SB 893, as amended, Hill. Automated license plate recognition systems: use of data.
Existing
end deletebegin insert(1)end insertbegin insert end insertbegin insertExistingend insert law authorizes the Department of the California Highway Patrol to retain license plate data captured by license plate recognition (LPR) technology, also referred to as an automated license plate recognition (ALPR) system, for not more than 60 days unless the data is being used as evidence or for the investigation of felonies. Existing law prohibits the department from selling the data or from making the data available to an agency that is not a law enforcement agency or an individual that is not a law enforcement officer.
Existing law authorizes the department to use LPR data for the purpose of locating vehicles or persons reasonably suspected of being involved in the commission of a public offense, and requires the department to monitor the internal use of the data to prevent unauthorized use and to submit to the Legislature, as a part of the annual automobile theft report, information on the department’s LPR practices and usage.
This bill wouldbegin delete impose similar restrictions on a person, as defined, that operates an ALPR system by prohibiting the sale of ALPR data, and otherwise prohibiting a person from sharing the data, except with a law enforcement agency or officer, as specified. This bill would provide that ALPR data retained for more than 5 years may be accessed only for law enforcement purposes, pursuant to a warrant or other court order. It wouldend deletebegin insert
impose specified requirements on an “ALPR operator,” as defined, including, among others, complying with all applicable statutory and constitutional requirements and the provisions of the bill, ensuring that the information or data the ALPR operator collects is protected with certain safeguards, and to implement and maintain specified security procedures and a usage and privacy policy with respect to that information or data.end insert
begin insertThis bill would also prohibit an ALPR operator from engaging in certain acts, including, among others, collecting any information or data other than the license plate number, the date and time the information or data is collected, and the location coordinates where the information or data is collected. The bill would further prohibit a public agency from disclosing, distributing, making available, selling, accessing, or otherwise providing that information or data, to any private entity or individual unless authorized by a court order, or as part of civil or criminal discovery. Unless otherwise authorized, the bill would prohibit a person authorized to access or distribute that information or data from further disclosing, distributing, making available, selling, accessing, or otherwise providing that information or data to another person for any purpose. The bill would require an ALPR operator that accesses or provides access to information or data collected through the use or operation of an ALPR system to maintain a specified record of that access.end insert
begin insertThe bill would, in addition to any other sanctions, penalties, or remedies provided by
law,end insert authorize an individualbegin delete whose information
is sold or disclosed in violation of these provisionsend delete to bring a civil actionbegin delete and would entitle the individual to recover any and all consequential and incidental damages, including all costs and attorney’s fees.end deletebegin insert in any court of competent jurisdiction against a person who knowingly obtains, discloses, or uses information or data collected through the use of an ALPR system for a purpose not authorized by the bill, and would authorize a court to award specified remediesend insertbegin insert.end insert
(2) Existing law requires any agency, and any person or business conducting business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose in specified ways, any breach of the security of the system or data, as defined, following discovery or notification of the security breach, to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Existing law defines “personal information” for these purposes to include an individual’s first name and last name, or first initial and last name, in combination with one or more designated data elements relating to, among other things, social security numbers, driver’s license numbers, financial accounts, and medical information.
end insertbegin insertThis bill would include information or data collected through the use or operation of an automated license plate recognition system, when that information or data is not encrypted, in the definition of “personal information” discussed above. By creating new duties for local officials, the bill would impose a state-mandated local program.
end insertbegin insertThe California Constitution requires the state to reimburse local agencies and school districts for certain costs mandated by the state. Statutory provisions establish procedures for making that reimbursement.
end insertbegin insertThis bill would provide that, if the Commission on State Mandates determines that the bill contains costs mandated by the state, reimbursement for those costs shall be made pursuant to these statutory provisions.
end insertVote: majority.
Appropriation: no.
Fiscal committee: begin deleteno end deletebegin insertyesend insert.
State-mandated local program: begin deleteno end deletebegin insertyesend insert.
The people of the State of California do enact as follows:
begin insertSection 1798.29 of the end insertbegin insertCivil Codeend insertbegin insert is amended to
2read:end insert
(a) Any agency that owns or licenses computerized
4data that includes personal information shall disclose any breach
5of the security of the system following discovery or notification
6of the breach in the security of the data to any resident of California
7whose unencrypted personal information was, or is reasonably
8believed to have been, acquired by an unauthorized person. The
9disclosure shall be made in the most expedient time possible and
10without unreasonable delay, consistent with the legitimate needs
11of law enforcement, as provided in subdivision (c), or any measures
12necessary to determine the scope of the breach and restore the
13reasonable integrity of the data system.
