(a) Except as otherwise provided in this section, a transportation agency may not sell or otherwise provide to any other person or entity personally identifiable information of any person who subscribes to an electronic toll or electronic transit fare collection system or who uses a toll bridge, toll lane, or toll highway that employs an electronic toll collection system.
(b) A transportation agency that employs an electronic toll collection or an electronic transit fare collection system shall establish a privacy policy regarding the collection and use of personally identifiable information and provide to subscribers of that system a copy of the privacy policy in a manner that is conspicuous and meaningful, such as by providing a copy to the subscriber with the transponder, electronic transit pass, or other device used as an electronic toll or transit fare collection mechanism, or, if the system does not use a mechanism, with the application materials. A transportation agency shall conspicuously post its privacy policy on its Internet Web site. For purposes of this subdivision, “conspicuously post” has the same meaning as that term is defined in paragraphs (1) to (4), inclusive, of subdivision (b) of Section 22577 of the Business and Professions Code. The policy shall include, but need not be limited to, a description of the following:
(1) The types of personally identifiable information that is collected by the agency.
(2) The categories of third-party persons or entities with whom the agency may share personally identifiable information.
(3) The process by which a transportation agency notifies subscribers of material changes to its privacy policy.
(4) The effective date of the privacy policy.
(5) The process by which a subscriber may review and request changes to any of his or her personally identifiable information.
(c) A transportation agency may, within practical business and cost constraints, store only personally identifiable information of a person such as, to the extent applicable, the account name, credit card number, billing address, vehicle information, and other basic account information required to perform account functions such as billing, account settlement, or enforcement activities. All other information shall be discarded no more than four years and six months after the billing cycle has concluded, the bill has been paid, and all toll or fare violations, if applicable, have been resolved.
(d) A transportation agency shall make every effort, within practical business and cost constraints, to purge the personal account information of an account that is closed or terminated. In no case shall a transportation agency maintain personal information more than four years and six months after the date an account is closed or terminated.
(e) (1) A transportation agency may make personally identifiable information of a person available to a law enforcement agency only pursuant to a search warrant. Absent a provision in the search warrant to the contrary, the law enforcement agency shall immediately, but in any event within no more than five days, notify the person that his or her records have been obtained and shall provide the person with a copy of the search warrant and the identity of the law enforcement agency or peace officer to whom the records were provided.
(2) This section does not prohibit a peace officer, as defined in Section 830.1 or 830.2 of the Penal Code, when conducting a criminal or traffic collision investigation, from obtaining personally identifiable information of a person if the officer has good cause to believe that a delay in obtaining this information by seeking a search warrant would cause an adverse result, as defined in subparagraphs (A) to (E), inclusive, of paragraph (2) of subdivision (a) of Section 1524.2 of the Penal Code.
(f) This section does not prohibit a transportation agency in subdivision (a) from providing aggregated traveler information derived from collective data that relates to a group or category of persons from which personally identifiable information has been removed.
(g) This section does not prohibit a transportation agency, with respect to an electronic toll collection system, from providing the license plate number of an intermodal chassis to the owner of the chassis for purposes of locating the driver of the chassis in the event the driver fails to pay a toll.
(h) This section, with respect to an electronic toll collection system, does not prohibit a transportation agency from sharing data with another transportation agency solely to comply with interoperability specifications and standards adopted pursuant to Section 27565 regarding electronic toll collection devices and technologies. A third-party vendor may not use personally identifiable information obtained under this subdivision for a purpose other than described in this subdivision.
(i) Subdivision (d) shall not prohibit a transportation agency, or its designee, from performing financial and accounting functions such as billing, account settlement, enforcement, or other financial activities required to operate and manage the electronic toll collection system or transit fare collection system. This section, with respect to electronic transit fare collection systems, does not prohibit the sharing of data between transportation agencies for the purpose of interoperability between those agencies. A third-party vendor may not use personally identifiable information obtained under this subdivision for a purpose other than as described in this subdivision.
(j) This section does not prohibit a transportation agency from communicating, either directly or through a contracted third-party vendor, to subscribers of an electronic toll collection system or an electronic transit fare collection system about products and services offered by, the agency, a business partner, or the entity with which it contracts for the system, using personally identifiable information limited to the subscriber’s name, address, and electronic mail address, provided that the transportation agency has received the subscriber’s express written consent to receive the communications.
(k) A transportation agency may not use a nonsubscriber’s personally identifiable information obtained using an electronic toll collection or electronic transit fare collection system to market products or services to that nonsubscriber. This subdivision shall not apply to toll-related products or services contained in a notice of toll evasion issued pursuant to Section 23302 of the Vehicle Code.
(l) For purposes of this section, “transportation agency” means the Department of Transportation, the Bay Area Toll Authority, any entity operating a toll bridge, toll lane, or toll highway within the state, any entity administering an electronic transit fare collection system and any transit operator participating in that system, or any entity under contract with any of the above entities.
(m) For purposes of this section, “electronic toll collection system” is a system where a transponder, camera-based vehicle identification system, or other electronic medium is used to deduct payment of a toll from a subscriber’s account or to establish an obligation to pay a toll, and “electronic transit fare collection system” means a system for issuing an electronic transit pass that enables a transit passenger subscriber to use the transit systems of one or more participating transit operators without having to pay individual fares, where fares are instead deducted from the subscriber’s account as loaded onto the electronic transit pass.
(n) For purposes of this section, “person” means any person who subscribes to an electronic toll collection or electronic transit fare collection system or any person who uses a toll bridge, toll lane, or toll road that employs an electronic toll collection system.
(o) For purposes of this section, “personally identifiable information” means any information that identifies or describes a person including, but not limited to, travel pattern data, address, telephone number, email address, license plate number, photograph, bank account information, or credit card number. For purposes of this section, with respect to electronic transit fare collection systems, “personally identifiable information” does not include photographic or video footage.
(p) For purposes of this section, “interoperability” means the sharing of data, including personally identifiable information, across multiple transportation agencies for the sole purpose of creating an integrated transit fare payment system, integrated toll payment system, or both.
(q) (1) In addition to any other remedies provided by law, a person whose personally identifiable information has been knowingly sold or otherwise provided in violation of this section may bring an action to recover either actual damages or two thousand five hundred dollars ($2,500) for each individual violation, whichever is greater, and may also recover reasonable costs and attorney’s fees.
(2) A person whose personally identifiable information has been knowingly sold or otherwise provided three or more times in violation of this section may bring an action to recover either actual damages or four thousand dollars ($4,000) for each individual violation, whichever is greater, and may also recover reasonable costs and attorney’s fees.
(r) Nothing in subdivisions (c) and (d) shall preclude compliance with a court order or settlement agreement that has been approved on or before April 25, 2010.
(s) A transportation agency that employs an electronic toll collection or electronic transit fare collection system may impose an administrative fee on persons who use those systems in an amount sufficient to cover the cost of implementing this section.
(Amended by Stats. 2013, Ch. 375, Sec. 3. (AB 179) Effective January 1, 2014.)