DMVs have been selling drivers’ data -- Why you should care
The news broke last week that Departments of Motor Vehicles across the United States have been selling drivers’ personally identifiable information to thousands of companies, including insurance agencies, towing companies and even private investigators.
While many of the DMVs selling drivers’ PII admitted they have not been peddling drivers’ license images or Social Security numbers, this incident still reflects a major breach of licensed drivers’ trust in DMVs and other government entities.
While most consumers are becoming more aware of the data they provide to non-government organizations, most would be surprised to learn that the DMV has been flipping their data for years for as little as one cent per record. This is a bargain compared to what certain PII can go for on the dark web. Social Security numbers and general, non-financial institution login credentials can go for a dollar per record, according to PrivacyAustralia.
However, this news is especially disturbing since there are millions of drivers under the age of 18 in the U.S., meaning DMVs were more than likely benefiting from the sale of minors’ personally identifiable information (PII). Minors do not have the full legal capacity of adults, for example, they cannot vote, consent to medical treatment, sue or be sued, or enter into certain types of contracts until they reach the age of 18, although the age varies from state to state.
Just last week, Google agreed to a $170 million fine for violating children’s privacy on YouTube. This news raises the question of what repercussions these DMVs may face for a similar breach of privacy.
Vice’s discovery of the DMVs’ shady practice also found out that the DMV has been selling drivers’ PII to private investigators since the enactment of the Driver's Privacy Protection Act (DPPA) in 1994. Many have criticized the DPPA, especially since the barriers to becoming a private investigator vary widely across the states.
For example, in New York one merely needs to complete and submit the state’s private investigator application; by contrast, California hopefuls must secure a license from the California Department of Consumer Affairs Bureau of Security and Investigative Services, have three years’ minimum experience with reference checks, pass a two-hour examination, and more.
However, the looming enactment of the California Consumer Privacy Act (CCPA) and recent fines from the Federal Trade Commission (FTC) against Google and Facebook foreshadow a future with a drastically altered DPPA. A drumbeat of data breaches, regulatory actions, and digital brand trust debacles have heightened consumers' sensitivity around the information they share with organizations over several years.
May 2018 saw the enactment of the European Union’s General Data Protection Regulation (GDPR), and in the same year, 446,515,334 records were compromised from 1,244 data breaches in the United States, according to findings from the Identity Theft Resource Center. In fact, this represents a 125.95 percent increase in exposed consumer records from 2017 even though the number of reported data breaches decreased by approximately 23.77 percent, meaning that the impact of breaches is becoming more significant.
The privacy conundrum impacts all organizations that process and benefit from consumers’ PII, even government agencies. Consumers may not be willing to do business with or provide an organization with accurate or sufficient personal data if they are not sure about how that data will be used or have concerns about its security.
A key lesson organizations should take away from these recent breaches and fines is increasing data transparency and control can lead to a competitive edge, especially as 87 percent of consumers will take their business elsewhere if they do not trust how a company is handling their PII, according to PwC.
Improved consent and delegation mechanisms need to be put in place to ensure there are advocates acting on behalf of minors serving as the first line of defense to protect their data. Such mechanisms would in turn strengthen the bonds of digital trust for all service users.