Parking facilities collect substantial personal data: names and contact information for monthly permit holders, payment card data for transient transactions, license plate records from LPR systems, and increasingly detailed vehicle movement patterns. This data collection occurs at scale — a large commercial parking operation may process tens of thousands of transactions monthly — and is subject to a growing body of federal and state privacy law. Understanding the applicable privacy framework, what obligations apply to different categories of parking data, and how to structure data governance is essential for operators who want to manage compliance risk responsibly.

Federal Privacy Framework: The DPPA

The Driver’s Privacy Protection Act (DPPA), 18 U.S.C. §§ 2721-2725, is the primary federal law governing access to motor vehicle records. The DPPA restricts who can obtain personal information from state motor vehicle records (which include registered owner information associated with license plates) and how that information can be used.

What the DPPA restricts: State DMV records containing personal information — name, address, Social Security number, phone number, photograph, height, weight, gender, age — cannot be disclosed without the individual’s consent except for enumerated permissible purposes (law enforcement, government functions, research, motor vehicle safety, insurance, licensed private investigators in defined circumstances, and others).

Parking operator implications: Parking operators generally cannot directly access state DMV registered owner information for license plates without a permissible purpose. Enforcement-related lookups (identifying the registered owner of an abandoned vehicle or a vehicle with multiple unpaid citations) require law enforcement involvement or a specific DPPA-permissible arrangement. Parking operators who receive DMV owner information through permissible channels (from law enforcement, from a data vendor operating under a permissible purpose) must use the information only for the stated purpose and cannot resell or disclose it for other uses.

LPR data and the DPPA: LPR systems record plate data; plate data can be used to look up registered owner information. The plate lookup itself (rather than the plate observation) is what the DPPA governs. Aggregating LPR data and selling it to parties who then perform DPPA-governed lookups without a permissible purpose creates legal exposure.

State Consumer Privacy Laws

Several states have enacted comprehensive consumer privacy laws that impose obligations on businesses that collect personal information from state residents:

California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA): California’s privacy law applies to for-profit businesses that meet thresholds related to revenue, data volume, or percentage of revenue from data sales. For parking operators that meet thresholds, CCPA/CPRA obligations include: privacy notice at point of collection, rights to know/access, deletion, and opt-out of sale or sharing, and reasonable security measures. Monthly parker accounts, reservation records, and loyalty program data typically constitute personal information subject to CCPA if the business meets the applicability thresholds.

Other state privacy laws: Virginia, Colorado, Connecticut, Texas, Iowa, Indiana, and Tennessee have enacted comprehensive consumer privacy laws modeled partly on CCPA. Additional states have enacted or are considering similar legislation. The patchwork of state laws creates compliance complexity for operators active in multiple states.

Key obligations common to state privacy laws: Privacy notice (informing individuals what personal information is collected, why, and who it is shared with), rights to access and deletion for consumer-provided data, reasonable security requirements, and data breach notification obligations.

LPR-Specific Privacy Regulations

LPR systems collect vehicle location data at scale, raising privacy concerns distinct from transactional personal data:

State LPR laws: Several states have enacted LPR-specific statutes that restrict how private entities (including parking operators) collect, retain, and share LPR data:

  • Utah: Restricts LPR data retention to 90 days for private entities.
  • Arkansas, New Hampshire, and others: Have enacted restrictions on LPR data retention and use by private entities.
  • California: CCPA applies to LPR data if it constitutes personal information, and additional automotive privacy obligations may apply.

Data minimization principle: Even in states without specific LPR statutes, good data governance calls for limiting LPR data retention to the minimum period necessary for operational purposes. LPR records for vehicles with no violation, permit, or transaction relationship have very limited operational justification for long retention. A 30-day retention maximum for non-violation LPR records is a defensible baseline in most jurisdictions.

Data sharing restrictions: LPR data shared with third parties (including law enforcement, commercial data aggregators, or other parking operators) may implicate the DPPA and state privacy laws depending on the content and use. Parking operators should have documented policies for LPR data sharing requests and should not share LPR data with commercial aggregators for surveillance or commercial tracking purposes.

