BILL ANALYSIS






                             SENATE JUDICIARY COMMITTEE
                             Senator Noreen Evans, Chair
                              2013-2014 Regular Session


          AB 179 (Bocanegra)
          As Amended June 19, 2013
          Hearing Date: June 25, 2013
          Fiscal: Yes
          Urgency: No
          TH


                                        SUBJECT
                                           
                 Public Transit: Disclosure of Personal Information

                                      DESCRIPTION  

          Under existing law, transportation agencies and other entities  
          that operate toll bridges, toll highways, and toll lanes are  
          prohibited from selling or providing to third parties any  
          personally identifiable information obtained through a person's  
          participation in an electronic toll collection system (ETC) or  
          use of a toll facility, with certain exceptions.  Existing law  
          requires these entities to establish a privacy policy that must  
          be provided to users and subscribers, and prohibits these  
          entities from revealing personally identifiable information to  
          law enforcement agencies absent a search warrant.  These  
          entities are required to discard collected personally  
          identifiable information no more than 4  years after a  
          subscriber's account is closed or settled.

          This bill would extend these existing privacy protections to  
          transportation agencies and entities that employ an electronic  
          transit fare collection system (ETFC) for the payment of transit  
          fares.

                                      BACKGROUND  

          In 2010, the Legislature passed SB 1268 (Simitian, Ch. 489,  
          Stats. 2010) which prohibited transportation agencies from  
          selling or otherwise disclosing to third parties any personally  
          identifiable information collected about subscribers to  
          electronic toll collection systems (ETC) or users of toll  
          bridges, lanes, or highways that employed ETC systems.  SB 1268  
          features a number of privacy protections in addition to these  
          broad disclosure prohibitions, including a requirement to  
          discard retained personally identifiable information no later  
          than 4  years after an ETC subscriber's account is closed or  
          settled, and a requirement to establish a privacy policy  
          regarding the collection and use of personally identifiable  
          information.  The provisions in SB 1268 addressed stated  
          concerns that the collection of toll information could be used  
          to analyze a user's driving patterns or locational data, by  
          codifying certain privacy protections in statute and replacing  
          any agency-based privacy policies that may have existed before  
          its enactment.

          Shortly after SB 1268 was passed, similar concerns began to  
          surface about electronic transit fare collection systems (ETFC).  
           Generally speaking, these systems permit public transit users  
          to purchase or acquire a stored value card which, after the user  
          adds funds to his or her card, can be used at payment points on  
          transit systems in lieu of cash or fare vouchers.  The Transit  
          Access Pass Card (TAP Card) used by transit agencies in Los  
          Angeles describes its functionality as follows:

               While not a pass in itself, the TAP card is an important  
               innovation for L.A. County transit riders.  The durable  
               plastic card contains a smart chip that allows you to buy  
               and electronically load Metro passes, participating  
               regional and local transit line passes, electronic cash, or  
               any combination of the three.  In other words, TAP becomes  
               your "transit fare wallet" - holding your passes and cash,  
               paying fares to the exact penny, and freeing you up from  
               carrying around loose change.  It even recognizes free  
               transfers! (Welcome to TAP <http://taptogo.net> [as of
               June 21, 2013].)

          Like electronic toll collection systems, data collected through
          the use of an ETFC system could be used to analyze a user's
          travel patterns or locational history.  One newspaper
          articulated the privacy concerns associated with the use of the
          Clipper card, an ETFC system for the San Francisco Bay Area, as
          follows:

               As the use of the Clipper card increases, what many people  
               may be unaware of is that technology in the card allows  
               local transit agencies to collect data on a passenger's  
               whereabouts and travel habits from a chip in each card. . .  
               . As riders swipe the cards to ride busses or trains, a
               unique identification number is logged.  Passengers who  
               register their card with Clipper - a process that is  
               optional but offers perks - have personal information  
               linked to the data that is collected at each fare gate they  
               enter. . . . With new technology comes major concerns over  
               privacy . . . [Just as with] FasTrak [ETC] information,  
               which could pinpoint when and where a person was driving,  
               had become so personal and specific that divorce lawyers  
               were subpoenaing the information to prove infidelity[, the]  
               very same thing could happen with public transportation . .  
               . While there have been no reports of serious infringements  
               of privacy by [transportation agencies], civil rights  
               groups warn that pervasive technology that can track the  
               movements of citizens could one day be used to track  
               political activities and personal movements.  (Brent Begin,  
               Clipping Privacy, The San Francisco Examiner, Sunday,  
               November 7, 2010, pp. 14-15.)