14(b) Any agency that maintains computerized data that includes
15personal information that
the agency does not own shall notify the
P4 1owner or licensee of the information of any breach of the security
2of the data immediately following discovery, if the personal
3information was, or is reasonably believed to have been, acquired
4by an unauthorized person.
5(c) The notification required by this section may be delayed if
6a law enforcement agency determines that the notification will
7impede a criminal investigation. The notification required by this
8section shall be made after the law enforcement agency determines
9that it will not compromise the investigation.
10(d) Any agency that is required to issue a security breach
11notification pursuant to this section shall meet all of the following
12requirements:
13(1) The security breach notification shall be written in plain
14language.
15(2) The security breach notification shall include, at a minimum,
16the following information:
17(A) The name and contact information of the reporting agency
18subject to this section.
19(B) A list of the types of personal information that were or are
20reasonably believed to have been the subject of a breach.
21(C) If the information is possible to determine at the time the
22notice is provided, then any of the following: (i) the date of the
23breach, (ii) the estimated date of the breach, or (iii) the date range
24within which the breach occurred. The notification shall also
25include the date of the notice.
26(D) Whether the notification was delayed as a result of a law
27enforcement investigation, if that
information is possible to
28determine at the time the notice is provided.
29(E) A general description of the breach incident, if that
30information is possible to determine at the time the notice is
31provided.
32(F) The toll-free telephone numbers and addresses of the major
33credit reporting agencies, if the breach exposed a social security
34number or a driver’s license or California identification card
35number.
36(3) At the discretion of the agency, the security breach
37notification may also include any of the following:
38(A) Information about what the agency has done to protect
39individuals whose information has been breached.
P5 1(B) Advice on steps that the person whose information has been
2breached may
take to protect himself or herself.
3(4) In the case of a breach of the security of the system involving
4personal information defined in paragraph (2) of subdivision (g)
5for an online account, and no other personal information defined
6in paragraph (1) of subdivision (g), the agency may comply with
7this section by providing the security breach notification in
8electronic or other form that directs the person whose personal
9information has been breached to promptly change his or her
10password and security question or answer, as applicable, or to take
11other steps appropriate to protect the online account with the
12agency and all other online accounts for which the person uses the
13same user name or email address and password or security question
14or answer.
15(5) In the case of a breach of the security of the system involving
16personal information defined in paragraph (2) of subdivision (g)
17
for login credentials of an email account furnished by the agency,
18the agency shall not comply with this section by providing the
19security breach notification to that email address, but may, instead,
20comply with this section by providing notice by another method
21described in subdivision (i) or by clear and conspicuous notice
22delivered to the resident online when the resident is connected to
23the online account from an Internet Protocol address or online
24location from which the agency knows the resident customarily
25accesses the account.
26(e) Any agency that is required to issue a security breach
27notification pursuant to this section to more than 500 California
28residents as a result of a single breach of the security system shall
29electronically submit a single sample copy of that security breach
30notification, excluding any personally identifiable information, to
31the Attorney General. A single sample copy of a security breach
32notification shall not
be deemed to be within subdivision (f) of
33Section 6254 of the Government Code.
34(f) For purposes of this section, “breach of the security of the
35system” means unauthorized acquisition of computerized data that
36compromises the security, confidentiality, or integrity of personal
37information maintained by the agency. Good faith acquisition of
38personal information by an employee or agent of the agency for
39the purposes of the agency is not a breach of the security of the
P6 1system, provided that the personal information is not used or
2subject to further unauthorized disclosure.
3(g) For purposes of this section, “personal information” means
4begin delete eitherend deletebegin insert anyend insert of the following:
5(1) An individual’s first name or first initial and last name in
6combination with any one or more of the following data elements,
7when either the name or the data elements are not encrypted:
8(A) Social security number.
9(B) Driver’s license number or California identification card
10number.
11(C) Account number, credit or debit card number, in
12combination with any required security code, access code, or
13password that would permit access to an individual’s financial
14account.
15(D) Medical information.
16(E) Health insurance information.
17(2) A user name or email address, in
combination with a
18password or security question and answer that would permit access
19to an online account.
20(3) Information or data collected through the use or operation
21of an automated license plate recognition system, as defined in
22Section 1798.90.5, when that information or data is not encrypted.
23(h) (1) For purposes of this section, “personal information”
24does not include publicly available information that is lawfully
25made available to the general public from federal, state, or local
26government records.
27(2) For purposes of this section, “medical information” means
28any information regarding an individual’s medical history, mental
29or physical condition, or medical treatment or diagnosis
by a health
30care professional.
