Liability of Transportation Entity for the Unintentional Release of Secure Data or the Intentional Release of Monitoring Data on Movements or Activities of the Public (2016)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

28 officers were acting in good faith because their “inves- tigatory stops [were] based on reasonable, articulable suspicion [that] do not violate state constitutional law principles.”404 The officers were not liable for an intentional infliction of emotional distress, because their actions were not intentional, and the plaintiff did not allege or prove any physical harm or genuine and serious mental distress.405 In 1996, the New York Court of Appeals held in Brown v. State406 that “a cause of action to recover damages may be asserted against the State for a violation of the Equal Protection and Search and Seizure Clauses of the Constitution.”407 In Brown, an elderly woman had been attacked near a college campus by someone described as a black male.408 To assist the police with their investigation, the univer- sity provided the state police and campus police with the name and address of every black male attending the university.409 When questioning stu- dents, the state and local police stopped and inter- rogated every nonwhite male that they encountered during a 5-day period.410 The incident led to a class action on behalf of the nonwhite males who were stopped and interrogated, who alleged that the actions of the police were unconstitutional.411 Fol- lowing the precedent set in Bivens, the court held that there was an implied right of action: “implying a damage remedy here is consistent with the pur- pose underlying the duties imposed by these provi- sions and is necessary and appropriate to ensure the full realization of the rights they state.”412 However, unlike in Bivens, an immunity defense was not available because New York had waived immunity for the acts of its officers and employees.413 Although in Brown, the New York Court of Appeals recognized an implied cause of action for a violation of the right to privacy, an appellate court in New York in Augat v. State414 held that because the plaintiffs had adequate common law tort remedies, their claims based on alleged violations of the right to due process or freedom of association were not cognizable.415 The court distinguished the Brown case on the basis that the plaintiff in Brown did not have an adequate, alternative remedy under the common law as the plaintiffs had in Augat.416 Finally, some states do not recognize an implied cause of action for a state constitutional violation, such as Tennessee.417 VI. RIGHT TO PRIVACY UNDER STATE STATUTES A. Introduction In the absence of a federal statute applicable to privacy and the states, statutes in some states may be a source of privacy law applicable to the collec- tion, use, disclosure, and/or retention by transporta- tion agencies of secure data or monitoring data. Some states’ laws on the protection of information collected by state agencies mandate “openness on the kind of information being collected; avenues of access for the citizens to see what information is being collected about them and to make appropriate corrections; limitations on secondary usage of indi- vidual information; and security requirement for how that information is maintained.”418 404 Id. at 1094, 1096. 405 Id. at 1095–1096. 406 89 N.Y.2d 172, 652 N.Y.S.2d 223, 674 N.E.2d 1129 (1996). 407 Id. at 188, 652 N.Y.S.2d at 232–233, 674 N.E.2d at 1138–1139. 408 Id. at 176–177, 652 N.Y.S.2d at 225, 674 N.E.2d at 1131. 409 Id. at 177, 652 N.Y.S.2d at 225–226, 674 N.E.2d at 1131–1132. 410 Id. at 177, 652 N.Y.S.2d at 226, 674 N.E.2d at 1132. 411 Id. at 175–176, 652 N.Y.S.2d at 225, 674 N.E.2d at 1131. 412 Id. at 189, 652 N.Y.S.2d at 233, 674 N.E.2d at 1139– 1140. 413 Id. at 195, 652 N.Y.S.2d at 237, 674 N.E.2d at 1143 (citing N.Y. Court of Claims Act § 9(2)). 414 244 A.D.2d 835, 666 N.Y.S.2d 249 (3d Dep’t 1997). 415 Id. at 837, 666 N.Y.S.2d at 251–252. 416 Id. at 837–838. 666 N.Y.S.2d at 251–252. Further- more, the court in Augat did not address whether there was a cause of action for the constitutional violations alleged by the plaintiffs because their notice of intention to file was untimely. Augat, 666 N.Y.S.2d at 251, 244 A.D.2d at 836–837. 417 Wooley v. Madison County, Tennessee, 209 F. Supp. 2d 836 (W.D. Tenn. 2002). See Humble, supra note 390. 