x
Breaking News
More () »

Is the Colorado DMV selling data to car warranty companies?

The Colorado Attorney General's Office is investigating if data sold by the DMV was used by car warranty companies.

DENVER — The postcard-shaped warnings showed up in Dave Burritt's mailbox a week after he registered his 2012 Chevrolet Impala with the Colorado Division of Motor Vehicles (DMV). 

One read, in bold font, “The factory warranty on your 2012 Chevy may have expired or is about to expire.”

Another said, “By neglecting to activate your repair plan, you will be responsible for paying for all repairs out of pocket.”

RELATED: How do robocalls work?

RELATED: What you can do to stop robocalls

Burritt said he immediately suspected his legally-required interactions with the DMV were to blame. 

“Somebody definitely sold my information,” he said.

He said he thought about hopping on the phone with the DMV folks, but then thought about calling 9NEWS. 

“I thought if I just called the state, I was going to get the runaround, but maybe 9NEWS would be interested," Burritt said. 

We were, and now the state has launched an investigation of its own.

What happens to your DMV data?

It’s hardly a secret these days: Google “DMV data sales” and you’ll come up with all sorts of stories on what journalists across the country have uncovered.

Colorado is one of numerous states that's sold personal information to people and companies willing to purchase it.

What you might not know is who is purchasing the bulk of the data from Colorado.

For more than a decade, a private company known as NIC – operating in the state under the name Colorado Interactive – has paid the state hundreds of thousands of dollars a year to have access to title and registration information. 

According to records supplied to 9Wants to Know under the state’s open records laws, NIC paid Colorado $635,947.04 in 2020 to receive millions of records.

Colorado Interactive (CI) then, according to its filings with the Securities and Exchange Commission, resells that data for a profit. In many ways, CI acts as a data middleman.

It buys the data and then resells it to anyone interested.

Last year, it resold DMV data to 11 different “subvendors,” according to records obtained by 9Wants to Know. It’s all perfectly legal under the terms of a federal law known as the Driver’s Privacy Protection Act. DPPA allows for 14 distinct uses of DMV data.

Credit: 9WTK

Think about things like car recalls and background checks.

“There are tons of entities that are legal that are using it properly,” said Texas attorney Joseph Malley. 

Malley has made a living for decades suing companies and people for improper use of DMV data under the DPPA.

Not on the exception list?

“You cannot use any of the DMV data for direct marketing,” he said. 

This is where Burritt’s story comes back into play, and he has the postcards to prove it.

Why 9Wants to Know bought a car for $1

Late last year, Burritt decided to buy a car to help him run errands for his mother. He already had a car, but he needed one with a low passenger-side door.

“Nice and low,” he said. “Something she could get into.”

He quickly found a 2012 Chevy Impala on Craigslist that fit the need. He paid cash and insured it right away.

A COVID-19 scare kept him from registering it until January. A week after he went down to the DMV, the postcards started arriving in his mailbox.

The only people who knew he registered the car when he did?  His mom, his wife and the folks at the DMV.

It’s why 9Wants to Know decided to put Burritt’s theory to the test.

Earlier this year, we convinced our station and our management to let me, investigative reporter Chris Vanderveen, buy a 2014 Ford Escape owned by KUSA-TV for $1. 

Credit: 9NEWS
An aerial view of the car Chris Vanderveen bought for $1.

As required by law, I insured it right away, and used a different insurance company than Burritt did. I also checked with the insurance company’s data protection policy. In writing, a representative said the company does not sell private data to anyone.

I then walked into the Colorado DMV and registered the car under my name.

One week later, some of the same postcards that showed up in Burritt’s mailbox showed up in mine. 

It’s not supposed to work this way.

Malley said Coloradans should be concerned about the leak in their data. 

“I’ve been tracking these [car warranty] companies around the country myself," he said. "I know who they are, and they’re working in Colorado right now getting your data. They shouldn’t be." 

The contract between the Colorado Department of Revenue and Colorado Interactive (also known as NIC Colorado) specifically forbids any DMV data to be used for such things as car warranty pitches. Within the contract, obtained by 9Wants to Know, the language says anyone who obtains the data from the state “shall not use any PI [personal information] obtained under this agreement for direct mail or email solicitations.”

A spokesperson for NIC Colorado told 9Wants to Know, “It would be inappropriate for NIC to comment on behalf of the Colorado Department of Revenue.”

“I can assure you that NIC Colorado conducts regular reviews to ensure its policies and practices are compliant with the federal Driver’s Privacy Protection Act (DPPA). The DPPA requires certain mandatory disclosures of driver records for consumer protection and public welfare purposes, such as motor vehicle or driver safety and theft, motor vehicle emissions and motor vehicle product recalls,” added NIC spokesperson Kara Cowie.

Mark Ferrandino is the newly appointed executive director of the Colorado Department of Revenue, which oversees the Colorado DMV.

He said since learning of Burritt’s and my story regarding unsolicited car warranty company postcards, the Colorado DMV has launched an investigation along with the Office of the Colorado Attorney General to try to figure out if data sold by the DMV was used by the car warranty companies.

The investigation is ongoing.

In the meantime, Malley told 9Wants to Know the state needs to do more to protect drivers’ personal information from winding up in the hands of direct marketers.

“They’ve become careless," he said. "Totally, totally careless." 

And it’s not just car warranty companies Malley said he’s worried about. The DPPA initially passed through Congress after the murder of actress Rebecca Schaeffer in West Hollywood.

The gunman found her using information acquired through the state DMV.

“This should be treated very, very seriously,” Malley said.

Have you gotten one of these mailers? Chris Vanderveen wants to hear about it. Tell him in the form below. 

SUGGESTED VIDEOS: Investigations from 9Wants to Know