Data Use and Government Hypocrisy

    Government bodies like Congress, state legislatures, and regulatory agencies often try to saddle private businesses with obligations that the governments themselves cannot comply with. Such regulatory actions habitually hit red on the hypocrisy meter. This blog is about privacy, the regulation of data deletion or non-deletion, why not all data “de-linking” is created equal, and, of course, government hypocrisy. I also discuss how California and New York are going where no man has gone before.[1]

    Captain Jean-Luc Picard and Mr. Data. Still image of Season 4, Episode 14, “Clues”, CBS

    I am going to start by introducing you to Beda Koorey, a 75-year-old widow and grandmother on Long Island and her encounters with the New York DMV that will send you into orbit when you read it. I also convey that while the New York DMV could and should find ways to suppress Koorey’s data for financial harm at her expense, they still need to use that information for fraud prevention and identification, as private companies do, to prevent financial harm.

    The New York DMV Can’t Help Grandma

    One of the more recent examples of government data double standards came from Long Island. The Washington Post reported in December 2024 about Beda Koorey, a 75-year-old widow and grandmother on Long Island.[2] Even though she stopped driving in 2020, she continued to receive “hundreds of incorrect traffic violation accusations and thrusting her into a seemingly never-ending bureaucratic nightmare with DMV officials.” This went on for years. Before he passed away, Koorey’s husband, a Star Trek fan, loved his vanity plate “NCC 1701,” the call letters of the starship USS Enterprise in the TV and movie franchise.[3]

    Even after she turned the plates back to DMV, Koorey slams the motor vehicle agency for “giving her what she described as an infuriating, soul-crushing runaround for years. She also criticized companies that sell fake personalized license plates that authorities can mistake as authentic.” The Post added that “[o]ver the past four years, Koorey has received hundreds of traffic citations from all over the United States — and beyond — even though she stopped driving in 2020. She said she has spent nearly every day since explaining to authorities in far-flung jurisdictions, most of which she’s never been to, that she no longer has the plates before proving her claim by giving them the New York DMV document showing she gave them up and officials then destroyed them.” She told the Post, “while chocking up,” that the DMV and collectors “’have all tortured me for four years. I just want to cry, it’s such a mess.’”[4]

    The New York DMV Hits Red on the Hypocrisy Meter

    The New York DMV through up its hands at the problem. “Walter McClure, spokesman for the New York DMV, said…there’s no such thing as ’de-linking’ a customer’s information from a plate that was once registered to them.”[5] This is crazy!

    New York imposes certain “de-linking” on businesses all the time. For example, New York requires credit bureaus to allow consumers to freeze, temporarily thaw, and remove credit freezes.[6] The law also has freeze and removal provisions minors under age 16.[7] One of the leading privacy bills in New York, the Data Privacy Act, passed the state senate in 2024. Although it mandates an opt-out process by businesses for consumers, it also exempts (as it does in other states) data uses to, among other things, fraud, malicious or deceptive activities.[8]

    And it’s not just New York. Federal law requires credit bureaus to opt-out of preapproved offers of credit.[9] California passed the Delete Act in 2024 allowing residents to request their personal information be deleted by “data brokers.”[10]  The nuttiness of this bill deserves its own blog. For now, I will point readers to criticism by others.[11] New Jersey has Daniel’s Law. As first passed in 2020, the once-sensible law allowed judges to remove their names and addresses from “data broker” lists. Yet, in 2023, the law was amended in ways that are unconstitutional, harmful to consumers, and a haven for plaintiff attorneys.[12] Even the state’s own New Jersey Election Law Enforcement Commission (ELEC) cannot comply with the law.[13] This law is also worthy of a separate blog, but for now, you can find helpful information from a Troutman blog.

    Goose, Meet Gander: The Private Sector De-Links All the Time

    Credit freezes for adults, credit freezes for minors, state privacy laws, the Delete Act, Daniel’s Law. These are a few examples of places where the private sector must “de-link” a consumer. Imagine if a consumer exercised his or her legal rights under these laws and a data company said, “sorry, we cannot de-link you.” That company would feel the force of law through private rights of action and lawsuits from the FTC and state attorneys general. What is good for the goose is not always good for the gander, it seems.