418 Douma and Deckenbach, supra note 2, at 308–309 (citing cOLO. Rev. sTaT. § 24.72.204(3)(a) (2008); cONN. geN. sTaT. aNN. § 4.190 (2007); fLa. sTaT. aNN. § 282.318 (2009); haW. Rev. sTaT. § 286.172 (2009); MiNN. sTaT. § 13.01 (2005); N.Y. pUB. Off. § 91 (2008); and OhiO Rev. cOde aNN. § 1347.01 (2009)). See also deL. cOde aNN. tit. 29, §§ 9017C-9021C (2015); iOWa cOde § 22.11 (2015) (“Each state agency shall adopt rules which describe the nature and extent of the personally identifiable informa- tion collected by the agency.”); Me. Rev. sTaT. tit. 1, §§ 541– 42 (2015) (“Each public entity that has a publicly accessi- ble site on the internet...shall develop a policy regarding its practices relating to personal information and shall post notice of those practices on its publicly accessible site.”); Mass. aNN. LaWs ch. 66A, § 3 (2015) (stating that “the Secretary of each executive office shall promulgate regulations to carry out purposes of this chapter which shall be applicable to all agencies.”); MiNN. sTaT. aNN. § 13.15 (2015) (“A governmental entity that creates, col- lects, or maintains electronic access data...must inform persons gaining access to the entity’s computer of the cre- ation, collection, or maintenance of the information.”); MONT. cOde aNN. § 2-17-550-53 (2015); and Tex. gOv’T

29 Although some states ban or limit the use of certain types of technology or devices (see Section VI.E), there seem to be no state laws “that specifically address pri- vacy rights and transportation technologies.”419 Even when state privacy laws are applicable, only some states’ privacy laws authorize a private right of action for a violation of an individual’s privacy.420 B. Specific State Privacy Statutes The state privacy statutes applicable to personal information collected and maintained by state agen- cies have a variety of names.421 State statutory pro- visions that require state and/or local agencies to give notice of a breach of the security of personal data that they collect, use, or maintain are discussed in Section VII. Some states’ statutes mirror the Privacy Act’s pro- tection against disclosure of personal information, as well as the Privacy Act’s protection of agencies for non-intentional, non-willful disclosures.422 California’s Information Practices Act (IPA) of 1977 states that: (a) The right to privacy is being threatened by the indis- criminate collection, maintenance, and dissemination of personal information and the lack of effective laws and legal remedies. (b) The increasing use of computers and other sophisticated information technology has greatly magnified the potential risk to individual privacy that can occur from the mainte- nance of personal information. (c) In order to protect the privacy of individuals, it is neces- sary that the maintenance and dissemination of personal information be subject to strict limits.423 California’s IPA governs the collection, use, and disclosure of personal information held by state agen- cies; however, the statute does not apply to city or county agencies.424 In California, each agency must keep only that amount of personal information that is “relevant and necessary to accomplish a purpose of the agency required or authorized by the California Constitution or statute or mandated by the federal government.”425 As discussed in Section VI.C, the IPA provides an individual with a private right of action to redress a violation of a privacy right. In Colorado, each governmental entity is required to create a privacy policy to standardize the “collec- tion, storage, transfer, and use of personally identifi- able information” within each such governmental entity.426 However, the statute does not create a “pri- vate cause of action based on alleged violations” of the section.427 In Massachusetts, state agencies must “maintain personal data with such accuracy, completeness, timeliness, pertinence, and relevance as is necessary to assure fair determination of a data subject’s quali- fications”428 and have policies for safeguarding indi- viduals’ private information.429 Furthermore, a state agency may not “collect or maintain more personal data than are reasonably necessary for the perfor- mance of the [agency’s] statutory function.”430 Hold- ers of personal information must identify one indi- vidual who is responsible for a data system to prevent access to or the dissemination of personal data.431 Government agencies are authorized to promulgate necessary rules and regulations.432 In contrast to Colorado, Massachusetts law creates a private cause of action for a violation of its privacy law.433 The Minnesota Government Data Privacy Act (MGDPA) “regulates the collection, creation, storage, 423 caL. civ. cOde § 1798.1 (2015) (emphasis added). 