Amended in Assembly July 2, 2015

Amended in Senate April 22, 2015

Senate BillNo. 34


Introduced by Senator Hill

begin insert

(Coauthor: Assembly Member Gatto)

end insert

December 1, 2014


An act to amend Sections 1798.29 and 1798.82 of, and to add Title 1.81.23 (commencing with Section 1798.90.5) to Part 4 of Division 3 of, the Civil Code, relating to personal information.

LEGISLATIVE COUNSEL’S DIGEST

SB 34, as amended, Hill. Automated license plate recognition systems: use of data.

(1) Existing law authorizes the Department of the California Highway Patrol to retain license plate data captured by license plate recognition (LPR) technology, also referred to as an automated license plate recognition (ALPR) system, for not more than 60 days unless the data is being used as evidence or for the investigation of felonies. Existing law prohibits the department from selling the data or from making the data available to an agency that is not a law enforcement agency or an individual that is not a law enforcement officer.

Existing law authorizes the department to use LPR data for the purpose of locating vehicles or persons reasonably suspected of being involved in the commission of a public offense, and requires the department to monitor the internal use of the data to prevent unauthorized use and to submit to the Legislature, as a part of the annual automobile theft report, information on the department’s LPR practices and usage.

This bill would impose specified requirements on an “ALPR operator” as defined, including, among others,begin delete ensuring that the information the ALPR operator collects is protected with certain safeguards, and implementing andend delete maintainingbegin delete specifiedend deletebegin insert reasonableend insert security proceduresbegin insert and practices to protect ALPR informationend insert andbegin insert implementingend insert a usage and privacy policy with respect to thatbegin delete information.end deletebegin insert information, as specified. The bill would impose similar requirements on an “ALPR end-user,” as defined.end insert

The bill would require an ALPR operator that accesses or provides access to ALPR information to maintain a specified record of that access.

begin delete

This bill would also require an “ALPR end-user,” as defined, to implement and maintain a specified usage and privacy policy.

end delete

The bill would, in addition to any other sanctions, penalties, or remedies provided by law, authorize an individual who has been harmed by a violation of these provisions to bring a civil action in any court of competent jurisdiction against a person who knowingly causedbegin delete that violation.end deletebegin insert the harm.end insert

The bill would require a publicbegin delete agencyend deletebegin insert agency, as defined,end insert thatbegin delete considers implementing a program to gather information through the use ofend deletebegin insert operates or intends to operateend insert an ALPR system to provide an opportunity for public comment at a regularly scheduled public meeting of the governing body of the public agency beforebegin delete it implementsend deletebegin insert implementingend insert the program.begin insert The bill would also prohibit a public agency from selling, sharing, or transferring ALPR information, except to another public agency, as specified.end insert

(2) Existing law requires any agency, and any person or business conducting business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the system or data, as defined, following discovery or notification of the security breach, to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Existing law defines “personal information” for these purposes to include an individual’s first name and last name, or first initial and last name, in combination with one or more designated data elements relating to, among other things, social security numbers, driver’s license numbers, financial accounts, and medical information.

This bill would include information or data collected through the use or operation of an automated license plate recognition system, when that information is not encrypted and is used in combination with an individual’s name, in the definition of “personal information” discussed above.

Vote: majority. Appropriation: no. Fiscal committee: yes. State-mandated local program: no.

The people of the State of California do enact as follows:

P3    1

SECTION 1.  

Section 1798.29 of the Civil Code is amended
2to read:

3

1798.29.  

(a) Any agency that owns or licenses computerized
4data that includes personal information shall disclose any breach
5of the security of the system following discovery or notification
6of the breach in the security of the data to any resident of California
7whose unencrypted personal information was, or is reasonably
8believed to have been, acquired by an unauthorized person. The
9disclosure shall be made in the most expedient time possible and
10without unreasonable delay, consistent with the legitimate needs
11of law enforcement, as provided in subdivision (c), or any measures
12necessary to determine the scope of the breach and restore the
13reasonable integrity of the data system.

14(b) Any agency that maintains computerized data that includes
15personal information that the agency does not own shall notify the
16owner or licensee of the information of any breach of the security
17of the data immediately following discovery, if the personal
18information was, or is reasonably believed to have been, acquired
19by an unauthorized person.

