BILL ANALYSIS �
SENATE JUDICIARY COMMITTEE
Senator Ellen M. Corbett, Chair
2009-2010 Regular Session
SB 1268 (Simitian)
As Amended April 5, 2010
Hearing Date: April 13, 2010
Fiscal: Yes
Urgency: No
SK:jd
SUBJECT
Toll Bridges, Lanes, and Highways: Electronic Toll Collection
Mechanisms:
Disclosure of Personal Information
DESCRIPTION
This bill would impose privacy restrictions on transportation
agencies, such as the California Department of Transportation
(Caltrans), the Bay Area Toll Authority, and any entity that
operates a toll bridge, lane, or highway. Specifically, this
bill would prohibit these entities from selling, or providing to
any other person, the personally identifiable information of
either subscribers of an electronic toll collection system or
anyone who uses a toll bridge, lane, or highway that utilizes an
electronic toll collection system. This bill would specify
several exceptions to this prohibition and include a
privacy-policy notice requirement to subscribers, as specified.
BACKGROUND
Existing law authorizes the use of automatic vehicle
identification systems for toll collection. Systems such as
FasTrak have gained popularity with motorists who subscribe in
order to prepay tolls and avoid a stop at the toll plaza. The
FasTrak Web site describes the system, "As your vehicle enters
the toll lane, the toll tag (1) that is mounted on your
vehicle's windshield is read by the antennae (2). As your
vehicle passes through, your FasTrak account is charged the
proper amount. Feedback is provided to you on an electronic
display (3). If your vehicle does not have a toll tag, the
system classifies you as a violator and cameras take photos of
(more)
�
SB 1268 (Simitian)
Page 2 of ?
your vehicle and your license plate for processing." According
to the Metropolitan Transportation Commission, the only
information stored on the FasTrak tag is the tag number; there
is no customer personal information stored on the actual tag.
Instead, that information is stored at the FasTrak customer
service center.
Systems such as FasTrak track subscriber usage and account
balance. They also have the ability to track information such
as location and speed of the vehicle, time of day, and other
personal information. As noted above, electronic toll systems
may capture photos of vehicles and license plates in order to
identify toll violators. As a result, transportation agencies
that operate these systems may collect and store significant
amounts of personal information about California's motorists.
Some transportation agencies that use automatic vehicle location
technology to monitor traffic flow and collect tolls have
privacy policies that mirror closely some of the provisions of
this bill, but the author notes that these policies can vary
among transportation agencies. In order to address these
concerns and ensure that personally identifiable information
collected using electronic toll collection systems is not
inappropriately used for marketing purposes, this bill would
impose various privacy restrictions on transportation agencies
that use electronic toll collection systems.
This bill was approved by the Transportation and Housing
Committee on April 6, 2010 by a vote of 8-0.
CHANGES TO EXISTING LAW
Existing law provides that, among other rights, all people have
an inalienable right to pursue and obtain privacy. (Cal.
Const., art. I, Sec. I.)
Existing law , the Information Practices Act (IPA), imposes
limitations on state agencies' collection and disclosure of
personal information and specifically declares that the right to
privacy is a personal and fundamental right and that all
individuals have a right of privacy in information pertaining to
them. (Civ. Code Sec. 1798.1.) The IPA also provides that an
individual's name and address may not be distributed for
commercial purposes, sold, or rented by an agency unless such
action is specifically authorized by law. (Civ. Code Sec.
1798.60.) The IPA applies to state agencies such as Caltrans,
but does not apply to transportation agencies or other local
�
SB 1268 (Simitian)
Page 3 of ?
entities. (Civ. Code Sec. 1798.3.)
Existing law provides that Caltrans has exclusive jurisdiction
to grant franchises, privileges, or licenses for the
construction or operation of toll bridges, toll roads, and toll
ferries and for the taking and keeping of tolls from the
bridges, roads, and ferries situated wholly or in part within
the state. (Sts. & Hy. Code Sec. 30800.)
Existing law permits Caltrans to fix the rate of tolls and to
make orders and prescribe rules and regulations concerning toll
roads, toll bridges, or toll ferries. (Sts. & Hy. Code Secs.
