COLUMBUS, Ohio — A months-long investigation by 10 Investigates found Ohio’s Bureau of Motor Vehicles has made more than $250 million over the past decade selling personal information from driver and vehicle records to third parties.
Viewers’ responses to our report – through social media comments and emails - have expressed concern about this practice.
Here’s how we discovered it:
10 Investigates submitted an open records request and reviewed state records of purchasers that found both local governments, private insurance companies, data brokers, credit agencies and private investigators are among the private entities that have purchased driver information.
Our investigation, which including both direct contact with other states’ departments of motor vehicles, and a review of state records, lawsuits and published news reports, found that at least 35 states across the country sell or provide access to drivers’ personal information.
The practice is legal but comes with several restrictions.
A federal law, known as the Drivers Privacy Protection Act, works to withhold the release of driver personal information.
But the law also has 14 exemptions that allows for government agencies or private companies to access the information for limited purposes such research, insurance underwriting, court notices, auto safety recalls along with other permissible uses.
Since our story aired Thursday night, viewers have commented that they think the practice is wrong.
Others have suggested that they believe robocalls or direct mailer solicitations they received regarding extended auto warranties might be directly tied to the BMV’s sale of their personal information.
Earlier this week, we asked Ohio BMV Registrar Charlie Norman about this.
“I think it could be any number of sources besides us. If you finance your car it could your bank. It could be any number of ways, people share data probably a lot more than they should,” Norman said.
But Texas privacy attorney Joe Malley says data purchased from state motor vehicle agencies can get co-mingled with other private companies’ data – making tracking who’s responsible difficult.
“Most industries – once you mix these databases together – they can’t even tell the source of it. And that’s how they can claim it’s not from the DMV.”
News reports dating back to 2019 show unintended exposure and data breaches involving driver information have occurred in at least three states. And impermissible use of this information resulted in a $5 million legal settlement from a federal lawsuit in North Carolina.
In that case, a North Carolina couple sued claiming a data broker – LexisNexis – “violated the DPPA by allegedly disclosing the couples’ crash reports to a third party… which reached out to them for the purposes of marketing and solicitation.”
Data brokers, insurance companies and credit agencies are among the top purchasers of driver data here in Ohio.
Norman said the state is in the process of an overhaul and has already limited the number of so-called bulk requesters over the years. Plans are in the works, Norman says, to further limit what personal information can be accessed and new contracts with vendors are expected to require them to facilitate third-party security checks to ensure that breaches and impermissible uses of the data are not occurring.