424 caL. civ. cOde § 1798.14 (2015). 425 Id. 426 cOLO. Rev. sTaT. § 24-72-501-02(1) (2015). 427 cOLO. Rev. sTaT. § 24-72-502(3) (2015). 428 Mass. aNN. LaWs ch. 66A, § 2(h) (2015). 429 Mass. aNN. LaWs ch. 66A, § 2(a) (2015). 430 Mass. aNN. LaWs ch. 66A, § 2(l) (2015). 431 Mass. aNN. LaWs ch. 66A, § 2(a) (2015). 432 Mass. aNN. LaWs ch. 66A, § 3 (2015). 433 Mass. aNN. LaWs ch. 214, § 3B (2015). cOde aNN. § 2054.126 (2015) (requiring state agencies to post their privacy policy on their Web site and to include a statement in their policy “specifying other policies neces- sary to protect from public disclosure personal informa- tion submitted by a member of the public to a state agen- cy’s Internet site”). 419 Douma and Deckenbach, supra note 2, at 309. 420 Id. at 308–309. 421 See California’s Information Practices Act of 1977 (IPA), caL. civ. cOde § 1798, et seq. (2015); Illinois’ Per- sonal Information Protection Act, 815 iLL. cOMp. sTaT. § 530/1, et seq. (2015); Louisiana’s Database Security Breach Notification Law, La. Rev. sTaT. § 51:3071, et seq. (2015); Maine’s Notice of Risk to Personal Data Act, MaiNe Rev. sTaT. tit. 10, § 1346, et seq. (2015); Michigan’s Identity Theft Protection Act, Mich. cOMp. LaWs § 445.63, et seq. (2015); Minnesota’s Government Data Privacy Act, MiNN. sTaT. § 13.01, et seq. (2015); Nevada’s Security of Personal Information, Nev. Rev. sTaT. § 603A.030, et seq. (2015); Oklahoma’s Security Breach Notification Act, OkLa. sTaT. § 24-161, et seq. (2015); Pennsylvania’s Breach of Personal Information Notification Act, 73 pa. cONs. sTaT. § 2301, et seq. (2015); Rhode Island’s Identity Theft Protection Act of 2005, R.i. geN. LaWs § 11-49.2-1, et seq. (2015); Tennessee’s Identity Theft Deterrence Act of 1999, TeNN. cOde § 47-18- 2101, et seq. (2015); and Virginia’s Government Data Col- lection and Dissemination Practices Act, va. cOde aNN. § 2.2-3800, et seq. (2015). 422 Indiana Fair Information Practices Act, iNd. cOde aNN. §§ 4-1-6-1 to 4-1-6-8 (2015) and § 4-1-6-19(d) (2015) (defining state agency). See also Massachusetts Fair Infor- mation Practices Act, Mass. geN. LaWs ch. 66A, §§ 1-3 (2015) (imposing duties on state agencies regarding per- sonal data they maintain); N.Y. pUB. Off. LaW § 95 (2015); Government Data Collection and Dissemination Practices Act, va. cOde aNN. §§ 2.2-3800 and 2.2-3801(2) (2015).

30 C. Whether There Are Separate Claims Based on the Owner or Type of Data or on the Collection, Use, Disclosure, or Maintenance of Data Although some state privacy laws include a provi- sion authorizing a private right of action for a viola- tion of the statute,445 the statutes reviewed for the digest have not established different claims based on the owner or type of data and/or the data’s man- ner of collection, use, disclosure, or maintenance. Although the state statutes generally do not distin- guish between intentional and non-intentional vio- lations of the state’s requirements applicable to an agency’s handling of personal information, a few statutes were located that seem to limit a cause of action to an intentional, willful, or knowing viola- tion of privacy. For example, California’s IPA provides that an individual may bring a civil action against an agency if the agency: (a) Refuses to comply with an individual’s lawful request to inspect pursuant to subdivision (a) of Section 1798.34. (b) Fails to maintain any record concerning any individ- ual with such accuracy, relevancy, timeliness, and com- pleteness as is necessary to assure fairness in any deter- mination relating to the qualifications, character, rights, opportunities of, or benefits to the individual that may be made on the basis of such record, if, as a proximate result of such failure, a determination is made which is adverse to the individual. (c) Fails to comply with any other provision of this chapter, or any rule promulgated thereunder, in such a way as to have an adverse effect on an individual.446 The IPA does not create separate claims based on different types of data or a government agency’s means of collection, use, disclosure, or retention of the data. Under the IPA there are two possible claims for damages. First, under subsection (b) an individual may claim damages for an agency’s fail- ure to maintain an accurate and complete record “relating to the qualifications, character, rights, opportunities of, or benefits to the individual that may be made on the basis of such record.” Second, under subsection (c) an individual may claim dam- ages for the agency’s failure “to comply with any other provision of this chapter, or any