20(c) The notification required by this section may be delayed if
21a law enforcement agency determines that the notification will
22impede a criminal investigation. The notification required by this
23section shall be made after the law enforcement agency determines
24that it will not compromise the investigation.

25(d) Any agency that is required to issue a security breach
26notification pursuant to this section shall meet all of the following
27requirements:

28(1) The security breach notification shall be written in plain
29language.

30(2) The security breach notification shall include, at a minimum,
31the following information:

32(A) The name and contact information of the reporting agency
33subject to this section.

34(B) A list of the types of personal information that were or are
35reasonably believed to have been the subject of a breach.

P4    1(C) If the information is possible to determine at the time the
2notice is provided, then any of the following: (i) the date of the
3breach, (ii) the estimated date of the breach, or (iii) the date range
4within which the breach occurred. The notification shall also
5include the date of the notice.

6(D) Whether the notification was delayed as a result of a law
7enforcement investigation, if that information is possible to
8determine at the time the notice is provided.

9(E) A general description of the breach incident, if that
10information is possible to determine at the time the notice is
11provided.

12(F) The toll-free telephone numbers and addresses of the major
13credit reporting agencies, if the breach exposed a social security
14number or a driver’s license or California identification card
15number.

16(3) At the discretion of the agency, the security breach
17notification may also include any of the following:

18(A) Information about what the agency has done to protect
19individuals whose information has been breached.

20(B) Advice on steps that the person whose information has been
21breached may take to protect himself or herself.

22(4) In the case of a breach of the security of the system involving
23personal information defined in paragraph (2) of subdivision (g)
24for an online account, and no other personal information defined
25in paragraph (1) of subdivision (g), the agency may comply with
26this section by providing the security breach notification in
27electronic or other form that directs the person whose personal
28information has been breached to promptly change his or her
29password and security question or answer, as applicable, or to take
30other steps appropriate to protect the online account with the
31agency and all other online accounts for which the person uses the
32same user name or email address and password or security question
33or answer.

34(5) In the case of a breach of the security of the system involving
35personal information defined in paragraph (2) of subdivision (g)
36 for login credentials of an email account furnished by the agency,
37the agency shall not comply with this section by providing the
38security breach notification to that email address, but may, instead,
39comply with this section by providing notice by another method
40described in subdivision (i) or by clear and conspicuous notice
P5    1delivered to the resident online when the resident is connected to
2the online account from an Internet Protocol address or online
3location from which the agency knows the resident customarily
4accesses the account.

5(e) Any agency that is required to issue a security breach
6notification pursuant to this section to more than 500 California
7residents as a result of a single breach of the security system shall
8electronically submit a single sample copy of that security breach
9notification, excluding any personally identifiable information, to
10the Attorney General. A single sample copy of a security breach
11notification shall not be deemed to be within subdivision (f) of
12Section 6254 of the Government Code.

13(f) For purposes of this section, “breach of the security of the
14system” means unauthorized acquisition of computerized data that
15compromises the security, confidentiality, or integrity of personal
16information maintained by the agency. Good faith acquisition of
17personal information by an employee or agent of the agency for
18the purposes of the agency is not a breach of the security of the
19system, provided that the personal information is not used or
20subject to further unauthorized disclosure.

21(g) For purposes of this section, “personal information” means
22either of the following:

23(1) An individual’s first name or first initial and last name in
24combination with any one or more of the following data elements,
25when either the name or the data elements are not encrypted:

26(A) Social security number.

27(B) Driver’s license number or California identification card
28number.

29(C) Account number, credit or debit card number, in
30combination with any required security code, access code, or
31password that would permit access to an individual’s financial
32account.

33(D) Medical information.

34(E) Health insurance information.

35(F) Information or data collected through the use or operation
36of an automated license plate recognition system, as defined in
37Section 1798.90.5.

38(2) A user name or email address, in combination with a
39password or security question and answer that would permit access
40to an online account.

P6    1(h) (1) For purposes of this section, “personal information”
2does not include publicly available information that is lawfully
3made available to the general public from federal, state, or local
4government records.