30803, 30807.)
Existing law permits the use of automatic vehicle identification
systems for toll collection. (Sts. & Hy. Code Sec. 27564.)
This bill would prohibit transportation agencies, including
Caltrans, the Bay Area Toll Authority, and any entity that
operates a toll bridge, lane, or highway, from selling, or
providing to any other person, the personally identifiable
information of either: (1) subscribers of an electronic toll
collection system; or (2) anyone who uses a toll bridge, lane,
or highway that utilizes an electronic toll collection system.
This bill would specify that such personally identifiable
information includes, but is not limited to, an individual's
travel pattern data, address, telephone number, bank account
information, or credit card number.
This bill would require a transportation agency that uses an
electronic toll collection system to establish a privacy policy
concerning the collection and use of personally identifiable
information and to provide a copy of that policy to subscribers
in a manner that is conspicuous and meaningful. This bill would
require that the policy include the following:
1. the types of personally identifiable information collected by
the agency;
2. the categories of third-party persons or entities with whom
the agency may share personally identifiable information;
3. the process by which a transportation agency notifies
subscribers of material changes to its privacy policy;
4. the effective date of the privacy policy; and
5. the process by which a subscriber may review and request
changes to any of his or her personally identifiable
information.
�
SB 1268 (Simitian)
Page 4 of ?
This bill would permit a transportation agency, within practical
business and costs constraints, to store an individual's
personally identifiable information such as account name, credit
card number, billing address, vehicle information, and other
basic account information required to perform functions such as
billing, account settlement, or enforcement activities. All
other information must be discarded six months after the closure
date of the billing cycle or 60 days after the bill has been
paid, whichever occurs last.
This bill would require a transportation agency to take every
effort, within practical business and costs constraints, to
purge the personal account information within 60 days after the
date the account is closed or terminated. This bill would
provide that in no case may a transportation agency maintain
personal information more than 150 days after an account is
closed or terminated.
This bill would provide that a transportation agency may only
make personally identifiable information available to a law
enforcement agency pursuant to a search warrant. Absent a
provision in the search warrant to the contrary, this bill would
require law enforcement to immediately, but not more than 15
days, notify the individual that his or her records have been
obtained by law enforcement. Law enforcement would further be
required to provide the individual a copy of the search warrant
and the identity of the law enforcement agency or peace officer
to whom the records were provided.
This bill would permit a peace officer, when conducting a
criminal or traffic collision investigation, to obtain an
individual's personally identifiable information if the officer
has good cause to believe that a delay in obtaining the
information by seeking a search warrant would result in imminent
danger to the health or safety of a member of the public. In
this case, this bill would require the peace officer to provide
the transportation agency with a written statement describing
the basis for the good-cause belief and also provide the
individual with notice, immediately or within no more than 15
days, that his or her information was obtained.
This bill would not prohibit a transportation agency from
providing aggregated traveler information where all personally
identifiable information has been removed.
�
SB 1268 (Simitian)
Page 5 of ?
This bill would permit a transportation agency to share data
with another agency solely to comply with interoperability
specifications and standards concerning electronic toll
collection devices and technologies.
This bill would permit a transportation agency to communicate
exclusively with subscribers about its transportation-related
products and services on behalf of itself or the agency with
which it contracts through a contracted third-party vendor using
personally identifiable information limited to the subscriber's
name, address, and electronic mail address. This bill would
require that each communication must contain a clear and
conspicuous notice and instructions to the subscriber about the
process for terminating any such future communications.
This bill would define "electronic toll collection system" to
mean a system where a transponder, camera-based vehicle
identification system, or other electronic medium is used to
deduct payment of a toll from a subscriber's account or to
establish an obligation to pay a toll.
This bill would provide that, in addition to any other remedies
provided by law, a person whose personally identifiable
information has been knowingly sold or otherwise provided in
violation of the bill may bring an action to recover either
actual damages or $2,500 for each individual violation,
whichever is greater, and reasonable costs and attorney's fees.