31(3) For purposes of this section, “health insurance information”
32means an individual’s health insurance policy number or subscriber
33identification number, any unique identifier used by a health insurer
34to identify the individual, or any information in an individual’s
35application and claims history, including any appeals records.
36(i) For purposes of this section, “notice” may be provided by
37one of the following methods:
38(1) Written notice.
P7 1(2) Electronic notice, if the notice provided is consistent with
2the provisions regarding electronic records and signatures set forth
3in Section 7001 of Title 15 of the United States Code.
4(3) Substitute notice, if the
agency demonstrates that the cost
5of providing notice would exceed two hundred fifty thousand
6dollars ($250,000), or that the affected class of subject persons to
7be notified exceeds 500,000, or the agency does not have sufficient
8contact information. Substitute notice shall consist of all of the
9following:
10(A) Email notice when the agency has an email address for the
11subject persons.
12(B) Conspicuous posting of the notice on the agency’s Internet
13Web site page, if the agency maintains one.
14(C) Notification to major statewide media and the Office of
15Information Security within the Department of Technology.
16(j) Notwithstanding subdivision (i), an agency that maintains
17its own notification procedures as part of an information security
18policy for the
treatment of personal information and is otherwise
19consistent with the timing requirements of this part shall be deemed
20to be in compliance with the notification requirements of this
21section if it notifies subject persons in accordance with its policies
22in the event of a breach of security of the system.
23(k) Notwithstanding the exception specified in paragraph (4) of
24subdivision (b) of Section 1798.3, for purposes of this section,
25“agency” includes a local agency, as defined in subdivision (a) of
26Section 6252 of the Government Code.
begin insertSection 1798.82 of the end insertbegin insertCivil Codeend insertbegin insert is amended to read:end insert
(a) Any person or business that conducts business
29in California, and that owns or licenses computerized data that
30includes personal information, shall disclose any breach of the
31security of the system following discovery or notification of the
32breach in the security of the data to any resident of California
33whose unencrypted personal information was, or is reasonably
34believed to have been, acquired by an unauthorized person. The
35disclosure shall be made in the most expedient time possible and
36without unreasonable delay, consistent with the legitimate needs
37of law enforcement, as provided in subdivision (c), or any measures
38necessary to determine the scope of the breach and restore the
39reasonable integrity of the data system.
P8 1(b) Any person or business that
maintains computerized data
2that includes personal information that the person or business does
3not own shall notify the owner or licensee of the information of
4any breach of the security of the data immediately following
5discovery, if the personal information was, or is reasonably
6believed to have been, acquired by an unauthorized person.
7(c) The notification required by this section may be delayed if
8a law enforcement agency determines that the notification will
9impede a criminal investigation. The notification required by this
10section shall be made after the law enforcement agency determines
11that it will not compromise the investigation.
12(d) Any person or business that is required to issue a security
13breach notification pursuant to this section shall meet all of the
14following requirements:
15(1) The security breach
notification shall be written in plain
16language.
17(2) The security breach notification shall include, at a minimum,
18the following information:
19(A) The name and contact information of the reporting person
20or business subject to this section.
21(B) A list of the types of personal information that were or are
22reasonably believed to have been the subject of a breach.
23(C) If the information is possible to determine at the time the
24notice is provided, then any of the following: (i) the date of the
25breach, (ii) the estimated date of the breach, or (iii) the date range
26within which the breach occurred. The notification shall also
27include the date of the notice.
28(D) Whether notification was delayed as
a result of a law
29enforcement investigation, if that information is possible to
30determine at the time the notice is provided.
31(E) A general description of the breach incident, if that
32information is possible to determine at the time the notice is
33provided.
34(F) The toll-free telephone numbers and addresses of the major
35credit reporting agencies if the breach exposed a social security
36number or a driver’s license or California identification card
37number.
38(3) At the discretion of the person or business, the security
39breach notification may also include any of the following:
P9 1(A) Information about what the person or business has done to
2protect individuals whose information has been breached.
3(B) Advice on steps that the person whose information has been
4breached may take to protect himself or herself.
5(4) In the case of a breach of the security of the system involving
6personal information defined in paragraph (2) of subdivision (h)
7for an online account, and no other personal information defined
8in paragraph (1) of subdivision (h), the person or business may
9comply with this section by providing the security breach
10notification in electronic or other form that directs the person whose
11personal information has been breached promptly to change his
12or her password and security question or answer, as applicable, or
13to take other steps appropriate to protect the online account with
14the person or business and all other online accounts for which the
15person whose personal information has been breached uses the
16same user name or email address and password or security question
17or answer.
