BILL ANALYSIS �Ó
SB 34
Page 1
Date of Hearing: July 7, 2015
ASSEMBLY COMMITTEE ON PRIVACY AND CONSUMER PROTECTION
Mike Gatto, Chair
SB
34 (Hill) - As Amended July 2, 2015
SENATE VOTE: 25-12
SUBJECT: Automated license plate recognition systems: use of
data.
SUMMARY: Imposes a variety of security, privacy and public
hearing requirements on the use of automated license plate
recognition (ALPR) systems, as well as a private right of action
and provisions for remedies. Specifically, this bill:
1)Requires that data collected through the use or operation of
an ALPR system be treated as personal information for purposes
of existing data breach notification laws applying to
agencies, persons, or businesses that conduct business in
California and own or license computerized data including
personal information.
2)Requires an ALPR operator and ALPR end-user to maintain
reasonable security procedures and practices, including
operational, administrative, technical, and physical
safeguards, to protect information from unauthorized access,
destruction, use, modification, or disclosure.
�
SB 34
Page 2
3)Requires an ALPR operator and ALPR end-user to implement and
maintain a usage and privacy policy, as specified, which shall
be available in writing to the public, and conspicuously
posted on the operator or end-user's website if one exists.
4)Requires the ALPR operator usage and privacy policy to
include, at a minimum, all of the following:
a) The authorized purposes for using the ALPR system
and collecting ALPR information.
b) A description of the job title or other designation
of the employees and independent contractors, and their
training requirements, who are authorized to use the ALPR
system or collect and access ALPR information.
c) A description of how the use of how the ALPR system
will be monitored for compliance with privacy laws.
d) The purposes of, process for, and restrictions on,
the sale, sharing, or transfer of ALPR information to
other persons.
e) The title of the official custodian, or owner, of
the ALPR system responsible for implementing the policy.
f) A description of the reasonable measures that will
be used to ensure the accuracy of ALPR information and a
process to correct data errors.
�
SB 34
Page 3
g) The length of time ALPR information will be
retained, and the process the ALPR operator will utilize
to determine if and when to destroy retained ALPR
information.
5)Requires ALPR operators to maintain a record of access to ALPR
information, including the date and time of access, the
license plate number which was queried, the username of the
person who accessed the information, and the purpose for
accessing the information.
6)Requires the ALPR end-user's usage and privacy policy to
include, at a minimum, all of the following:
a) The authorized purposes for accessing and using ALPR
information.
b) A description of the job title or other designation
of the employees and independent contractors, and their
training requirements, who are authorized to access and
use ALPR information.
c) A description of how the use of ALPR systems will be
monitored to ensure the security of the information
accessed or used, and compliance with privacy laws and
the process for periodic system audits, as specified.
d) The purposes of, process for, and restrictions on,
�
SB 34
Page 4
the sale, sharing, or transfer of ALPR information to
other persons.
e) The title of the official custodian, or owner, of
the ALPR information responsible for implementing this
section.
f) A description of the reasonable measures that will
be used to ensure the accuracy of ALPR information and a
process to correct data errors.
g) The length of time ALPR information will be
retained, and the process the ALPR end-user will utilize
to determine if and when to destroy retained ALPR
information.
7)Allows an individual who has been harmed by a violation of
these requirements to bring a civil action against a person
who knowingly caused the violation.
8)Authorizes a court to award any or all of the following
remedies:
a) Actual damages, but not less than liquidated damages
in the amount of two thousand five hundred dollars
($2,500);
b) Punitive damages upon proof of willful or reckless
disregard of the law;
c) Reasonable attorney's fees and other litigation
costs reasonably incurred; and,
�
SB 34
Page 5
d) Other preliminary and equitable relief as the court
determines to be appropriate.
9)Requires that a public agency that operates or intends to
operate an ALPR system to provide an opportunity for public
comment at a public meeting of the agency's governing body
before implementing the program.
10)Prohibits a public agency from selling, sharing or
transferring ALPR information, except to another public agency
and only as permitted by law, although data hosting services
are exempted.
11)Defines the terms "automated license plate recognition
end-user," "automated license plate recognition information,"
"automated license plate recognition operator," "automated
license plate recognition system," "person," and "public
agency."
EXISTING LAW:
1)Provides, pursuant to the California Constitution, that all
people have inalienable rights, including the right to pursue
and obtain privacy. (Cal. Const., art. I, Sec. 1.)