rule promul- gated thereunder, in such a way as to have an maintenance, dissemination, and access to govern- ment data in government entities.”434 The MGDPA does not use the term “secure data,” but the Act applies to all “data in which any individual is or can be identified as the subject of that data.”435 The MGDPA also does not use the term “monitoring data” but defines the term “not data on individuals” to mean that there is no identification of individuals in the data.436 In Ohio, the privacy statutes that govern personal information systems require every state or local agency that maintains a personal information sys- tem to take steps and implement procedures to mon- itor the accuracy of the data and protect personal information in the system.437 Agencies are directed to “collect, maintain, and use” only personal infor- mation that is necessary and relevant to the agen- cies’ functions as required by law.438 The term “per- sonal information” is defined as “any information that describes anything about a person, or that indi- cates actions done by or to a person, or that indicates that a person possesses certain personal character- istics, and that contains, and can be retrieved from a system by, a name, identifying number, symbol, or other identifier assigned to a person.”439 Virginia’s Government Data Collection and Dis- semination Practices Act (GDCDPA) states that “an individual’s privacy is directly affected by the extensive collection, maintenance, use and dissem- ination of personal information”440 and that proce- dures must be established for systems having records on individuals.441 The Virginia statute applies to “any agency…or governmental entity of the Commonwealth or of any unit of local govern- ment,”442 as well as any entity, public or private, having a contract to operate “a system of personal information….”443 The GDCDPA requires govern- ment agencies and entities to adhere to 10 princi- ples of information practice.444 434 MiNN. sTaT. § 13.01, subdiv. 3 (2015) (emphasis added). 435 MiNN. sTaT. § 13.02, subdiv. 5 (2015). 436 MiNN. sTaT. § 13.02, subdiv. 4 (2015). 437 OhiO Rev. cOde §§ 1347.0 and 1347.05(F) and (G) (amendments effective Sept. 29, 2015). The terms “state agency” and “local agency” are defined in OhiO Rev. cOde § 1347.01 (2015). 438 OhiO Rev. cOde § 1347.05(H) (2015). 439 OhiO Rev. cOde § 1347.01(E) (2015). 440 va. cOde aNN. § 2.2-3800(B)(1) (2015). 441 va. cOde aNN. § 2.2-3800(B)(4) (2015). 442 va. cOde aNN. § 2.2-3801 (2015). 443 Id. 444 va. cOde aNN. § 2.2-3800(C)(1)-(10) (2015). 445 See, however, cOLO. Rev. sTaT. § 24-72-501-02(3) (2015); fLa. sTaT. § 627.4091(3) (2015); and S.C. cOde aNN. § 30-2-300(3) (2015) (stating that “an affected individual may petition the court for an order directing compliance with this section, but liability may not accrue”). 446 caL. civ. cOde § 1798.45 (2015).

31 Likewise, in Ohio, although an action may be brought for certain intentional violations as permit- ted by statute, claims are not differentiated based on the type of personal information or the manner of its collection, use, disclosure, or maintenance. Ohio Rev. Code § 1347.10(A) applies to a wrongful disclosure of personal information. The statute authorizes a person to bring a cause of action against any person when the injured person has been harmed by the use of personal information contained in a personal information system. How- ever, the claim must be based on one or more of four kinds of intentional conduct.455 (1) Intentionally maintaining personal information that he knows, or has reason to know, is inaccurate, irrelevant, no longer timely, or incomplete and may result in such harm; (2) Intentionally using or disclosing the personal informa- tion in a manner prohibited by law; (3) Intentionally supplying personal information for storage in, or using or disclosing personal information maintained in, a personal information system, that he knows, or has reason to know, is false; (4) Intentionally denying to the person the right to inspect and dispute the personal information at a time when inspection or correction might have prevented the harm.456 In authorizing a private right of action for dam- ages, the Ohio privacy statute does not use the terms state or local agency in Section 1347.10(A), but does use the terms state or local agency in subpart B in regard to injunctions.457 Moreover, Section 1347.10(A) does not provide that a state or local agency may be held liable for damages, but subsec- tion (B) authorizes an action for an injunction adverse effect on an individual.”447 An