BILL ANALYSIS



                                                                      SB 34


                                                                    Page  1





          SENATE THIRD READING


          SB 34 (Hill)


          As Amended  July 13, 2015


          Majority vote


          SENATE VOTE:  25-12


           ------------------------------------------------------------------ 
          |Committee       |Votes|Ayes                  |Noes                |
          |                |     |                      |                    |
          |                |     |                      |                    |
          |                |     |                      |                    |
          |----------------+-----+----------------------+--------------------|
          |Transportation  |13-1 |Frazier, Achadjian,   |Melendez            |
          |                |     |Bloom, Campos, Chu,   |                    |
          |                |     |Daly, Dodd, Eduardo   |                    |
          |                |     |Garcia, Gomez,        |                    |
          |                |     |Linder, Medina,       |                    |
          |                |     |Nazarian, O'Donnell   |                    |
          |                |     |                      |                    |
          |----------------+-----+----------------------+--------------------|
          |Privacy         |11-0 |Gatto, Wilk, Baker,   |                    |
          |                |     |Calderon, Chang,      |                    |
          |                |     |Chau, Cooper,         |                    |
          |                |     |Dababneh, Dahle,      |                    |
          |                |     |Gordon, Low           |                    |
          |                |     |                      |                    |
          |----------------+-----+----------------------+--------------------|
          |Appropriations  |14-3 |Gomez, Bloom, Bonta,  |Bigelow, Gallagher, |
          |                |     |Calderon, Chang,      |Jones               |
          |                |     |Daly, Eggman, Eduardo |                    |
          |                |     |Garcia, Holden,       |                    |
          |                |     |Quirk, Rendon,        |                    |
          |                |     |Wagner, Weber, Wood   |                    |
          |                |     |                      |                    |
          |                |     |                      |                    |
           ------------------------------------------------------------------ 


          SUMMARY:  Imposes a variety of security, privacy, and public  
          hearing requirements on the use of automated license plate  
          recognition (ALPR) systems, as well as a private right of action  
          and provisions for remedies.  Specifically, this bill: 


          1)Requires that data collected through the use or operation of  
            an ALPR system be treated as personal information for purposes  
            of existing data breach notification laws applying to  
            agencies, persons, or businesses that conduct business in  
            California and own or license computerized data including  
            personal information.
          2)Requires an ALPR operator and ALPR end-user to maintain  
            reasonable security procedures and practices, including  
            operational, administrative, technical, and physical  
            safeguards, to protect information from unauthorized access,  
            destruction, use, modification, or disclosure.


          3)Requires an ALPR operator and ALPR end-user to implement and  
            maintain a usage and privacy policy, as specified, which shall  
            be available in writing to the public, and conspicuously  
            posted on the operator or end-user's website if one exists. 


          4)Requires the ALPR operator usage and privacy policy to  
            include, at a minimum, all of the following:


             a)   The authorized purposes for using the ALPR system and  
               collecting ALPR information.
             b)   A description of the job title or other designation of  
               the employees and independent contractors, and their  
               training requirements, who are authorized to use the ALPR  
               system or collect and access ALPR information.


             c)   A description of how the use of the ALPR system will  
               be monitored for compliance with privacy laws.


             d)   The purposes of, process for, and restrictions on, the  
               sale, sharing, or transfer of ALPR information to other  
               persons.


             e)   The title of the official custodian, or owner, of the  
               ALPR system responsible for implementing the policy.


             f)   A description of the reasonable measures that will be  
               used to ensure the accuracy of ALPR information and a  
               process to correct data errors.


             g)   The length of time ALPR information will be retained,  
               and the process the ALPR operator will utilize to determine  
               if and when to destroy retained ALPR information.


          5)Requires ALPR operators to maintain a record of access to ALPR  
            information, including the date and time of access, the  
            license plate number which was queried, the username of the  
            person who accessed the information, and the purpose for  
            accessing the information.
          6)Requires the ALPR end-user's usage and privacy policy to  
            include, at a minimum, all of the following:


             a)   The authorized purposes for accessing and using ALPR  
               information.
             b)   A description of the job title or other designation of  
               the employees and independent contractors, and their  
               training requirements, who are authorized to access and use  
               ALPR information.


             c)   A description of how the use of ALPR systems will be  
               monitored to ensure the security of the information  
               accessed or used, and compliance with privacy laws and the  
               process for periodic system audits, as specified.


             d)   The purposes of, process for, and restrictions on, the  
               sale, sharing, or transfer of ALPR information to other  
               persons.


             e)   The title of the official custodian, or owner, of the  
               ALPR information responsible for implementing this section.


             f)   A description of the reasonable measures that will be  
               used to ensure the accuracy of ALPR information and a  
               process to correct data errors.


             g)   The length of time ALPR information will be retained,  
               and the process the ALPR end-user will utilize to determine  
               if and when to destroy retained ALPR information.