Payment Card Data: PCI DSS and Privacy

Payment card data — the cardholder’s name, card number, expiration date, and security code — is governed primarily by PCI DSS (a contractual requirement of card network agreements) rather than a standalone privacy law, but state data breach laws apply if card data is compromised:

Data minimization: Parking operators should not store payment card data beyond what is operationally necessary. Tokenization (replacing the actual card number with a transaction-specific token) enables recurring charges without storing actual card numbers. Most modern PARCS payment integrations support tokenization; operators should confirm their payment processor’s tokenization capability.

State breach notification laws: All 50 states have enacted data breach notification laws that require notification to affected individuals and (in some states) to state regulators when personal information including payment card data is compromised. Breach notification timelines vary by state (30 to 90 days is typical) and are triggered when the operator becomes aware of the breach.

Data Governance Framework for Parking Operators

Privacy notice: Any parking operation that collects personal information (monthly accounts, reservations, LPR, payment card data) should have a privacy notice that describes what data is collected, why, how it is used, how long it is retained, and who it is shared with. Privacy notices should be publicly accessible (on the facility website or posted at the facility) and updated when data practices change.

Data retention schedule: Define specific retention periods for each category of parking data and enforce them operationally:

  • Monthly account records: Duration of account plus required accounting retention (typically 7 years)
  • Transaction records: Accounting and compliance retention (typically 7 years)
  • LPR records without associated transaction: 30 to 90 days
  • LPR records with associated transaction or enforcement action: Duration of the associated matter plus standard retention
  • Payment card data (tokenized): Transaction record retention only; raw card data should not be retained

Vendor data governance: Parking operators share data with multiple technology vendors (PARCS vendors, LPR vendors, mobile app platforms). Each data sharing relationship should be governed by a data processing agreement that defines: what data is shared, how it may be used, retention limits, security requirements, and breach notification obligations.

Staff training: Staff who handle personal information (monthly parker account management, lost and found property containing identification) should receive training on privacy obligations specific to their role.

Frequently Asked Questions

Does the CCPA apply to a small parking operator? CCPA applies to for-profit businesses that meet any of these thresholds: annual gross revenue above $25 million; buy, sell, or receive personal information of 100,000+ California consumers or households annually; or derive 50%+ of annual revenue from selling personal information. Many small operators do not meet these thresholds. Larger multi-facility operators should assess CCPA applicability based on their specific revenue and data volume.

Can a parking operator share LPR data with law enforcement on request? Sharing with law enforcement is a permissible purpose under the DPPA for data that falls within the statute. However, parking operators should consult legal counsel before establishing a routine practice of sharing LPR data with law enforcement, both to ensure the DPPA permissible purpose applies and to address state LPR law requirements. A documented policy and process for responding to law enforcement requests is advisable.

What is required in a parking facility privacy notice? A parking facility privacy notice should minimally include: categories of personal information collected (names, payment data, plate numbers), purposes of collection (account management, payment processing, access control, enforcement), data retention periods by category, whether data is shared and with whom (processors, vendors, law enforcement upon proper request), and how individuals can contact the operator with privacy questions or requests. The specific content requirements depend on the applicable state privacy laws.

How long should parking transaction records be retained? Transaction records are business records subject to accounting and tax retention requirements — typically 7 years in most jurisdictions. Records that are subject to ongoing dispute, litigation, or enforcement action should be retained until the matter is fully resolved. LPR records associated with transactions should follow the transaction record retention schedule; LPR records with no associated transaction should be retained for a shorter period (30 to 90 days).

Takeaway

Parking data privacy compliance is a growing area of operational obligation as state privacy laws multiply and LPR data regulations become more common. The foundational compliance posture for parking operators — DPPA-compliant LPR data practices, tokenized payment card handling, state-compliant breach notification readiness, and a documented privacy notice — is accessible at any scale. Operators who design their data governance practices proactively (collecting only necessary data, retaining it for defined periods, governing third-party sharing by contract) are better positioned to adapt to evolving privacy regulations than those who address privacy as a retrospective compliance reaction. Legal counsel with privacy expertise should be engaged to assess specific obligations based on the operator’s state presence, data volume, and revenue.