BILL ANALYSIS
SENATE COMMITTEE ON TRANSPORTATION AND HOUSING
Senator Jim Beall, Chair
2015 - 2016 Regular
Bill No: SB 34 Hearing Date: 4/7/2015
-----------------------------------------------------------------
|Author:     |Hill                                               |
|Version:    |12/1/2014                                          |
|Urgency:    |No                                                 |
|Fiscal:     |Yes                                                |
|Consultant: |Christine Hochmuth                                 |
-----------------------------------------------------------------
SUBJECT: Automated license plate recognition systems: use of
data
DIGEST: This bill establishes regulations on the privacy and
usage of automatic license plate recognition (ALPR) data and
expands the meaning of "personal information" to include
information or data collected through the use or operation of an
ALPR system.
ANALYSIS:
Existing law:
1. Places regulations on agencies, persons, or businesses that
own, license, or maintain computerized data that includes
personal information. These regulations include disclosing a
breach of security.
2. Prohibits a transportation agency from selling or providing
personally identifiable information of any person who
subscribes to an electronic toll or electronic transit fare
collection system or who uses a toll bridge, toll lane, or
toll highway that employs an electronic toll collection
system. Agencies covered by this regulation are the
Department of Transportation, the Bay Area Toll Authority, any
entity operating a toll bridge, toll lane, or toll highway
within the state, any entity administering an electronic
transit fare collection system and any transit operator
participating in that system, or any entity under contract
with the above-mentioned entities.
SB 34 (Hill) Page 2 of ?
3. Requires that transportation agencies employing an
electronic toll or transit fare collection system establish a
privacy policy for the collection and use of personally
identifiable information and provide its users with a copy of
the privacy policy. Transportation agencies include the
Department of Transportation, the Bay Area Toll Authority, any
entity operating a toll bridge, toll lane, or toll highway
within the state, any entity administering an electronic
transit fare collection system, and any transit operator
participating in that system, or any entity under contract
with the above-mentioned entities.
4. Establishes limits on the length of time that transportation
agencies may keep personal information. All information may
be kept only as long as necessary to perform account
functions. All other information must be discarded within
four and a half years after the conclusion of the billing
cycle.
This bill:
1. Defines an ALPR system as a system of one or more mobile or
fixed cameras combined with computer algorithms to read and
convert images of registration plates and the characters they
contain into computer-readable data.
2. Requires that data collected through the use or operation of
an ALPR system be considered as personal information subject
to existing law pertaining to agencies, persons, or businesses
that conduct business in California, and that own or license
computerized data including personal information.
3. Defines an ALPR end-user as a person that accesses or uses
ALPR information and an ALPR operator as a person that
operates an ALPR system, or that maintains ALPR information,
with the exception of transportation agencies. A person may
include a law enforcement agency, government agency, private
entity, or individual.
4. Requires that ALPR operators ensure that ALPR information is
protected with reasonable operational, administrative,
technical, and physical safeguards to ensure its
confidentiality and integrity.
5. Requires that ALPR operators implement and maintain
reasonable security procedures and practices in order to
protect ALPR information from unauthorized access,
destruction, use, modification, or disclosure.
6. Requires that ALPR operators and end users implement and
maintain a usage and privacy policy in order to ensure that
the collection, access, and use of ALPR information is
consistent with respect for individuals' privacy and civil
liberties.
7. Requires that the usage and privacy policy include, in part:
- the purpose for using ALPR systems/data
- a list of authorized users of ALPR systems/data
- how the ALPR systems/data will be monitored
- how ALPR operators will comply with security procedures
- the length of time that ALPR information will be stored
  and how it will be determined whether/when to destroy
  retained information
- the owner of the ALPR data and the employees who are
  responsible for implementing the usage and privacy policy
- the reason, and process by which, ALPR data is shared with
  other parties
- a plan for how end users will maintain security of ALPR data
8. Requires ALPR operators that access or provide access to
ALPR information to maintain a record of that access. The
record must include the date and time of access, the license
plate number which was queried, the person who accesses the
information, and the purpose of accessing the information.