          This bill would extend privacy protections in existing law that  
          currently apply to ETC users and transit agencies to  
          transportation agencies and entities that employ an ETFC for the  
          payment of transit fares.

                                CHANGES TO EXISTING LAW
           
           Existing law  provides that, among other rights, all people have  
          an inalienable right to pursue and obtain privacy.  (Cal.  
          Const., art. I, Sec. 1.)

           Existing case law  permits a person to bring an action in tort  
          for the invasion of privacy, and provides that in order to state  
          a claim for violation of the constitutional right to privacy a  
          plaintiff must establish the following three elements: (1) a  
          legally protected privacy interest; (2) a reasonable expectation  
          of privacy in the circumstances; and (3) conduct by the  
          defendant that constitutes a serious invasion of privacy.  (Hill  
          v. National Collegiate Athletic Assn. (1994) 7 Cal.4th 1.)   
          Existing law recognizes four types of activities considered to  
          be an invasion of privacy giving rise to civil liability,  
          including the public disclosure of private facts.  (Id.)

           Existing law  prohibits transportation agencies, as defined, from  
          selling or otherwise providing to any other person or entity  
          personally identifiable information of any person who subscribes  
          to an electronic toll collection system or who uses a toll  
          bridge, toll lane, or toll highway that employs an electronic
          toll collection system.  (Sts. & Hy. Code Sec. 31490(a).)

           Existing law  requires a transportation agency that employs an  
          electronic toll collection system to establish a privacy policy  
          regarding the collection and use of personally identifiable  
          information, and to provide to subscribers of that system a copy  
          of the privacy policy in a manner that is conspicuous and  
          meaningful, such as by providing a copy to the subscriber with  
          the transponder or other device used as an electronic toll  
          collection mechanism, or, if the system does not use a  
          mechanism, with the application materials.  (Sts. & Hy. Code  
          Sec. 31490(b).)

           Existing law  requires a transportation agency to conspicuously  
          post its privacy policy on its Internet Web site.  The policy  
          shall include, but need not be limited to, a description of the  
          following:
           - the types of personally identifiable information that is
             collected by the agency;
           - the categories of third-party persons or entities with whom
             the agency may share personally identifiable information;
           - the process by which a transportation agency notifies
             subscribers of material changes to its privacy policy;
           - the effective date of the privacy policy; and
           - the process by which a subscriber may review and request
             changes to any of his or her personally identifiable
             information.  (Sts. & Hy. Code Sec. 31490(b).)

           Existing law  permits a transportation agency, within practical  
          business and cost constraints, to store only personally  
          identifiable information of a person such as the account name,  
          credit card number, billing address, vehicle information, and  
          other basic account information required to perform account  
          functions such as billing, account settlement, or enforcement  
          activities.  All other information shall be discarded no more  
          than four years and six months after the closure date of the  
          billing cycle and the bill has been paid and all toll  
          violations, if applicable, have been resolved.  (Sts. & Hy. Code  
          Sec. 31490(c).)

           Existing law  provides that a transportation agency shall take  
          every effort, within practical business and cost constraints, to  
          purge the personal account information of an account that is  
          closed or terminated.  In no case shall a transportation agency  
          maintain personal information more than four years and six  
          months after the date an account is closed or terminated.  (Sts.
          & Hy. Code Sec. 31490(d).)

           Existing law  states that a transportation agency may make  
          personally identifiable information of a person available to a  
          law enforcement agency only pursuant to a search warrant.   
          Absent a provision in the search warrant to the contrary, the  
          law enforcement agency shall immediately, but in any event  
          within no more than five days, notify the person that his or her  
          records have been obtained and shall provide the person with a  
          copy of the search warrant and the identity of the law  
          enforcement agency or peace officer to whom the records were  
          provided.  (Sts. & Hy. Code Sec. 31490 (e)(1).)

           Existing law  permits a peace officer, when conducting a criminal  
          or traffic collision investigation, to obtain the personally  
          identifiable information of a person from a transportation  
          agency if the officer has good cause to believe that a delay in  
          obtaining this information by seeking a search warrant would  
          cause an adverse result, as specified.  (Sts. & Hy. Code Sec.  
          31490 (e)(2).)

           Existing law  permits a transportation agency to use an  
          individual's personally identifiable information for the  
          following purposes:
           - to provide aggregated traveler information derived from
             collective data that relates to a group or category of persons
             from which personally identifiable information has been
             removed;
           - to provide the license plate number of an intermodal chassis
             to the owner of the chassis for purposes of locating the
             driver of the chassis in the event the driver fails to pay the
             toll;
           - to share data with another transportation agency solely to
             comply with interoperability specifications and standards, as
             specified, regarding electronic toll collection devices and
             technologies;
           - to perform financial and accounting functions such as billing,
             account settlement, enforcement, or other financial activities
             required to operate and manage the toll facilities; and
           - to communicate about products and services offered by itself,
             a business partner, or the agency with which it contracts, to
             subscribers of the transportation agency through a contracted
             third-party vendor using personally identifiable information
             limited to the subscriber's name, address, and electronic mail
             address, provided that the transportation agency has received
             the subscriber's express written consent to receive the
             communications.  (Sts. & Hy. Code Sec. 31490 (f)-(j).)

