Texas DMV Sells Personal Information To Hundreds Of Companies; Drivers Not Allowed To Opt-Out

[Erica Absetz <eabsetz () opensecurityfoundation org>]

http://www.techdirt.com/articles/20130212/21285321958/texas-dmv-sells-personal-information-to-hundreds-companies-drivers-not-allowed-to-opt-out.shtml

Fun, dubious, privacy-violating stuff happening out in Texas where the
Dept. of Motor Vehicles has made a tidy sum selling the information it
collects (including names, addresses and makes/models owned) to a
variety of private companies.

The Texas DMV claims its "top priority" is protecting drivers'
information, but that hardly seems to be the case when it's pulling in
$2.1 million a year selling it off. There are protections in place,
but they are flimsy at best.

"The Texas Department of Motor Vehicles is the custodian of over 22
million currently registered vehicles in the state of Texas," Randy
Elliston, Director of the Texas DMV, explained. "All of those records
that are in our database, however, are protected under the Driver
Privacy Protection Act."

Randy Elliston says the Driver Privacy Protection Act (DPPA) limits
who can buy your information and what they can do with it.

It would be interesting to see what these "limits" are. The
spreadsheet obtained by CBS 11 of Dallas, TX shows that 2,448
different entities purchased this information from the DMV last year.
The purchasers listed range from towing companies to debt collectors
to university parking lot patrols. Elliston states that the purchasing
companies are not allowed to use the information for direct contact or
advertising purposes.

A brief look at the spreadsheet seems to indicate the opposite: auto
dealers make up the largest percentage of purchasers. Moreover,
Elliston seems to have his facts wrong on the Driver Privacy
Protection Act, at least as it pertains to Texas drivers.

The Driver Privacy Protection Act is a federal law. And the fine print
actually says businesses can use your information for marketing or
solicitations if the state has obtained your consent. That means, some
drivers can opt in or out of these databases.

Problem is – Texas didn't adopt that portion of the law. So, drivers
in the Lone Star State are stuck.

This has opened up driver data to nearly anyone who wants it. The
spreadsheet shows insurance companies, debt collection agencies, title
loan specialists, towing services and auctioneers all have access to
these records. The response from Elliston? If you don't like it,
complain about it.

Elliston says if you feel like your information is being abused you
can report the company. "It has occurred in the past and when it has
we've pulled the company's ability to use that data," Elliston noted.

Well, that is one way to deal with an influx of unsolicited mail after
registering your vehicle to comply with state law. Another, better,
way to deal with it would be to adopt the opt-in/out language that's
currently missing. Registering a vehicle isn't optional, but having
your name, address and vehicle info turned over to whoever requests it
certainly should be.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges.