BILL ANALYSIS

SB 1268
Page 1

Date of Hearing: June 21, 2010

ASSEMBLY COMMITTEE ON TRANSPORTATION
Bonnie Lowenthal, Chair
SB 1268 (Simitian) - As Amended: May 28, 2010

SENATE VOTE: 24-10

SUBJECT: Electronic toll collection systems: privacy

SUMMARY: Prohibits transportation agencies from selling or disseminating personal information of their subscribers, with exceptions; imposes penalties for breaching this restriction. Specifically, this bill:

1) Prohibits transportation agencies from selling or disseminating personal information about persons who subscribe to electronic toll or fare payment systems.

2) Requires transportation agencies that use electronic toll collection systems to establish privacy policies and provide those policies to subscribers.

3) Requires privacy policies to address, at a minimum, the following:

   a) The type of information collected by the transportation agency;

   b) The types of third-party persons or entities with whom the transportation agency may share personal information;

   c) The process by which subscribers are informed of changes in the privacy policy;

   d) The effective date of the privacy policy; and,

   e) The process by which a subscriber may review their own personal information.

4) Authorizes transportation agencies to store specific account related information such as an account holder's name, credit card number, and billing addresses; beginning July 1, 2011, all other information must be discarded six months after the closure date of a billing cycle or 60 days after the bill has been paid, whichever occurs last.

5) Beginning July 1, 2011, requires transportation agencies to make every effort to purge data on closed accounts within 60 days; in no case may data be stored longer than 150 days after an account has been closed or terminated.
6) Allows transportation agencies to make personally identifiable information available to law enforcement agencies, pursuant to a search warrant; generally requires a law enforcement agency to notify, within five days, a person that their information has been obtained from the transportation agency.

7) Allows peace officers conducting criminal or traffic collision investigations to obtain personally identifiable information of subscribers if the officer has good cause to believe that a delay in obtaining the information via a search warrant may result in an imminent danger to the health or safety of a member of the public; requires that notice of obtaining the data be given to the subscriber, with exceptions.

8) Allows transportation agencies to provide aggregated traveler information that relates to a group or category of subscribers, provided that personally identifiable information has been removed.

9) Allows the sharing of data among transportation agencies, in order to comply with state inter-operability requirements for electronic toll collection systems.

10) Allows transportation agencies to communicate to their subscribers exclusively about their products and services through contracted third party vendors using the subscribers' names and addresses, provided that the transportation agency has received the subscriber's express written consent to receive the communication.

11) For purposes of these provisions, defines "transportation agency" as the Department of Transportation (Caltrans), the Bay Area Toll Authority, any entity operating a toll bridge, toll lane, or toll highway, or any entity operating under contract with such an agency.

12) Defines other key terms.

13) Provides that a breach in the use of personal information may result in an action to recover actual damages or $2,500, whichever is greater, for each individual violation, in addition to attorney's fees.
14) If a person's information has been knowingly sold or otherwise provided three or more times, the penalty increases to actual damages or $4,000, whichever is greater, in addition to attorney's fees.

15) Stipulates that this bill's provisions do not preclude compliance with a specific court-ordered settlement agreement.

16) Authorizes a transportation agency to impose an administrative fee to cover costs associated with implementing these privacy requirements.

EXISTING LAW: Authorizes Caltrans, cities, counties, public transit agencies, and special districts, to assess tolls and fares for the use of transportation facilities under their respective jurisdictions.

FISCAL EFFECT: Unknown

COMMENTS: According to the author, SB 1268 is intended to protect the privacy of motorists in California by controlling the use of personal information that is collected and stored by electronic toll collection systems. The author states that SB 1268 provides important privacy protections to drivers by: 1) prohibiting a transportation agency that operates a toll facility from releasing or selling personal identifying information of subscribers to an automatic toll collecting service; and, 2) establishing a data retention period for how long agencies can retain personal information in their systems.

Supporters of this bill suggest that California has witnessed a growing trend of attorneys, law enforcement agencies, and other entities requesting and obtaining data on electronic toll collection system users via a subpoena. They support the personal information protections provided for in SB 1268.

Transportation agencies generally support this bill's provisions related to privacy protections for their toll customers, including the inclusion of penalties for violating these privacy protections. However, these agencies are strongly opposed to provisions in the bill that require that personal data be purged within 60 days of closing or terminating an account.
They argue that, under an existing four-year statute of limitations for civil actions, the bill's purging requirements would allow consumers to question their toll charges for up to four years after the date of the activity but would remove the opportunity for toll operators to retain information to support charging the tolls or to otherwise provide documental evidence to establish a defense in a civil action.

Transportation agencies have also expressed operational concerns with this bill's purging requirements that could require significant modifications to their business systems to have to purge data on a rolling basis, such as daily or weekly. The agencies would prefer the latitude to purge data within a routine that fits their existing business systems but no longer than 5 years.

Suggested amendments: The committee is concerned that overly aggressive purge requirements could leave transportation agencies defenseless in civil actions. The bill's purge requirements should mirror the timeframes set forth in the statute of limitations. This will provide a regular, routine purging of personal data but within timeframes that do not invite jeopardy for transportation agencies in civil actions.

Double-referral: This bill is double-referred to the Assembly Judiciary Committee.

REGISTERED SUPPORT / OPPOSITION:

Support

American Civil Liberties Union
Consumer Action
Consumer Federation of California
Electronic Frontier Foundation
Privacy Rights Clearinghouse

Opposition

Orange County Transportation Authority
San Diego Association of Governments
South Bay Expressway
Transportation Corridor Agencies

Analysis Prepared by: Janet Dawson / TRANS. / (916) 319-2093