    Not All De-Linking is the Same: Some Linking is Required for Fraud Prevention

    While the New York DMV could and should find ways to prevent the general reuse of Beda Koorey’s Star Trek license plate, they must still use that information for fraud prevention and identification, as private companies do. For example, credit freeze laws still allow a credit bureau to help consumers by updating their data internally. When a consumer with a frozen credit report pays a bill, that is still recorded internally with the credit bureaus. Data is often shared internally and externally for fraud prevention and authentication, as permitted under state privacy laws, for example.

    “Those with the most to hide
    will be the ones that hide the most.”

    Eric J. Ellman

    Keeping data internally is critical for consumer protection. The mass deletion of data for fraud prevention, authentication, and identification would have disastrous impacts. In short, those with the most to hide will be the ones that hide the most.

    Take the Delete Act, for example. Hundreds of data providers offer a tremendous range of beneficial services to companies, non-profits, government agencies, and academic institutions. If a significant number of California residents are deleted from those datasets, the data will become deeply corrupted and increasingly incomplete, inaccurate, and unusable. That loss of accurate data in the market would hamper marketing efforts for California businesses, reduce competition, hurt non-profits, curtail quality research, and create new advantages for giant companies that have built closed data systems. California families would also see an immediate and costly impact in higher prices, less choice, closed businesses, more digital fraud, and fewer ad-funded services.

    Let’s return to New York for a moment. There is substantial fraud committed relating to drivers’ licenses and license plates. In 2021, the state inspector general’s office investigated alleged widespread cheating in New York’s driver permit program.[14] In 2023, the state DMV started targeting the use of fake license plates, saying drivers are using them to avoid insurance and registration requirements, tolls and skirt speed cameras.[15] All this is to say that DMV information should not be “de-linked” for fraud prevention and authentication. Wholesale data deletion would decrease verification and increase fraud.

    Returning to earth

    It’s frustrating for the New York DMV to say that it cannot “de-link” data for Beda Koorey. The private sector does this all the time. But not all de-linking is created equal. Connecting data to consumers is critical for fraud prevention, authentication, and verification. Deleting data willy nilly is exactly what the fraudsters want. Those with the most to hide will be the ones that hide the most.

    Eric J. Ellman's avatar

    Eric J. Ellman

    [1] Where No Man Has Gone Before, Wiki.

    [2] Jonathon Edwards, Grandmother gets hundreds of false tickets due to Star Trek vanity plates, Wash. Post, Dec. 13, 2024.

    [3] Id.

    [4] Id.

    [5] Id.

    [6] N.Y. Gen. Bus. L. § 380-T.

    [7] Id., § 380-U.

    [8] N.Y. S. 365-B (2023-2024).

    [9] 15 U.S. Code § 1681b(e).

    [10] Laws 2024, Ch. 702 (formerly S.B. 362), § 6 (to be codified at Cal. Civ. Code § 1798.99.86.

    [11] Further reading about how bad the Delete Act is for consumers can be found in a letter from the California Chamber of Commerce. Also, a second letter from a broad cross-section of the United States business community spanning various industries, including financial services, health care, package delivery and logistics, cable and telecommunications, transportation, retail, utilities, real estate, insurance, entertainment, auto, magazine publishing, market research, Internet and online services, advertising and marketing.

    [12] See, Phillip N. Yannella and Tim Dickens, Daniel’s Law: the next wave in privacy litigation, Thompson Reuters, March 20, 2024.

    [13] Joe Donohue, ELEC’s acting executive director, said that “[i]f someone comes to us right now that’s on that list and wants it removed, we’ll do it, but even then, we’re technically violating our own statute. It compels us to violate our own statute.” Nikita Biryukov, Elections watchdog asks for Daniel’s Law tweaks, more time to investigate, New Jersey Monitor, May 1, 2024. In early-2024, the New Jersey Election Law Enforcement Commission’s Annual Report, 2023 said that the “Commission and staff members believe it would be impossible to fully comply even if the two statutes were not fundamentally at odds.” Annual Report, 9.

    [14] Brian Lyons, New York inspector general investigates DMV cheating allegations, Nov. 16, 2021.

    [15] Press release, DMV Investigators Crack Down On Use Of False License Plates, N.Y. Dep’t. of Motor Vehicles, May 23, 2023.

    Eric J. Ellman
    , , ,