COMMENT
1. Stated need for the bill
The author writes:
This bill is intended to protect the privacy of motorists in
California by controlling the use of personal information that
is collected and stored by electronic toll collection systems
. . . Existing restrictions on information sharing and sales
are policy-based and vary between transportation agencies. SB
1268 will assure that these privacy protections are codified
in statute and extended to all transportation agencies that
have, or may acquire, electronic data-collection technologies.
. . . MTC [the Metropolitan Transportation Commission] has
implemented its TravInfo 511 system which allows drivers to
dial 5-1-1 from their telephone to hear free up-to-the-minute
�
SB 1268 (Simitian)
Page 6 of ?
traffic information. A crucial part of this system is a
website to provide commuters with real-time traffic
information . . . The system relies on an elaborate
data-gathering network that MTC and Caltrans have been
installing along area freeways in recent years. 511 is able
to provide real-time traffic information by monitoring the
speed and location of drivers equipped with FasTrak devices as
they move past strategically placed meters. MTC reports that
the data is encrypted for anonymity and discarded daily, with
no historical database being maintained.
While helpful to motorists looking for the quickest or easiest
possible route to their destinations, the additional use of
FasTrak devices originally purchased for electronic payment of
tolls on bridges and toll roads, begs the question of driver
privacy. There is a legitimate concern that information
originally collected for FasTrak uses (i.e. location, speed,
time of day, license plate number, make/model of vehicle, home
address, etc.) could be disseminated to other companies or
organizations for marketing purposes.
Privacy Rights Clearinghouse writes in support of the bill,
stating:
Subscriber privacy has further been put in jeopardy due to
storage of subscriber information, including travel pattern
data and toll transactions, for indefinite periods of time by
transportation agencies. The stored data include information
on accounts that have closed and tickets that have been
resolved for years. This creates data-rich files on all
subscribers, which could then be accessed by third-parties
without the permission of the subscriber. SB 1268 would
remedy this unnecessary amassing of subscriber data by
creating clear guidelines for data retention and data
destruction.
2. Bill would require privacy policy and related notice
This bill would require that a transportation agency that uses
an electronic toll collection system establish a privacy policy
regarding the collection and use of personally identifiable
information. That policy must be provided to individuals who
subscribe to the system in a manner that is conspicuous and
meaningful. The policy must also include specified information,
including the types of personally identifiable information
collected by the agency, the categories of third-party persons
�
SB 1268 (Simitian)
Page 7 of ?
or entities with whom the agency may share personally
identifiable information, the process by which a transportation
agency notifies subscribers of material changes to its privacy
policy, the effective date of the privacy policy, and the
process by which a subscriber may review and request changes to
any of his or her personally identifiable information.
This bill's requirements concerning the content of the privacy
policy track existing Business and Professions Code Section
22575, added by the author's AB 68 (Simitian, Ch. 829, Stats.
2003), which imposes requirements on commercial Web site
operators and online services that collect personally
identifiable information about California residents. In
addition, these requirements appear to be consistent with some
transportation agencies use of subscribers' personal
information. For example, FasTrak's privacy policy describes
all of the elements required by this bill.
a. Manner in which the privacy policy is provided to
subscribers
This bill would require that the agency's privacy policy be
provided to subscribers "in a manner that is conspicuous and
meaningful." This phrase is not defined, however, and in
order to ensure that a subscriber is provided this important
information, the author has agreed to amend the bill to
require that a paper copy of the privacy policy be included
with the transponder or other electronic toll collection
mechanism when it is provided to the subscriber.
Suggested amendment:
On page 2, line 27, after "meaningful" insert "including by
providing a copy to the subscriber with the electronic toll
collection mechanism, such as a transponder or other device
or, if the system does not use a mechanism, with the
application materials."
b. Ensuring users of toll bridges and roads are provided
notice of the agency's privacy policy
Although the privacy protections contained in this bill apply
to individuals who subscribe to an electronic toll system as
well as users of toll bridges and roads, the privacy-policy
notice requirement applies only to subscribers to the system.
As a result, the bill requires only that subscribers be
provided a copy of the privacy policy, but not users of the
�
SB 1268 (Simitian)
Page 8 of ?
toll bridges and roads. In order to ensure that users of
those bridges and roads receive sufficient notice of how the
agency collects and uses personally identifiable information,
the author has agreed to amend the bill to require that the
privacy policy be posted on the homepage of the agency's
Internet Web site.
