BILL ANALYSIS �
SENATE TRANSPORTATION & HOUSING COMMITTEE BILL NO: SB 1268
SENATOR ALAN LOWENTHAL, CHAIRMAN AUTHOR: simitian
VERSION: 4/5/10
Analysis by: Jennifer Gress FISCAL: Yes
Hearing date: April 6, 2010
SUBJECT:
Disclosure of personal information
DESCRIPTION:
This bill prohibits, with some exceptions, a transportation
agency from selling or otherwise providing personally
identifiable information of a person who subscribes to an
electronic toll collection system or who uses a toll facility
that employs such system and establishes time periods up to
which an agency may retain that information. This bill also
establishes a minimum amount of money a person whose personally
identifiable information was knowingly sold or otherwise
provided may receive in damages and costs.
ANALYSIS:
Toll agencies may employ an automatic vehicle identification
system, referred to in this bill as an electronic toll
collection system, to facilitate toll operations. FasTrak is
the most common example of an automatic vehicle identification
system in use in California. FasTrak systems allow subscribers
to prepay tolls thereby eliminating the need to stop at the toll
plaza. The system has three components: a transponder or toll
tag, which is placed inside the vehicle; an antenna over the
roadway that reads the transponder and deducts the toll amount
from a subscriber's account; and video cameras that capture
vehicles' license plates to identify toll evaders. The FasTrak
system tracks a subscriber's usage and account balance. A
monthly or quarterly statement itemizing bridge use and account
balance is sent to subscribers via the postal mail or email.
Even though each toll agency operates only those facilities
within its jurisdiction, existing law requires that the
California Department of Transportation (Caltrans) and toll
operators develop functional specifications and standards for
automatic vehicle identification systems so that vehicle owners
�
SB 1268 (SIMITIAN) Page 2
not be required to purchase or install more than one device to
use on all toll facilities in the state. This functionality is
known as interoperability.
In addition to FasTrak-type systems, some toll operators permit
pay-by-plate toll payment which involves the use of on-road
vehicle license plate identification technology. There are
several ways in which pay-by-plate may work. For example, a
person who uses a toll facility and does not have a FasTrak
account or other automatic vehicle identification system could
telephone or access the website of a toll operator, enter the
license plate number of his or her vehicle, and pay the toll.
Alternatively, a person may set up a pre-paid account so that
tolls are deducted any time a vehicle uses the toll facility and
his or her license plate number is captured.
Laws and regulations governing the use of personal information
collected by automated systems are limited and somewhat
fragmented. Existing law prohibits any information obtained
through the use of automated devices from being used for any
purpose other than to identify and obtain the mailing address of
toll evasion violators or of persons entering a toll highway,
toll lane, or toll bridge where pay-by-plate toll payment is
permitted by the toll operator. Additionally, the Bay Area Toll
Authority, as the toll operator for the seven state-owned toll
bridges that employ FasTrak, is required to give vehicle owners
the option of opening and maintaining an account with cash or
check and without requiring them to provide their name or
address. Finally, most toll operators have adopted some sort of
privacy policy for account holders on their own accord.
This bill establishes a framework guiding how a transportation
agency may use personally identifiable information of a person
who subscribes to an electronic toll collection system or uses a
facility that employs an electronic toll collection system. In
so doing, this bill:
Defines a "transportation agency" as Caltrans, the Bay Area
Toll Authority, any entity operating a toll bridge, toll lane,
or toll highway within the state, or any entity under contract
with any of the above entities.
Prohibits a transportation agency from selling or otherwise
providing personally identifiable information, including but
�
SB 1268 (SIMITIAN) Page 3
not limited to, travel pattern data, address, telephone
number, bank account, or credit card information of any
person.
Allows a transportation agency to provide such information to
a law enforcement agency pursuant to a search warrant,
provided the law enforcement agency immediately notifies the
person that his or her records have been obtained and provides
a copy of the search warrant and the identity of the law
enforcement agency or officer to whom the records were given.
Provides that a peace officer may obtain personally
identifiable information when conducting a criminal or traffic
collision investigation without a search warrant if the
officer has good cause to believe that a delay in obtaining a
warrant would result in imminent danger to the health or
safety of a member of the public. In this situation, the
officer must provide the transportation agency a written
statement setting forth his or her basis for good cause,
notify the person immediately, but no later than 15 days from
the day his or her records have been obtained, and provide the
person the basis for obtaining the records. An officer may
request a court order for a 30-day extension of the notice
requirement if he or she believes notification would interfere
with the investigation.
Requires a transportation agency to establish a privacy policy
and provide it to subscribers in a manner that is conspicuous
and meaningful. The privacy policy shall address the
following issues:
o The type of personally identifiable information that
is collected,
o The categories of third-party persons with whom the
agency may share the information,
o The process by which an agency notifies subscribers
of changes to the policy,
�
SB 1268 (SIMITIAN) Page 4
o The effective date of the policy, and
o The process by which a subscriber may review and
request changes to any of his or her information.
Allows a transportation agency to store personally
identifiable information, such as account name, credit card
number, billing address, vehicle information, and other basic
account information for purposes of billing, account
settlement, or enforcement. All other information must be
discarded six months after the closure of the billing cycle or
60 days after the bill has been paid, whichever occurs last.
