Facility Parking Guide Practical Parking Solutions for Facility Managers

Data Privacy Compliance for Parking Facilities

Privacy compliance requirements for parking facilities that collect personal data — license plate data, payment card data, mobile app data, and camera systems. What laws apply and how to build a compliant program.

Modern parking facilities collect substantial amounts of personal data through their normal operations. License plate recognition systems photograph and record vehicle locations. Payment systems collect credit card data. Mobile parking apps collect location data and usage patterns. Security cameras record individuals continuously. As privacy law has evolved, these data collection activities have created compliance obligations that facility managers must understand and address.

This guide covers the major privacy compliance frameworks applicable to parking operations, the specific risks each creates, and the operational practices that support compliance.

What Data Parking Facilities Collect

Before addressing compliance, inventory what data your facility actually collects:

License plate data: LPR systems capture license plate images and translate them into plate numbers. When linked to payment or permit records, these records can reconstruct detailed movement histories. Many states have specific laws addressing LPR data collection and retention.

Payment card data: Any system that processes credit or debit cards is subject to Payment Card Industry Data Security Standard (PCI DSS) requirements. This includes PARCS pay stations, mobile payment apps, and permit payment portals.

Mobile app and location data: Parking apps that guide users to available spaces or facilitate mobile payment collect location data and usage histories. These data are subject to mobile privacy laws and app store privacy policy requirements.

Video surveillance: CCTV and security camera systems capture video of individuals in the facility continuously. Many jurisdictions have laws requiring notice of surveillance and limiting retention periods.

Biometric data: Emerging parking access systems using facial recognition or fingerprint readers collect biometric data subject to specific laws in Illinois (BIPA), Texas, and Washington, with more states adopting biometric privacy requirements.

State Privacy Laws: The Patchwork Framework

The United States has no comprehensive federal privacy law, resulting in a state-by-state compliance landscape that affects parking operators with facilities in multiple states.

California Consumer Privacy Act (CCPA) and CPRA: California’s privacy laws apply to businesses that meet certain thresholds for revenue, data volume, or data sales. For covered businesses, California residents have rights to know what personal information is collected, the right to delete personal information, and the right to opt out of the sale of personal information. Parking operators that sell or share license plate data with third parties (such as for debt collection or enforcement services) should carefully evaluate their obligations under CCPA.

Illinois Biometric Information Privacy Act (BIPA): BIPA is the most significant biometric privacy law in the United States. It requires written consent before collecting biometric identifiers, limits retention, and creates a private right of action for violations. The statutory damages — $1,000 to $5,000 per violation per individual — have generated enormous class action litigation. Parking operators considering facial recognition or fingerprint access systems in Illinois must comply with BIPA before deployment.

State LPR laws: Several states have enacted laws specifically governing license plate reader data. State laws vary on collection limits, retention periods, sharing restrictions, and security requirements. If your facility uses LPR, research the applicable state requirements for each jurisdiction where you operate.

PCI DSS: Payment Card Data Security

Payment Card Industry Data Security Standard (PCI DSS) applies to any organization that processes, stores, or transmits cardholder data. For parking facilities, this includes:

  • PARCS pay stations and exit verifiers that accept credit or debit cards
  • Online permit payment portals
  • Mobile apps that accept payment
  • Any system that stores card numbers, CVV codes, or other cardholder data

PCI DSS compliance involves three kinds of requirement: technical security controls (network segmentation, encryption, access controls, logging); operational controls (background checks for personnel with access to cardholder data, security awareness training); and assessment and reporting (an annual self-assessment questionnaire or a third-party assessment, depending on transaction volume).

The practical implications for parking facility managers:

Do not store card numbers. PARCS systems should never store full card numbers or CVV codes. Confirm with your vendor that the system uses point-to-point encryption and tokenization to avoid storing raw card data.

Assess your scope. Work with a qualified security assessor to determine your applicable PCI DSS requirements based on transaction volume and how card data flows through your systems.

Validate your vendors. Any vendor who processes cards on your behalf must demonstrate PCI DSS compliance. Request current PCI attestations from payment processing vendors.
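One way to check the "do not store card numbers" point above is to scan an exported PARCS transaction log for raw primary account numbers before relying on a vendor's tokenization claim. The following is an added example, not code from the original page or from any PARCS vendor; the log format and field names are assumptions, the sample lines are constructed, and the flagged number is a standard test card number.

```python
import re

# Candidate card-number runs: 13 to 19 digits, optionally separated by spaces or dashes.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers (about 10% of random digit runs pass)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_pans(text):
    """Return Luhn-valid 13-19 digit sequences found in text (likely raw PANs)."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits

def scan_records(lines):
    """Return (line_number, masked_pan) for each likely raw PAN.
    The PAN is masked to first 6 / last 4 so the audit report itself holds no card data."""
    findings = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            findings.append((n, pan[:6] + "*" * (len(pan) - 10) + pan[-4:]))
    return findings

# Constructed sample export lines (assumed format, not from any real PARCS). Line 1 uses a
# tokenized reference as expected; line 2 contains a test PAN that should be flagged;
# line 3 has a 12-digit ticket number that must not be mistaken for a card.
SAMPLE_EXPORT = [
    "2024-06-01T08:12:03Z lane=2 token=tok_8f3a1c amount=4.00 auth=OK",
    "2024-06-01T08:14:55Z lane=2 pan=4111 1111 1111 1111 amount=6.00 auth=OK",
    "2024-06-01T08:15:10Z lane=1 ticket=000123456789 amount=2.00",
]

if __name__ == "__main__":
    for n, masked in scan_records(SAMPLE_EXPORT):
        print(f"line {n}: possible raw PAN {masked}")
```

A hit means raw card data is leaving the payment device in clear text, which pulls that log store into PCI DSS scope and warrants a conversation with the vendor.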

Video Surveillance: Notice and Retention

Security cameras in parking facilities collect video that may constitute personal data under applicable privacy laws. Key compliance considerations:

Notice: Post visible notice that surveillance cameras are in use. The notice requirement varies by jurisdiction; California and many other states require posted notice that surveillance is occurring.

Retention limits: Some jurisdictions limit how long video surveillance footage may be retained without a legal basis. Establish a retention policy that meets legal requirements and operational needs (typically 30 to 90 days for routine surveillance) and automate deletion of footage beyond the retention period.

Access controls: Limit who within the organization can access surveillance footage and under what circumstances. Establish procedures for responding to law enforcement requests for footage.

Data sharing: Be cautious about sharing surveillance footage with third parties. Law enforcement requests should be reviewed by counsel before the facility complies. Commercial sharing of footage (with other property owners, security services, or marketing firms) may trigger privacy law requirements.

Privacy Policy and Notice Requirements

CCPA and similar state laws require businesses to provide privacy notices to individuals at or before collection of personal information. For parking facilities, this typically means:

Website privacy policy: If your facility has a website used for payment, permit management, or reservations, a current privacy policy describing data collection and use practices is required.

Mobile app privacy policy: Apps that process personal data require in-app privacy disclosures and privacy policy links in the app store.

On-site signage: For data collected on-site (LPR, video surveillance), consider on-site signage that references a privacy policy where individuals can learn more about data practices.

FAQ

Does my small parking facility have to comply with CCPA? CCPA applies to for-profit businesses that operate in California and meet at least one of: (1) annual gross revenue over $25 million; (2) annually buying, selling, or sharing personal information of 100,000 or more consumers or households; or (3) deriving 50 percent or more of annual revenue from selling personal information. Many smaller parking operators will not meet these thresholds, but should evaluate them specifically.

How long can I retain LPR data? Retention requirements vary by state. In the absence of specific state law, best practice is to retain LPR data for the minimum period needed for the operational purpose — typically 30 to 90 days for enforcement and billing, with longer retention only for data associated with specific incidents or open disputes. Consult your privacy counsel on applicable requirements for each state where you operate.
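The retention practice described here for LPR data, and in the video surveillance section for footage (a fixed window, automated deletion, and longer retention only for records tied to an incident or open dispute), can be enforced with a small scheduled sweep. This is an added example, not code from the original page or any vendor; the record fields, the per-type windows, and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Retention windows per data type, in days (constructed values inside the 30 to 90 day
# range the guide describes; set each from the applicable state law and counsel's advice).
RETENTION_DAYS = {"lpr": 30, "video": 60}

def records_to_purge(records, policy, now):
    """Return ids of records older than their retention window and not under hold.

    Each record is a dict with id, data_type, captured_at (timezone-aware datetime) and an
    optional hold (a reference to the incident or dispute that justifies keeping it).
    A record exactly at the window boundary is kept; one second past it is purged.
    """
    purge = []
    for rec in records:
        if rec.get("hold"):
            continue  # incident/dispute hold: exempt from the routine sweep
        limit = policy.get(rec["data_type"])
        if limit is None:
            raise ValueError(f"no retention window defined for {rec['data_type']!r}")
        if now - rec["captured_at"] > timedelta(days=limit):
            purge.append(rec["id"])
    return purge

def sweep(records, policy, now):
    """Apply the policy, returning (records kept, audit log lines for what was deleted)."""
    doomed = set(records_to_purge(records, policy, now))
    kept = [r for r in records if r["id"] not in doomed]
    # The audit trail names the deleted record and its age, never the data itself.
    log = [f"{now.isoformat()} purged {r['id']} ({r['data_type']}, captured {r['captured_at'].date()})"
           for r in records if r["id"] in doomed]
    return kept, log

# Constructed sample records relative to a fixed "now" so the result is reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    {"id": "lpr-1", "data_type": "lpr", "captured_at": NOW - timedelta(days=10)},
    {"id": "lpr-2", "data_type": "lpr", "captured_at": NOW - timedelta(days=45)},
    {"id": "lpr-3", "data_type": "lpr", "captured_at": NOW - timedelta(days=45), "hold": "dispute-0042"},
    {"id": "vid-1", "data_type": "video", "captured_at": NOW - timedelta(days=59)},
    {"id": "vid-2", "data_type": "video", "captured_at": NOW - timedelta(days=61)},
]

if __name__ == "__main__":
    kept, log = sweep(SAMPLE, RETENTION_DAYS, NOW)
    print("\n".join(log))
    print("kept:", [r["id"] for r in kept])
```

Run it from a scheduler against the real store; the ValueError on an unknown data type is deliberate, so that a new collection (for example biometric access logs) cannot silently fall outside the policy.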

What should I do if I have a data breach involving parking customer data? Most states have data breach notification laws requiring notification to affected individuals and state regulators when personal information is exposed. Contact your legal counsel immediately to assess notification obligations and timelines. Most notification laws require notice within 30 to 60 days of discovery.

Do we need a separate privacy officer for parking operations? The need for a dedicated privacy officer depends on the scale and complexity of data collection. Parking operations that are part of larger organizations should integrate with the parent organization’s privacy program. Standalone parking operations with significant data collection should designate a responsible individual for privacy compliance, even if it is not a full-time role.
