TAMPA (FOX 13) - Unless your name is Joseph Sample, the Florida man whose face is on the state’s official example of a driver’s license, you should expect the state to protect your personal information from getting into the wrong hands.
Under federal law, a state’s motor vehicles department cannot “knowingly disclose or otherwise make available” your personal information. That’s everything the DMV may have, including your full name, date of birth, home address, height (and in some states, weight), and the year, make and model of the car you drive.
The Driver Privacy Protection Act has some exceptions, though. Your information can be used by any government agency in order to carry out its functions. Congress also carved out some exemptions for certain businesses to have access to the information under specific circumstances.
Alexis Bakofsky, a spokeswoman for the Department of Highway Safety and Motor Vehicles, listed some examples of companies that would have a federally allowable reason to access your information: insurance companies, who need information for underwriting; manufacturers, in order to provide recall notices; and trucking companies, to verify records submitted by potential employees.
"Never is any of this for any marketing purposes,” she said during an interview at the DHSMV headquarters in Tallahassee.
If a company claims to have a federally allowable reason to access personal driver information, the DHSMV will sell bulk data - the personal driver information of every Floridian - for one cent per record. That price was set by state legislators.
“Unless a company meets one of those exemptions that are laid out [in the DPPA], the department cannot and does not release any of that protected information,” Bakofsky said.
“This is not for marketing purposes,” she reiterated.
The data should not be for marketing purposes. The federal law says state motor vehicle departments cannot make personal information available for marketers unless it has obtained the “express consent” of the individual. It’s not a situation where someone has to opt out to stay off the marketing list. Under the law, a marketer shouldn’t have a driver’s personal information unless that person has gone out of their way to opt in by submitting a notice to the state, in writing, that they want their personal information available to marketers.
But it appears that marketers may be getting ahold of driver data. FOX 13 Investigates discovered a correlation between individuals providing personal driver information to the state and then receiving direct mail advertisements from marketers trying to sell service contracts for vehicles.
The Direct Mail Pipeline
You may have received them in your own mailbox. They often carry vague, but dire warnings such as “FINAL NOTICE” and suggest that your car’s warranty is about to expire and you better “RESPOND IMMEDIATELY” or else “YOU WILL BE RESPONSIBLE FOR PAYING FOR ALL YOUR REPAIRS.”
The marketers seem to be using the very information a person provides to the state motor vehicles department: the mailing will show the driver’s full name, and the year, make and model of the car the person drives.
It would be easy for some recipients to assume that the warning is somehow coming from the vehicle manufacturer or, ironically, the state itself, given the accurate information about the driver and their vehicle and vague or confusing information about whose product is being marketed.
The DHSMV says it does not have any agreements to sell data with companies selling warranty products. Bakofsky said the marketers could be getting the information from any number of places where drivers provide their information.
"They’re providing it to dealerships, insurance companies, creditors -- all of those don't fall under the same [DPPA and state] guidelines that our department falls under," she said.
FOX 13 Investigates put the driver data to peddler pipeline to the test when I registered and titled a vehicle into my name. The DHSMV was the only entity linking just my name with just that vehicle at my home address. Nothing else changed, because I was simply transferring a title on a family-owned vehicle, and it was already listed on my car insurance. I had not taken the vehicle to a shop or dealership for service, nor did I notify any other entities about the title and registration change.
Within 10 days, I started receiving the mailings for the first time. Lots of them. They kept coming for weeks.
I presented my findings to the DHSMV.
“We can certainly look into that. We take any kind of complaint, any consumer complaint very seriously," Bakofsky said during our June interview.
That was four weeks ago. The afternoon of our broadcast date, spokeswoman Beth Frady said that department members had earlier in the day, for the first time, discovered that their own records had a spelling error in the name of the street on which I live: a letter was missing.
She said the department did not believe the information used by marketers could have come from them, because the mailings did not show the same one-letter spelling discrepancy.
FOX 13 stands by the story – not only because of the timing of the mailings, but because this reporter is not the only person who has received the solicitations soon after providing information to Florida’s motor vehicles department. It’s possible that the companies behind the direct mail marketing have the same capabilities to flag and correct misspelled street names as, say, an online store that prompts a correction when a shopper enters a misspelled address at checkout.
"Your state department for vehicles should be concerned about the connection, because it's quite possible that they are the ones exposing the information,” said Eva Velasquez with the San Diego-based Identity Theft Resource Center, adding that it may be the case that the state is inadvertently making the information available to marketers. “But the correlation there between going in and getting these mailings is far too strong."
The Driver’s Privacy Protection Act
Congress passed the Driver Privacy Protection Act more than two decades ago, in response to a growing awareness of privacy and security risks from states selling personal driver information as a source of revenue.
The federal DPPA law was partly prompted by the 1989 murder of actress Rebecca Schaeffer, who was murdered after her stalker found her home address in California DMV records.
Safety isn’t the only risk with driver data getting into the wrong hands.
Velasquez says thieves who gain access to bulk driver records could combine the information with other datasets to steal a person’s identity.
"The more data sources where they can go and get this information that's real and accurate, the better they'll be at pretending to be you," she said.
Then there are the questions about the companies themselves. Attorneys General in several states have issued warnings about deceptive vehicle warranty notices, which have included examples of some of the same companies' marketing materials that have shown up in Florida residents' mailboxes. The warnings, however, do not say where marketers got the driver information in the first place. The state of Missouri created a task force to address issues associated with the marketing practices.
A mailing might display multiple company names, generic names or no names at all. A few examples:
- A “FINAL NOTICE” from something called the “Vehicle Service Center” also lists the name “American Auto Shield, Sunpath, Interstate, Royal and NASC.” The mailing says their records “indicate that you HAVE NOT CONTACTED us to get your service contract up-to-date.”
- An “URGENT AND TIME SENSITIVE” mailing lists the name “Vehicle Repair Network” but also lists “Royal Administration Services or Sunpath Ltd.”
- A company called “Repair Defense Network” says “YOU WILL BE RESPONSIBLE FOR PAYING FOR ANY REPAIRS” if the factory warranty has expired. It also lists the names “MBP Network, Inc.,” “American Auto Shield, Inc.,” “Royal Administration Services,” and “Interstate National Dealer Services of Florida, Inc.”
FOX 13 requested interviews and information from the companies by calling the numbers listed on the mailings. Employees reached by phone at each entity promised that “someone” would get back to us, but someone did not get back to us.
Bulk Data Sales
Some states sell driver records in bulk, and Florida is one of them. As long as a company or individual says they’ll use the data for the right reasons, your personal information is sold.
Florida sells most drivers’ records for one cent each to bulk buyers. Those pennies add up. Last year, the DHSMV sold bulk data to more than 80 companies, generating more than $73 million in revenue. Some of the top buyers for bulk driver data include the companies Acxiom and Lexis Nexis.
The DHSMV creates contracts with those companies to transmit new data every 24 hours from servers housed in a locked down building in Tallahassee.
Depending on the company, the could include your full name, home address, the year, make and model of the car you drive, your height, and your date of birth.
“Never would they ever get any identification photo, Social Security number, medical information -- that's never provided," Bakofsky said.
So, can you opt out?
“No,” Bakofsky said. “But people should rest assured that all their data is protected.”
Maybe. The DHSMV says it’s still investigating where the marketers got the information.
If something like this has happened to you, the state wants to hear from you – and so do we. Please email us your story at firstname.lastname@example.org.
Email the state motor vehicles department at HSMV-Records@flhsmv.gov. The state requests that you send copies of mailers that use information consistent with information you provided when you registered or titled a vehicle or applied for a driver’s license.