5(2) For purposes of this section, “medical information” means
6any information regarding an individual’s medical history, mental
7or physical condition, or medical treatment or diagnosis by a health
8care professional.

9(3) For purposes of this section, “health insurance information”
10means an individual’s health insurance policy number or subscriber
11identification number, any unique identifier used by a health insurer
12to identify the individual, or any information in an individual’s
13application and claims history, including any appeals records.

14(i) For purposes of this section, “notice” may be provided by
15one of the following methods:

16(1) Written notice.

17(2) Electronic notice, if the notice provided is consistent with
18the provisions regarding electronic records and signatures set forth
19in Section 7001 of Title 15 of the United States Code.

20(3) Substitute notice, if the agency demonstrates that the cost
21of providing notice would exceed two hundred fifty thousand
22dollars ($250,000), or that the affected class of subject persons to
23be notified exceeds 500,000, or the agency does not have sufficient
24contact information. Substitute notice shall consist of all of the
25following:

26(A) Email notice when the agency has an email address for the
27subject persons.

28(B) Conspicuous posting of the notice on the agency’s Internet
29Web site page, if the agency maintains one.

30(C) Notification to major statewide media and the Office of
31Information Security within the Department of Technology.

32(j) Notwithstanding subdivision (i), an agency that maintains
33its own notification procedures as part of an information security
34policy for the treatment of personal information and is otherwise
35consistent with the timing requirements of this part shall be deemed
36to be in compliance with the notification requirements of this
37section if it notifies subject persons in accordance with its policies
38in the event of a breach of security of the system.

39(k) Notwithstanding the exception specified in paragraph (4) of
40subdivision (b) of Section 1798.3, for purposes of this section,
P7    1“agency” includes a local agency, as defined in subdivision (a) of
2Section 6252 of the Government Code.

3

SEC. 2.  

Section 1798.82 of the Civil Code is amended to read:

4

1798.82.  

(a) A person or business that conducts business in
5California, and that owns or licenses computerized data that
6includes personal information, shall disclose a breach of the
7security of the system following discovery or notification of the
8breach in the security of the data to a resident of California whose
9unencrypted personal information was, or is reasonably believed
10to have been, acquired by an unauthorized person. The disclosure
11shall be made in the most expedient time possible and without
12unreasonable delay, consistent with the legitimate needs of law
13enforcement, as provided in subdivision (c), or any measures
14necessary to determine the scope of the breach and restore the
15reasonable integrity of the data system.

16(b) A person or business that maintains computerized data that
17includes personal information that the person or business does not
18own shall notify the owner or licensee of the information of the
19breach of the security of the data immediately following discovery,
20if the personal information was, or is reasonably believed to have
21been, acquired by an unauthorized person.

22(c) The notification required by this section may be delayed if
23a law enforcement agency determines that the notification will
24impede a criminal investigation. The notification required by this
25section shall be made promptly after the law enforcement agency
26determines that it will not compromise the investigation.

27(d) A person or business that is required to issue a security
28breach notification pursuant to this section shall meet all of the
29following requirements:

30(1) The security breach notification shall be written in plain
31language.

32(2) The security breach notification shall include, at a minimum,
33the following information:

34(A) The name and contact information of the reporting person
35or business subject to this section.

36(B) A list of the types of personal information that were or are
37reasonably believed to have been the subject of a breach.

38(C) If the information is possible to determine at the time the
39notice is provided, then any of the following: (i) the date of the
40breach, (ii) the estimated date of the breach, or (iii) the date range
P8    1within which the breach occurred. The notification shall also
2include the date of the notice.

3(D) Whether notification was delayed as a result of a law
4enforcement investigation, if that information is possible to
5determine at the time the notice is provided.

6(E) A general description of the breach incident, if that
7information is possible to determine at the time the notice is
8provided.

9(F) The toll-free telephone numbers and addresses of the major
10credit reporting agencies if the breach exposed a social security
11number or a driver’s license or California identification card
12number.