agency may be held liable for a violation of §§ 1798.45(b) or (c) for an individual’s actual damages, including damages for mental suffering, and reasonable attorney’s fees and costs as determined by the court.448 Massachusetts’s privacy law applies to any holder of personal information. A holder is any agency that “collects, uses, maintains or disseminates personal data or any person or entity which contracts or has an arrangement with an agency whereby it holds personal data as part or as a result of performing a governmental or public function or purpose.”449 Any holder violating any provision of the privacy law may be held “liable to any individual who suf- fers any damage as a result of such violations,” including exemplary damages.450 In Minnesota, the MGDPA does not establish different claims based on a particular type of data or how the data were collected, used, disclosed, or maintained. Rather, the MGDPA applies to all data “collected, created, received, maintained or dissemi- nated by any government entity regardless of its physical form, storage media or conditions of use.”451 State agencies are responsible for the accurate “col- lection, use and dissemination of any set of data on individuals and other government data.”452 When a government entity enters into a contract with a private entity for data services, “all of the data cre- ated, collected, received, stored, used, maintained, or disseminated by the private person in perform- ing those functions [are] subject to the require- ments” of the MGDPA.”453 If there is a breach in security, “[a] government entity that collects, cre- ates, receives, maintains, or disseminates private or confidential data on individuals must provide a notification of the breach.454 447 caL. civ. cOde § 1798.45(b) and (c) (2015) (emphasis added). Under caL. civ. cOde § 1798.45(a), an individual may bring an action when an agency “[r]efuses to comply with an individual’s lawful request to inspect pursuant to § 1798.34(a),” in which case the plaintiff may recover attor- ney’s fees. caL. civ. cOde § 1798.46(b) (2015). 448 caL. civ. cOde §§ 1798.48(a) and (b) (2015). 449 Mass. aNN. LaWs ch. 66A, § 1 (2015). 450 Mass. aNN. LaWs ch. 214, § 3B (2015) (emphasis added) (stating also that “[n]otwithstanding any liability for actual damages as may be shown, such holder shall be liable for exemplary damages of not less than one hundred dollars for each violation together with such costs and rea- sonable attorney’s fees as may be incurred in said action”). 451 MiNN. sTaT. § 13.02, subdiv. 7 (2015) (emphasis added). 452 MiNN. sTaT. § 13.02, subdiv. 17 (2015) (emphasis added). 453 MiNN. sTaT. § 13.05, subdiv. 11 (2015) (emphasis added). 454 MiNN. sTaT. § 13.055, subdiv. 2(a) (2015) (emphasis added). 455 The term “system” is defined to mean, inter alia, “any collection or group of related records that are kept in an organized manner and that are maintained by a state or local agency, and from which personal information is retrieved by the name of the person or by some identifying number, symbol, or other identifier assigned to the person.” OhiO Rev. cOde § 1347.01(F) (2015). 456 OhiO Rev. cOde §§ 1347.10(A)(1)-(4) (2015). Section § 1347.10(A) states that one “who is harmed by the use of personal information that relates to him and that is main- tained in a personal information system may recover dam- ages in civil action from any person who directly and proxi- mately caused the harm….” 457 OhiO Rev. cOde § 1347.10(B) (2015) (“Any person who, or any state or local agency that, violates or proposes to violate any provision of this chapter may be enjoined by any court of competent jurisdiction. …An action for an injunction may be prosecuted by the person who is the subject of the violation, by the attorney general, or by any prosecuting attorney.”)

32 D. Privacy Policies Required by States Some states direct government agencies to adopt and implement privacy regulations and/or to display a privacy policy.466 Arkansas requires a state agency having a Web site to include a privacy policy on its Web site and to describe the data being collected and how the data will be used.467 Arizona law requires government agencies to “develop and establish commercially reasonable procedures to ensure that entity identifying infor- mation or personal identifying information that is collected or obtained by [a] governmental agency is secure and cannot be accessed, viewed or acquired unless authorized by law.”468 Arizona also mandates that agency Web sites have a privacy policy disclos- ing the information “gathering