North Carolina and South Carolina, following state and federal laws, provide personal information to companies in exchange for fees. Direct marketing is prohibited.
CHARLOTTE, N.C. — At a time when hackers and data leaks are jeopardizing personal information, North Carolina and South Carolina made a combined $172 million selling driver and vehicle data over a span of just three years, according to a WCNC Charlotte analysis of public records.
State and federal public records laws pave the way for companies to access names, addresses, a person’s driving record, registration details and more from motor vehicle departments in exchange for a fee. And no member of the public can opt out.
‘Who are they selling it to and why would they do it?’
The Drivers Privacy Protection Act allows for the public release of personal information in certain cases for approved purposes like court notices, insurance, auto safety recalls, and research.
“I’m not happy with that at all,” Charlotte driver Dorothy Karpeh said after WCNC Charlotte informed her about the public records exemption. “Who are they selling it to and why would they do it?”
DMV records show North Carolina and South Carolina have provided driver information to law firms, private investigators, insurance companies and data brokers.
“I’m sure a lot of people don’t know. I didn’t know,” Charlotte driver Nicholas Singh said when WCNC Charlotte told him. “I know other websites [sell our information), but I didn’t expect the DMV, a governmental website, to do such a thing.”
MORE FROM ‘WHERE’S THE MONEY?’: Charlotte man who lost his job in 2019 finally gets unemployment back pay
State records show companies, including bulk buyers, have secured millions of driver records from the North Carolina Division of Motor Vehicles alone in recent years, resulting in more than $123 million in revenue for the state, an average of $41 million a year.
North Carolina Department of Transportation spokesperson Steve Abbott said any money received goes to the state’s highway fund.
“To me, it’s a good thing, because it helps improve our roads,” Abbott said of the revenue.
‘Data is worth gold now’
Privacy attorney Joe Malley said companies have legitimate reasons to rely on DMV data, but direct marketing is not one of the allowable uses. Still, Malley is convinced DMV data are the main source of car warranty offers that regularly arrive in people’s mailboxes.
“Data is worth gold now and there’s a lot of entities that want to buy it and these states are cashing in,” Malley said. “That’s the source of the extended warranty billion-dollar empire. It’s the easiest way to get it. Those extended auto warranties, I would say with about a 99%, assuredly, it’s coming from a state driver database.”
Abbott, though, is quick to remind people DMVs are far from the only source of driver data.
“They may not be getting that from the DMV,” he said. “I can’t say for sure we’re the biggest or smaller purveyor of the information, but there’s a lot of stuff out there.”
Abbott said in the rare cases where buyers have violated the rules of use in the past, the state has taken action, banning some. However, the NCDMV reports the agency hasn’t banned any service providers or discontinued any agreements since 2018.
MORE INVESTIGATIONS ON WCNC CHARLOTTE: ‘Overcrowding can be a problem’ at mental health facilities, Charlotte clinic discloses
“You’re not supposed to use (the data) to contact individuals,” Abbott said. “If we do find out, you’re gone. You no longer have access to it.”
“Do you think the state’s doing enough to be good stewards of this data?” WCNC Charlotte asked him.
“If someone thinks they’re being violated, we have to be notified,” Abbott replied. “We’re not going and checking on every single thing… We don’t get a lot of complaints.”
‘A lot of these companies will stay away from states that have extensive screening’
Malley said that the reactive approach, which relies largely on an unaware public to file complaints, isn’t good enough. He thinks states should insert fake driver profiles in their data, so they can track if the information is misused.
“A lot of these companies will stay away from states that have extensive screening,” Malley said.
Neither North Carolina nor South Carolina would reveal if the states rely on test data to root out fraud.
DMV records show South Carolina collects substantially less revenue from driver data than its counterpart to the north. Still, over the course of three years, South Carolina earned more than $49 million, the equivalent of more than $16 million a year, according to public records.
DMV records show buyers have received everything from monthly title and registration information to newly licensed drivers/address changes. Money collected there is also used for infrastructure improvements, a South Carolina Department of Transportation spokesperson said.
“In accordance with the Federal Drivers Privacy Protection Act, the SCDMV discloses personally identifiable information (PII) only when the entity requesting the information is using for an exemption listed in that law,” SCDMV Chief of Strategic Communications and Community Affairs Kyle McGahee said. “In those cases, the SCDMV may disclose PII from driver records (which includes information listed on a driver’s license) and vehicle records (including name, address, and vehicle information) to those who meet exemption criteria as specified in federal law. The SCDMV is specifically prohibited from providing any driver’s license photographs, social security numbers, and medical information to private entities.”
According to McGahee, SCDMV has suspended the sale of data “on occasion” when audits found “receiving organizations were failing to adequately meet the information security requirements we mandate.” Those companies are allowed to again receive data once they comply with required security measures, he said.
Much to the dismay of DeleteMe CEO Rob Shavell, North Carolina and South Carolina are far from the only states granting the buying public access to driver data. In fact, it’s more common than not.
“It is unbelievable that all of these institutions, including DMVs across every state, are able to sell our data, make money from it, without us having a say in it,” Shavell told WCNC Charlotte.
Both North Carolina and South Carolina outline their DMV data rules on their websites.
NCDMV maintains the agency does not sell records for profit, but rather follows state law, which requires the agency to make the information available to those meeting the “legally-required criteria.” By law, the cost to receive bulk data is 3 cents per individual record, which includes the cost to search, identify and produce the records requested, according to a spokesperson.
LexisNexis Risk Solutions is the top buyer of DMV records in North Carolina and also one of South Carolina’s top customers. The company told WCNC Charlotte it buys driver’s license information “to verify addresses or identities within guidelines set for permissible use,” while not using the information “for marketing purposes or other business functions outside of these guidelines.” The company said its services “are subject to strict state and federal regulations.”
Federal court records show a Charlotte couple recently reached a $5 million class-action settlement with the company after claiming the data broker violated the law “by allegedly disclosing” their crash reports to third parties “for the purposes of marketing and solicitation.” As part of the settlement, the company denied any wrongdoing, but agreed to ban “the use of purchased crash reports for marketing and solicitation purposes,” the company told WCNC Charlotte.
In a statement, the company said those crash reports are different than the DMV data it buys.
“We reached a class-wide settlement with the Gastons involving their claim that LexisNexis violated the Driver’s Privacy Protection Act (DPPA) by assisting law enforcement agencies in providing the public with online access to crash reports,” the statement said in part. “Although we disagreed with their interpretation of the law, we chose to settle the case to avoid further litigation and in light of current uncertainties and challenges about the application of the DPPA to crash reports. More importantly, the settlement includes no admission of wrongdoing or liability on the part of LexisNexis Risk Solutions or any other LexisNexis entity. We continue to stand behind our ability to support law enforcement customers in providing access to automobile accident reports. Our solutions help law enforcement agencies decrease automobile accident report request processing times, improve internal processes and provide greater efficiency to those who need the reports for the claims process. Also, our service frees up law enforcement agencies to focus on public safety issues, such as community relations. As part of the settlement, we are prohibiting the use of purchased crash reports for marketing and solicitation purposes.”
According to NCDOT, LexisNexis “continues to be a service provider.”
An agency spokesperson said qualified requestors are required to certify annually that “they are using the records for the approved purposes.”