A few months ago, payment machines went up at Point Ruston (a popular new mixed-use development here in Tacoma, for the out-of-town readers), and it became clear that the formerly free parking would soon become less so. Kate Martin at The News Tribune got the lowdown on the forthcoming setup. Plenty of folks grumbled, as they’d gotten used to having parking for the nice waterfront family area, regardless of whether they were shopping.

This is not, for the moment, my concern.

What stands out to me is exactly how payment and validation will be accomplished. In most garages either you pay by the slot number, pay for a ticket to put on your dashboard, or get a ticket and then pay on exit. Here’s how it works at Point Ruston:

A photograph of your license plate will be taken on entry and exit, and computers will read the information from the picture.

If you stay more than an hour, parking will cost you.

If you want to pay at the machine, punch in your license plate number and pay for your time.

If you want to get validated, take your license plate number (or a picture of it) to a business, and they will enter it in the system, and it will give you some free time.

Validation doesn’t stack, but it does reset with each new entry.

If you don’t pay, they can look you up in the state’s license plate registry and bill you after the fact.

On first glance, it does feel a little creepy that they are photographing your license plate, but is it really all that different than other methods? I would say yes, and I would say it in several ways.

(Caveat for the rest of this post: I am not a lawyer or legal expert of any sort. I am a guy who knows very well how data can be used to paint a picture of behavior, with some experience reading privacy policies. Take that for what it’s worth.)

Your License Plate is Personal Information

If you push a button for a ticket at the entrance, and pay in cash at exit, there is an electronic record that SOMEONE parked for that amount of time, but not who. That’s why they put the gate up until you pay: they aren’t set up to know who you are if you try to skip out. They can go back and review security footage if you crash through the barrier, but they haven’t fundamentally associated your transaction with your identity.

But who pays cash these days? Can’t they track you by your credit card number? Well, yes and no. There are a LOT of legal hurdles to the processing of digital transactions, and restrictions on the use of the data. Businesses are in much better shape tracking your behavior if they have another method. This is what rewards cards at retail stores are for—they give you a little bit of free stuff, and you give them your name, phone number, and a full transaction history without the legal baggage of payment info.

But now, instead of just your payment info and a ticket, the garage is explicitly tracking something that can be uniquely associated, if not exactly to you, then at least to your household. Whether or not they know exactly who you are, they do know the overall usage pattern of that car.

Okay, but how much does that really tell them about me?

There are legal restrictions on license plate lookups in Washington state. The Department of Licensing has a Contracted Plate Search system that qualified businesses (those with a valid business need to get that info) can access to associate license plates with registered vehicle owners.

Republic Parking (who operate this garage) almost certainly have access to the system. After all, they need to be able to bill or ticket delinquent drivers, and manage towing of abandoned vehicles. However, since the system is intended for these purposes, and not to build a customer database, they would be on squishy ground if they tried to use one for the other, and I suspect that the DOL wouldn’t be happy about that, so let’s be nice and assume that Republic doesn’t look up your identity except for entirely kosher reasons.

Now let your mind linger for a while on what I said above, about businesses avoiding legal problems with payment info by getting you to hand over information all on your own. We’ll come back to that.

So what else is this data for?

Like any good business that collects data and processes transactions, Republic Parking has a Privacy Policy and a Terms & Conditions document. It’s generally a good idea to read both, to get a clear(ish) picture of what’s going on with data. I’ll be focusing on the Privacy Policy here, but it’s interesting to note that the Privacy Policy doesn’t list “license plate” as Personal Information covered by the rest of the policy. However, the T&C does call out license plate as Personal Information, so taken together, the bases are covered.

Privacy policies are full of legalese, both to cover all possible asses and to discourage laypeople from bothering to read them, but here are a couple highlights, on three of the most important privacy aspects of any data-driven system: data use (what else are we using this for?), data sharing (who else will we give this to?) and data retention (how long will we keep this?).

“Republic Parking will only use the information collected for the purposes specified during the collection process identified in this Policy or as authorized by law.”

“Republic Parking will only use the Personal Information as specified during the collection process to conduct the related business transaction, for other reasonable business purposes, or as authorized by law.”

“Republic Parking may disclose your Personal Information to third parties that are directly involved with the processing or storage of that Personal Information, for specified business purposes such as payment processing, unless otherwise prescribed by law.”

