The DMV is selling driver data and Eve Maler weighs in
|Richard Harris in Security Tuesday, September 24, 2019|
The DMV is selling driver data and Eve Maler, co-creator of the XML language has a few things to say about how DMV's across the nation are making millions by selling driver data to a variety of companies, including insurance companies, tow companies, and more.
Motherboard broke the news on September 6 that Departments of Motor Vehicles (DMVs) around the nation have been making millions by selling drivers’ personally identifiable information to thousands of businesses. Amongst the DMVs customers are insurance agencies, tow companies, data brokers and even private investigators – all who are able to purchase records for as little as $0.01 each. The whole process is completely legal under the Driver’s Privacy Protection Act (DPPA). The act, which was enacted in 1994, allows DMVs to peddle a driver’s information to these organizations without the need for their direct consent.
As privacy continues to becomes a hot topic in the U.S., especially with the looming enactment of the California Consumer Privacy Act (CCPA), Eve Maler of ForgeRock discusses the DMV’s practice of peddling consumer data, the future of the DPPA, what other organizations can learn from this news and more.
Eve is a strategist and innovator in security and privacy, and leads the User-Managed Access Work Group, she co-created the Extensible Markup Language (XML) and she is known for her role in the invention of the Security Assertion markup Language standard.
ADM: How long has the DMV been selling drivers’ data and who are they selling it to? How are the organizations that are purchasing this data using it?
Maler: It was found that DMVs have been selling drivers’ personally identifiable information (PII) since the enactment of the Driver’s Privacy Protection Act (DPPA) in 1994. Even though the law prohibits the disclosure of PII without the express consent of the person to whom the information applies, there is an exception that allows the DMV to disclose data without consent to any government agency, for use in connection with matters of motor vehicle or driver safety and theft, and the DMV can disclose information to licensed private investigation agencies.
Besides private investigators, tow companies, insurance agencies and thousands of other businesses have been acquiring drivers’ PII from DMVs in several states. Some uses of the PII include allowing companies to contact owners of certain cars in case they need to be recalled.
ADM: How did the DMV’s practice of selling drivers’ PII become uncovered?
Maler: Vice discovered the practice after obtaining hundreds of DMV documents through public records requests that describe the practice in greater detail. The substantive provisions of the DPPA were also taken into account, including its permissible use cases that allow the DMV to disclose drivers’ PII without their consent to any government agency, insurance companies, private investigators, private toll transportation facilities, providing notice to owners of towed vehicles and more.
ADM: Did the DMV break any laws? Why or why not? Do you believe these DMVs that have been selling data have broken trust with drivers?
Maler: Under the DPPA, the DMV’s sale of drivers’ PII is completely legal – even without the drivers’ consent. But by selling drivers’ PII unbeknownst to them, the DMV absolutely may have affected the level of trust it had with drivers. Unfortunately, there is no substitute institution drivers can go to in order to obtain driver’s licenses.
Consumers have become more sensitive about the information they share with organizations over the last several years, no doubt in part due to the personal data breaches affecting them, such as: Yahoo’s massive breach of 3 billion records in 2013, Marriott’s breach of 339 million users in 2018 and First American Corporation’s loss of 885 million records this year. Thinking about consumers’ heightened sensitivity along with the forthcoming enactment of the California Consumer Privacy Act (CCPA) in January 2020, it seems likely that Congress will consider altering the DPPA to require DMVs to obtain drivers’ consent before sharing their PII with all third parties.
ADM: Will DMVs in California be allowed to continue this practice after the enactment of CCPA in January 2020? How do you see other states protecting drivers from this practice of selling their data?
Maler: According to CCPA, California citizens will retain the right to opt out of the sale of their information, so if they do say no to the sale of their information with any organization, that organization must comply. Consumers will also be able to know the categories of sources of information from whom their data was acquired and the right not to be discriminated against for saying no to the sale of their information. However, CCPA does not apply to government agencies.
Regardless, CCPA is already encouraging other states to pass consumer data privacy laws that copy its mandates. As a result, companies operating in multiple states would face excess business friction trying to comply with as many as 50 similar but distinct privacy laws. To unlock an efficient “digital single market” and make the rules fair and transparent for all consumers, the U.S. would be better off a hammering out federal data privacy law, much like the European Union’s General Data Protection Regulation (GDPR).
ADM: How does this practice impact drivers that are minors? Will there be legal recourse available to those drivers or their representatives that had their data sold when they were minors?
Maler: This news is disturbing since there are millions of drivers under the age of 18 in the U.S., meaning that DMVs were more than likely benefiting from the sale of minors’ personally identifiable information (PII). Minors don’t have the full legal capacity of adults, for example, they cannot vote, consent to medical treatment, sue or be sued, or enter into certain types of contracts until they reach the age of 18, although the age varies from state to state.
Another disturbing fact is that it is relatively easy to become a private investigator in some states, like New York, compared to others, such as California. In fact, to become a private investigator in New York, it is as simple as completing and submitting the Empire State’s application. Meanwhile, California private investigator applicants need to secure a license from the California Department of Consumer Affairs Bureau of Security and Investigative Services, have three years’ minimum experience with reference checks, pass a two-hour examination, and more.
It will be interesting to see if the DMV has been selling minor drivers’ PII and what action may be taken against the DMV for doing so. Google was recently fined $170 million and agreed to make changes to protect children users’ privacy on YouTube, since it was discovered that the platform knowingly and illegally harvested kids’ PII and used it to profit by targeting those children with ads.
ADM: Is there a lesson other companies can take away from this news? How can organizations protect data of minors, particularly for those that regularly engage with them such as healthcare providers?
Maler: Other organizations should learn from this event that increasing data transparency and control can lead to a competitive edge. We live in a time where 87% of consumers will take their business elsewhere if they do not trust how a company is handling their data, according to PwC, so catering to consumers’ data privacy concerns will be a key to success. For example, putting comprehensive identity management and robust consent management systems in place will ensure that there are not only mechanisms that advocate on behalf of children and act as their first line of defense for protecting their data, but also strengthen the bonds of digital trust for all service users.
ADM: What is a good example of a company that has obtained a competitive edge and strengthened the bonds of digital trust for all users by increasing data transparency and putting consent management mechanisms in place?
Maler: A great example is the BBC, which provides a simple and trustworthy way for its tens of millions of audience members of all ages to identify themselves through a variety of different devices. The BBC’s users can get a personalized experience even while switching devices in the middle of watching a program, using the iPlayer application. The BBC even offers a single place for managing, accessing and maintaining the privacy of its users’ personal data, and even managing linked children and parent accounts with parental consent for those under 13. All this is possible in real-time as people subscribe to activity feeds for the latest shows and get recommendations about upcoming ones.
About Eve Maler
Eve Maler is currently the vice president of innovation and emerging technology at identity and access management provider ForgeRock, where she drives advances in privacy and consent that enable user-controlled and compliant data sharing across web, mobile, and Internet of Things contexts. Additionally, she serves as a trusted advisor to public and private forums specializing in key initiatives such as open banking, which requires strong authentication protocols and consented data sharing and payments.