BILL ANALYSIS �Ó
SB 34
Page 1
SENATE THIRD READING
SB
34 (Hill)
As Amended July 13, 2015
Majority vote
SENATE VOTE: 25-12
------------------------------------------------------------------
|Committee |Votes|Ayes |Noes |
| | | | |
| | | | |
| | | | |
|----------------+-----+----------------------+--------------------|
|Transportation |13-1 |Frazier, Achadjian, |Melendez |
| | |Bloom, Campos, Chu, | |
| | |Daly, Dodd, Eduardo | |
| | |Garcia, Gomez, | |
| | |Linder, Medina, | |
| | |Nazarian, O'Donnell | |
| | | | |
|----------------+-----+----------------------+--------------------|
|Privacy |11-0 |Gatto, Wilk, Baker, | |
| | |Calderon, Chang, | |
| | |Chau, Cooper, | |
| | |Dababneh, Dahle, | |
| | |Gordon, Low | |
| | | | |
|----------------+-----+----------------------+--------------------|
|Appropriations |14-3 |Gomez, Bloom, Bonta, |Bigelow, Gallagher, |
| | |Calderon, Chang, |Jones |
�
SB 34
Page 2
| | |Daly, Eggman, Eduardo | |
| | |Garcia, Holden, | |
| | |Quirk, Rendon, | |
| | |Wagner, Weber, Wood | |
| | | | |
| | | | |
------------------------------------------------------------------
SUMMARY: Imposes a variety of security, privacy, and public
hearing requirements on the use of automated license plate
recognition (ALPR) systems, as well as a private right of action
and provisions for remedies. Specifically, this bill:
1)Requires that data collected through the use or operation of
an ALPR system be treated as personal information for purposes
of existing data breach notification laws applying to
agencies, persons, or businesses that conduct business in
California and own or license computerized data including
personal information.
2)Requires an ALPR operator and ALPR end-user to maintain
reasonable security procedures and practices, including
operational, administrative, technical, and physical
safeguards, to protect information from unauthorized access,
destruction, use, modification, or disclosure.
3)Requires an ALPR operator and ALPR end-user to implement and
maintain a usage and privacy policy, as specified, which shall
be available in writing to the public, and conspicuously
posted on the operator or end-user's website if one exists.
4)Requires the ALPR operator usage and privacy policy to
include, at a minimum, all of the following:
a) The authorized purposes for using the ALPR system and
�
SB 34
Page 3
collecting ALPR information.
b) A description of the job title or other designation of
the employees and independent contractors, and their
training requirements, who are authorized to use the ALPR
system or collect and access ALPR information.
c) A description of how the use of how the ALPR system will
be monitored for compliance with privacy laws.
d) The purposes of, process for, and restrictions on, the
sale, sharing, or transfer of ALPR information to other
persons.
e) The title of the official custodian, or owner, of the
ALPR system responsible for implementing the policy.
f) A description of the reasonable measures that will be
used to ensure the accuracy of ALPR information and a
process to correct data errors.
g) The length of time ALPR information will be retained,
and the process the ALPR operator will utilize to determine
if and when to destroy retained ALPR information.
5)Requires ALPR operators to maintain a record of access to ALPR
information, including the date and time of access, the
license plate number which was queried, the username of the
person who accessed the information, and the purpose for
accessing the information.
6)Requires the ALPR end-user's usage and privacy policy to
include, at a minimum, all of the following:
�
SB 34
Page 4
a) The authorized purposes for accessing and using ALPR
information.
b) A description of the job title or other designation of
the employees and independent contractors, and their
training requirements, who are authorized to access and use
ALPR information.
c) A description of how the use of ALPR systems will be
monitored to ensure the security of the information
accessed or used, and compliance with privacy laws and the
process for periodic system audits, as specified.
d) The purposes of, process for, and restrictions on, the
sale, sharing, or transfer of ALPR information to other
persons.
e) The title of the official custodian, or owner, of the
ALPR information responsible for implementing this section.
f) A description of the reasonable measures that will be
used to ensure the accuracy of ALPR information and a
process to correct data errors.
g) The length of time ALPR information will be retained,
and the process the ALPR end-user will utilize to determine
if and when to destroy retained ALPR information.
