Unlike Facebook, Texas sells data
State discloses personal info to outside parties
AUSTIN — Private companies aren’t the only ones sharing users’ personal information with outside groups — some Texas state agencies do it, too.
Earlier this week, Facebook CEO Mark Zuckerberg was grilled during two separate congressional hearings over revelations that Cambridge Analytica, a political research firm that worked with Donald Trump’s presidential campaign, improperly harvested detailed personal information on as many as 87 million Facebook users.
The news sparked an uproar among Facebook users across the country, igniting a debate over whether it’s appropriate for private companies to share personal information with third parties without asking for users’ consent. Facebook does not sell data, Zuckerberg said repeatedly during his testimony.
But public entities share data, too — and sometimes sell it. Several state agencies have made millions of dollars disclosing or even selling similar personal information about Texans derived from voter registrations and driver’s licenses, without notifying people.
Long-disclosed practice
It’s been a common practice by many states for years.
From January 2015 to July 2017, more than 800 outside groups either asked for a fee estimate or were given voter registration data from the Texas secretary of state’s office. Political campaigns and think tanks account for many of the requests.
Spokesperson Sam Taylor said the SOS office is required by state law to release voter registration records to anyone who requests them, and anyone requesting the data must sign an affidavit promising the information won’t be used for advertising or promoting commercial products or services.
“This is all part of the law prescribed by the Legislature, which our agency is obligated to follow,” he said.
The information cannot include a person’s Social Security number, according to the state election code.
State law also allows for anyone to purchase driving records, as long as the people requesting data meet certain requirements. For example, requesters are expected to have a permitted use such as law enforcement or businesses involving motor vehicles. Another example noted by state officials is towing companies that work with landowners to enforce posted parking restrictions.
The state made nearly $3 million off the processing and release of personal information on motor vehicle records requests last year, according to data from the Texas Department of Motor Vehicles.
Relevant state law has sweeping definitions for “personal information” regarding driving records, allowing anyone to make a request that includes an individual’s photograph or computerized image, Social Security number, driver identification number, name and address, but not their ZIP code, telephone number, or medical or disability information, all of which are protected under privacy laws.
Lawmaker concerns
In recent years, some legislators have tried to pin down exactly what kinds of personal information state agencies collect and sell to third parties — and then stop them from disclosing it. While the DMV information-gathering practices and $3 million sales figure are well-known to officials, no one comprehensively tracks how many state agencies sell or release data and how much money is collected for it.
Last legislative session, state Rep. Giovanni Capriglione, R-Southlake, proposed a cybersecurity bill that called for an audit of Texas systems, a review of state digital data storage and a statewide response plan that could be used in the event of a cyberattack.
House Bill 8, or the Texas Cybersecurity Act, eventually passed, but a late amendment that would have barred all state agencies, under any circumstance, from selling an individual’s “precise geographic location,” internet browsing history and application usage was removed after facing resistance.
“I thought it would be a no-brainer to say the state shouldn’t be able to sell information on where you’re located,” Capriglione said. “This is more of a commercial interest. But we got a lot of pushback there.”
‘Hypocritical’
Capriglione said he plans to raise the privacy issue again next session, once the Legislature reconvenes in January. Capriglione was also recently tasked to chair the House Select Committee on Cybersecurity, and he said he plans to ask “every agency that comes up” to let him know “what kind of information is being collected and what information is being sold.”
“It seems like no one understands that the government — federal, state, local — is collecting this information and selling it themselves,” he said. “It just seems a little hypocritical on the parts of some officials to be aghast that private companies are selling birthdays, while the state and others are doing the exact same thing.”