2)Permits the California Highway Patrol (CHP) to retain license
plate data captured by a license plate reader for no more than
60 days, except in circumstances when the data is being used
as evidence or for all felonies being investigated, including,
but not limited to, auto theft, homicides, kidnapping,
burglaries, elder and juvenile abductions, Amber Alerts, and
�
SB 34
Page 6
Blue Alerts. (Vehicle Code (VC) Section 2413(b)
3)Prohibits the CHP from selling ALPR data for any purpose and
making it available to an agency that is not a law enforcement
agency or an individual who is not a law enforcement officer.
The data may be used by a law enforcement agency only for
purposes of locating vehicles or persons when either is
reasonably suspected of being involved in the commission of a
public offense. (VC 2413(c))
4)Requires the CHP to monitor internal use of the ALPR data to
prevent unauthorized use. (VC 2413(d))
5)Requires the CHP to report to the Legislature its ALPR
practices and usage, including the number of ALPR data
disclosures, a record of the agencies to which data was
disclosed and for what purpose, and any changes in policy that
affect privacy concerns. (VC 2413(e))
6)Requires, pursuant to the Data Breach Protection Law, a public
agency, or a person or business conducting business in
California, that owns or licenses computerized data that
includes personal information to disclose a breach of the
security of the system or data following discovery or
notification of the security breach, to any California
resident whose unencrypted personal information was, or is
reasonably believed to have been, acquired by an unauthorized
person. (Civil Code (CC) Section 1798.29; CC 1798.82)
FISCAL EFFECT: According to the Senate Appropriations
Committee:
�
SB 34
Page 7
Potentially significant local law enforcement agency costs to
comply with the provisions of this measure, to the extent
those entities wish to operate ALPR systems. As the use or
access of ALPR systems is not a mandated activity, the
implementation of additional security, privacy, and access
protocols and procedures are estimated to be non-reimbursable
by the state.
Potential periodic minor to significant costs to public
(State/Local) and private ALPR operators, to issue data breach
notifications. Private entities and public agencies are
already subject to data breach notification law, so costs
would be dependent on the frequency and size of data breaches
specific to unencrypted ALPR data, and the process of
notification utilized by each agency.
COMMENTS:
1)Purpose of this bill . This bill is intended to bring greater
transparency to the use of ALPR systems by requiring operators
and end-users, as defined, to adopt an ALPR usage and privacy
policy, and also requiring public agencies to hold a public
hearing before utilizing an ALPR system. This bill is
author-sponsored.
2)Author's statement . According to the author, "While at least
seven other states have already passed laws to regulate
automatic license plate reader (ALPR) systems, current
California law has not kept up with the rapid adoption of the
technology. Except for the California Highway Patrol (CHP)
and transportation agencies, current California law doesn't
require any privacy safeguards or establish any protocols for
the use of ALPR systems."
�
SB 34
Page 8
"Not only has the law failed to keep up with the quick
adoption of ALPR, but the entities using ALPR have also been
slow in crafting their own internal policies. For example,
according to the International Association of Chiefs of
Police, only 48% of police agencies across the country have
developed policies that govern ALPR use and privacy."
3)Automated License Plate Reader technology . An ALPR system is
one or more mobile or fixed cameras combined with computer
algorithms that can read and convert images of automobile
registration plates and the characters they contain into
computer-readable data showing the license plate itself, as
well as the time, date and place of the picture. ALPR systems
can also provide a "contextual" photo of the car itself,
making information about car make and model, distinguishing
features, state of registration, and driver and passage
potentially available as well.
It is important to note that while ALPR does not identify a
specific person by itself and is not considered "personally
identifiable information", it can be linked to an identifiable
person through a registration database, like that operated by
the Department of Motor Vehicles.
ALPR systems operate by automatically scanning any license
plate within range. Some ALPR systems can scan up to 2,000
license plates per minute. In the private sector, ALPR
systems are used to monitor parking facilities and assist
repossession companies in identifying vehicles, and even gated
communities use ALPRs to monitor and regulate access.
When used by law enforcement, each scanned license plate is
checked against a variety of databases, such as the federal
�
SB 34
Page 9
AMBER Alert for missing children, or the National Crime
Information Center, which aggregates 21 different databases
tracking categories such as stolen property, sex offenders,
immigration violators, gang affiliates, and known violent
persons. If one of the license plates photographed by the
system gets a hit based on a match with one of the databases
or some other 'hot list', the ALPR system can alert the law
enforcement officer in real time so she or he can take action.