13(G) If the person or business providing the notification was the
14source of the breach, an offer to provide appropriate identity theft
15prevention and mitigation services, if any, shall be provided at no
16cost to the affected person for not less than 12 months, along with
17all information necessary to take advantage of the offer to any
18person whose information was or may have been breached if the
19breach exposed or may have exposed personal information defined
20in subparagraphs (A) and (B) of paragraph (1) of subdivision (h).

21(3) At the discretion of the person or business, the security
22breach notification may also include any of the following:

23(A) Information about what the person or business has done to
24protect individuals whose information has been breached.

25(B) Advice on steps that the person whose information has been
26breached may take to protect himself or herself.

27(4) In the case of a breach of the security of the system involving
28personal information defined in paragraph (2) of subdivision (h)
29for an online account, and no other personal information defined
30in paragraph (1) of subdivision (h), the person or business may
31comply with this section by providing the security breach
32notification in electronic or other form that directs the person whose
33personal information has been breached promptly to change his
34or her password and security question or answer, as applicable, or
35to take other steps appropriate to protect the online account with
36the person or business and all other online accounts for which the
37person whose personal information has been breached uses the
38same user name or email address and password or security question
39or answer.

P9    1(5) In the case of a breach of the security of the system involving
2personal information defined in paragraph (2) of subdivision (h)
3for login credentials of an email account furnished by the person
4or business, the person or business shall not comply with this
5section by providing the security breach notification to that email
6address, but may, instead, comply with this section by providing
7notice by another method described in subdivision (j) or by clear
8and conspicuous notice delivered to the resident online when the
9resident is connected to the online account from an Internet
10Protocol address or online location from which the person or
11business knows the resident customarily accesses the account.

12(e) A covered entity under the federal Health Insurance
13Portability and Accountability Act of 1996 (42 U.S.C. Sec. 1320d
14et seq.) will be deemed to have complied with the notice
15requirements in subdivision (d) if it has complied completely with
16Section 13402(f) of the federal Health Information Technology
17for Economic and Clinical Health Act (Public Law 111-5).
18However, nothing in this subdivision shall be construed to exempt
19a covered entity from any other provision of this section.

20(f) A person or business that is required to issue a security breach
21notification pursuant to this section to more than 500 California
22residents as a result of a single breach of the security system shall
23electronically submit a single sample copy of that security breach
24notification, excluding any personally identifiable information, to
25the Attorney General. A single sample copy of a security breach
26notification shall not be deemed to be within subdivision (f) of
27Section 6254 of the Government Code.

28(g) For purposes of this section, “breach of the security of the
29system” means unauthorized acquisition of computerized data that
30compromises the security, confidentiality, or integrity of personal
31information maintained by the person or business. Good faith
32acquisition of personal information by an employee or agent of
33the person or business for the purposes of the person or business
34is not a breach of the security of the system, provided that the
35personal information is not used or subject to further unauthorized
36disclosure.

37(h) For purposes of this section, “personal information” means
38either of the following:

P10   1(1) An individual’s first name or first initial and last name in
2combination with any one or more of the following data elements,
3when either the name or the data elements are not encrypted:

4(A) Social security number.

5(B) Driver’s license number or California identification card
6number.

7(C) Account number, credit or debit card number, in
8combination with any required security code, access code, or
9password that would permit access to an individual’s financial
10account.

11(D) Medical information.

12(E) Health insurance information.

13(F) Information or data collected through the use or operation
14of an automated license plate recognition system, as defined in
15Section 1798.90.5.

16(2) A user name or email address, in combination with a
17password or security question and answer that would permit access
18to an online account.

19(i) (1) For purposes of this section, “personal information” does
20not include publicly available information that is lawfully made
21available to the general public from federal, state, or local
22government records.

23(2) For purposes of this section, “medical information” means
24any information regarding an individual’s medical history, mental
25or physical condition, or medical treatment or diagnosis by a health
26care professional.

27(3) For purposes of this section, “health insurance information”
28means an individual’s health insurance policy number or subscriber
29identification number, any unique identifier used by a health insurer
30to identify the individual, or any information in an individual’s
31application and claims history, including any appeals records.

32(j) For purposes of this section, “notice” may be provided by
33one of the following methods:

34(1) Written notice.

