BILL ANALYSIS �
Senate Appropriations Committee Fiscal Summary
Senator Christine Kehoe, Chair
1268 (Simitian)
Hearing Date: 05/27/2010 Amended: 05/19/2010
As proposed to be amended
Consultant: Jacqueline Wong-HernandezPolicy Vote: T&H 8-0,
Judiciary 3-1
_________________________________________________________________
____
BILL SUMMARY: SB 1268 prohibits, with some exceptions, a
transportation agency from selling or otherwise providing
personally identifiable information of a person who subscribes
to an electronic toll collection system or who uses a toll
facility that employs such system and establishes time periods
up to which an agency may retain that information. This bill
would specify several exceptions to this prohibition and include
a privacy-policy notice requirement to subscribers, as
specified. This bill authorizes local transportation authorities
to charge a fee to electronic toll collection system users
recover the costs of implementing these provisions. This bill
also provides that a transportation agency may only make
personally identifiable information available to a law
enforcement agency pursuant to a search warrant, with specified
exceptions and notification requirements.
_________________________________________________________________
____
Fiscal Impact (in thousands)
Major Provisions 2010-11 2011-12
2012-13 Fund
User privacy protections
Prohibits sales/sharing $0
$0 $0 Local*
Retention restrictions Unknown potential
costs, recovered by fees Local*
*Transit authorities
_________________________________________________________________
____
STAFF COMMENTS:
This bill places new requirements on entities that administer
�
electronic toll collection systems, which are primarily local
transit authorities. Fee authority is provided in the bill to
allow any transportation agency affected by this bill to charge
fees to electronic toll collection system users to recover the
costs of implementing the privacy protections afforded by this
bill.
Transportation agencies would be prohibited from selling or
otherwise providing to any other person or entity personally
identifiable information of any person who subscribes to an
electronic toll collection system or who uses a toll bridge,
toll lane, or toll highway that employs an electronic toll
collection system. CalTrans is already statutorily prohibited
from selling consumer information it retains, and local transit
authorities have indicated that they do not sell or share users'
personally identifiable information.
This bill would require a transportation agency that uses an
electronic toll collection system to establish a privacy policy
concerning the collection and use of personally identifiable
information, and to post the policy on its website. The privacy
policy must include: 1) The types of personally identifiable
information collected by the agency;
Page 2
SB 1268 (Simitian)
2) the categories of third-party persons or entities with whom
the agency may share personally identifiable information; 3) the
process by which a transportation agency notifies subscribers of
material changes to its privacy policy; 4) the effective date of
the privacy policy; and 5) the process by which a subscriber may
review and request changes to any of his or her personally
identifiable information.
This bill would further require that transportation agencies
"within practical business and cost constraints," store only
personally identifiable information of a person such as the
account name, credit card number, billing address, vehicle
information, and other basic account information required to
perform account functions such as billing, account settlement,
or enforcement activities. All other information must be
discarded six months after the closure date of the billing cycle
or 60 days after the bill has been paid, whichever occurs last.
Additionally, this bill provides that a transportation agency
shall "within practical business and cost constraints," purge
the personal account information of an account within 60 days
�
after the date the account is closed or terminated.
The cost of purging information will vary by transportation
agency, and depend largely on the agency's data system. For more
advanced, modern systems, purging specified information should
be a relatively simple process addition to the computer system.
For antiquated systems, a new platform maybe need to be
constructed to allow for continual purging, based on activity
dates. In either case, this bill allows fees to be charged to
electronic toll system users to cover the cost of implementing
this bill. Because the bill employs subjective language stating
the requirement is for the tasks to be completed "within
practical business and cost constraints", it is unclear whether
expensive system fixes would be able to be enforced.
The bill provides for civil penalties and civil actions against
an entity that sells a user's personally identifiable
information that is protected by these provisions.
The proposed amendments would: 1) Indicate that obligation to
discard specified personally identifiable information would
begin on July 1, 2011; 2) specify that transportation agencies
are not prohibited from communicating about products and
services offered by itself, a business partner, or the agency
with which it contracts, to subscribers of the transportation
agency through a contracted third-party vendor using personally
identifiable information limited to the subscriber's name,
address, and electronic mail address, provided that the
transportation agency has received the subscriber's express
written consent to receive the communications; 3) clarify that
the provision prohibiting a transportation agency from using a
nonsubscriber's personally identifiable information obtained
using an electronic toll collection system to market products or
services to that nonsubscriber shall not apply to toll-related
products or services contained in a notice of toll evasion
issued pursuant to Section 23302 of the Vehicle Code; and 4)
make non-substantive, technical changes to the bill.