BILL ANALYSIS

SENATE COMMITTEE ON TRANSPORTATION AND HOUSING
Senator Jim Beall, Chair
2015 - 2016 Regular

Bill No: SB 34
Hearing Date: 4/7/2015
Author: Hill
Version: 12/1/2014
Urgency: No
Fiscal: Yes
Consultant: Christine Hochmuth

SUBJECT: Automated license plate recognition systems: use of data

DIGEST: This bill establishes regulations on the privacy and usage of automatic license plate recognition (ALPR) data and expands the meaning of "personal information" to include information or data collected through the use or operation of an ALPR system.

ANALYSIS:

Existing law:

1. Places regulations on agencies, persons, or businesses that own, license, or maintain computerized data that includes personal information. These regulations include disclosing a breach of security.

2. Prohibits a transportation agency from selling or providing personally identifiable information of any person who subscribes to an electronic toll or electronic transit fare collection system or who uses a toll bridge, toll lane, or toll highway that employs an electronic toll collection system. Agencies covered by this regulation are the Department of Transportation, the Bay Area Toll Authority, any entity operating a toll bridge, toll lane, or toll highway within the state, any entity administering an electronic transit fare collection system and any transit operator participating in that system, or any entity under contract with the above-mentioned entities.

3. Requires that transportation agencies employing an electronic toll or transit fare collection system establish a privacy policy for the collection and use of personally identifiable information and provide its users with a copy of the privacy policy. Transportation agencies include the Department of Transportation, the Bay Area Toll Authority, any entity operating a toll bridge, toll lane, or toll highway within the state, any entity administering an electronic transit fare collection system, and any transit operator participating in that system, or any entity under contract with the above-mentioned entities.

4. Establishes limits on the length of time that transportation agencies may keep personal information. All information may be kept only as long as necessary to perform account functions. All other information must be discarded within four and a half years after the conclusion of the billing cycle.

This bill:

1. Defines an ALPR system as a system of one or more mobile or fixed cameras combined with computer algorithms to read and convert images of registration plates and the characters they contain into computer-readable data.

2. Requires that data collected through the use or operation of an ALPR system be considered as personal information subject to existing law pertaining to agencies, persons, or businesses that conduct business in California, and that own or license computerized data including personal information.

3. Defines an ALPR end-user as a person that accesses or uses ALPR information and an ALPR operator as a person that operates an ALPR system, or that maintains ALPR information, with the exception of transportation agencies. A person may include a law enforcement agency, government agency, private entity, or individual.

4. Requires that ALPR operators ensure that ALPR information is protected with reasonable operational, administrative, technical, and physical safeguards to ensure its confidentiality and integrity.

5. Requires that ALPR operators implement and maintain reasonable security procedures and practices in order to protect ALPR information from unauthorized access, destruction, use, modification, or disclosure.

6. Requires that ALPR operators and end users implement and maintain a usage and privacy policy in order to ensure that the collection, access, and use of ALPR information is consistent with respect for individuals' privacy and civil liberties.

7. Requires that the usage and privacy policy include, in part:

   - the purpose for using ALPR systems/data
   - a list of authorized users of ALPR systems/data
   - how the ALPR systems/data will be monitored
   - how ALPR operators will comply with security procedures
   - the length of time that ALPR information will be stored and how it will be determined whether/when to destroy retained information
   - the owner of the ALPR data and the employees who are responsible for implementing the usage and privacy policy
   - the reason, and process by which, ALPR data is shared with other parties
   - a plan for how end users will maintain security of ALPR data

8. Requires ALPR operators that access or provide access to ALPR information to maintain a record of that access. The record must include the date and time of access, the license plate number which was queried, the person who accesses the information, and the purpose of accessing the information.

9. Allows an individual who has been harmed by a violation of this title to bring a civil action against a person who knowingly caused the violation. The court can award damages which are stipulated in this bill.

10. Requires a public agency that considers using an ALPR system to provide an opportunity for public comment at a regularly scheduled public meeting of the governing body of the agency before it implements the program of ALPR use.

COMMENTS:

1. Purpose. The author states that this bill is necessary to institute reasonable usage and privacy standards for the operation of ALPR systems, which do not exist for the majority of local agencies that have approved the use of ALPR technology, according to the American Civil Liberties Union (ACLU). Additionally, this bill requires an opportunity for public input on the usage and standards of ALPR technologies, something the author contends few local agencies allow. The author states that the main focus of this bill is to put in place regulations for businesses and agencies which currently do not have any policies regarding the use of ALPR data, unlike transportation agencies which are already regulated by existing law.

2. ALPR background and history. ALPR systems automatically scan any license plate within range. Some ALPR systems can scan 2,000 plates in a minute. When used by law enforcement, each scanned license plate is checked against crime databases. If a "hit" occurs - for example, a stolen vehicle, AMBER alert, or an arrest warrant - the ALPR technology alerts the law enforcement officer. While some suggest this technology is useful for modern policing, others raise concerns over an invasion of people's civil liberties.