According to a May 16, 2014, article in the Los Angeles Times
entitled "Use of license plate photo databases is raising
privacy concerns", the ALPR business is booming: "The industry
is growing rapidly. A 2010 study showed a third of large
police departments using plate readers. In 2012, the most
recent data available, a survey found more than 70% of the
nation's police departments had the scanners."
A 2014 report by the American Civil Liberties Union of
Northern California (ACLU) found that, of 60 cities and 58
counties surveyed, a total of 57 combined had ALPR systems -
but only 16 of those jurisdictions had a public policy
governing their use, and only eight had hearings with public
input before deploying the systems. And while the ACLU
estimates known public spending on ALPR systems to be nearly
$15 million, it maintains that "[t]he resulting data is almost
certainly just the tip of the iceberg, especially since
surveillance technology acquired through outside resources
(such as federal government grants, police foundations or
surveillance vendors) may sidestep some or all of the normal
local decision-making process."
According to the National Conference on State Legislatures,
ALPR bills have been introduced or are pending in at least 17
other states in 2015.
4)Law enforcement use of ALPR systems . ALPR systems can be used
to serve four specific public safety goals: (a) crime
analysis; (b) alert law enforcement officials that a license
plate number on a "hot list" is nearby; (c) monitor the
�
SB 34
Page 10
movements of vehicles operated by individuals with travel
restrictions; and (d) identify criminal conduct that was
otherwise unnoticed. Hot lists may be compiled by the local
law enforcement agency utilizing the ALPR system or by other
state or federal government agencies. The purpose of these
lists is to signal a law enforcement official that a vehicle
displaying a license plate number that is included on a hot
list is near an ALPR camera.
The databases built and maintained for law enforcement use are
large and growing. According to the author, "A database that
is maintained on behalf of various northern California law
enforcement agencies reportedly has over 100 million unique
license plate scans. A database maintained on behalf of San
Diego law enforcement agencies reportedly has well over 49
million license plate scans. A company that maintains an ALPR
database for private companies, such as insurance companies,
collections agencies, and private investigators, has over 1
billion license plate scans."
The provision of these systems and related database services
are also big business. The LA Times article made mention of
one of the most well-known companies in this space,
Livermore-based Vigilant Solutions. "Vigilant in particular
has seen its appeal among law enforcement officers grow
because it can offer police departments access to a trove of
more than 2 billion scans, maintained by an affiliated
company, Digital Recognition Network. That database is fed by
cameras attached to vehicles driven by repossession agents
roving the nation's roadways. The two companies have 160
employees. Vigilant reports having more than 3,500 law
enforcement clients that either use the company's cameras or
access its data. Digital Recognition Network has more than 250
customers. A Vigilant representative estimated that the
entire industry brings in as much as $500 million a year."
5)Existing ALPR restrictions on law enforcement . A 2011
�
SB 34
Page 11
transportation budget trailer bill restricted the use of ALPR
technology by the California Highway Patrol (CHP). Pursuant
to AB 115 (Committee on Budget), Chapter 38, Statutes of 2011,
the CHP is only authorized to retain data captured by ALPR
systems for 60 days, except where the data is being used for
felony investigations or as evidence. The CHP is also
prohibited from selling the data for any purpose or making the
data available to an agency or person other than law
enforcement agencies or officers. The data may only be used
by law enforcement agencies for purposes of locating vehicles
or persons reasonably suspected of being involved in the
commission of a public offense. The CHP is required to
monitor the internal use of ALPR data to prevent unauthorized
use, and to regularly report to the Legislature on its ALPR
practices and uses.
6)Privacy concerns related to the use of ALPR systems .
According to a 2009 report by the International Association of
Chiefs of Police, "LPR systems have the potential to reveal to
the government individuals' driving habits. As LPR systems
become more widespread, and as law enforcement agencies
improve their information sharing capabilities, the potential
to monitor where and when a particular vehicle has traveled is
enhanced. Recording driving habits could implicate First
Amendment concerns."
"Specifically, LPR systems have the ability to record vehicles'
attendance at locations or events that, although lawful and
public, may be considered private. For example, mobile LPR
units could read and collect the license plate numbers of
vehicles parked at addiction counseling meetings, doctors'
offices, health clinics, or even staging areas for political
protests.
"Several prominent privacy groups view information concerning
individuals' locations as inherently prone to abuses,
including expanding data uses beyond the original purposes of
�
SB 34
Page 12
collection, sharing data with third parties beyond reasonable
expectations, and heightening individuals' vulnerability to
crime."
