28M.7 Regional transit district customer data — disclosure restrictions — penalty.
1. Data concerning applicants, users, and customers of a regional transit district collected by or through personalized internet services or a fare collection system shall be considered private and not subject to disclosure except as provided in this section.
2. A regional transit district may disclose aggregate data on user and customer transaction history and fare card use to governmental entities, organizations, school districts, educational institutions, and employers that subsidize or provide fare cards to their clients, students, or employees. Governmental entities, organizations, school districts, educational institutions, and employers may use the aggregate data only for purposes of measuring and promoting fare card use and evaluating the cost-effectiveness of their fare card programs. The disclosure of nonaggregate or personalized data on user and customer transaction history and fare card use to governmental entities, organizations, school districts, educational institutions, and employers shall be strictly prohibited.
3. A regional transit district may disclose data concerning applicants, users, and customers collected by or through personalized internet services or a fare collection system to another governmental entity to prevent a breach of security regarding electronic systems maintained by the regional transit district or the governmental entity, or pursuant to a subpoena issued in connection with a civil or criminal investigation.
4. A violation of this section is punishable by a civil penalty in an amount not to exceed five thousand dollars for each violation.
2014 Acts, ch 1073, §2; 2015 Acts, ch 30, §28