7)Allows an individual who has been harmed by a violation of
these requirements to bring a civil action against a person
who knowingly caused the violation.
8)Authorizes a court to award any or all of the following
remedies:
�
SB 34
Page 5
a) Actual damages, but not less than liquidated damages in
the amount of $2,500;
b) Punitive damages upon proof of willful or reckless
disregard of the law;
c) Reasonable attorney's fees and other litigation costs
reasonably incurred; and,
d) Other preliminary and equitable relief as the court
determines to be appropriate.
9)Requires that a public agency that operates or intends to
operate an ALPR system to provide an opportunity for public
comment at a public meeting of the agency's governing body
before implementing the program.
10)Prohibits a public agency from selling, sharing or
transferring ALPR information, except to another public agency
and only as permitted by law, although data hosting services
are exempted.
11)Defines the terms "automated license plate recognition
end-user," "automated license plate recognition information,"
"automated license plate recognition operator," "automated
license plate recognition system," "person," and "public
agency."
FISCAL EFFECT: According to the Assembly Appropriations
Committee:
1)The state's Data Breach Protection Law requires a public
agency or California business that owns or licenses
computerized data containing personal information to disclose
�
SB 34
Page 6
a breach of the system's security or data to any California
resident whose unencrypted personal information was acquired
by an unauthorized person. If the costs to provide
notifications exceed $250,000, or if the breach affected more
than 500,000 persons, the agency or business can use one of
several alternative methods of notification, including posting
a notice on the entity's website.
2)The California Highway Patrol (CHP) could incur unknown, but
likely minor costs to provide notifications in the event of a
data breach. Because the department's ALPR system contains
several million plates at any one time, it would likely use
the less costly alternative means of notification. Other
provisions of this bill are consistent with existing
requirements placed on the CHP's use of ALPR.
3)Potentially significant, but nonreimbursable costs to comply
with this bill's requirements for those local law enforcement
agencies that elect to operate ALPR systems. Similar to the
CHP, local agencies could also incur notification-related
costs in the event of a data breach of their ALPR systems.
COMMENTS: ALPR is a common public safety enforcement method
that utilizes optical character recognition to read vehicle
license plates. ALPR systems typically use infrared lighting
and a variety of algorithms to take a picture of a license
plate, identify any text, and determine the proper letter/number
sequence on the plate. This technology also allows an ALPR
camera to capture license plate images at any time of the day or
night. Once a license plate is scanned, in most cases, the
license plate sequence is then checked against a variety of
databases to determine if the vehicle is stolen, has outstanding
tickets, or whether the registered owner possesses outstanding
arrest warrants. If a "hit" occurs, the ALPR system alerts the
appropriate law enforcement entity. While many law enforcement
and local government entities utilize ALPR technology, ALPR
�
SB 34
Page 7
hardware and systems are generally developed and managed by
non-governmental entities.
Aside from the California Highway Patrol and local
transportation agencies, existing law is silent on how
government agencies and businesses manage and protect the data
gathered by ALPR systems. The author introduced this bill to
institute a number of usage and privacy standards for the
operation of ALPR systems within the state. Additionally, the
author notes that this bill also provides an opportunity for
public input on the usage and standards of ALPR system that are
used by government entities, something the author contends most
government entities do not practice.
With the use of ALPR technology by government agencies and
private industry becoming commonplace, states are now discussing
how to best use and manage the data collected through these
systems. According to the National Conference of State
Legislators (NCSL), 18 states have introduced legislation
attempting to establish or revise standards and privacy
requirements related to ALPR systems. Additionally, nine states
have enacted laws in some form that address the use and
management of data collected through ALPR systems.
This bill aims to establish a minimal set of privacy standards
for personal data collected by a person or entity using ALPR
technology.
Please see the policy committee analysis for a full discussion
of this bill.
Analysis Prepared by:
�
SB 34
Page 8
Manny Leon / TRANS. / (916) 319-2093 FN:
0001432