COLUMBUS, Ohio — A months-long experiment by 10 Investigates is now helping the Ohio Bureau of Motor Vehicles determine if there has been any illegal misuse of drivers’ personal information.
Ohio BMV Registrar Charlie Norman told 10 Investigates that the results of our investigation is now aiding his agency in trying to root out if there has been a potential violation of federal law.
Here’s what happened:
Since 2010, the Ohio Bureau of Motor Vehicles has made more than $250 million selling drivers’ personal information to third parties.
The money is used to help cover administrative and operating costs of the Ohio BMV.
But 10 Investigates wanted to know what happens to drivers’ information after that sale? What are those third parties doing with that information?
As part of our investigation, we purchased a car for the purposes of testing the Ohio BMV’s system.
We wanted to know if the Ohio BMV’s sale of personal driver data was linked to those direct mailed solicitations for things like extended auto warranties.
If there was a direct link, it could represent a violation of a federal law designed to protect drivers’ privacy.
Here’s what we found:
In September, Chief Investigative Reporter Bennett Haeberle purchased a 2021 Buick Encore news car from WBNS 10TV and registered it in his name. About five weeks later, he started to receive mailed solicitations warning him of a “final notice” that the extended warranty on his new Buick was about to expire.
Haeberle called the company. A representative who answered the phone number on the mailer – which 10 Investigates is not naming at this time – said they purchased the personal information from another party – but would not say who.
Haeberle sold the car back to WBNS 10TV about 60 days later. After that transaction, the station started receiving mailers from extended auto warranty companies about five weeks later.
Why does that matter?
If those mailed solicitations - like those offers for the extended auto warranties - were the result of the Ohio BMV’s sale of driver’s personal data, it could be a violation of a federal law – known as the Drivers Privacy Protection Act.
The law was designed to protect driver data, but it also has 14 exemptions that allow third parties like court systems or insurance companies or automotive manufacturers to buy the data to send you things like vehicle safety recalls or other important information.
One thing the law doesn’t allow is for companies to use that data to send you direct marketing solicitations without your permission.
As part of our experiment, 10 Investigates tried to narrow the scope of potential leaks of Haeberle’s personal data. His insurance company told him prior to the vehicle purchase that it would not sell his data for direct marketing or solicitations. And there was no dealership involved – Haeberle bought the car in a peer-to-peer sale with the station WBNS-TV.
That would leave only one entity – the Ohio BMV – which would’ve known that he had recently purchased a vehicle.
We shared our findings with Texas attorney Joe Malley who specializes in privacy matters. We asked him if got these mailers after our contact with the Ohio BMV, does that represent a violation of federal law?
Malley said: “If you can track it back to the BMV yes. The issue is can you track it back?”
10 Investigates showed Malley the mailers we received and explained how they arrived weeks after titling the car with the Ohio BMV. We asked him if he thought the companies behind the mailers were getting our identities from the sale of driver data from the Ohio BMV.
“Yes, I believe the source does start with the (BMV) data – as to who all is involved is a different story. And who knows what is a different story,” he said.
The challenge, Malley said, is that even though the Ohio BMV sold the data to third-party entities, the driver and car title data may have been purchased by one entity – we’ll call them Company X – may not have been the entity who sent you the mailed solicitation. That could have been another group, we’ll call them “company Y.”
10 Investigates also found Ohio drivers with similar experiences.
“None of this was happening until I registered my car,” said Barb Woodruff. “I was looking for ways to opt-out and when someone tells me there is no way to opt-out, I have a problem with that.”
Woodruff told 10 Investigates that her Chevy sedan was transferred into her name through a divorce. She says after titling the car in her name, she started to received mailed solicitations, which she thought was odd because she considers herself a very private person and uses a P.O. Box to receive her mail instead of her home address.
The mailed solicitations came directly to her house. And Woodruff said she noticed them only after her contact with the Ohio BMV.
John Kaminsky got similar mailers weeks after buying car and titling it with the Ohio BMV. He said his dealer assured him they didn’t sell his personal information.
“I expect the state to have some discretion and have my best interests at heart,” he said.
In an interview this month with Ohio BMV Registrar Charlie Norman, 10 Investigates pressed Norman about if the Ohio BMV’s sale of driver data was responsible for getting unwanted mailers.
“The only entity we went through to title this car was the BMV… that’s what I am trying to pin down, how do you think it could be anything else?” Haeberle asked Norman.
Norman said: “Well that same insurance company that gets our bulk data tells us they are not using it for that purpose. It’s hard to say. That’s what the investigation is looking at and we are trying to figure out if there is a bad actor, who is it.”
In wake of our investigation, the Ohio Bureau of Motor Vehicles says it has now narrowed the scope of its own investigation looking to see if there is a leak of driver data and a direct link between the Ohio BMV’s sale of driver personal data to and those solicitations that end up in your mailbox.
When 10 Investigates’ Chief Investigative Reporter Bennett Haeberle asked: “Who else would it have been? How would it not have been you guys?”
Norman said: “I’m not sure. It could’ve come from a data aggregator. For all we know it was random. I don’t think that’s the case, Bennett, but that’s what we are looking into.”
Norman said the Ohio BMV recently began inserting fake driver data and car title information into its system hoping to root out any potential violators. But because the bulk driver title data is updated once per month and sold to third parties, it could early March – or later - before the Ohio BMV knows if someone is misusing driver data for an illegal purpose.
Norman says his agency has continued to reduce who can get access to the data and they’re now trying replicate what happened to 10 Investigates.
“It certainly – it helped. We are thankful. We are appreciative of (you) bringing it to our attention. It’s gonna help us make sure we don’t have bad actors in our system.”
10 Investigates reached out to a BMV spokeswoman Sunday night asking if there any updates on their investigation. On Monday morning, she replied that the BMV had not received any solicitation yet based on its insertion of fake data into its system.