and dissemination practices” related to the Internet.469 The statute requires that agencies describe at a minimum the information an agency obtains from individuals online,470 how the information is to be used,471 and the circumstances under which an agency would disclose the information to other entities.472 California requires agencies that collect PII to establish a privacy policy and provide a copy of the policy to subscribers.473 Illinois requires that Web sites of state agencies not “use permanent cookies or other invasive track- ing programs that monitor and track website view- ing habits,”474 unless the tracking adds user value and is “disclosed through a comprehensive online privacy statement.”475 Similarly, South Carolina requires state agencies to develop privacy policies to ensure that personal information is only used to fulfill a legitimate public purpose and directs that agencies “minimize instances where personal information is disseminated.”476 against a state or a local agency.458 Although the term “individual” is defined elsewhere in the stat- ute, the term “person” is not defined. The terms “state agency” and “local agency” are defined, but the definitions do not include natural persons.459 Section 1347.15(B) of the Ohio statute requires each state agency to adopt rules regulating access to the confidential personal information that the agency keeps. If a person is harmed by a violation of an agency rule required by subsection B, the person may bring an action in the court of claims against any person who “directly and proximately caused the harm.”460 The Ohio statute further directs that: (1) No person shall knowingly access confidential personal information in violation of a rule of a state agency described in division (B) of this section. (2) No person shall knowingly use or disclose confidential personal information in a manner prohibited by law.…461 A violation of either subsection is also a violation of a state statute as provided under Ohio Rev. Code § 124.341(A).462 Under Virginia’s GDCDPA, an injunction may be sought against any person or agency that is violating or that is about to violate a provision of the privacy law.463 There is no provision in the Virginia statute for the recovery of damages except in the limited situation of a violation of Va. Code Ann. Section 2.2- 3808(A)(1). The section provides that, unless disclo- sure is required by law, an agency or a public officer, appointee, or employee of an agency may not require an individual to disclose his or her Social Security number or deny “any service, privilege, or right to an individual” who refused to disclose his or her Social Security number.464 If there is a willful and knowing violation of Section 2.2-3808(A), a civil penalty may be imposed in the amount set by the statute.465 458 Id. 459 OhiO Rev. cOde §§ 1347.01(A) and (B) (2015). See OhiO Rev. cOde § 1347.12(A)(5) (2015) (individual defined as a natural person). 460 OhiO Rev. cOde §§ 1347.15(G) (2015). 461 OhiO Rev. cOde §§ 1347.15(H)(1) and (2) (2015) (emphasis added). 462 OhiO Rev. cOde §§ 1347.15(H)(4) (2015). OhiO Rev. cOde § 124.341 is entitled “violation or misuse–whistle- blower protection.” 463 Va. cOde aNN. § 2.2-3809 (2015). 464 Va. cOde aNN. § 2.2-3808(A)(1) (2015). 465 Va. cOde aNN. § 2.2-3809 (2015) (providing that if an agency or a specific public officer, appointee, or employee of an agency commits a violation, a court may impose a civil penalty of not less than $250 or more than $1,000 and that for a second or subsequent violation a court may impose a penalty of not less than $1,000 or more than $2,500). 466 See caL. sTs. & high. § 31490 (2015); Mass. aNN. LaWs ch. 66A, § 3 (2015) (stating that “the Secretary of each execu- tive office shall promulgate regulations to carry out the pur- poses of this chapter which shall be applicable to all agen- cies….”); and Texas TRaNsp. cOde §§ 730.004–730.007 (2015). See also Ben F. Overton & Katherine E. Giddings, The Right of Privacy in Florida in the Age of Technology and the Twenty- First Century: A Need for Protection from Private and Com- mercial Intrusion, 25 fLa. sT. U. L. Rev. 25, 44–50 (1997). 467 aRk. cOde aNN. §§ 25-1-114(a)-(b) (2015). 468 aRk. cOde aNN. §§ 41-4172 (2015). 469 aRk. cOde aNN. §§ 41-4152 (2015). 470 aRk. cOde aNN. §§ 41-4152(2) (2015). 471 aRk. cOde aNN. §§ 41-4152(4) (2015). 472 aRk. cOde aNN. §§ 41-4172(5) (2015). 473 caL. sTs. & high. § 31490 (2015). 474 5 iLL. cOMp. sTaT. § 177/10 (2015). 475 5 iLL. cOMp. sTaT. § 177/10(b)(2) (2015). 476 S.C. cOde aNN. §§ 30-2-20 and 30-2-300(3) (2015).

