Privacy Policy for Protection of Personally Identifiable Information
EZ Access
The EZ Access fare system is an account-based solution used by transit passengers to obtain regional transportation services. When a transit passenger uses a EZ Access fare media, certain forms of Personally Identifiable Information may be collected. This Privacy Policy describes what types of Personally Identifiable Information are collected and how San Diego Metropolitan Transit System and its contractors (MTS) manages and stores Personally Identifiable Information to ensure your privacy.
1. Personally, Identifiable Information - What Types are Collected
Personally, Identifiable Information means any information that identifies or describes a person, including but not limited to, travel pattern data, address, telephone number, email address or credit card number.
For registered EZ Access accounts, MTS does request that certain Personally Identifiable Information be provided to set up your account. Collection of Personally Identifiable Information occurs when you provide your account information through either the EZ Access Mobile App or the EZ Access website (https://access.sdmts.com [1]).
The following is a description of what Personally Identifiable Information that may be collected:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
2. Use of Information
MTS uses Personally Identifiable Information to more efficiently administer your registered EZ Access account functions. MTS also collects Aggregated Travel Information through your use of the EZ Access account. Aggregated Travel Information includes sale transactions and validation information. MTS uses this information in a format that does not identify any individual EZ Access account subscriber. Personally Identifiable Information such as your name, address and billing information are removed before it is used for Aggregated Travel Information. MTS does share Aggregated Travel Information with San Diego Association of Governments ("SANDAG") and North County Transit District ("NCTD") for data analysis purposes.
MTS will not use your Personally Identifiable Information collected from registered EZ Access accounts to send you emails or mail marketing advertisements for any other MTS service or product. However, MTS reserves the right to continue to email or mail important notices concerning use of your registered EZ Access account and this Privacy Policy.
3. Third Party Access to Personally Identifiable Information
MTS only provides access of Personally Identifiable Information to the below described parties and entities:
i. MTS Departments and contractors: Access to Personally Identifiable Information is limited only to certain approved personnel and only for certain approved purposes necessary to administer your account. MTS controls access by providing only certain employees with the necessary log in credentials. The MTS Access operations staff, MTS Access Contractors and MTS management have access to your Personally Identifiable Information as required to perform account functions and to investigate customer complaints.
ii. Law Enforcement Purposes: Per state law, MTS must make Personally Identifiable Information available to a law enforcement agency pursuant to a search warrant or to a Peace Officer without a search warrant if there is good cause to believe the delay of obtaining a search warrant would cause an adverse result in an investigation.
4. Personally Identifiable Information – Where it is Stored
Safeguarding and protection of Personally Identifiable Information is a high priority for MTS. Personally Identifiable Information is only held in the back-office components that are within a protected datacenter. All access to the system is controlled through access control and all components are within a dedicated fare collection network with no direct internet access. Connections to the system require encryption. Access to the system requires Two-Factor Authentication.
5. Storage Period
State law requires that MTS only store Personally Identifiable Information from a registered EZ Access account with credit card information to the extent it is necessary to perform account functions such as billing, account settlement or enforcement activities. All other stored Personally Identifiable Information that is not necessary to perform account functions, such as a credit card number that has expired, will be discarded within 4 years and 6 months from the date of expiration. In addition, any personal account information connected to an expired EZ Access account will be discarded within 4 years and 6 months from the date the EZ Access account has expired.
6. Cookies
Cookies are small data elements that a Web site can use to facilitate the user’s ongoing Access, such as by remembering names and passwords until the session has ended. Cookies may be saved by your internet browser when you use the https://access.sdmts.com [1] website. You may be able to set parameters on your computer that allow you to accept cookies or to have your browser notify you each time a cookie is offered. You may also set your internet browser to reject cookies. MTS does not collect or retain your Personally Identifiable Information through the use of cookies.
7. Security
Please do not send highly sensitive information, such as a credit card number, over email. MTS cannot guarantee that incoming email before received by MTS will not be intercepted. Despite the protections established within this Privacy Policy, if any unauthorized Access to or use of Personally Identifiable Information occurs, MTS will notify you of a breach in security of the system following discovery in one or more of the following ways: email, mail, posting of the breach on https://access.sdmts.com [1], posting of the breach on the EZ Access Mobile App, or by notifying the media.
8. Changes to a registered EZ Access Account
You may review and request changes to your Personally Identifiable Information through either the https://access.sdmts.com [1] website or calling the 888-517-9627.
9. Children's Privacy Policy
The Children's Online Privacy Protection Act ("COPPA") imposes certain requirements on operators of websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.
If MTS has actual knowledge that we have collected Personally Identifiable Information online from children under the age of 13, MTS will make all reasonable efforts to obtain parental or legal guardian consent before any further use of the Personally Identifiable Information occurs. When MTS obtains parental or legal guardian consent, MTS will maintain reasonable procedures to protect the confidentiality, security and integrity of the Personally Identifiable Information collected from children under the age of 13.
When MTS does not obtain parental or legal guardian consent to use Personally Identifiable Information for children under the age of 13, MTS will no longer maintain the Personally Identifiable Information in any retrievable form.
10. Effective Date
The Effective Date of this Privacy Policy is May 1, 2022.
11. Changes to Privacy Policy
MTS will endeavor to make all appropriate revisions to this Privacy Policy as changes to MTS’s collection and management of Personally Identifiable Information occur. When material changes occur to the Privacy Policy, MTS will notify you in one or more of the following ways: updating the Privacy Policy posted on https://access.sdmts.com [1] Web site; updating the Privacy Policy posted on the EZ Access Mobile App; updating the Privacy Policy posted on https://www.sdmts.com [2] Web site, sending rider alerts on Twitter or Facebook; posting fliers on buses and trolleys; posting fliers on information boards at Trolley Stations; and/or posting fliers at the main lobby of MTS Offices.
12. History of Changes to Privacy Policy
Date |
Activity |
May 1, 2022 |
MTS issues original Policy |