35(2) Electronic notice, if the notice provided is consistent with
36the provisions regarding electronic records and signatures set forth
37in Section 7001 of Title 15 of the United States Code.

38(3) Substitute notice, if the person or business demonstrates that
39the cost of providing notice would exceed two hundred fifty
40thousand dollars ($250,000), or that the affected class of subject
P11   1persons to be notified exceeds 500,000, or the person or business
2does not have sufficient contact information. Substitute notice
3shall consist of all of the following:

4(A) Email notice when the person or business has an email
5address for the subject persons.

6(B) Conspicuous posting of the notice on the Internet Web site
7page of the person or business, if the person or business maintains
8one.

9(C) Notification to major statewide media.

10(k) Notwithstanding subdivision (j), a person or business that
11maintains its own notification procedures as part of an information
12security policy for the treatment of personal information and is
13otherwise consistent with the timing requirements of this part, shall
14be deemed to be in compliance with the notification requirements
15of this section if the person or business notifies subject persons in
16accordance with its policies in the event of a breach of security of
17the system.

18

SEC. 3.  

Title 1.81.23 (commencing with Section 1798.90.5)
19is added to Part 4 of Division 3 of the Civil Code, to read:

20 

21Title 1.81.23.  COLLECTION OF LICENSE PLATE
22INFORMATION

23

 

24

1798.90.5.  

The following definitions shall apply for purposes
25of this title:

26(a) “Automated license plate recognition end-user” or “ALPR
27end-user” means a person that accesses or usesbegin insert anend insert ALPR
28begin delete information,end deletebegin insert system,end insert but does not includebegin delete aend deletebegin insert any of the following:end insert

29begin insert(1)end insertbegin insertend insertbegin insertAend insert transportation agency when subject to Section 31490 of
30the Streets and Highways Code.

begin insert

31(2) A person that is subject to Sections 6801 to 6809, inclusive,
32of Title 15 of the United States Code and state or federal statutes
33or regulations implementing those sections, if both of the following
34apply:

end insert
begin insert

35(A) The person is subject to compliance oversight by a state or
36federal regulatory agency with respect to those sections.

end insert
begin insert

37(B) The person has agreed to comply with and is subject to the
38privacy policy of the ALPR operator providing the information.

end insert
begin insert

39(3) A person, other than a law enforcement agency, to whom
40information may be disclosed as a permissible use pursuant to
P12   1Section 2721 of Title 18 of the United States Code, if the person
2has agreed to comply with and is subject to the privacy policy of
3the ALPR operator providing the information.

end insert

4(b) “Automated license plate recognition information,” or
5“ALPR information” means information or data collected through
6the use of an ALPR system.

7(c) “Automated license plate recognition operator” or “ALPR
8operator” means a person that operates an ALPR system,begin delete or that
9stores or maintains ALPR information,end delete
but does not include a
10transportation agency when subject to Section 31490 of the Streets
11and Highways Code.

12(d) “Automated license plate recognition system” or “ALPR
13system” means abegin delete systemend deletebegin insert searchable computerized database
14resulting from the operationend insert
of one or more mobile or fixed
15cameras combined with computer algorithms to read and convert
16images of registration plates and the characters they contain into
17computer-readable data.

18(e) “Person”begin delete includes a law enforcement agency, government
19agency, private entity, or individual.end delete
begin insert means any natural person,
20public agency, partnership, firm, association, corporation, limited
21liability company, or other legal entity.end insert

22(f) “Public agency” meansbegin delete and includes every state agency and
23every local agency.end delete
begin insert the state, any city, county, or city and county,
24or any agency or political subdivision of the state or a city, county,
25or city and county, including, but not limited to, a law enforcement
26agency.end insert

27

1798.90.51.  

An ALPR operator shall do all of the following:

begin delete

28(a) (1) Ensure that ALPR information is protected with
29reasonable operational, administrative, technical, and physical
30safeguards to ensure its confidentiality and integrity.

end delete
begin delete

31(2) Implement and maintain

end delete

32begin insert(end insertbegin inserta)end insertbegin insertend insertbegin insertMaintainend insert reasonable security procedures andbegin delete practices in
33orderend delete
begin insert practices, including operational, administrative, technical,
34and physical safeguards,end insert
to protect ALPR information from
35unauthorized access, destruction, use, modification, or disclosure.

