Westfield Valley Fair drew public criticism in early 2022 when it announced a new “controlled parking plan.” Under the plan, Westfield would charge mall visitors and employees a fee for parking at the mall. Westfield promoted the plan as a “broader focus on security” and said that, among other things, it would deter people from parking at the mall before traveling to nearby San Jose International Airport.
What Westfield failed to mention in its initial online post [Westfield Controlled Parking Plan Website 3.7.22] was how the controlled parking plan would be carried out. The new system includes scanning all license plates that enter and exit the paid parking facilities, tracking those plates throughout the garages and printing the license plate numbers on parking stubs.
Stephanie Sparks is the Chair of the Privacy Data Security Group at Hoge Fenton, a Bay Area law firm. She says the process of scanning and tracking license plates at Valley Fair raises some concerns.
“My questions are, why do they need license plate data? How long are they keeping it? And how is it being stored? Is it in a protected database? And who has access to it?” said Sparks. “Are they selling it to the Facebooks or the Googles for use? Or are they providing it to their marketing?”
Westfield’s Use of Parking Data
Prior to announcing the plan, Westfield outsourced the operation of its parking facilities to LAZ Parking, the second-largest parking management service in the United States.
Both Westfield and LAZ Parking state in their online parking policies that the data gathered will not be used for marketing purposes. Still, neither are entirely transparent about how the data is protected and who has access to it.
“We understand the importance of respecting and maintaining our guests’ privacy. The automatic license plate readers (ALPR) at our center’s parking structures are used for customer service purposes in accordance with applicable laws,” said a Westfield spokesperson. “ALPR data is never sold or used for marketing purposes. Our ALPR reader usage and privacy policy is on our website.”
Westfield’s online ALPR policy is a single-page document that says data is stored for 30 days “unless increased due to legal obligations.” The document does not give details about the data protection provided.
In terms of access, Westfield says personnel for SKIDATA, Inc./Sentry Control Systems, LAZ Parking Management, Park Assist, Center Management and Concierge and Center Security all have access and are trained on the “operation and proper use of the ALPR system(s).”
LAZ Parking’s License Plate Recognition policy, posted on its website and last updated on July 2021, is more robust but equally vague.
The policy says license plate data is stored with “Our trustworthy independent third-party service providers.” The Weekly reached out to LAZ Parking several times for more details but received no response.
When it comes to access, authorized users at LAZ Parking include “staff personnel, employees, contractors, facility managers and their designee(s), program managers and their designee(s), assistant parking managers, parking supervisors, auditors, IT personnel and bookkeepers.”
Legal Ramifications of Valley Fair’s Controlled Parking Plan
Under current law, none of this is a problem.
Westfield Valley Fair operates in two separate cities, San Jose and Santa Clara. Neither city has laws or ordinances that prevent these types of license plate readers.
“Businesses and HOAs do not require permitting or registration with SCPD,” said Lt. Cuong Phan with the Santa Clara Police Department (SCPD). “However, we encourage the installation to prevent and deter crime. Furthermore, we do seek permission from business owners to access the data during the course of our investigation(s).”
Similarly, San Jose says it does not “regulate ALPR use in private garages.”
When it comes to data privacy, both cities, like a majority of the ones in California, leave it up to the state and federal governments to set the tone.
While data privacy laws will soon change in California, it hasn’t happened yet.
Proposition 24: California Privacy Rights Act 2020
In November 2020, California voters approved Proposition 24, also known as the California Privacy Rights Act (CPRA). The CPRA expands upon the California Consumer Privacy Act of 2018 (CCPA), but it does not go into effect until January 2023.
Among the additions in the CPRA is the requirement that a business does not share a consumer’s personal information at the consumer’s request and that businesses provide consumers an opt-out option.
Currently, Westfield Valley Fair has little to no signage telling drivers that they are using license plate readers and that plates are recorded and stored. The ticket machine flashes a brief notice about the license plate readers as drivers pull up, but not everyone sees it. Sparks wonders if that’s enough.
“It has to be at the point that I’m trying to enter into the garage,” said Sparks. “I should have an opportunity to read the privacy notice and see, ‘We’re going to take a picture of your license plate and this is how we’re going to use it and these are the people we share it with.’ Give me the choice of whether or not I want them to collect that data or reverse my car and back up.
“That’s really, at a high level, the principles behind the privacy laws,” continued Sparks. “To give the consumer notice of what data is being collected from them, how it’s going to be used and give them a choice if they want to opt-out or not have that data collected. It shouldn’t be compelled.”
Sparks also wonders if this system will be just as legal when the CPRA takes effect in January 2023. That’s when the definition of “personal information” changes.
“There is a very broad definition of what personal information is. It’s not just your credit card numbers or your driver’s license number like under the Data Breach laws…but personal information under these new laws is any information that can lead to the identity of the person,” said Sparks. “So, to me, our driver’s license plate can lead to the identification of the person who owns that registered car, that license plate. The car that that license plate’s registered to.”
Sparks says that because the parking system tracks when you enter and exit and where you park, there are other data privacy concerns at play.
“It also has geolocation data on the date and time. It tells where you were on a certain date and time. You were in your car. You were at Westfield Mall shopping,” said Sparks. “So, there’s other information than just the license plate the reader is collecting, like the fact that it does lead to a person and it can tell you where that person was at a certain date and time.”
