TAMPA, Fla. - Ron Carmony is a car guy. When he and his wife moved from Indiana to Florida last fall, they moved their four cars with them.
About two weeks after he registered his vehicles with the state motor vehicle department, he started receiving official-looking notices in the mail. They contained his full name and his brand new address, along with the year, make and model of the cars he owned. The mailings were filled with warnings – in bold, red letters – that he needed to act quickly and call a toll-free number because his warranty could be running out.
He already had warranties on his cars. The mailings were direct mail advertisements from marketers peddling the kind of “vehicle service contract” offers that attorneys general in several states have warned against.
Within three months, he’d received more than 30 notices. He wondered how the marketers were able to use the information he provided to the DMV.
"The only thing that changed is we registered the cars in Florida," he said. "We didn't have any creditors and we've always had them insured. We never received them before, and all of a sudden we start receiving them. In my opinion, there is a correlation.”
Carmony says the concern goes beyond junk mail. If marketers got ahold of his state driver information -- which is supposed to be private and protected under federal law -- then who else has it?
"They don't know whose hands it’s getting into,” he said of the DMV. “And I like to think we do have some privacy when we deal with our state government."
The Carmonys are among dozens of viewers who contacted FOX 13 about why they believe marketers have accessed their DMV information, after a FOX 13 investigation raised questions about the privacy of state driver records.
FOX 13 put the security of information provided to the DMV to the test when this reporter transferred a vehicle title. At that point, the state of Florida was the only entity that held the vehicle information -- full name and home address, in that combination -- in one record. All other factors stayed the same: it was already insured.
Soon, it became clear that the state was no longer the only entity that had the information. Within days, the mailbox was full of advertisements about the vehicle for the first time.
After hearing the results of FOX 13’s investigation, the DHSMV said it would investigate a possible data leak. After FOX 13’s story aired, the state has declined to answer multiple requests for information regarding the security and privacy of Floridians’ driver records – and what they were doing to track down possible data leaks.
The DHSMV sells bulk data to more than 70 companies who claim they have a right to it under the Driver Privacy Protection Act, the federal law that’s supposed to keep your information private. But the DPPA, created more than two decades ago, also contains 14 broad exemptions to the act.
Anyone claiming an exemption has the potential buy access to the state of Florida’s entire database, which includes more than 15 million driver records and 18 million vehicle registrations. Last year alone, the Driver Highway Safety and Motor Vehicle department made $73 million selling bulk datasets to vendors.
The DHSMV’s entire annual budget is approximately $450 million.
The DHSMV says it’s not about revenue: They sell your information in bulk because the companies have a right to it under federal law.
So, how do they know the companies are actually using your personal information appropriately?
"Anyone who comes to the department and requests that [private driver information] is heavily vetted," DHSMV spokeswoman Alexis Bakofsky insisted in an interview in Tallahassee last month.
During the interview, Bakofsky and spokeswoman Beth Frady said they would gather more information in order to provide answers about how the state vets the companies. The state has yet to answer the question, despite multiple requests.
Robert Ellis Smith, editor of Privacy Journal, says the federal Driver Privacy Protection Act leaves too many exemptions that allow private information to be exposed by states selling records to private companies.
"They think the worst thing that happens is you get a piece of paper that you don't like,” he said. “But it goes beyond that.”
States like Florida that sell bulk data essentially put their responsibility to protect millions of personal driver records into the hands of multiple third parties, he said.
He points out the Driver Privacy Protection Act was created in 1994, before the age of online data breaches. It was also put into effect well before vendors purchasing from the state could then set up shop online to resell the information.
Some vendors that have signed contracts with the state of Florida will resell the driver information purchased online. Multiple companies will send your private driver records to anyone willing to check a box online, claiming they fall under one of several DPPA exemptions that allows them access to the information.
"It can help stalkers find their way to your home,” he said.
Smith said there’s another security concern with states transferring millions of records to third parties: a foreign power could match the lists with people serving in the military, for example.
The state has repeatedly tried to distance itself from correlations between their DMV data and the data used by marketers. A spokeswoman said drivers provide their personal information to any number of places that might leak it out: creditors, auto shops, and car insurance companies, for instance.
Hours before FOX 13’s first investigation aired, they denied a connection once again, claiming the mailers received by this reporter could not have come from the DMV, since their own database contained a one-letter spelling error that a government employee had mistakenly entered into this reporter’s driver record.
“To be clear, the department does not have and never has had the correct spelling of your street address, which means the data that was disseminated as part of public records requests would also not have the correct spelling,” spokeswoman Beth Frady said in an email that day.
Data brokers and direct mail marketers, however, use a number of software programs to collate and process data. One of the programs often used is the NCOA, a U.S. Postal Service database that’s used to clean data for things like spelling errors.
The Department of Justice is the ultimate enforcement arm of the DPPA, with oversight over state use of driver records. Under the law, citizens can also sue DPPA violators for $2,500 per misuse of information.
Smith says Congress needs to tighten up the Driver Privacy Protection Act to make it provide more protection.
Asked what he thought it would take for that to happen, he pauses.
“I’m afraid what it takes is outrage: someone really getting hurt from this information source,” he said. “I wish that weren’t true, but that’s what it takes – some atrocity that occurs.”
If you believe your private driver information has been accessed by third parties, the state wants to hear from you – and so do we. Please email us your story at firstname.lastname@example.org.
To contact the DHSMV: “Customers with concerns regarding the dissemination of their information in accordance with state and federal law who would like the department to research those concerns as part of a formal complaint may send their information to HSMV-Records@flhsmv.gov,” Frady says.