Wave Privacy Notice
Effective August 18, 2025
The Orange County Transportation Authority (“Authority” or “OCTA”) is committed to protecting your privacy and the confidentiality of any personal data you may provide through the OCTA’s “Wave” system, which includes the Wave card and mobile application. This Privacy Notice (“Notice”) outlines how we collect, use, disclose, and safeguard your personal data when you use the Wave fare media, open an account, or access the Authority’s fare management platforms.
The OCTA limits the collection of personal data to what is necessary to carry out its operational responsibilities and to administer optional programs in which you choose to participate. Personal data maintained by the OCTA is protected in accordance with applicable California state and U.S. federal laws governing data privacy and security.
By continuing to use these services, you acknowledge and accept the terms of this Privacy Notice, our Conditions of Use, and the practices described herein. We encourage you to review this Notice periodically. If material changes are made, we will provide notice through the Wave mobile application, user account notices, or the OCTA’s website.
Notice, Choice, and Consent
Prior to the collection of any personal data from you, we will provide clear notice at the point of collection, specify what personal data is being gathered, the purpose for its collection, and how it will be used. By using this website and related services, you acknowledge and agree to the terms of this Privacy Notice. You may withdraw your consent from the collection or use of your personal information at any time, subject to applicable laws and OCTA’s established procedures. This ensures transparency and allows you to make informed decisions about sharing your data. Our commitment to notice and consent reflects our dedication to transparency and ensures you have the opportunity to make informed decisions regarding the processing of your personal data.
Collection of Personal Data
The Authority does not collect personally identifiable information from users who simply browse the Wave website or access the Wave mobile application, except for Internet Protocol (IP) addresses. IP addresses are logged to assist in application and website management but are not shared with third parties unless required by law. These logs primarily contain non-personally identifiable data, including browser types, device types, operating systems, page visits, session duration, and login activity. Temporary session cookies and analytics tools may also be used to monitor performance, enhance user experience, and secure the application. These cookies can be managed or disabled through your browser settings. Authority staff may analyze this technical information to improve the functionality and reliability of the Wave system.
Personal Data You Send
When registering for or using the Wave system, we may collect:
• Full name, address, email address, and phone number
• Payment information (processed by secure third parties)
• Account login credentials (e.g., username, password)
• Eligibility details for fare discounts (e.g., photo ID for reduced fare media, date of birth)
• Fare usage data (e.g., trip history, fare type)
• Device information (when using the Wave mobile application)
How OCTA Uses and Shares Your Personal Data
The OCTA collects and uses personal data related to the Wave system to manage fare payment, enable account services, support customer service, and analyze ridership trends in a deidentified format. The OCTA does not sell or share this data for commercial purposes.
The OCTA only discloses this data to service providers acting on its behalf or as required by law (e.g., valid warrants, public safety needs, or court proceedings).
OCTA may share personal data collected through its Wave system with the following categories of third parties, but only as necessary to perform services on behalf of the Authority or as required by law:
• Technology vendors and service providers supporting fare collection, customer service, and system administration, who are contractually prohibited from accessing personal data unless explicitly authorized by OCTA for defined purposes such as system performance monitoring and maintenance;
• Payment processors for handling fare transactions in compliance with applicable security standards;
• Law enforcement agencies or public authorities in response to valid legal process or for public safety purposes;
• Government agencies as necessary for compliance with legal obligations, investigations, or transit operations; and
• Auditors and legal advisors engaged to review compliance or investigate claims.
While unregistered Wave cards can be used anonymously, registered users have access to special features like fare capping and account balance protection.
Account holders may request access to, correction of, or deletion of their personal data, or closure of their Wave account, in accordance with applicable privacy laws and the Authority’s established procedures. Upon account closure, the Authority will retain and deidentify personal data in accordance with its data retention policies. If you believe that any information associated with your Wave account is inaccurate, incomplete, or being used inappropriately, you may contact the Authority to dispute or request correction. Requests will be processed in accordance with OCTA procedures and applicable legal requirements. For details on how to submit a request, please see the “Contact Us” section at the end of this Notice.