Suggested amendment:
On page 2, line 27, after the period, insert "A
transportation agency shall conspicuously post its privacy
policy on its Internet Web site. For purposes of this
section, "conspicuously post" has the same meaning as that
term is defined in Section 22577(b)(1)-(4) of the Business
and Professions Code."
3. Personally identifiable information
This bill would prohibit transportation agencies that operate
electronic toll collection systems from selling or providing
personally identifiable information including, but not limited
to, an individual's travel pattern data, address, telephone
number, bank account information, or credit card number.
Although this list is not intended to be exhaustive, it does
omit a few items of personally identifiable information which
appear to be collected by some transportation agencies. For
example, the FasTrak system collects other personal information
such as email address, license plate number, and "other
information that personally identifies a FasTrak user." In
order to ensure that an individual's personally identifiable
information is protected, the author has agreed to amend the
bill to insert a definition of "personally identifiable
information" in the bill.
Suggested amendment:
On page 2, beginning on line 8, strike ", including, but not
limited to, travel pattern data, address, telephone number,
bank account information, or credit card number,"
On page 6, insert a new subdivision (n) to read: "(n) For
purposes of this section, "personally identifiable
information" means any information that identifies or
describes a person, including, but not limited to, travel
pattern data, address, telephone number, email address,
�
SB 1268 (Simitian)
Page 9 of ?
license plate number, photograph, bank account information, or
credit card number."
4. Communications for transportation-related products and
services
a. Marketing to users of toll bridges and roads
Under this bill, a transportation agency would be permitted to
communicate exclusively with its subscribers about its
transportation-related products and services "on behalf of
itself or the agency with which it contracts" through a
contracted third-party vendor using personally identifiable
information limited to the subscriber's name, address, and
electronic mail address. This provision applies only to
subscribers, but not to users of toll bridges and roads. In
the event that the transportation agency captures a user's
license plate, however, the agency is able, through the
Department of Motor Vehicles, to obtain personally
identifiable information (such as name and address) about the
user. These users do not have a subscription-based
relationship with the agency, however, and it is arguably
inappropriate to permit marketing to these individuals. As a
result, the author has agreed to amend the bill to prohibit
marketing to users of toll bridges and roads.
�
SB 1268 (Simitian)
Page 10 of ?
Suggested amendment:
Add a new subdivision (k) to read:
A transportation agency may not use a non-subscriber's
personally identifiable information obtained using an
electronic toll collection system to market products or
services to that non-subscriber.
b. Marketing to subscribers of an electronic toll
collection system
This bill currently requires that each communication must
contain a clear and conspicuous notice and instructions to the
subscriber about the process for terminating any future
communications. This language is intended to provide
subscribers with the ability to opt-out of marketing
communications, but it inadvertently does not contain a
substantive requirement that transportation agencies offer the
opportunity to opt-out of future communications. In order to
address this issue, the bill should be amended to actually
contain such a requirement.
Suggested amendment:
On page 5, line 5, after the period, insert "A
transportation agency shall provide a person who receives a
communication pursuant to this subdivision with an
opportunity to opt-out of future communications and shall
establish a process for terminating those future
communications."
In the alternative, however, because an opt-in requirement is
more protective of a subscriber's privacy because it requires
that the subscriber consent to the marketing before it occurs,
the Committee may wish to amend the bill to instead subject
this marketing to an opt-in. The following amendments would
accomplish this:
Suggested amendments:
On page 5, line 5, after "address" insert "provided that
the transportation agency has received the subscriber's
express written consent to receive such communications"
On page 5, line 5, delete "Each communication shall
�
SB 1268 (Simitian)
Page 11 of ?
contain a clear and conspicuous notice and instructions to
the subscriber regarding the process for terminating any
future communication about a transportation-related product
or service."