36(b) (1) Implementbegin delete and maintainend delete a usage and privacy policy in
37order to ensure that the collection, use, maintenance, sharing, and
38dissemination of ALPR information is consistent with respect for
39individuals’ privacy and civil liberties. The usage and privacy
40policy shall be availablebegin insert to the publicend insert in writing, and, if the ALPR
P13   1operator has an Internet Web site, the usage and privacy policy
2shall be posted conspicuously on that Internet Web site.

3(2) The usage and privacy policy shall, at a minimum, include
4all of the following:

5(A) The authorized purposes for usingbegin insert theend insert ALPRbegin delete systemsend deletebegin insert systemend insert
6 and collecting ALPR information.

7(B) A description ofbegin insert the job title or other designation ofend insert the
8employees and independent contractors who are authorized to use
9begin insert or access theend insert ALPRbegin delete systems,end deletebegin insert system, orend insert to collect ALPR
10begin delete information, and to access ALPRend delete information. The policy shall
11identify the training requirements necessary for those authorized
12employees and independent contractors.

13(C) A description of how thebegin delete use ofend delete ALPRbegin delete systemsend deletebegin insert systemend insert will
14be monitored to ensurebegin insert the security of the information andend insert
15 compliance withbegin delete allend delete applicable privacybegin delete laws and a process for
16periodic system audits, including audits of the access log required
17by Section 1798.90.52.end delete
begin insert laws.end insert

begin delete

18(D) A description of reasonable measures that will be used to
19ensure the accuracy of ALPR information and a process to correct
20data errors.

end delete
begin delete

21(E) A description of how the ALPR operator will comply with
22the security procedures and practices implemented and maintained
23pursuant to subdivision (a).

end delete
begin delete

24(F) The length of time ALPR information will be stored or
25retained.

end delete
begin insert

26(D) The purposes of, process for, and restrictions on, the sale,
27sharing, or transfer of ALPR information to other persons.

end insert
begin delete

28(G)

end delete

29begin insert(E)end insert Thebegin insert title of theend insert official custodian, or owner, ofbegin insert theend insert ALPR
30begin delete information and which employees and independent contractors
31have the responsibility and accountability for implementing
32subdivision (a) and this subdivision.end delete
begin insert system responsible for
33implementing this section.end insert

begin delete

34(H) The purpose of, and process for, sharing or disseminating
35ALPR information with other persons.

end delete
begin insert

36(F) A description of the reasonable measures that will be used
37to ensure the accuracy of ALPR information and correct data
38errors.

end insert
begin insert

P14   1(G) The length of time ALPR information will be retained, and
2the process the ALPR operator will utilize to determine if and when
3to destroy retained ALPR information.

end insert
4

1798.90.52.  

If an ALPR operator accesses or provides access
5to ALPR information, the ALPR operator shall maintain a record
6of that access. At a minimum, the record shall include all of the
7following:

8(a) The date and time the information is accessed.

9(b) The license plate number or other data elements used to
10query the ALPRbegin delete database orend delete system.

11(c) Thebegin delete nameend deletebegin insert usernameend insert of the person who accesses the
12information, and, as applicable, the organization or entity with
13whom the person is affiliated.

14(d) The purpose for accessing the information.begin insert end insert

15

1798.90.53.  

begin insert

An ALPR end-user shall do all of the following:

end insert

16begin insert(a)end insertbegin insertend insertbegin insertMaintain reasonable security procedures and practices,
17including operational, administrative, technical, and physical
18safeguards, to protect ALPR information from unauthorized access,
19destruction, use, modification, or disclosure.end insert
begin insert end insertbegin delete(a)end deletebegin deleteend deletebegin deleteAn ALPR
20end-user shall implement and maintainend delete

21begin insert(b)end insertbegin insertend insertbegin insert(1)end insertbegin insertend insertbegin insertImplement end inserta usage and privacy policy in order to ensure
22that the access, use, sharing, and dissemination of ALPR
23information is consistent with respect for individuals’ privacy and
24civil liberties. The usage and privacy policy shall be availablebegin insert to
25the publicend insert
in writing, and, if the ALPR end-user has an Internet
26Web site, the usage and privacy policy shall be posted
27conspicuously on that Internet Web site.