          Existing law  prohibits a transportation agency from using a  
          nonsubscriber's personally identifiable information obtained  
          through an electronic toll collection system to market products  
          or services to that nonsubscriber, but does not prohibit a  
          transportation agency from using such information to communicate  
          about toll-related products or services in a notice of toll  
          evasion, as specified.  (Sts. & Hy. Code Sec. 31490 (k).)

           Existing law  defines "transportation agency" to mean the  
          Department of Transportation, the Bay Area Toll Authority, any  
          entity operating a toll bridge, toll lane, or toll highway  
          within the state, or any entity under contract with any of the  
          above entities.  (Sts. & Hy. Code Sec. 31490 (l).)

           Existing law  defines "electronic toll collection system" as a  
          system where a transponder, camera-based vehicle identification  
          system, or other electronic medium is used to deduct payment of  
          a toll from a subscriber's account or to establish an obligation  
          to pay a toll.  (Sts. & Hy. Code Sec. 31490 (m).)

           Existing law  defines "person" to mean any person who subscribes  
          to an electronic toll collection system or any person who uses a  
          toll bridge, toll lane, or toll road that employs an electronic  
          toll collection system.  (Sts. & Hy. Code Sec. 31490 (n).)
          
           Existing law  defines "personally identifiable information" to  
          mean any information that identifies or describes a person  
          including, but not limited to, travel pattern data, address,  
          telephone number, e-mail address, license plate number,  
          photograph, bank account information, or credit card number.   
          (Sts. & Hy. Code Sec. 31490 (o).)
           
          Existing law  provides that, in addition to any other remedies  
          provided by law, a person whose personally identifiable  
          information has been knowingly sold or otherwise provided in  
          violation of this section may bring an action to recover either  
          actual damages or two thousand five hundred dollars ($2,500) for  
          each individual violation, whichever is greater, and may also  
          recover reasonable costs and attorney's fees.  Existing law also  
          provides that a person whose personally identifiable information  
          has been knowingly sold or otherwise provided three or more  
          times in violation of this section may bring an action to  
          recover either actual damages or four thousand dollars ($4,000)  
          for each individual violation, whichever is greater, and may  
          also recover reasonable costs and attorney's fees.  (Sts. & Hy.
          Code Sec. 31490 (p).)

           Existing law  permits a transportation agency that employs an  
          electronic toll collection system to impose an administrative  
          fee on persons who use that system in an amount sufficient to  
          cover the cost of implementing this section.  (Sts. & Hy. Code  
          Sec. 31490 (r).)

           This bill  would apply the above provisions to a transportation  
          agency that employs an electronic transit fare collection  
          system, as well as to any person who subscribes to such a  
          system.

           This bill  would permit the sharing of data between  
          transportation agencies, with respect to electronic transit fare  
          collection systems, for the purpose of interoperability between  
          those agencies.

           This bill  would permit a transportation agency to communicate,  
          either directly or through a contracted third-party vendor, to  
          subscribers of an electronic toll collection system or an  
          electronic transit fare collection system about products and  
          services offered by the agency, a business partner, or the  
          entity with which it contracts for the system, using personally  
          identifiable information limited to the subscriber's name,  
          address, and electronic mail address, provided that the  
          transportation agency has received the subscriber's express  
          written or oral consent to receive the communications.

           This bill  would re-define "transportation agency" to mean the  
          Department of Transportation, the Bay Area Toll Authority, any  
          entity operating a toll bridge, toll lane, or toll highway  
          within the state, any entity administering an electronic transit  
          fare collection system and any transit operator participating in  
          that system, or any entity under contract with any of the above  
          entities.

           This bill  would re-define "electronic transit fare collection  
          system" to mean a system for issuing an electronic transit pass  
          that enables a transit passenger subscriber to use the transit  
          systems of one or more participating transit operators without  
          having to pay individual fares, where fares are instead deducted  
          from the subscriber's account as loaded onto the electronic  
          transit pass.

           This bill  would re-define "person" to mean any person who
          subscribes to an electronic toll collection or electronic  
          transit fare collection system or any person who uses a toll  
          bridge, toll lane, or toll road that employs an electronic toll  
          collection system.
          
