TAMPA (FOX 13) - Sen. Bill Nelson called Friday for a federal investigation into the state’s profit-making sales of Floridians’ private driver data, calling the practice “unconscionable.”
Nelson said in a letter to the U.S. Department of Justice that he’s concerned the state of Florida is violating the federal Driver Privacy Protection Act by selling the private information of millions of drivers without their express consent.
“The fact that the state is making a profit by selling Floridians’ personal information on the open market is simply unconscionable,” he said in a letter to Attorney General Loretta Lynch.
Nelson’s request comes in the wake of a series of FOX 13 investigations that raised serious red flags about the Florida Department of Highway Safety and Motor Vehicles’ practices of selling federally-protected driver data to dozens of third-party companies.
“That's why I have written to the Attorney General, citing this law and the evidence that was produced by a Florida TV station, as to whether this practice in fact is violating the federal law,” Nelson said, referring to the FOX 13 investigations.
The federal DPPA law, part of the Violent Crime Control and Law Enforcement Act of 1994, has several situations in which an entity can be exempt from the law. Based on the intent of the law, courts have held the exemptions are supposed to be narrowly interpreted.
Congress passed the law in the mid-'90s, responding to growing concerns that sale of state DMV data posed considerable risks to an individual's privacy, financial security, and physical safety, and that states were selling the data as a revenue generator.
In an emailed statement from a spokesperson, DHSMV Executive Director Terry Rhodes said her department “does not sell driver or motor vehicle information.”
In fact, the state generated more than $150 million in revenue by selling driver records in bulk to more than 75 third-party companies that claimed one of the federal DPPA exemptions.
A FOX 13 investigation found the state’s “vetting” process primarily consisted of looking up whether a business had a valid Florida business registration. Even then, some of the companies on the state’s sales list did not have a valid Florida business license. Other companies seemed to have no footprint at all other than a business registration; some did not have a website or contact information. One company's physical location was traced to a condo near Fort Lauderdale.
Our analysis also found some of the companies granted access by the state of Florida had been banned from buying driver data in other states. Still other companies on the state’s sales list have been sued for violations of the federal driver privacy law.
FOX 13 also found the state DMV posted some of the companies on the DHSMV website, linking to websites where customers could buy driver information for a few dollars. It was unclear what verification process, if any, was used by the websites to determine whether online buyers really qualified for the data, which can include private information such as date of birth, home address, and full name.
In the emailed statement, Rhodes went on to say driver or motor vehicle information is “produced as required by the Federal Driver Privacy Protection Act (DPPA) and Florida's public records laws.”
States can be more stringent in terms of the privacy protections afforded by the DPPA, but they can’t be less so.
The federal Driver Privacy Protection Act does not require states to sell entire databases of driver information to third parties, nor does it require that states allow buyers to re-sell the data.
That’s what Florida does, however. The state, in effect, hands off responsibility for the private records of 15 million Florida residents to third-party companies that haven’t been vetted.
Rhodes did not respond to follow-up questions asking her to explain why the state of Florida believes it’s in the best interests of the public to release federally-protected, private driver records in this manner.
Read more below.
The DHSMV also released a “Fact Sheet” about sales of driver data.
Here’s our FOX 13 Investigates Fact Sheet Fact Check:
1) DHSMV: The Driver Privacy Protection Act, 18 United States Code, Section 2721, keeps personal information private by limiting those who can have it.
FOX 13 Investigates Fact Check: This is true. At issue is whether the state of Florida is following the intent of the law, which is that states should keep citizens’ information private because there are security, privacy and safety risks to making it available to third parties.
2) DHSMV: DPPA restricts public access to your social security number, driver license or identification card number, name, address, telephone number and medical or disability information, contained in motor vehicle and driver license records. Additionally, emergency contact information and email addresses are restricted pursuant to Section 119.0712(2), Florida Statutes.
