Senator Cervantes, with Assembly Member Lowenthal, advances a comprehensive Automated License Plate Recognition data accountability framework that centers privacy protections, data minimization, and auditable governance for California’s ALPR systems. The core change tightens how ALPR data is accessed, shared, retained, and reviewed by public agencies, while adding a private right of action and a DOJ-audits regime guided by budgetary appropriations. It also narrows the core ALPR regulatory reach by excluding several transportation- and airport-related entities from the ALPR operator/end-user definitions.
Key mechanisms establish that certain transportation and airport entities are no longer categorized as ALPR operators or end users under the act, and they are thus not bound by the same ALPR governance provisions. Beginning in 2026, new contracting standards require that no default access to the national ALPR database be provided and that an agency’s scans are not accessible to other agencies by default, with inter-agency sharing permitted only as authorized by a Department of Justice directive. The law restricts enforcement use to locating vehicles or persons reasonably suspected of involvement in a public offense and imposes a suite of security measures, including employee access controls, mandatory training, and ongoing monitoring as part of a formal usage and privacy policy that must be publicly posted. Public agencies must also maintain detailed records of ALPR queries, including the date and time, data elements queried, the user’s identity and affiliation, and a valid case file number or, in certain inter-agency task forces, the task force name and the commander in charge.
Additional obligations cover data retention and handling: non-matching ALPR data must be retained for no more than 60 days, and by 2026 agencies must delete such data within 14 days after the 60-day threshold. Public-facing policies must articulate authorized purposes, designated staff authorized to access the system, monitoring plans, sharing restrictions, the custodian responsible for implementation, data accuracy measures, and retention/destruction timelines. A public comment requirement precedes the deployment of any new ALPR program, and a private right of action permits damages, attorney’s fees, and other relief for individuals harmed by violations, complemented by annual DOJ audits of operators or end users (subject to funding). Local agencies may face mandated-cost considerations, with reimbursement provisions available if state-mandated costs are determined to exist, and all new contracting provisions are designed to curb default access and limit sharing absent appropriate authorization.
Taken together, the measure situates ALPR governance within a statewide privacy and accountability framework, expanding transparency through public policies and log-keeping, constraining data sharing and retention, and introducing civil remedies and external audits to enforce compliance. It preserves law enforcement’s ability to locate vehicles or persons for legitimate investigations while imposing structured controls on access, monitoring, and data lifecycle management. The act’s timeline emphasizes a January 2026 threshold for contracting and data-deletion requirements, alongside ongoing public engagement and budget-dependent oversight, with broad applicability to cities and local agencies and a mechanism to address potential local-cost reimbursements.
Sabrina Cervantes (D), Senator | Bill Author
Josh Lowenthal (D), Assemblymember | Bill Author
Ayes | Noes | NVR | Total | Result |
---|---|---|---|---|
28 | 6 | 6 | 40 | PASS |