“Republic Parking only retains Personal Information for as long as reasonably needed for business purposes and as authorized by law.”

There is a phrase you’ll see a few times, in a few forms: “reasonable business purposes.” To me, reasonable business purposes means “things we haven’t thought of yet, or things that make sense for our business but that we don’t want you to immediately think of when you give us your info.” This is universal ass-covering: they will use your data for whatever they think is good for business, and keep it for as long as it is useful, while still being able to tell the Trib things like “Data collected by the system is maintained in Republic Parking’s system, and old data is eventually overwritten. It is not sold to a third party.”

So they know when I park. So what?

It’s not like a parking garage is going to market parking to you, right? This doesn’t tell them a ton, beyond general time frames. To really track your behavior, they’d need to know what individual businesses you visited, and it’s not like every business will know your license pla…

…oh.

Want to park for free? Get validated at a business! But this isn’t just a stamp on your ticket: each business in Point Ruston is equipped with a terminal connected to the Republic Parking system. Hand them your license plate number, they punch it in, and your account is automatically credited with the appropriate number of hours. And the system knows what business you are at.

Need more time? Validate again, and it will reset the clock. You are strongly encouraged to log your license plate at every single business, so that you are always covered. And Republic always knows where you went.

Which brings us to data sharing. From a marketing standpoint, all the businesses would love to know what other businesses you visit. Ice cream and coffee shops would love to know that you go see all the Marvel movies on opening day, for example, so they know when to send you a coupon. But if Republic is collecting this info for their own business, can they really share it around?

“Republic Parking may disclose your Personal Information to third parties that are directly involved with the processing or storage of that Personal Information, for specified business purposes such as payment processing.”

Thing one: every business with a validation terminal is directly involved with the processing of that Personal Information.

Thing two: payment processing is an example of specified business purposes, not a comprehensive list.

And finally, there is this: at least one of those businesses (maybe more, I haven’t been to them all) is specifically equipped to match customer identities to individual visits and purchases, without using government lookup systems or payment information. Cinemark would be just thrilled if you’d like to join Connections (to collect rewards points for later use) or Movie Club (for sweet beverage discounts and a single discounted monthly movie pass), and accept their privacy policy that allows them to share your information via joint marketing agreements.

I did promise we’d get back around to using customer rewards cards to avoid legal concerns, right?

Once an agency with an interest in data collection knows your name, email address and phone number, the sky’s the limit. They know anything that’s public about you on Facebook, or any other source, and can purchase large data sets full of valuable marketing data, associated with those details.

Things I know, and things I do not know

Here are several things I can’t tell you with any amount of certainty:

That Republic will use your license plate details for anything but the parking transaction.

That Republic, Point Ruston and the businesses therein have any kind of data sharing agreement that lets them pool validation and other information to identify you and map your behavior.

That Cinemark has any joint marketing agreement with their Point Ruston neighbors.

That you will eventually start receiving targeted marketing from Point Ruston based on your shopping and date night history.

These are all speculative, and I will leave it to proper journalists who know what they’re doing to suss out any details that are available to be sussed out. Here are a few things I can tell you, though:

From a technological standpoint, they absolutely can do all of the above, with the systems we know to be in place.

Their privacy policy seems, to a data-but-not-legal expert, broad enough in all the right places to permit all of the above, should they choose to.

And then everything might change.

Last excerpt from a privacy policy, I promise:

“Should Republic Parking require your information for purposes other than those specified during collection or as permitted by this Policy, we will seek your consent where required, or a notification will be provided to you prior to the new use.”

You probably have Facebook. You probably agreed to their privacy policy without reading it. You probably get notices from time to time that they’ve updated their policy, and you don’t read those. Every once in a while, you’ll see a kerfuffle online because somebody noticed a change that bothers them. It might bother you. And then you probably ignore the next change, too.

A privacy policy that is subject to change means that even if you read the current version, and are happy with it, if they ever come up with a new use of your data, and are concerned they aren’t covered, they can amend the policy, and be mostly confident that you won’t be paying attention. So the big concern is this: even if they aren’t doing all these things, even if a lawyer comes along and says I’m wrong, and the language of their policies is sufficient to restrict their behavior, the infrastructure is there, and the policies can change. They are now equipped to identify you, track your behavior from business to business, and send you targeted marketing. Whether they actually do so or not is likely just a matter of time.