18(5) In the case of a breach of the security of the system involving
19personal information defined in paragraph (2) of subdivision (h)
20for login credentials of an email account furnished by the person
21or business, the person or business shall not comply with this
22section by providing the security breach notification to that email
23address, but may, instead, comply with this section by providing
24notice by another method described in subdivision (j) or by clear
25and conspicuous notice delivered to the resident online when the
26resident is connected to the online account from an Internet
27Protocol address or online location from which the person or
28business knows the resident customarily accesses the account.
29(e) A covered entity under the federal Health Insurance
30Portability and Accountability Act of 1996 (42 U.S.C. Sec. 1320d
31et seq.) will be deemed to have complied with the notice
32
requirements in subdivision (d) if it has complied completely with
33Section 13402(f) of the federal Health Information Technology
34for Economic and Clinical Health Act (Public Law 111-5).
35However, nothing in this subdivision shall be construed to exempt
36a covered entity from any other provision of this section.
37(f) Any person or business that is required to issue a security
38breach notification pursuant to this section to more than 500
39California residents as a result of a single breach of the security
40system shall electronically submit a single sample copy of that
P10 1security breach notification, excluding any personally identifiable
2information, to the Attorney General. A single sample copy of a
3security breach notification shall not be deemed to be within
4subdivision (f) of Section 6254 of the Government Code.
5(g) For purposes of this section, “breach of the security of the
6system”
means unauthorized acquisition of computerized data that
7compromises the security, confidentiality, or integrity of personal
8information maintained by the person or business. Good faith
9acquisition of personal information by an employee or agent of
10the person or business for the purposes of the person or business
11is not a breach of the security of the system, provided that the
12personal information is not used or subject to further unauthorized
13disclosure.
14(h) For purposes of this section, “personal information” means
15begin delete eitherend deletebegin insert anyend insert of the following:
16(1) An individual’s first name or first initial and last name in
17combination with any one or more of the following data elements,
18when either the
name or the data elements are not encrypted:
19(A) Social security number.
20(B) Driver’s license number or California identification card
21number.
22(C) Account number, credit or debit card number, in
23combination with any required security code, access code, or
24password that would permit access to an individual’s financial
25account.
26(D) Medical information.
27(E) Health insurance information.
28(2) A user name or email address, in combination with a
29password or security question and answer that would permit access
30to an online account.
31(3) Information or data collected through the use or operation
32of an automated license plate recognition system, as defined in
33Section 1798.90.5, when that information or data is not encrypted.
34(i) (1) For purposes of this section, “personal information” does
35not include publicly available information that is lawfully made
36available to the general public from federal, state, or local
37government records.
38(2) For purposes of this section, “medical information” means
39any information regarding an individual’s medical history, mental
P11 1or physical condition, or medical treatment or diagnosis by a health
2care professional.
3(3) For purposes of this section, “health insurance information”
4means an individual’s health
insurance policy number or subscriber
5identification number, any unique identifier used by a health insurer
6to identify the individual, or any information in an individual’s
7application and claims history, including any appeals records.
8(j) For purposes of this section, “notice” may be provided by
9one of the following methods:
10(1) Written notice.
11(2) Electronic notice, if the notice provided is consistent with
12the provisions regarding electronic records and signatures set forth
13in Section 7001 of Title 15 of the United States Code.
14(3) Substitute notice, if the person or business demonstrates that
15the cost of providing notice would exceed two hundred fifty
16thousand dollars ($250,000), or that the affected class of subject
17persons to be notified exceeds
500,000, or the person or business
18does not have sufficient contact information. Substitute notice
19shall consist of all of the following:
20(A) Email notice when the person or business has an email
21address for the subject persons.
22(B) Conspicuous posting of the notice on the Internet Web site
23page of the person or business, if the person or business maintains
24one.
25(C) Notification to major statewide media.
26(k) Notwithstanding subdivision (j), a person or business that
27maintains its own notification procedures as part of an information
28security policy for the treatment of personal information and is
29otherwise consistent with the timing requirements of this part, shall
30be deemed to be in compliance with the notification requirements
31of this section if the
person or business notifies subject persons in
32accordance with its policies in the event of a breach of security of
33the system.
Title 1.81.23 (commencing with Section 1798.90.5)
36is added to Part 4 of Division 3 of the Civil Code, to read:
begin delete(a)end deletebegin delete end deleteThe following definitions shall apply for
5purposes of this title:
6(a) “ALPR operator” means a person that uses or operates an
7ALPR system, or accesses, stores, or maintains information or
8data collected through the use or operation of an ALPR system.
