Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
8advertisers or to other third parties without a card- userâs consent.53 II. TRANSIT AGENCIESâ AGREEMENTS AND PRIVACY POLICIES GOVERNING THE COLLECTION AND USE OF CUSTOMERSâ ELECTRONIC DATA Because of the importance of protecting transit usersâ privacy, âtransit agencies must clearly commu- nicate how they collect, use, and handle personal information.â54 Transit agenciesâ agreements, terms of use, and privacy policies are especially important defenses in whole or in part to any claims for breach of privacy. As noted in Section X.D, some statesâ laws specifically require private and public entities that collect data on individuals to have a privacy policy and to inform the public of the entityâs policy. Fifteen agencies that responded to the survey reported having an agreement, terms of use, and/or privacy policy that they use in connection with elec- tronic payment systems.55 Eighteen agencies reported, however, that they do not have an agree- ment, terms of use, and/or privacy policy. Sixteen agencies said that they have a Web site that collects customersâ personal data when they use the site, but 17 agencies do not. The summary of the transit agenciesâ responses to the survey includes links to the agenciesâ agreements, privacy policies, and terms of use. Appendix D includes copies of agree- ments, privacy policies, and terms of use that some transit agencies provided. An example of a thorough privacy policy is MTCâs policy for its Clipper card. The policy identifies the types of information collected from its Clipper customers and the third parties with whom MTC may share PII. It also explains how customers are notified of material changes to the policy.56 MTC defines PII to include information that identifies or 53 See MTC Clipper® Program Privacy Policy, at FAQ (updated Nov. 12, 2014), hereinafter referred to as âMTC Clipper Program Privacy Policy,â https:// www.clippercard.com/ClipperWeb/privacy.do (last accessed Sept. 24, 2016). 54 Quibria, supra note 2, at 17 (footnote omitted). 55 See, e.g., ORCA Privacy Statement, http://www. soundtransit.org/sites/default/files/orca_privacy.pdf (last accessed Sept. 24, 2016); Miami-Dade County Transit Store, FAQ, https://transitstore.miamidade.gov/home/faq (last accessed Sept. 24, 2016); Metropolitan Atlanta Rapid Transit Authority, Breezecard Privacy Statement, http:// www.breezecard.com/htm/privacy_statement.html (last accessed Sept. 24, 2016); Southeastern Pennsylvania Transportation Authority, SEPTA Key FAQ, http://www. septa.org/key/faq.html (last accessed Sept. 24, 2016). According to the FAQ, SEPTA is launching the SEPTA Key and will be releasing a policy on data retention. 56 MTC Clipper Program Privacy Policy, supra note 53. 57 Id. at 1. 58 Id. 59 Id. at 2. 60 Id. at 1. 61 Id. 62 Id. at 3. 63 Id. 64 Id. at 1. 65 Id. at 3. describes a person or that may be linked directly to a specific individual, such as a personâs name, mail- ing address, business name, alternate contact infor- mation, telephone number, email address, telefax number, credit card number security code and expi- ration date, and Clipper card serial number, as well as a personâs âtravel pattern data.â57 Travel pattern data are collected as a result of an individualâs use of the Clipper card and Web site.58 Travel pattern data consist of a Clipper userâs trip start and end points, routes used, and dates and times traveled, but the information either is not associated with a specific individual to create anonymous data or is combined with other data to create aggregate data.59 MTC may provide aggregate data to others to generate statistical reports to manage the Clipper programâs operations.60 The term âaggregate dataâ is defined in the policy to mean âstatistical information that is derived from collective data that relates to a group or category of persons from which PII has been removed,â so that the data only reflect âanony- mous people.â61 Aggregate data contain no informa- tion that could be used to identify or contact Clipper card customers.62 MTC may, however, âremove all PII from data developed as a byproduct of the use of the Clipper® FPS to create Anonymous Data that may be disclosed to third parties. MTC may use Anonymous Data for any of its statutorily- authorized purposes and may make Anonymous Data available to third parties.â63 MTC states that except as otherwise provided in its policy, it does not provide PII collected from customersâ Clipper accounts to any third party with- out a customerâs consent, that PII will never be provided to advertisers, and that MTC will maintain a secure environment for a customerâs personal information.64 The Clipper privacy policy cautions patrons, however, that they are responsible for safe- guarding âpasswords, PINs, and other authentica- tion information that may be used to access a Clipper® account.â65 MTCâs policy also informs patrons that MTC uses PII to process enrollments, manage accounts, respond to ques- tions, send customer emails about Clipper® program updates, provide information regarding significant changes