Driver Privacy in California: Lessons from CETCPA Litigation

Written by

Eric Slav Dotan

Privacy Enterprise Lead

September 4, 2025

The collection and use of drivers’ personal information has long raised concerns about surveillance and misuse. At the federal level, Congress addressed these issues in 1994 with the Driver’s Privacy Protection Act (DPPA), passed in response to high-profile stalking cases involving Department of Motor Vehicles (DMV) records. The DPPA prohibits state DMVs from disclosing personal information in motor vehicle records without authorization, subject to narrow exceptions. It also provides a federal cause of action, allowing individuals to seek damages when their DMV data is unlawfully obtained or shared.

But the DPPA’s reach is limited: it governs only DMV records. It does not cover other transportation data such as data generated when people use toll roads, electronic passes, or transit systems. California also passed a unique law in 2015, the Electronic Toll Collection Privacy Act (CETCPA), protecting drivers from the disclosure of toll and transit fare data.

What’s at stake is the freedom of transportation. Laws like the DPPA, state Automated License Plate Recognition (ALPR) statutes passed in over a dozen states, and CETCPA all reflect the same principle: transportation data is personal, and must be shielded from misuse.

Protections Under CETCPA

While most data privacy laws target private companies, CETCPA is one of the few US data privacy laws that extend accountability to government agencies. It also has a private right of action, opening a rare and important avenue for challenging governmental misconduct via class action.

CETCPA targets operators of toll lanes and transit smartcards who might be tempted to share or profit from users’ movement data. The law prohibits transportation agencies from selling or providing any toll or transit account holder’s personally identifiable information (PII) to any other person or entity, except in limited situations allowed by statute. PII is defined expansively to include information that identifies or describes a person, including travel pattern data, telephone number, email, license plate, photograph, bank account info, etc.

Statutory damages are $2,500 per violation (or $4,000 each if the PII was provided three or more times) or actual damages, whichever is greater. Prevailing plaintiffs can also recover reasonable attorneys’ fees and costs.

California also has Automated License Plate Recognition (ALPR) statutes (Civil Code § 1798.90.5 et seq., enacted by SB 34 in 2015) which regulate automated license plate reader systems capturing license plate images and location data. California law mandates that ALPR operators, like police departments, implement reasonable security measures, usage policies, and limits on data sharing. Like CETCPA, California’s ALPR law includes a private cause of action: any person harmed by unauthorized use or disclosure of ALPR data (or by a security breach of an ALPR.

**The Latest CETCPA Case: Cheng v. Los Angeles County Metropolitan Transportation Authority (LA Metro)**

A new digital privacy class action filed on September 2, 2025 targets the LA Metro’s TAP card system (branded “TapToGo”), which lets riders load fares electronically for use across LA County transit agencies. The complaint of Cheng v. Los Angeles County Metropolitan Transportation Authority alleges that LA Metro’s TapToGo website and app were embedded with third-party tracking tools, specifically Google Analytics and Google’s advertising service DoubleClick, that transmitted users’ personal data to Google without the users’ knowledge or consent. If true, these facts fit squarely into a CETCPA violation.

Here’s why:

TapToGo as an “Electronic Transit Fare Collection System”: CETCPA’s privacy protections explicitly apply to transit fare systems that use electronic passes, which LA Metro’s TAP card qualifies as. TAP account holders are “subscribers” of an electronic transit fare system under the statute’s definitions. Therefore, LA Metro is a transportation agency subject to §31490, and TAP users are protected persons under the law.

Personally Identifiable Information (PII) at Issue: The complaint alleges that TapToGo transmitted riders’ data to Google Analytics and DoubleClick, including account and usage details. CETCPA defines PII broadly, covering names, email addresses, phone numbers, card serial numbers, and even travel pattern data. Cookies, unique identifiers, and route or station check-ins all qualify, since they describe or can identify a rider. In short: any non-anonymized TAP user data sent to Google constitutes PII under §31490.

“Knowingly” Providing PII to Third Parties: CETCPA requires proof the agency knowingly disclosed PII. Here, LA Metro allegedly embedded Google Analytics and DoubleClick code into TapToGo, ensuring user data would flow to Google. That deliberate integration, not a breach or accident, meets the “knowing” standard. Courts in similar contexts, such as VPPA cases, have held that installing third-party trackers constitutes knowing disclosure. CETCPA doesn’t require profit, only that PII was “provided.” Its exceptions (law enforcement requests, billing, user consent) don’t cover sharing data with analytics vendors. If proven, each TapToGo disclosure to Google triggers $2,500–$4,000 in statutory damages.

Sparse Case Law Interpreting CETCPA

There is surprisingly little case law interpreting CETCPA. Transportation privacy statutes have only recently been tested in court, often ending in early dismissals or settlements rather than definitive rulings. This LA Metro TAP lawsuit could be a significant precedent for how courts interpret CETCPA and other transportation privacy statutes.

Thompson v. Orange County Transportation Authority (OCTA)

This case is an unpublished appellate decision that narrowly construed the statute’s private right of action. In Thompson, a driver received a toll evasion notice by mail, successfully contested it, but then sued because the agency’s follow-up letter contained a marketing pitch for a FasTrak account. He argued the agencies violated §31490 by using his name and address to solicit him, and by including marketing material in a required notice.

The court affirmed dismissal of the case, holding that this scenario did not trigger the private right of action because CETCPA’s remedy in §31490(q) is limited to when PII is provided to a third party. In this case, the letter was sent directly to the plaintiff (and any disclosure to the postal service was mandated by law in order to mail the notice). There was no allegation that OCTA gave his data to an outside entity, and the statute’s marketing restriction unfortunately had no standalone remedy.

The case failed because no third-party disclosure = no CETCPA cause of action in the court’s view.

In re Toll Roads Litigation

This consolidated litigation led to major settlements in 2018–2021 rather than trial. Drivers alleged that California toll road operators violated §31490 by sharing drivers’ PII with dozens of third parties. For example, the agencies sent unpaid toll information to the DMV, which would then hold vehicle registration renewals hostage until tolls were paid. Facing potentially massive statutory damages, the agencies settled. In 2021, Orange County’s toll road operators agreed to a $41 million settlement.

Two other regional cases (one against San Diego’s SANDAG and another involving the Bay Area’s toll authority) also resolved via settlement. The Toll Roads litigation delivered relief to drivers and forced changes in practice, but it produced little judicial interpretation of CETCPA since no court issued a final ruling on the merits.

Looking Forward

Both cases suggest that the LA Metro TapToGo lawsuit could be at the vanguard of a broader trend: using privacy laws to police the technologies that governments deploy in transportation. So far, most litigation has focused on toll roads and obvious sharing with government agencies or contractors. The Metro case goes a step further, targeting commercial data-sharing with Google in a public transit context. It aligns with a growing sensitivity to digital privacy: consider the recent wave of lawsuits against companies for embedding tracking pixels or analytics that leak user data. Now that mindset is reaching transit agencies.

We may see more suits against transit authorities, toll operators, or even private mobility services, whenever they hand off user data to third-party tech firms without consent. The lack of deep precedent means each new case could set important benchmarks, such as clarifying what counts as “knowingly” or what qualifies as a prohibited disclosure. For now, plaintiffs can look to the statutory text and analogies to other privacy laws to guide their arguments. And agencies, seeing the writing on the wall, would be wise to audit their own data-sharing practices proactively.

This Might Interest You:

‍