begin delete

28(b)

end delete

29begin insert(2)end insert The usage and privacy policy shall, at a minimum, include
30all of the following:

begin delete

31(1)

end delete

32begin insert(A)end insert The authorized purposes for accessing and using ALPR
33information.

begin delete

34(2)

end delete

35begin insert(B)end insert A description ofbegin insert the job title or other designation ofend insert the
36employees and independent contractors who are authorized to
37access and use ALPR information. The policy shall identify the
38training requirements necessary for those authorized employees
39and independent contractors.

begin delete

40(3)

end delete

P15   1begin insert(C)end insert A description of how thebegin delete access and use ofend delete ALPR
2begin delete informationend deletebegin insert systemend insert will be monitored to ensurebegin insert the security of the
3information accessed or used, andend insert
compliance with all applicable
4privacy laws and a process for periodic system audits.

begin delete

5(4) The length of time ALPR information will be retained by
6the ALPR end-user and the process the ALPR end-user will utilize
7to determine if and when to destroy the retained ALPR information.

end delete
begin insert

8(D) The purposes of, process for, and restrictions on, the sale,
9sharing, or transfer of ALPR information to other persons.

end insert
begin delete

10(5)

end delete

11begin insert(E)end insert Thebegin insert title of theend insert official custodian, or owner, ofbegin insert theend insert ALPR
12begin delete information.end deletebegin insert information responsible for implementing this section.end insert

begin delete

13(6) The purpose of, and process for, sharing or disseminating
14ALPR information with other persons.

end delete
begin delete

15(7)

end delete

16begin insert(F)end insert A description ofbegin delete howend delete thebegin delete end-user will implementend delete reasonable
17begin delete securityend delete measuresbegin delete to secureend deletebegin insert that will be used to ensure the accuracy
18ofend insert
ALPR informationbegin delete from unauthorized access, destruction, use,
19modification, or disclosure.end delete
begin insert and correct data errors.end insert

begin delete

20(8) Which employees and independent contractors have the
21responsibility and accountability for implementing subdivision (a)
22and this subdivision.

end delete
begin insert

23(G) The length of time ALPR information will be retained, and
24the process the ALPR end-user will utilize to determine if and when
25to destroy retained ALPR information.

end insert
26

1798.90.54.  

(a) In addition to any other sanctions, penalties,
27or remedies provided by law, an individual who has been harmed
28by a violation of thisbegin delete titleend deletebegin insert title, including, but not limited to,
29unauthorized access or use of ALPR information or a breach of
30security of an ALPR system,end insert
may bring a civil action in any court
31of competent jurisdiction against a person who knowingly caused
32begin delete that violation.end deletebegin insert the harm.end insert

33(b) The court may award a combination of any one or more of
34the following:

35(1) Actual damages, but not less than liquidated damages in the
36amount of two thousand five hundred dollars ($2,500).

37(2) Punitive damages upon proof of willful or reckless disregard
38of the law.

39(3) Reasonable attorney’s fees and other litigation costs
40reasonably incurred.

P16   1(4) Other preliminary and equitable relief as the court determines
2to be appropriate.

3

1798.90.55.  

Notwithstanding any other law orbegin delete regulation, aend delete
4begin insert regulation:end insert

5begin insert(a)end insertbegin insertend insertbegin insertAend insert public agency thatbegin delete considers implementing a program to
6gather information through the use ofend delete
begin insert operates or intends to operateend insert
7 an ALPR system shall provide an opportunity for public comment
8at a regularly scheduled public meeting of the governing body of
9the public agency beforebegin delete it implementsend deletebegin insert implementingend insert the program.

begin insert

10(b) A public agency shall not sell, share, or transfer ALPR
11information, except to another public agency, and only as otherwise
12permitted by law. For purposes of this section, the provision of
13data hosting services shall not be considered the sale, sharing, or
14transferring of ALPR information.

end insert

CORRECTIONS:

Text--Page 14.




O

Corrected 7-9-15—See last page.     97