Privacy Plus+ 

Privacy, Technology and Perspective 

Texas is Making Millions/Year Selling Personal Information.  Our state government has generated over $450 million in the last 5 years by selling drivers’ personal information, including names, drivers’ license numbers, dates of birth, photos and other information maintained by both the Texas Department of Public Safety and Texas Department of Motor Vehicles.  The Dallas Morning News’ “Watchdog,” Dave Lieber, reported that story, and you can read it at the following link:

The sale of personal information by a state government isn’t new or surprising.  We have previously written on California’s similar commercialization of its drivers’ personal information. You can read that post here: 

Lawful under federal law?

The federal Driver’s Privacy Protection Act (DPPA), 18 U.S.C. § 2721, requires all States to protect the privacy of personal information contained in a person’s motor vehicle record and limits the use of such records to certain purposes.  Under that law, an individual’s photograph or image, among other things, is classified as “highly restricted personal information,” which cannot be released — except in certain specific, enumerated circumstances — absent an individual’s “express consent.”  The Texas DMV even references that statute on its website here:

Lawful under state law?

Texas’s sale of drivers’ personal information must also be lawful under its state law, including its Motor Vehicle Records Disclosure Act and Public Information Act. Links to each appear as follows:

Motor Vehicle Records Disclosure Act:

Public Information Act:

Texas’s Motor Vehicle Records Disclosure Act prohibits the disclosure and use of personal information contained in motor vehicle records, except as authorized by the individual or by law.  Hence, the State’s sale of personal information, like driver’s license numbers, license plate numbers, and VIN numbers would be prohibited without the requisite authorizations – either consent, or another specific lawful basis.  There is no indication that Texas drivers ever consented to the State’s disclosure and commercialization of their motor vehicle records, much less their drivers’ license information, so another lawful basis must be found and examined.

Further, under the Texas Public Information Act, Chapter 552 of the Texas Government Code, it is mandatory for a governmental body to withhold certain confidential information from public disclosure.  “Section 552.130 provides information relating to a motor vehicle operator’s license, driver’s license, motor vehicle title or registration, or personal identification document issued by an agency of this state or another state or country is excepted from public release. See Gov’t Code § 552.130. Accordingly, the State must withhold all vehicle identification numbers, driver’s license and license plate numbers, and states of issuance within the remaining information under section 552.130 of the Government Code.”  The preceding quote comes directly from a letter issued by the Office of the Texas Attorney General, which you can read here:

Recall, too, that Texas also regulates the disclosure of biometric information by the state government. Under 560.002 of the Texas Government Code, “[a] governmental body that possesses a biometric identifier of an individual… may not sell, lease, or otherwise disclose the biometric identifier to another person unless… the individual consents to the disclosure.” See Gov’t Code § 560.002. There, a “biometric identifier” means a retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry.  See Texas Gov’t Code § 560.001(1), a link to which is here:

We believe it is helpful to think of the DPPA, and many of the state statutes that make up the tangled thicket of the lawful use of drivers’ information, as following a structure of, “The state can’t [sell it], unless it can [under some specific condition].”  

These sorts of statutory structures call for a cautious approach, clear analysis, and thoughtful mapping of proposed uses against permitted conditions.

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.