           This bill  would re-define "personally identifiable information"  
          to mean any information that identifies or describes a person  
          including, but not limited to, travel pattern data, address,  
          telephone number, email address, license plate number,  
          photograph, bank account information, or credit card number.   
          However, "personally identifiable information" would not include  
          photographic or video footage unless that information is used  
          for purposes of assessing a toll or fare.

                                        COMMENT
           
          1.  Stated need for the bill  
          
          The author writes:
          
               A hole in SB 1268 is that it did not include electronic  
               transit fare collection systems which allow public  
               transportation users to link their checking or banking  
               account to an electronic transit pass so all they have to  
               do is tap or swipe the card to a reader and their fare is  
               automatically deducted from their account.  These systems  
               can create an even more robust profile of a subscriber's  
               everyday travels, where they got on public transportation,  
               where they got off, what time of day, how often they  
               traveled a particular route, and so forth.  AB 179 will  
               ensure that folks who subscribe to these electronic transit  
               fare collection systems will have the same privacy  
               protections that subscribers of electronic toll collection  
               systems currently enjoy.

               AB 179 extends the current privacy protections afforded to  
               users of electronic toll collection systems such as FasTrak  
               to users of electronic transit fare collection systems such  
               as the TAP Card in Los Angeles or the Clipper Card in the  
               San Francisco Bay Area.  The bill controls the use of  
               personal information that is collected and stored by  
               electronic transit fare collection systems (i.e., travel  
               pattern data, location, time of day, address, telephone  
               number, e-mail address, bank account information, credit  
               card number, etc.).

               The bill provides four significant privacy protections:
                - [p]rohibits the sale or dissemination of personal data
                  collected by transportation agencies;
                - [l]imits how long personal data can be retained;
                - [r]equires conspicuous and meaningful notice to
                  subscribers of transportation agencies' privacy policies;
                  and
                - [p]rovides a civil remedy for drivers whose personal
                  information is improperly released to recover damages,
                  reasonable costs and attorney's fees.

          2.  Protection of user privacy  

          Staff notes that the right to privacy is a fundamental right  
          protected by Section 1 of Article I of the Constitution of  
          California.  This bill builds upon that fundamental right by  
          extending existing statutory privacy protections for users of  
          electronic toll collection systems (ETC) to users of electronic  
          transit fare collection systems (ETFC).  The data and personal  
          information collected by each payment system raises similar  
          privacy concerns regarding a transit agency or third party's  
          ability to analyze this information and discern an individual  
          subscriber's locational or usage patterns.  The Privacy Rights  
          Clearinghouse, in support, states:

               AB 179 would protect the privacy of public transportation  
               patrons who use an electronic transit pass by controlling  
               the use of personal information that is collected every  
               time the pass is swiped, or tapped.  Such data elements  
               include travel patterns, location, time of day, address,  
               telephone number, bank account information, credit card  
               number, and so on.  AB 179 would extend the privacy  
               protections that users of electronic toll collection  
               systems currently enjoy to users of the TAP Card, Clipper  
               Card or any other electronic transit fare collection  
               system.

          As is required for transit agencies that operate ETC systems,  
          this bill would require ETFC operators to establish a privacy  
          policy regarding the collection and use of personally  
          identifiable information.  That policy must contain specified  
          information, including the types of personally identifiable  
          information collected by the agency, the categories of  
          third-party persons or entities with whom the agency may share  
          personally identifiable information, the process by which a  
          transportation agency notifies subscribers of material changes
          to its privacy policy, the effective date of the privacy policy,  
          and the process by which a subscriber may review and request  
          changes to any of his or her personally identifiable  
          information.

          This bill would also prohibit transportation agencies that  
          operate ETFC systems from selling or providing to third parties  
          the personally identifiable information of system patrons  
          including, but not limited to, an individual's travel pattern  
          data, address, telephone number, bank account information, or  
          credit card number.  As in existing law governing ETC operators,  
          transportation agencies operating ETFC systems would be  
          permitted to communicate with subscribers about products and  
          services offered by the agency, a business partner, or the
          entity with which it contracts for the system, by using certain  
          collected personally identifiable information, provided the  
          subscriber has given express written consent to receive such  
          communications.  This bill would slightly alter this  
          requirement, allowing subscribers to orally consent to receiving  
          these communications as well.  This bill would also apply to  
          ETFC operators the existing restriction making personally  
          identifiable information available to a law enforcement agency  
          only pursuant to a search warrant, except where a peace officer  
          who is conducting a criminal or traffic collision investigation  
          requests such information and has good cause to believe that a  
          delay in obtaining this information by seeking a search warrant  
          would cause an adverse result.

