Aug 31, 2010California has been issuing RFID transponders for electronic toll collection since 1993, when the San Joaquin Hills and Foothill/Eastern Transportation Corridor Agencies (TCA), which manage Orange County's 67-mile public toll-road system, deployed the technology on the Foothills Toll Road. Currently, more than 2 million drivers across the state carry FasTrak transponders in their vehicles, in order to bypass long lines at tollbooths (the system deducts a toll from a user's account each time an RFID reader mounted at a toll booth reads the tag of that person's car). And the San Joaquin Hills and Foothill/Eastern agencies are just two of many transportation organizations that use the tags for electronic toll collection. No current California laws govern how such agencies are to handle the personally identifiable data linked to each FasTrak account, but the state's legislature recently passed a bill, known as SB 1268, that sets down minimal requirements to ensure that a driver's private data is protected.
California's governor, Arnold Schwarzenegger, now has until Sept. 30 to sign the bill into law. While his office spokespeople say the governor has yet to take a position regarding the bill, he did approve a previous bill related to RFID technology, SB 31, in 2008, making it illegal to surreptitiously read (or "skim") RFID tags embedded in identity documents, while vetoing another measure, SB 29, that would have required schools to acquire parental consent before issuing RFID-enabled identity cards to students (see Schwarzenegger Signs Anti-Skimming RFID Measure But Vetoes Bill on School IDs).
SB 1268 would prohibit transit agencies from selling or providing personally identifiable information linked to a FasTrak account to a third party. The bill would also require that all transit agencies that read FasTrak tags establish a privacy policy regarding personally identifiable information linked to such accounts, and to provide the policy to subscribers and also post it on their Web sites. What's more, it would set a four-and-a-half year limit on the length of time that agencies could store account data after an account has been closed and all toll violations have been paid.
"Stripped down to its bare essence, this bill says, 'Let's not sell or share travel info. Let's respect drivers' locational privacy, and let's not keep [their] data into perpetuity,'" says California Senator Joe Simitian, who authored SB 1268, as well as the SB 29 and SB 31 bills introduced in 2008. If Governor Schwarzenegger signs SB 1268, Simitian believes the state will be the first in the United States to adopt such legislation.
To date, Simitian says, no privacy infringements linked to transit agencies reading FasTrak tags—which transmit a unique ID number linked to the account holder's name, contact information and debit account—have occurred. However, he notes, without legal guidelines, the potential for such violations exists. "One scenario," he says, "would be that a transit agency sells some information to Bob's Bar and Grill, and then you start getting advertisements for specials at the restaurant," because FasTrak could show that you drive by that establishment daily.
Simitian says he penned the bill so that the agencies that collect FasTrak data—which include the California Department of Transportation, the Bay Area Toll Authority (BATA), the TCA and any other entity operating a toll bridge, toll lane or toll highway within the state, or any entity under contract with any of the above entities—would be required to follow consistent rules that lay out a minimum requirement for how long FasTrak transaction data can be stored on the various agencies' computer systems.
The Bay Area Toll Authority manages the administration of the tolling system on the seven state-owned bridges spanning the San Francisco Bay (the Golden Gate Bridge, Highway and Transportation District, which also employs FasTrak for toll collection, owns the Golden Gate Bridge).
"We do not have any problem with this piece of legislation," Rentschler says in regard to SB 1268. "Privacy and customer service are our two priorities, and we want to err on the side of privacy." However, he notes, if the bill passes, BATA would need to purge the information it has stored on closed accounts. "In the past, we have not destroyed data. We archived it, simply because it was easier to close and leave than to have a process to destroy it. Plus, by storing it, people were able to later reopen the account."
The San Joaquin Hills and Foothill/Eastern agencies are neutral on the bill in its current form, says Barbara Daly, the government affairs manager for the TCA. "We opposed the bill initially, because it called for destroying account data 60 days after an account was closed," she states, explaining that it sometimes takes more than that amount of time to collect late payments after an account has been closed.
The two TCA members will also need to revise their privacy statements in order to clarify how they will handle personally identifiable data, Daly says, but this is something they were planning to do anyway.
