Congressional Reps Want To Know Why The California DMV Is Making $50 Million A Year Selling Driver Data

Congressional legislators -- apparently caught off guard by one state's revenue stream -- are asking the California Department of Motor Vehicles a $50 million question: why the hell are you selling residents' personal data?

A group of nearly a dozen lawmakers led by member of Congress Anna Eshoo wrote to the California Department of Motor Vehicles (DMV) on Wednesday looking for answers on how and why the organization sells the personal data of residents. The letter comes after Motherboard revealed last year that the DMV was making $50 million annually from selling drivers' information.

As Karl Bode noted last year when covering this revelation, this sale of data is codified. The Driver's Privacy Protection Act doesn't do much to protect drivers' privacy. It may prevent abuse of this data by government employees but none of that affects private sector access where the real money is made.

The data from the California DMV is sold to a variety of data brokers. The public records request that resulted in this windfall of transparency about the DMV's windfall of actual money didn't name any of its customers. But did show a steady increase in revenue over the five years the records covered.

The letter [PDF] signed by nine members of Congress -- including California Congressional rep Ted Lieu -- asks the DMV a lot of pointed questions about its practice of profiting off data Californians are forced to hand over in exchange for licenses. It asks the questions the records obtained by Motherboard left unanswered. First off, the legislators want to know who this data is being sold to.

What types of organizations has the DMV disclosed drivers' data to in the past three years? In particular, has the DMV sold or otherwise disclosed data to debt collection agencies, private investigators, data brokers, or law enforcement agencies?

Has the DMV ever disclosed drivers' photos to federal, state, or local law enforcement agencies or given such agencies access to a database of drivers' photos?

What specific fields of personal information have been sold or disclosed to third parties by the DMV in the past three years?

Have Social Security numbers or driver's license photos ever been disclosed?

The legislators also want to know if this data is being shared with ICE and other federal agencies for the purposes of locating undocumented immigrants. It also asks if Californians can ask to opt out of the data sales/sharing and whether the agency would honor any of these requests.

The legislators note that they're concerned about this practice they probably should have already been aware of -- especially the two California assembly members who also signed the letter.

[W]e're troubled by press reports about the California DMV's disclosure of vast quantities of data which could enable invasive biometric policing and be a symptom of a deeper privacy malady. [...] What information is being sold, to whom it is sold, and what guardrails are associated with the sale remain unclear.

The DMV has already answered some of these questions... sort of. In a statement to Motherboard, the DMV said the $50 million/year it makes on data sales only offsets the cost of "administering its requester program." It denies selling information to marketers. It did not deny selling info to data brokers or other common customers for DMV data, like credit reporting agencies.

"The DMV takes its obligation to protect personal information very seriously. Information is only released according to California law, and the DMV continues to review its release practices to ensure information is only released to authorized persons/entities and only for authorized purposes. For example, if a car manufacturer is required to send a recall notice to thousands of owners of a particular model of car, the DMV may provide the car manufacturer with information on California owners of this particular model through this program," the statement added.

"Only released according to California law." That's the problem. The law allows the DMV to sell data to private companies. It takes a few purchases to add up to $50 million. Handing out info to car manufacturers for recalls is probably something the DMV does for a minimal cost, if it even charges anything for it. The DMV's statement sounds good but really says nothing. No one will really know what happens to the data the DMV collects until it starts handing over detailed answers to these questions from Congress.