33 devices installed in their automobiles.483 Virginia law provides that data may be accessed from a device on a motor vehicle that collects electronic information, not just devices installed by manufacturers, only by the vehicle’s owner or the owner’s agent or legal representative.484 Although there are federal regulations that apply to EDRs, the federal regulations are not designed to protect driver privacy and do not require an owner’s consent to the release of data after an accident.485 F. State Legislative Trends and Proposed Legislation With one exception, transportation agencies responding to the survey reported that there are no proposed changes in state law or regulations that would affect their collection of secure data or moni- toring data.486 The National Conference of State Legislatures publishes information on proposed state legislation.487 1. California In California, Senate Bill 34, introduced Decem- ber 1, 2014, would regulate operators of an Auto- matic License Plate Reader (ALPR) to ensure, inter alia, that the data an operator collects is protected by “specified security procedures and a usage and privacy policy with respect to that information.”488 The bill provides that “[i]n addition to any other E. State Laws Banning or Restricting the Use of Certain Technology New Hampshire prohibits highway surveillance, a term that the state defines as “the act of determin- ing the ownership of a motor vehicle or the identity of a motor vehicle’s occupants...through the use of a camera or other imaging device or any other device….”477 There are some exceptions, such as for investigations of particular violations or for the operation of a toll collection system.478 Other states ban the use of specific technology. As of 2013, according to one source, 12 states banned speed cameras; 9 states banned red light cameras; and several states were considering banning the use of such cameras.479 A Pennsylvania statute provides: (1) No automated red light enforcement system shall be uti- lized in such a manner as to take a frontal view recorded image of the vehicle as evidence of having committed a violation. (2)…[C]amera equipment deployed as part of an automated red light enforcement system as provided in this section must be incapable of automated or user-controlled remote intersection surveillance by means of recorded video images. Recorded images collected as part of the automated red light enforcement system must only record traffic violations and may not be used for any other surveillance purposes.…480 There is an exemption allowing for the issuance of a court order for the above data to be provided for “criminal law enforcement action.”481 Furthermore, the statute provides that informa- tion collected shall not be deemed a public record under…the Right-to- Know Law. The information shall not be discoverable by court order or otherwise, nor shall it be offered in evidence in any action or proceeding which is not directly related to a violation of this section or any ordinance or resolution of the city….482 Some states, such as California, regulate EDRs by requiring manufacturers to disclose data-tracking 477 N.H. Rev. sTaT. aNN. §§ 236:130(I)-(III)(b)-(e) (2015). 478 Id. 479 See Emmarie Huetteman, Traffic Cameras Draw More Scrutiny by States, N.Y. TiMes, Apr. 1, 2013, available at: http://www.nytimes.com/2013/04/02/us/traffic-cameras- draw-more-scrutiny-by-states.html?_r=0 (last accessed Oct. 12, 2015). See also Douma and Deckenbach, supra note 2, at 309 (citing caL. veh. cOde §§ 21455.5 (Supp. 2003) and 21455.6 (2000); N.J. sTaT. aNN. § 39:4-103.1 (2002); OR. Rev. sTaT. § 810.343-39 (2007); UTah cOde aNN. § 41-69-608 (2005); and Wis. sTaT. § 349.02 (2005) (banning photo radars)). 480 75 Pa. cONs. sTaT., Vehicles, §§ 3116(e)(1) and (2) (2015). 481 Id. 482 75 Pa. cONs. sTaT., Vehicles, § 3116(e)(3) (2015). 483 Douma and Deckenbach, supra note 2, at 309 (citing caL. veh. cOde § 9951(c) (2014)); Phillips and Kohm, supra note 3, at P16; Garry, Douma, and Simon, supra note 2, at 125 N 109 (citing caL. veh. cOde § 9951(a) (2012); cOLO. Rev. sTaT. § 12-6-402(a) (2012); Me. Rev. sTaT. tit. 29-A, § 1972(3) (2012); and N.H. Rev. sTaT. § 357-G:1(III) (2012)). 484 va. cOde aNN. § 46.1088.6(B) (2015). 485 Phillips and Kohm, supra note 1, at P19 (citing 49 C.F.R. §§ 563.1–563.12 and § 563.11). 486 Alabama DOT, Arkansas DOT, Arizona DOT, Dis- trict of Columbia DOT, Florida DOT, Indiana DOT, City of Minneapolis–Public Works Dept., MoDOT, Montana DOT, North Dakota DOT, Oklahoma DOT, Rhode Island DOT, South Carolina DOT, and Utah DOT. The exception was the Oregon DOT (citing HB 2919, HB 2356, HB 2596, HB 3142, HB 3154, SB 316, SB 377, SB 514, SB 601, SB 639, SB 640, SB 641, SB 711, and SB 904). The Maine DOT and Ohio DOT did not respond to the question. 487 See NCSL Privacy and Security, http://www.ncsl.org/ research/telecommunications-and-information-technol- ogy/privacy-and-security.aspx, and NCSL Automated License Plate Readers/State Legislation, http://www.ncsl. org/research/telecommunications-and-information- technology/2014-state-legislation-related-to-automated- license-plate-recognition-information.aspx (last accessed Oct. 12, 2015). 488 For full text see http://leginfo.legislature.ca.gov/ faces/billTextClient.xhtml?bill_id=201520160SB34 &search_keywords=privacy (last accessed Oct. 12, 2015).

