Legal Issues Concerning Transit Agency Use of Electronic Customer Data (2017)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

3LEGAL ISSUES CONCERNING TRANSIT AGENCY USE OF ELECTRONIC CUSTOMER DATA By Larry W. Thomas, The Thomas Law Firm, Washington, DC INTRODUCTION This digest discusses transit agencies’ use of contactless electronic payment systems for the collection of fares. The systems, however, may be used for other purposes, such as to collect data to improve customer service or to assess transit needs and trends. The technology may be used to collect and archive customers’ personally identifiable infor- mation (PII), travel data, or other personal informa- tion (collectively referred to hereafter as “personal data”). The technology, laws, and standards applica- ble to electronic payment systems and data privacy and security have evolved significantly since prior Transportation Research Board (TRB) reports on the subject.1 Sections I through IV of the digest discuss elec- tronic payment systems that transit agencies may use, their privacy policies, privacy risks associated with their collection of customers’ electronic personal data, and the agencies’ control of access to and protection of any data they collect. Section I of the digest describes the various kinds of electronic payment systems that are in use or available for use by transit agencies, how current technology enables agencies to provide their customers with a variety of payment options, and the ways that an agency’s collection of personal data may benefit the agency’s operations. Section II analyzes transit agencies’ privacy policies that govern their collec- tion and use of customers’ data and how their poli- cies may be important in defending against any privacy claims by customers. Section III identifies some of the privacy risks that are associated with transit agencies’ collection of customers’ electronic personal data, whereas Section IV discusses tran- sit agencies’ control of access to and protection of customers’ data. As explained in Section V, transit agencies that accept payment via a customer’s credit or debit card must comply with the Payment Card Industry Data Security Standards (PCI DSS). Indeed, some state statutes either refer to the PCI DSS or require that any merchant accepting payment in a manner that requires a bank-issued credit or debit card must comply with the PCI DSS. Section VI examines whether government-owned transit agencies that collect customers’ electronic personal data may have immunity in some states from tort claims; assuming there is no immunity, whether a customer may have a claim against a transit agency for breach of an express or implied contract regarding an agency’s collection, use, or disclosure of a customer’s personal data; and whether there are, nevertheless, threshold legal issues that may preclude a claim in contract or tort against a transit agency. Sections VII through X discuss whether there are any federal or state constitutional or statutory provi- sions or judicial decisions that afford protection for customers’ electronic personal data. Accordingly, Section VII discusses whether there are any privacy rights under the United States Constitution that affect a government-owned transit agency’s collec- tion of customers’ personal data that are enforceable by a Bivens-type, implied constitutional claim or a § 1983 claim. Section VIII discusses whether there are any federal statutes that are implicated by a government-owned or privately owned transit agen- cy’s collection of customers’ electronic personal data. Because privacy rights are largely a matter of state law, Sections IX through XI discuss whether there are state constitutional and statutory provi- sions that protect individuals’ data. As a conse- quence, Section IX discusses whether any state constitutions or state judicial decisions recognize a constitutional right to privacy. Section X examines whether there are state statutes that establish a right to privacy in personal data that transit agen- cies collect. Section XI analyzes whether state 1 See Mark Mcnulty, Privacy issues in Public transPortation (Legal Research Digest No. 14, Transit Cooperative Research Program, Transportation Research Board, 2000), http://onlinepubs.trb.org/onlinepubs/tcrp/ tcrp_lrd_14.pdf (last accessed Sept. 24, 2016), and Paul stePhen DeMPsey, Privacy issues with the use of sMart carDs (Legal Research Digest No. 25, Transit Cooperative Research Program, Transportation Research Board, 2008), hereinafter referred to as “Dempsey,” http://www. tcrponline.org/PDFDocuments/TCRP_LRD_25.pdf (last accessed Sept. 24, 2016).