�
SB 1268 (Simitian)
Page 12 of ?
c. Transportation-related products and services
As noted above, this bill would allow a transportation agency
to communicate exclusively with its subscribers about its
transportation-related products and services "on behalf of
itself or the agency with which it contracts" through a
contracted third-party. This language is intended to capture
instances where an agency wishes to inform subscribers about
products and services regarding toll collection, such as a new
manner for payment. The author has agreed to amend the bill
to make clear that the communications sent by the
transportation agency relate to products and services that are
offered by the agency in relation to the electronic toll
system.
Suggested amendment:
On page 4, line 40, delete "transportation" and insert
"toll"
On page 5, line 1, strike "on behalf of" and insert "offered
by"
On page 5, line 8, delete "transportation" and insert "toll"
5. Penalties
This bill would permit a person whose personally identifiable
information has been knowingly sold or otherwise provided in
violation of the bill to bring an action to recover either
actual damages or $2,500 for each individual violation,
whichever is greater, and reasonable costs and attorney's fees.
As introduced, this bill would have also provided for penalties
in the case where a transportation agency knowingly sold or
otherwise provided a person's personally identifiable
information three or more times in violation of the bill.
Although this provision was intended to contain graduated
penalties, it did not and the most recent amendments to the bill
delete this section. Graduated penalty structures help to
encourage compliance and provide a deterrent to violations. It
is arguably appropriate to include a graduated penalty structure
in this instance where transportation agencies using electronic
toll collection systems hold significant personal information
about motorists, including location information. As a result,
the author has agreed to amend the bill so that this provision
is reinserted and the penalties for three or more violations be
�
SB 1268 (Simitian)
Page 13 of ?
increased to $4,000.
Suggested amendment:
On page 6, on line 15 insert "(2) A person whose personally
identifiable information has been knowingly sold or otherwise
provided three or more times in violation of this section may
bring an action to recover either actual damages or four
thousand dollars ($4,000) for each individual violation,
whichever is greater, and may also recover reasonable costs
and attorney's fees."
6. Personally identifiable information may be disclosed pursuant
to a search warrant
Under this bill, a transportation agency may only make
personally identifiable information available to a law
enforcement agency pursuant to a search warrant. A peace
officer who is conducting a criminal or traffic collision
investigation could obtain an individual's personally
identifiable information if the officer has good cause to
believe that a delay in obtaining the information by seeking a
search warrant would result in imminent danger to the health or
safety of a member of the public. In both cases, notice must be
provided to the individual "immediately, but not more than 15
days." A 15-day timeframe is arguably too lengthy and so the
author has agreed to amend the bill to require that notification
be given immediately, but in no event within more than five
days. In addition, amendments are necessary to tighten up the
search warrant provision.
Suggested amendment:
On page 3, line 24, after "may" insert "only"
On page 3, line 28, strike "not more than 15 days" and insert
"in no event within more than five days"
On page 4, line 8, strike "within no more than 15 days" and
insert "but in no event within more than five days"
7. Interaction with existing agreements
This bill would require a transportation agency to take every
effort, within practical business and cost constraints, to purge
personal account information within 60 days after the date the
�
SB 1268 (Simitian)
Page 14 of ?
account is closed or terminated. This bill would provide that
in no case may a transportation agency maintain personal
information more than 150 days after an account is closed or
terminated. Some transportation agencies have raised concerns
about the proscriptions on data retention contained in this
bill. For example, according to the Orange County
Transportation Authority, as a result of a lawsuit, it and the
Transportation Corridor Agencies are required to retain
information for five years. The author's office notes, however
that the five-year retention requirement appears to apply to
documents, not data and only to those documents relating to toll
violations, not non-violators.
8. Suggested technical and clarifying amendments
The author has agreed to the following amendments to clarify the
language of the bill:
On page 2, line 28, after "to," insert "a description of"
Support : American Civil Liberties Union; Electronic Frontier
Foundation; Privacy Rights Clearinghouse
Opposition : None Known
HISTORY
Source : Author
Related Pending Legislation : None Known
Prior Legislation : AB 198 (Nation, 2003), which was
substantially similar to this bill, was gutted and amended to
deal with an unrelated subject matter.
Prior Vote : Senate Transportation and Housing Committee (Ayes
8, Noes, 0)
**************