Requires a transportation agency to "take every effort, within
practical business and cost constraints," to purge personal
account information within 60 days after the date the account
is closed or terminated and specifies that in no case may a
transportation agency retain personal information more than
150 days after the date an account is closed or terminated.
Establishes a minimum of $2,500 that a person whose personally
identifiable information was knowingly sold or otherwise
provided may receive in damages and costs.
Specifies that the bill does not prohibit a transportation
agency from doing the following:
o Providing aggregated traveler information that
relates to a group or category of subscribers from which
personally identifiable information has been removed.
o Providing the license plate number of an intermodal
chassis to the owner of the chassis for purposes of
locating the driver of the chassis in the event the
driver fails to pay the toll.
o Sharing data with another transportation agency
�
SB 1268 (SIMITIAN) Page 5
solely to comply with interoperability specifications and
standards adopted in accordance with existing law.
o Performing financial and accounting functions such
as billing, account settlement, enforcement, or other
financial activities required to operate and manage the
toll facilities.
o Communicating exclusively about its
transportation-related products and services on behalf of
itself or the agency with which it contracts to
subscribers of the transportation agency through a
contracted third-party vendor using personally
identifiable information limited to the subscriber's
name, address, and electronic mail address.
COMMENTS:
1.Purpose . According to the author, this bill is intended to
protect the privacy of motorists in California by controlling
the use of personal information that is collected and stored
by electronic toll collection systems (e.g., FasTrak).
Examples of personal information include travel pattern data,
location, speed, time of day, address, telephone number, bank
account information, and credit card numbers.
In addition to facilitating toll payment, FasTrak transponders
are also used to collect traffic information such as travel
times. The signal emitted by a transponder is detected by
sensors or meters that have been placed along the roadway on
certain highway segments. These data are aggregated and used
to provide real-time traffic information via Caltrans'
changeable message signs and services as the Bay Area's
511.org.
The author states that there is a legitimate concern that
information originally collected for purposes of electronic
toll collection or the provision of travel information could
be provided to other companies or organizations for marketing
purposes. Existing restrictions on information sharing and
sales vary among transportation agencies. By codifying the
standards contained in this bill, the author contends the bill
will assure that privacy protections extend to all
transportation agencies that have, or may acquire, electronic
�
SB 1268 (SIMITIAN) Page 6
data collection technologies.
2.Unclear implications for existing agreements . Toll operators
may enter into a number of agreements, with each other, with
the DMV, and in some cases as part of a legal settlement
regarding access to and storage of personal information. The
implications of this bill on these existing agreements are
unclear and should be explored further if this bill moves
forward.
Interoperability agreements. The bill does not prohibit a
transportation agency from sharing data with another agency
solely to comply with interoperability specifications and
standards contained in existing law regarding electronic toll
collection devices, which among other things, requires that
the vehicle owner not be required to purchase or install more
than one device to use on all toll facilities in the state.
To achieve the objective of interoperability, toll agencies
enter into agreements with one another that allow for the
sharing of data about subscribers so that a vehicle with an
account held by one agency can use the same transponder on a
toll facility operated by another agency. While existing law
requires that one transponder be able to be used on all
facilities, it does not require that only one account is
maintained. In fact, existing law states that a subscriber
"may be required to have a separate account or financial
arrangement for the use of these facilities." For this
reason, it is unclear that this provision of the bill is
sufficiently broad to allow agencies to share information
about its subscribers in the same way as toll operators do
today.
DMV agreements. A toll agency may also have an agreement with
DMV about the use of personal information the toll agency
obtains when attempting to determine the name and address of a
vehicle's registered owner when it failed to pay a toll for
purposes of issuing a notice of toll violation.
Legal settlements. The Orange County Transportation Authority
(OCTA) indicates that, as a result of a lawsuit, it and the
Transportation Corridor Agencies (TCA) are required to retain
information for five years.
If this bill moves forward, the author may wish to consider
how the provisions of this bill interact with these existing
agreements to ensure that the bill achieves his objective of
�
SB 1268 (SIMITIAN) Page 7
ensuring drivers' privacy while also ensuring convenience for
drivers and meeting all other legal requirements.
3.Purging data . The bill requires that a transportation agency
"purge" personal account information within 60 days after the
date the account is closed or terminated. After a certain
period of time, many toll operators archive data they have
collected. The author may wish to specify whether or not this
provision is intended to apply proactively to data collected
as of the operative date of this bill or retroactively to all
data that a toll agency has ever collected.
4.AB 198 (Nation) . This bill is similar to AB 198 (Nation),
which was introduced in the 2003-2004 Legislative Session. An
early version of that bill, which contained many provisions
that this bill contains, passed the Senate Transportation
Committee hearing 11 to 0. The bill was later gut and amended
to deal with a different subject matter.
5.Double-referral . This bill is double-referred to this
committee and the Judiciary Committee. If this bill is passed
in this committee, it will therefore be referred to the
Judiciary Committee. If the author or the committee requests
that amendments be adopted when this bill is heard in this
committee, the amendments should be taken in the Judiciary
Committee so that the bill may be heard in that committee on
April 13th.
POSITIONS: (Communicated to the Committee before noon on
Wednesday,
March 31, 2010)
SUPPORT: None received.
OPPOSED: None received.