much more responsible about the way they use, share and sell personal data.
As Eve Maler notes, “The privacy conundrum impacts all organizations that process and benefit from consumers’ PII, even government agencies. This news should teach other organizations that increasing data transparency and control can lead to a competitive edge, especially as 87% of consumers will take their business elsewhere if they do not trust how a company is handling their PII, according to PwC. By putting comprehensive identity management and robust consent management systems in place, we can ensure that there are not only mechanisms that advocate on behalf of children and act as their first line of defense for protecting their data, but also strengthen the bonds of digital trust for all service users.”
In short, the era of playing fast and loose with personal information is rapidly coming to a close. Both corporations and government agencies are starting to feel the consequences of not respecting personal privacy.