Ohio’s Bureau of Motor Vehicles made more than $40 million last year selling personal information from driver and vehicle records to third parties.
In the past 10 years, sales from this practice earned the state $250 million in revenue, a 10 Investigates’ review of state data uncovered.
Data brokers, credit agencies, insurance and towing companies along with private investigators were among those who purchased access to the personal information from the state, according to 10 Investigates’ review.
The money generated from the sales goes back into a state highway fund, which is used to help cover operating and administrative costs associated with running the BMV and other agencies within the state’s Department of Public Safety, according to Charlie Norman, the director of Ohio’s BMV.
The practice of selling personal information is relatively common.
10 Investigates found at least 35 states either sell or provide access to this information to government agencies and private companies. The findings of our investigation were based on our direct contact with several states’ departments of motor vehicles, along with lawsuits, state records and published news reports.
While a federal law known as the Drivers Privacy Protection Act works to limit who can gain access to drivers’ personal information, the law does have 14 exemptions that allow for government agencies and private companies to access the information under permissible uses.
Some of those range from research to legal services to safety recalls, which means data brokers, court systems, insurance agencies, towing companies, credit agencies, automotive companies that issue vehicle safety recalls, and – in many states – private investigators can pay for and gain access to drivers’ personal information.
Richard Harp is a private investigator from Pickerington who bought data. When asked if the data was pretty robust, he said: “Oh very much so.”
Harp told 10 Investigates that the motor vehicle information has prevented him from having to conduct long surveillance of people and can quickly provide him with information he needs to help a client find a person they are looking for.
Harp said he understood how some might feel concerned about privacy issues, but noted that there are restrictions on who can get it.
But privacy experts have expressed concern that states need to do more to better protect this data from impermissible uses at a time when data breaches, robocalls, mailer solicitations and identity theft are recurring issues.
The DPPA prevents personal information extracted from motor vehicles to be used for direct solicitations or marketing.
Drivers’ personal data “worth gold”
Texas attorney Joe Malley, who specializes in personal privacy cases, says violations happen and that said states – like big tech companies – are well aware of the value that personal information from driver and vehicle data holds.
“It is a commodity. A lot of these states are making a lot of money: Texas, Florida,” said Malley. “They know – like all these other online entities – Google, Facebook and some of these other entities that the data is worth gold now.”
Drivers interviewed by 10 Investigates seemed unaware of the state’s practice.
“I think that’s wrong. I believe that that's private. I don't believe that they should be selling that,” said Frenchetta Collins, who spoke to Chief Investigative Reporter Bennett Haeberle at a Columbus BMV location where she and others were waiting to renew their licenses.
Steve Hiltner, who was also renewing his license, said: “I wished they'd tell us. It'd be nice to know that the state is letting us know what they're doing with our data.”
A cash cow?
During an interview with 10 Investigates this week, Ohio BMV Director Charlie Norman was asked if the tens of millions of dollars in revenue the state makes each year equates to a “cash cow” for Ohio.
His response: “You know I don't think so. We are legislatively and statutorily required to charge this fee...”
The state charges a fee for certified copies of the records which is where much of the revenue is generated.
Norman said that he believes the state does a good job of protecting drivers’ personal information but acknowledged that his agency is also undergoing a bit of an overhaul – with a plan in place to create more restrictions on who can access the personal information. Norman said he plans to have new contracts with vendors and encrypt some of the data with a BMV code that the vendor could then access. Norman said there will also be additional requirements that companies pay for outside independent audits.
When 10 Investigates asked Norman if the state could do a better job of informing drivers of this practice, he said: “well, to be clear. These are public records. Well whether you get a ticket or get your license suspended that's a public record. It's important to note there are many permissible uses…”
When pressed further, Norman acknowledged that the state probably could do a better job of making drivers aware, saying “you’re probably right…”
States’ ‘big mistake’
Malley told 10 Investigates that states like Ohio should insert fake driver profiles into their system in order to test to see if private companies or other entities who bought the data are performing impermissible uses with that personal information.
It’s something Ohio currently does not do.
“That’s a big mistake,” Malley said, adding that it’s the only way to catch private companies violating clauses contained within federal law.
Norman told 10 Investigates that the state is in the process of planning to do just that but that no timeline exists for when the state plans to make the change to test for leaks or impermissible uses.
“We are constantly looking for ways to improve the process. I don't suspect that we will stop after we improve this. After we find a way to put the data in we are going to look for more ways to make data more safe."
Concern with extended auto-warranty mailers
Malley said one of the more common impermissible uses of this data lies within the extended auto warranty mailers.
Through his legal work, Malley said he believes the source of these mailers originates with state sales of driver and vehicle data.
Norman denied this, stating that people share personal information with their bank, oil change companies and insurers – all who could have fine-print agreements that allow for direct marketing or solicitations.
Breaches and impermissible uses
10 Investigates’ research into this topic also found data breaches involving driver data and impermissible uses have happened in a number of states including California, Texas, Illinois and recently North Carolina where a data broker company LexisNexis settled a lawsuit last fall for $5.1 million after a couple sued alleging that their personal information was used by another third party for direct solicitation – a violation of federal law. Attorneys for LexisNexis and the couple who sued have not returned messages seeking comment.