          As with ETC operators, this bill would permit a person whose  
          personally identifiable information has been knowingly sold or  
          otherwise provided in violation of the bill by an ETFC  
          transportation agency or third-party contractor to bring an  
          action to recover either actual damages or $2,500 for each  
          individual violation, whichever is greater, and reasonable costs  
          and attorney's fees.  For a person whose personally identifiable  
          information has been knowingly sold or otherwise provided three  
          or more times in violation of this bill, the statutory damages  
          amount increases to $4,000 per violation.

          3.  Video surveillance  

          Several interested parties expressed concern that the bill, as  
          introduced, would have hindered a transportation agency's  
          ability to disclose photographic or videographic information  
          collected as part of an agency's physical security system.  They  
          suggested that the breadth of personal identifying information
          covered by the bill could inadvertently impact a transportation  
          agency's ability to disclose, for example, videographic evidence  
          collected from a bus equipped with video recording devices that  
          documented an assault on a passenger or employee.  In response  
          to these concerns, the author has amended the definition of  
          "personally identifiable information" to not include  
          photographic or video footage unless that information is used  
          for purposes of assessing a toll or fare, so that if a passenger  
          were assaulted on a bus, the passenger would be able to obtain  
          copies of relevant footage from the transportation agency for  
          later use in a civil case against the assailant.

          4.  Prior opposition  

          Staff notes that several transportation agencies were opposed to  
          prior versions of this bill.  As the author explains:

               Prior to amendments taken in [the] Assembly Transportation  
               Committee, several transportation agencies were concerned  
               about the legal implications of requiring a subscriber's  
               personal identifiable information to be purged after 6  
               months.  Opponents claimed that a 6 month data retention  
               period would conflict with the 4 years statute of  
               limitations to bring suit under California's Unfair  
               Competition law (UCL), Business & Professions Code Section  
               17200 et seq.  While public entities are exempt from the  
               UCL, opponents argued that a private entity that is under  
               contract with a public transportation agency to manage a  
               toll facility, transit fare collection facility or the data  
               collected thereof, would be subject to the UCL.  While we  
               do not believe that such a private entity would be subject  
               to the UCL as they do not exercise autonomy over fines and  
               fee schedules and as such cannot engage in "unfair  
               competition" given that they work under the direction of a  
               transportation agency, we nevertheless amended the bill to  
               restore the 4.5 [year] data retention period . . .  
               established by SB 1268 (Simitian, 2010).

          The Metropolitan Transportation Commission, which was among the  
          transportation agencies in opposition, noted that "[b]ased on  
          standard accounting requirements, the timeframe it takes for a  
          toll violation to wind its way through the DMV-hold process and  
          our review of the circumstances when records dating back several  
          years have been needed to resolve disputes," the shortened data  
          retention period originally proposed "would impose unworkable  
          restrictions on the retention of account information for
          electronic transit fare collection systems."  However, following  
          the amendments taken on April 24, 2013, Metropolitan  
          Transportation Commission and the other opposed transportation  
          agencies removed their opposition to this bill.


           Support  :  American Civil Liberties Union of California; Consumer  
          Federation of California; Los Angeles County Metropolitan  
          Transportation Authority; Privacy Rights Clearinghouse

           Opposition :  None Known

                                        HISTORY
           
           Source  :  Author
           Related Pending Legislation  :  None Known

           Prior Legislation  :

          SB 1268 (Simitian, Chapter 489, Statutes of 2010) imposed  
          privacy restrictions on transportation agencies, such as the  
          California Department of Transportation, the Bay Area Toll  
          Authority, and any entity that operates a toll bridge, lane, or  
          highway, by prohibiting these entities from selling, or  
          providing to any other person, the personally identifiable  
          information of either subscribers of an electronic toll  
          collection system or anyone who uses a toll bridge, lane, or  
          highway that utilizes an electronic toll collection system,  
          except as provided.  This bill also required these entities to  
          provide a privacy policy to subscribers, as specified.

          AB 539 (Williams, 2011) would have permitted a transportation  
          agency or its designee to share certain data regarding a  
          vehicle's use of toll facilities with another transportation  
          agency, whether in the state or not, solely as part of a  
          nationwide interoperability toll collection program.  This bill  
          died in the Senate Committee on Transportation and Housing.

           Prior Vote  :

          Assembly Transportation Committee (Ayes 16, Noes 0)
          Assembly Appropriations Committee (Ayes 16, Noes 0)
          Assembly Floor (Ayes 70, Noes 1)
          Senate Transportation and Housing Committee (Ayes 10, Noes 0)