Public Records and Legal Disclosure
Records related to your Wave account may be subject to the California Public Records Act (Government Code §6250 et seq.). We may disclose such records upon lawful request.
Data Retention and Anonymization for Wave
The OCTA retains personal data related to Wave accounts only as long as necessary for operational, legal, or enforcement-related reasons. Personal data is retained for no longer than four years and six months after account closure. When feasible, data is deidentified to support planning and reporting functions. Inactive accounts may be classified as dormant and handled per the OCTA's Dormant Account and Unclaimed Funds Policy.
Children’s Privacy
The OCTA does not knowingly allow individuals under the age of 13 to create or register a Wave account. The Wave system is intended for individuals aged 13 and older.
Personal data associated with a minor’s registered Wave card is protected in accordance with this Privacy Notice. Parents or guardians may access, update, or delete information related to their child’s account. If parental consent is revoked, the OCTA will take reasonable steps to delete the child’s personal data and may deactivate the account, as appropriate.
Site Security
To protect our systems and their users, we actively monitor network traffic to detect and prevent unauthorized attempts to alter information, upload malicious content, or cause harm. By using the Authority’s website, you expressly consent to this monitoring.
In line with applicable laws and leading practices, the OCTA employs industry and national standards specific to the physical, technical, and administrative safeguards necessary to protect personal data from loss, misuse, alteration, theft, unauthorized access, and disclosure. However, as with any online platform, absolute security cannot be guaranteed.
By contract, the OCTA requires its third-party service providers, such as payment processors and application developers, to implement security practices aligned with industry standards, including but not limited to the Payment Card Industry Data Security Standard (PCI-DSS) and the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), as well as the OCTA’s internal requirements for data protection and user privacy.
You as the user of OCTA services are responsible for the safeguarding of your own credentials, identification numbers, or other sensitive information related to your access to or your use of OCTA’s services.
Do Not Sell
With the importance of protecting user personal data in mind, we do not rent, sell or give away any information identifying you individually to third parties for marketing or mailing list purposes without your permission. When permission is granted by you and data is subsequently provided, the third parties are contractually bound to only use the information provided for purpose(s) specified in your consent.
Personal data collected by OCTA’s Wave system is not used for marketing or promotional purposes without your express consent.
Links to Other Sites
This Notice does not apply to third-party websites linked through OCTA services. Users are encouraged to review those sites' privacy notices.
Your Rights Under California Streets and Highways Code §31490
For the purposes of this Privacy Notice and in accordance with California Streets and Highways Code Section 31490, OCTA’s “Wave” system is an account-based fare payment program that meets the definition of and constitutes an automated transit fare collection system, functionally equivalent to an "electronic toll collection system" as defined by state regulation. The definition includes any system that electronically collects fares or processes transit payments, and in doing so, may capture, store, or transmit personal data, including data related to the location, travel behavior, or identity of a registered user.
Pursuant to California Streets and Highways Code Section 31490, we have included in this Privacy Notice the types of information collected, the categories of third parties with whom the information may be shared, and how we will notify you of changes to the Privacy Notice along with the effective date.
As a user of the Wave system, which qualifies as an automated transit fare collection system under SHC §31490, you are entitled to the following rights:
• Access your personal transit data collected by the Authority, including trip history and location-based information.
• Request correction or deletion of inaccurate or outdated personal information.
• Receive advance notice of any material changes to this Privacy Notice.
• Limit disclosure of personally identifiable travel data unless required by a valid warrant, subpoena, or court order.
Contact Us
We take reasonable steps to ensure that all personal data we collect is maintained as submitted to us by you, so that our records reflect your information for its intended purposes, which may include customer correspondence, compliance and legal considerations, auditing, security and fraud prevention, and preserving or defending our rights.
If you have questions about this Privacy Notice or wish to update, correct, and/or request removal of your personal data, please contact the Authority at:
• Email: [email protected]
• Mail: Orange County Transportation Authority, P.O. Box 14184, Orange, CA 92863-1584
Copyright © Orange County Transportation Authority, 2025.