9(1)
end delete
10begin insert(b)end insert “Automated license plate recognition system” or “ALPR
11system” means a system of one or more mobile or fixedbegin delete high-speedend delete
12 cameras combined with computer algorithms tobegin insert read andend insert convert
13images of registration platesbegin insert and the characters they containend insert into
14computer-readable data.
15(2)
end delete
16begin insert(c)end insert “Person” includes a law enforcement agency, government
17agency, private entity, or individual.
18(b) A person that operates an ALPR system shall not sell ALPR
19data for any purpose.
20(c) A person that operates an ALPR system shall not make
21ALPR data
available to an agency that is not a law enforcement
22agency or an individual who is not a law enforcement officer. The
23data shall not be shared for any purpose other than providing for
24public safety, conducting criminal investigations, and ensuring
25compliance with the law.
26(d) ALPR data that has been retained for more than five years
27may be accessed only for law enforcement purposes, pursuant to
28a warrant or other court order.
29(d) “Public agency” means and includes every state agency
30and every local agency.
An individual whose information is sold or
32disclosed in violation of this title may bring a civil action and shall
33be entitled to recover any and all consequential and incidental
34damages, including all costs and attorney’s fees.
An ALPR operator shall do all of the following:
36(a) Comply with all applicable statutory and constitutional
37requirements and this title.
38(b) (1) Ensure that the information or data collected through
39the use or operation of the ALPR system is protected with
P13 1reasonable operational, administrative, technical, and physical
2safeguards to ensure its confidentiality and integrity.
3(2) Implement and maintain reasonable security procedures
4and practices appropriate for the nature of the information or data
5collected, in order to protect the information or data from
6unauthorized access, destruction, use, modification, or disclosure,
7and to ensure compliance with this title.
8(c) Implement and maintain a usage and privacy policy in order
9
to ensure that the information or data collected through the use
10or operation of the ALPR system is consistent with respect for
11individuals’ privacy and civil liberties. The usage and privacy
12policy shall be available in writing, and, if the ALPR operator has
13an Internet Web site, the usage and privacy policy shall be posted
14conspicuously on that Internet Web site.
An ALPR operator shall not do either of the
16following:
17(a) Collect any information or data other than the license plate
18number, the date and time the information or data is collected,
19and the location coordinates where the information or data is
20collected. This information or data shall not be collected if the
21license plate number is not in public view.
22(b) (1) Trespass or otherwise enter upon private property to
23collect information or data for commercial purposes through the
24use or operation of an ALPR system without first obtaining written
25consent from the owner of the private property, or the owner’s
26designated agent.
27(2) This subdivision shall only apply if the ALPR operator is a
28private entity that operates an ALPR system for commercial
29
purposes.
(a) A public agency shall not disclose, distribute,
31make available, sell, access, or otherwise provide for another
32purpose, information or data collected through the use or operation
33of an ALPR system to any private entity or individual unless
34authorized by a court order, or as part of civil or criminal
35discovery.
36(b) Unless authorized by this title or another law, a person
37authorized to access or distribute information or data collected
38through the use or operation of an ALPR system shall not further
39disclose, distribute, make available, sell, access, or otherwise
40provide that information or data to another person for any purpose.
P14 1(c) If an ALPR operator accesses or provides access to
2information or data collected through the use or operation of an
3ALPR system, the ALPR operator
shall maintain a record of that
4access. At a minimum, the record shall include, but not be limited
5to, all of the following:
6(1) The date and time the information or data is accessed.
7(2) The person who accesses the information or data.
8(3) The authorized purpose for accessing the information or
9data.
Information or data collected through the use or
11operation of an ALPR system shall not be the sole basis for
12establishing probable cause to obtain a search or arrest warrant.
(a) In addition to any other sanctions, penalties,
14or remedies provided by law, an individual may bring a civil action
15in any court of competent jurisdiction against a person who
16knowingly obtains, discloses, or uses information or data collected
17through the use of an ALPR system for a purpose not authorized
18by this title.
19(b) The court may award all of the following:
20(1) Actual damages, but not less than liquidated damages in the
21amount of two thousand five hundred dollars ($2,500).
22(2) Punitive damages upon proof of willful or reckless disregard
23of the law.
24(3) Reasonable attorney’s fees and other litigation costs
25reasonably incurred.
26(4) Other preliminary and equitable relief as the court
27
determines to be appropriate.
If the Commission on State Mandates determines that
29this act contains costs mandated by the state, reimbursement to
30local agencies and school districts for those costs shall be made
31pursuant to Part 7 (commencing with Section 17500) of Division
324 of Title 2 of the Government Code.
O
98