34 5. Massachusetts There are several bills pending in the Massachu- setts legislature to regulate the use of ALPRs.495 House Bill 3102 would allow the data to be used only by law enforcement agencies for legitimate law enforcement purposes and by the department of transportation for the purpose of assessing and col- lecting tolls.496 Senate Bill 1817 and House Bill 3009 are similar, but would expand the permissible uses of ALPRs to parking enforcement, to the control of access to secured areas, and for “the immediate com- parison of captured plate data with data held by the Registry of Motor Vehicles, Department of Criminal Justice Information Services, the National Crime Information Center, and the Federal Bureau of Investigation…”497 Each bill has been referred to the Joint Committee on Transportation. 6. New York In New York, a bill would establish a New York state automatic identification technology privacy task force.498 With some exceptions for law enforce- ment functions, the bill would prohibit the disclo- sure of highway, bridge, tunnel, and other thorough- fare toll and transit records.499 Another bill proposes to establish an email privacy act in regard to elec- tronic messaging and individual location.500 A fourth bill introduced in the Senate also would prohibit the disclosure of highway, bridge, tunnel, and other thoroughfare toll and transit records except for law enforcement purposes or to support public entities’ official functions.501 7. North Carolina In North Carolina, House Bill 876 requires a search warrant to obtain locational data from a cell sanctions, penalties, or remedies provided by law, an individual who has been harmed by a violation of this title may bring a civil action in any court of com- petent jurisdiction against a person who knowingly caused that violation.”489 As of June 2015, the bill had been re-referred to the Assembly Committee on Privacy and Consumer Protection. 2. Florida In Florida, the Florida Privacy Protection Act, introduced in February 2015, would have pro- tected digital data from unreasonable searches and seizures, including a prohibition of the use of certain technology by law enforcement without a warrant. The bill died in the Judiciary Committee on April 28, 2015.490 A similar bill in the Senate died in the Criminal Justice Committee on May 1, 2015.491 3. Georgia As in other states, there is a bill pending in the Georgia legislature on the use of ALPRs. House Bill 93 would allow law enforcement to exchange data obtained from ALPRs, prohibit law enforce- ment from retaining information gathered from ALPRs for more than 90 days, and impose crimi- nal penalties for the misuse of captured license plate data.492 4. Illinois A bill entitled “Freedom from Automatic License Plate Reader Surveillance Act” was introduced this term in the Illinois Senate to limit the use of ALPRs by the state to toll collection, traffic enforcement, and criminal investigations.493 A similar bill was introduced in the House entitled the “Automated License Plate Recognition System Act” to limit the use of ALPRs to investigations by law enforcement agencies. If enacted, unless the data are necessary for an ongoing investigation, any data collected by ALPRs could be retained only for 30 days.494 489 Senate Bill 34 § 1798.90.54(a). 490 House Bill 571. Status: April 28, 2015, died in the Judiciary Committee. 491 Senate Bill 1530. Status: May 1, 2015, died in the Criminal Justice Committee. 492 House Bill 93. Status: April 2, 2015, House With- drawn, recommitted. 493 Senate Bill 1753. Status: March 27, 2015, re-referred to Assignments. See http://www.ilga.gov/legislation/default. asp (must link to “Senate Bills 1701–1800”) (last accessed Oct. 12, 2015). 494 House Bill 3289. Status: May 15, 2015, re-referred to Assignments. 495 S. 1817, Status: April 15, 2015, referred to Committee on Transportation; H. 3009, Status: January 20, 2015, referred to the Committee on Transportation; SH 3102, Status: January 20, 2015, in Joint Committee on Transpor- tation. 496 Draft H. 3102 §§ 2(a)–(b). See https://malegislature. gov/Bills/189/House/H3102 (last accessed Oct. 12, 2015). 497 Draft Bills S. 1817 and H. 3009 §§ 2(a)(1)–(2), (4). See https://malegislature.gov/Bills/189/Senate/S1817 and https:// malegislature.gov/Bills/189/House/H3009 (last accessed Oct. 12, 2015). 498 Assembly Bill A00119. Status: January 7, 2015, referred to Consumer Affairs and Protection. See http:// assembly.state.ny.us/leg/ (keyword “privacy”) (last accessed Oct. 12, 2015). 499 Assembly Bill A03975. Status: June 2, 2015, reported referred to rules. 500 Assembly Bill A00793. Status: January 7, 2015, referred to codes. 501 Senate Bill S02173. Status: May 28, 2015, referred to governmental operations.