The ACLU's July 2013 report "You Are Being Tracked" puts the
concern more bluntly: "Automatic license plate readers have
the potential to create permanent records of virtually
everywhere any of us has driven, radically transforming the
consequences of leaving home to pursue private life, and
opening up many opportunities for abuse. The tracking of
people's location constitutes a significant invasion of
privacy, which can reveal many things about their lives, such
as what friends, doctors, protests, political events, or
churches a person may visit. In our society, it is a core
principle that the government does not invade people's privacy
and collect information about citizens' innocent activities
just in case they do something wrong. Clear regulations must
be put in place to keep the government from tracking our
movements on a massive scale."
7)Proposed Committee amendments . According to the California
Bankers Association, the current language contained in the
definition of an ALPR end-user was intended to exempt the
financial services industry (because it is already regulated
under the federal Gramm-Leach-Bliley Act for data security) -
but the language still requires adherence to the privacy
policy of an ALPR operator.
To effect that change, the Committee and author may wish to
consider the following amendments:
At Civil Code Section 1798.90.5 (a)(2), strike the words "(B)
The person has agreed to comply with and is subject to the
privacy policy of the ALPR operator providing the information."
At Civil Code Section 1798.90.5 (a)(3), strike the words ", if
the person has agreed to comply with and is subject to the
�
SB 34
Page 13
privacy policy of the ALPR operator providing the information"
At Civil Code Section 1798.90.52, renumber the existing language
under subdivision (a), and add the following language as (b):
"Require that the ALPR information only be used for the
authorized purposes described in the usage and privacy policy
required by section 1798.90.51(b)."
Additionally, representatives of law enforcement have pointed
out that, in addition to data hosting services, law
enforcement occasionally contracts with private towing
companies to impound vehicles. It was not the intent of the
section prohibiting sale or sharing of information by public
agencies to interfere with such activity, and so the following
amendment would exempt towing services as well:
At Civil Code Section 1798.90.55(b), after the word
"hosting" add "and towing"
8)Previous legislation . SB 893 (Hill), of 2014, would have
placed restrictions on the use of ALPR technology by both
public-sector and private-sector users, in a manner similar to
this bill. SB 893 failed passage on the Senate Floor.
SB 1330 (Simitian) of 2011 would have placed restrictions on
the use of license plate recognition (LPR) technology by
private entities, including restrictions on the retention,
use, and sale of such data. SB 1330 failed passage on the
Senate Floor.
AB 115 (Committee on Budget), Chapter 38, Statutes of 2011,
�
SB 34
Page 14
allows the California Highway Patrol (CHP) to retain data
captured by ALPR systems for no more than 60 days, and also
prohibits the CHP from selling ALPR data or making it
available to anyone other than law enforcement agencies.
SB 854 (Committee on Budget and Fiscal Review) of 2010 would
have authorized the California Highway Patrol to retain ALPR
data for not more than 72 hours unless the data is being used
as evidence or for a legitimate law enforcement purpose, and
also would have prohibited CHP from selling ALPR data or
making the data available to an agency that is not a law
enforcement agency or an individual that is not a law
enforcement officer. SB 854 failed passage on the Senate
Floor.
AB 1614 (Committee on Budget and Fiscal Review) of 2010 would
have authorized the California Highway Patrol to retain ALPR
data for not more than 72 hours unless the data is being used
as evidence or for a legitimate law enforcement purpose, and
also would have prohibited CHP from selling ALPR data or
making the data available to an agency that is not a law
enforcement agency or an individual that is not a law
enforcement officer. AB 1614 died on the Senate Floor.
9)Potential chaptering conflicts with other bills . Because this
bill would amend the code sections related to California's
data breach notification law, it presents a potential
chaptering conflict with four other measures: AB 259
(Dababneh), AB 739 (Irwin), AB 964 (Chau), and SB 570
(Jackson).
�
SB 34
Page 15
10)Double referral . This bill was double-referred to the
Assembly Transportation Committee, where it was heard on June
22, 2015 and passed out on a 13-1 vote.
REGISTERED SUPPORT / OPPOSITION:
Support
Bay Area Civil Liberties Coalition
California Civil Liberties Advocacy
Citizens for Criminal Justice Reform California
Conference of California Bar Associations
Media Alliance
Small Business California
Opposition
None received.
�
SB 34
Page 16
Analysis Prepared by:Hank Dempsey / P. & C.P. / (916)
319-2200