FOX 13 Investigates Fact Check: This is true; the DPPA does restrict it. But when a company tells the Florida DMV that they fall under one of the DPPA exemptions, and the state approves it, those restrictions are lifted. (Social Security numbers, photos, and medical information are never supposed to be sold.)
3) DHSMV: Florida, and every other state in the country, provide driver and motor vehicle records within the guidelines of the Federal Driver Privacy and Protection Act (DPPA).
FOX 13 Investigates Fact Check: Not exactly. States have run afoul of the DPPA law before, including Florida. Florida also does things differently than many other states. It releases entire DMV databases to companies through an online portal or via FTP (File Transfer Protocol). It also allows some companies to re-sell the data, something that is not required by federal law, and not done by every other state in the country.
4) DHSMV: Under Florida law, motor vehicle and driver license information are public information.
FOX 13 Investigates Fact Check: State law mirrors federal law on the privacy restrictions of driver data. States have to follow federal law on this, but they can be more stringent.
5) DHSMV: Requesting parties can request personal information only if they meet an exemption covered by law.
FOX 13 Investigates Fact Check: Our FOX 13 investigation found that when a company wants access to your private records, the state DHSMV primarily relies on the company’s word that they have a legitimate claim to one of the federal DPPA exemptions. Their vetting process consists of checking to see whether a company has a valid business registration.
6) DHSMV: Unless explicitly permitted by law, requesting parties never receive highly restricted personal information including an individual’s photo, social security number, medical or disability information.
FOX 13 Investigates Fact Check: This is what the law says, though human error and hacking are both risks to the state’s online data exchanges with commercial buyers.
7) DHSMV: The department automatically blocks personal information in all motor vehicle and driver license records maintained at the department.
FOX 13 Investigates Fact Check: This could be true for license records “maintained at the department.” It is not true for private driver data sold to third parties.
8) DHSMV: The department does not seek out requesting parties to produce records. Any protected personal information must meet very specific exemptions in order to be produced. Produced records cannot be used for any marketing purposes and each requesting party is still liable under the federal driver privacy and protection act to use the data in accordance with federal and state law.
FOX 13 Investigates Fact Check: Our own investigation found evidence the Florida DHSMV has been making driver records available to marketers through “downstream” transfers of the database and direct sales to businesses that identify as marketing companies.
9) DHSMV: Every requesting party who submits a public records request for protected driver license and/or motor vehicle data must submit a statement of what records they are requesting and the matching federal Driver Privacy and Protection Act (DPPA) exemption. In order to receive the data, the requesting party must individually certify or enter into a Memorandum of Understanding (MOU) with the department. A certification or MOU outlines the federal and state protections relating to the data, process for receiving the data, certification and attestation requirements and ramifications of any misuse. Not until a certification or MOU is signed by the head of the requesting party attesting that they understand and agree to comply with those regulations is data provided.
FOX 13 Investigates Fact Check: The MOU is the state’s term for contracts with third-party companies. In practice, it offers little protection to citizens once the databases get into the wrong hands, according to records reviewed by FOX 13.
In one instance, the DHSMV was transferring records to National Recall and Data Services, a company whose owner, Charles Holley, had been banned from buying DMV data in other states. The DHSMV had been giving Holley a direct pipeline to Florida DMV data until one day after FOX 13 asked about it. The state said they hadn’t received a copy of his “attestation” for six months. The state also said it could not provide a copy of the public record showing how Holley claimed he was going to use federally-protected data because DHSMV staffers couldn’t find it.
10) DHSMV: Per law, examples of requesting parties who may access personal information are:
- Law enforcement agencies
- Auto Manufacturers (for recalling vehicles or parts)
- Government agencies or entities (to verify safe driving history)
- Towing entities (to notify owners of towed or impounded vehicles)
- Any person or agency that has written permission by the individual
FOX 13 Investigates Fact Check: This is true, but there are also many other exemptions, such as the “statistical report” and “research” exemptions. The law does not define who qualifies as a researcher or a statistician, or under what circumstances those exemptions apply.