Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
3LEGAL ISSUES CONCERNING TRANSIT AGENCY USE OF ELECTRONIC CUSTOMER DATA By Larry W. Thomas, The Thomas Law Firm, Washington, DC INTRODUCTION This digest discusses transit agenciesâ use of contactless electronic payment systems for the collection of fares. The systems, however, may be used for other purposes, such as to collect data to improve customer service or to assess transit needs and trends. The technology may be used to collect and archive customersâ personally identifiable infor- mation (PII), travel data, or other personal informa- tion (collectively referred to hereafter as âpersonal dataâ). The technology, laws, and standards applica- ble to electronic payment systems and data privacy and security have evolved significantly since prior Transportation Research Board (TRB) reports on the subject.1 Sections I through IV of the digest discuss elec- tronic payment systems that transit agencies may use, their privacy policies, privacy risks associated with their collection of customersâ electronic personal data, and the agenciesâ control of access to and protection of any data they collect. Section I of the digest describes the various kinds of electronic payment systems that are in use or available for use by transit agencies, how current technology enables agencies to provide their customers with a variety of payment options, and the ways that an agencyâs collection of personal data may benefit the agencyâs operations. Section II analyzes transit agenciesâ privacy policies that govern their collec- tion and use of customersâ data and how their poli- cies may be important in defending against any privacy claims by customers. Section III identifies some of the privacy risks that are associated with transit agenciesâ collection of customersâ electronic personal data, whereas Section IV discusses tran- sit agenciesâ control of access to and protection of customersâ data. As explained in Section V, transit agencies that accept payment via a customerâs credit or debit card must comply with the Payment Card Industry Data Security Standards (PCI DSS). Indeed, some state statutes either refer to the PCI DSS or require that any merchant accepting payment in a manner that requires a bank-issued credit or debit card must comply with the PCI DSS. Section VI examines whether government-owned transit agencies that collect customersâ electronic personal data may have immunity in some states from tort claims; assuming there is no immunity, whether a customer may have a claim against a transit agency for breach of an express or implied contract regarding an agencyâs collection, use, or disclosure of a customerâs personal data; and whether there are, nevertheless, threshold legal issues that may preclude a claim in contract or tort against a transit agency. Sections VII through X discuss whether there are any federal or state constitutional or statutory provi- sions or judicial decisions that afford protection for customersâ electronic personal data. Accordingly, Section VII discusses whether there are any privacy rights under the United States Constitution that affect a government-owned transit agencyâs collec- tion of customersâ personal data that are enforceable by a Bivens-type, implied constitutional claim or a § 1983 claim. Section VIII discusses whether there are any federal statutes that are implicated by a government-owned or privately owned transit agen- cyâs collection of customersâ electronic personal data. Because privacy rights are largely a matter of state law, Sections IX through XI discuss whether there are state constitutional and statutory provi- sions that protect individualsâ data. As a conse- quence, Section IX discusses whether any state constitutions or state judicial decisions recognize a constitutional right to privacy. Section X examines whether there are state statutes that establish a right to privacy in personal data that transit agen- cies collect. Section XI analyzes whether state 1 See Mark Mcnulty, Privacy issues in Public transPortation (Legal Research Digest No. 14, Transit Cooperative Research Program, Transportation Research Board, 2000), http://onlinepubs.trb.org/onlinepubs/tcrp/ tcrp_lrd_14.pdf (last accessed Sept. 24, 2016), and Paul stePhen DeMPsey, Privacy issues with the use of sMart carDs (Legal Research Digest No. 25, Transit Cooperative Research Program, Transportation Research Board, 2008), hereinafter referred to as âDempsey,â http://www. tcrponline.org/PDFDocuments/TCRP_LRD_25.pdf (last accessed Sept. 24, 2016).