   Whether or not a hit occurs, all license plate scans are sent to large regional databases that aggregate ALPR data from various law enforcement agencies. The ACLU reports that an estimated 1% of ALPR data results in a hit and the other 99% of data has no relation to criminal activity. Databases maintained for northern California law enforcement agencies, San Diego law enforcement agencies, and private companies (such as insurance companies, collections agencies, and private investigators) contain 100 million, 49 million, and more than 1 billion license plate scans, respectively. Some argue that this information has the potential to be involved in large-scale security breach issues.

   The use of ALPR technology is growing. The ACLU estimates that nationally, 75% of law enforcement currently uses ALPRs, 85% plan to expand their use, and within the next five years at least 25% of all police vehicles will be equipped with the technology.

3. Privacy concerns. The collection of a license plate number, location, and time stamp over multiple time points can identify not only a person's exact whereabouts but also their pattern of movement. Unlike other types of personal information that are covered by existing law, civilians are not always aware when their ALPR data is being collected. One does not even need to be driving to be subject to ALPR technology: A car parked on the side of the road can be scanned by an ALPR system. This bill will put in place minimal privacy protections by requiring the establishment of privacy and usage protection policies for ALPR operators and end users. This bill does not prevent the authorized sharing of data, but if data is shared, it must be justified and recorded.

4. Exemption for transportation agencies. This bill defines an "automated license plate recognition operator" as a person that operates an ALPR system, but exempts transportation agencies. The author states the exemption is included because transportation agencies are already required, under existing law, to establish a privacy policy for personally identifiable information. However, transportation agencies are not currently required to maintain a record of access to ALPR information, including the date and time of access, the license plate number or other data elements used to query the ALPR database or system, the person who accessed the information, and the purpose for accessing the information.

   Toll operators frequently access data as part of a system that captures hundreds of thousands of images daily. According to toll authority representatives, being subject to these regulations would be extremely burdensome and inefficient for the operation of toll roads and bridges given the immense volume of transactions conducted by toll operators every day. They also contend that removing the exemption would add no substantive privacy protection for California.

5. Support for the bill. The Citizens for Criminal Justice Reform California state that the language in this bill provides a long-overdue legislative framework which establishes basic policies that will enhance privacy and procedural requirements to outline the security, usage, and storage of ALPR data. This bill mandates chain of custody procedures and provides additional civil remedies for anyone injured by a person who knowingly violates those requirements. In this way, this bill provides a degree of accountability which does not exist under current law.

   Small Business California, Media Alliance, and the Conference of California Bar Associations all support the transparency and protections that are provided by this bill. They state this bill will promote sound public policy in protecting the public's privacy rights against improper use of new technology, while still allowing for the use of that new technology.

6. Double referral. The Rules Committee has referred this bill to both this committee and the Judiciary Committee. Therefore, if the bill passes this committee, it will be referred to the Judiciary Committee.

RELATED LEGISLATION:

AB 259 (Dababneh, current session) requires a public agency that is the source of a data breach to offer at least 12 months of identity-theft prevention and mitigation services at no cost to affected consumers. This bill has passed through the Assembly Privacy and Consumer Protection Committee and is currently in Assembly Appropriations.

AB 964 (Chau, current session) requires disclosure of data breaches to occur within 30 days, unless the breach relates to encrypted data, in which case no disclosure is necessary. This bill is currently in the Assembly Privacy and Consumer Protection Committee.

SB 893 (Hill, 2014) placed restrictions on the use of ALPR technology by both public- and private-sector users. This bill failed on the Senate Floor.

AB 179 (Bocanegra, Chapter 375, Statutes of 2013) prohibits transportation agencies and other entities that employ an electronic transit fare collection system (ETFC) for the payment of transit fares from selling or providing to third parties any personally identifiable information obtained through a person's participation in an ETFC, with certain exceptions.

SB 24 (Simitian, Chapter 197, Statutes of 2011) standardizes the security breach notification that any agency, person, or business is required to issue upon a breach of security in personal information.

SB 1330 (Simitian, 2011) restricted the use of ALPR technology by private entities, including restrictions on the retention, use, and sale of such data. This bill also restricted the ability for a person to transfer ALPR data to a law enforcement agency absent a search warrant or other specified circumstances. This bill failed on the Senate Floor.

AB 115 (Committee on Budget, Chapter 38, Statutes of 2011) allows the California Highway Patrol (CHP) to retain data captured by ALPR systems for no more than 60 days. It also prohibits the CHP from selling ALPR data or making it available to anyone other than law enforcement agencies.

FISCAL EFFECT: Appropriation: No    Fiscal Com.: Yes    Local: No

POSITIONS: (Communicated to the committee before noon on Wednesday, April 1, 2015.)

SUPPORT:

Citizens for Criminal Justice Reform California
Conference of California Bar Associations
Media Alliance
Small Business California

OPPOSITION:

None received.

-- END --