          7)Allows an individual who has been harmed by a violation of  
            these requirements to bring a civil action against a person  
            who knowingly caused the violation.  
          8)Authorizes a court to award any or all of the following  
            remedies:


             a)   Actual damages, but not less than liquidated damages in  
               the amount of $2,500;
             b)   Punitive damages upon proof of willful or reckless  
               disregard of the law;


             c)   Reasonable attorney's fees and other litigation costs  
               reasonably incurred; and,


             d)   Other preliminary and equitable relief as the court  
               determines to be appropriate.


          9)Requires a public agency that operates or intends to  
            operate an ALPR system to provide an opportunity for public  
            comment at a public meeting of the agency's governing body  
            before implementing the program. 
          10)Prohibits a public agency from selling, sharing or  
            transferring ALPR information, except to another public agency  
            and only as permitted by law, although data hosting services  
            are exempted. 


          11)Defines the terms "automated license plate recognition  
            end-user," "automated license plate recognition information,"  
            "automated license plate recognition operator," "automated  
            license plate recognition system," "person," and "public  
            agency."


          FISCAL EFFECT:  According to the Assembly Appropriations  
          Committee:


          1)The state's Data Breach Protection Law requires a public  
            agency or California business that owns or licenses  
            computerized data containing personal information to disclose  
            a breach of the system's security or data to any California  
            resident whose unencrypted personal information was acquired  
            by an unauthorized person.  If the costs to provide  
            notifications exceed $250,000, or if the breach affected more  
            than 500,000 persons, the agency or business can use one of  
            several alternative methods of notification, including posting  
            a notice on the entity's website.


          2)The California Highway Patrol (CHP) could incur unknown, but  
            likely minor costs to provide notifications in the event of a  
            data breach.  Because the department's ALPR system contains  
            several million plates at any one time, it would likely use  
            the less costly alternative means of notification.  Other  
            provisions of this bill are consistent with existing  
            requirements placed on the CHP's use of ALPR.


          3)Potentially significant, but nonreimbursable costs to comply  
            with this bill's requirements for those local law enforcement  
            agencies that elect to operate ALPR systems.  Similar to the  
            CHP, local agencies could also incur notification-related  
            costs in the event of a data breach of their ALPR systems.


          COMMENTS:  ALPR is a common public safety enforcement method  
          that utilizes optical character recognition to read vehicle  
          license plates.  ALPR systems typically use infrared lighting  
          and a variety of algorithms to take a picture of a license  
          plate, identify any text, and determine the proper letter/number  
          sequence on the plate.  This technology also allows an ALPR  
          camera to capture license plate images at any time of the day or  
          night.  Once a license plate is scanned, in most cases, the  
          license plate sequence is then checked against a variety of  
          databases to determine if the vehicle is stolen, has outstanding  
          tickets, or whether the registered owner possesses outstanding  
          arrest warrants.  If a "hit" occurs, the ALPR system alerts the  
          appropriate law enforcement entity.  While many law enforcement  
          and local government entities utilize ALPR technology, ALPR  
          hardware and systems are generally developed and managed by  
          non-governmental entities.  


          Aside from the California Highway Patrol and local  
          transportation agencies, existing law is silent on how  
          government agencies and businesses manage and protect the data  
          gathered by ALPR systems.  The author introduced this bill to  
          institute a number of usage and privacy standards for the  
          operation of ALPR systems within the state.  Additionally, the  
          author notes that this bill also provides an opportunity for  
          public input on the usage and standards of ALPR systems that are  
          used by government entities, something the author contends most  
          government entities do not practice.  


          With the use of ALPR technology by government agencies and  
          private industry becoming commonplace, states are now discussing  
          how to best use and manage the data collected through these  
          systems.  According to the National Conference of State  
          Legislatures (NCSL), 18 states have introduced legislation  
          attempting to establish or revise standards and privacy  
          requirements related to ALPR systems.  Additionally, nine states  
          have enacted laws in some form that address the use and  
          management of data collected through ALPR systems.   


          This bill aims to establish a minimal set of privacy standards  
          for personal data collected by a person or entity using ALPR  
          technology.  




          Please see the policy committee analysis for a full discussion  
          of this bill.


          Analysis Prepared by:  Manny Leon / TRANS. / (916) 319-2093  FN: 0001432