9. Allows an individual who has been harmed by a violation of
this title to bring a civil action against a person who
knowingly caused the violation. The court can award damages
which are stipulated in this bill.
10. Requires a public agency that considers using an ALPR system
to provide an opportunity for public comment at a regularly
scheduled public meeting of the governing body of the agency
before it implements the program of ALPR use.
COMMENTS:
1. Purpose. The author states that this bill is necessary to
institute reasonable usage and privacy standards for the
operation of ALPR systems, which do not exist for the majority
of local agencies that have approved the use of ALPR
technology, according to the American Civil Liberties Union
(ACLU). Additionally, this bill requires an opportunity for
public input on the usage and standards of ALPR technologies,
something the author contends few local agencies allow. The
author states that the main focus of this bill is to put in
place regulations for businesses and agencies which currently
do not have any policies regarding the use of ALPR data,
unlike transportation agencies which are already regulated by
existing law.
2. ALPR background and history. ALPR systems automatically
scan any license plate within range. Some ALPR systems can
scan 2,000 plates in a minute. When used by law enforcement,
each scanned license plate is checked against crime databases.
If a "hit" occurs - for example, a stolen vehicle, AMBER
alert, or an arrest warrant - the ALPR technology alerts the
law enforcement officer. While some suggest this technology
is useful for modern policing, others raise concerns over an
invasion of people's civil liberties. Whether or not a hit
occurs, all license plate scans are sent to large regional
databases that aggregate ALPR data from various law
enforcement agencies. The ACLU reports that an estimated 1%
of ALPR data results in a hit and the other 99% of data has no
relation to criminal activity. Databases maintained for
northern California law enforcement agencies, San Diego law
enforcement agencies, and private companies (such as insurance
companies, collections agencies, and private investigators)
contain 100 million, 49 million, and more than 1 billion
license plate scans, respectively. Some argue that this
information has the potential to be exposed in large-scale
security breaches.
The use of ALPR technology is growing. The ACLU estimates
that nationally, 75% of law enforcement currently uses ALPRs,
85% plan to expand their use, and within the next five years
at least 25% of all police vehicles will be equipped with the
technology.
3. Privacy concerns. The collection of a license plate number,
location, and time stamp over multiple time points can
identify not only a person's exact whereabouts but also their
pattern of movement. Unlike other types of personal
information that are covered by existing law, civilians are
not always aware when their ALPR data is being collected. One
does not even need to be driving to be subject to ALPR
technology: A car parked on the side of the road can be
scanned by an ALPR system.
This bill will put in place minimal privacy protections by
requiring the establishment of privacy and usage protection
policies for ALPR operators and end users. This bill does not
prevent the authorized sharing of data, but if data is shared,
it must be justified and recorded.
4. Exemption for transportation agencies. This bill defines an
"automated license plate recognition operator" as a person
that operates an ALPR system, but exempts transportation
agencies. The author states the exemption is included because
transportation agencies are already required, under existing
law, to establish a privacy policy for personally identifiable
information. However, transportation agencies are not
currently required to maintain a record of access to ALPR
information, including the date and time of access, the
license plate number or other data elements used to query the
ALPR database or system, the person who accessed the
information, and the purpose for accessing the information.
Toll operators frequently access data as part of a system that
captures hundreds of thousands of images daily.
According to toll authority representatives, being subject to
these regulations would be extremely burdensome and
inefficient for the operation of toll roads and bridges given
the immense volume of transactions conducted by toll operators
every day. They also contend that removing the exemption
would add no substantive privacy protection for California.
5. Support for the bill. The Citizens for Criminal Justice
Reform California state that the language in this bill
provides a long-overdue legislative framework which
establishes basic policies that will enhance privacy and
procedural requirements to outline the security, usage, and
storage of ALPR data. This bill mandates chain of custody
procedures and provides additional civil remedies for anyone
injured by a person who knowingly violates those requirements.
In this way, this bill provides a degree of accountability
which does not exist under current law.
Small Business California, Media Alliance, and the Conference
of California Bar Associations all support the transparency
and protections that are provided by this bill. They state
this bill will promote sound public policy in protecting the
public's privacy rights against improper use of new
technology, while still allowing for the use of that new
technology.
6. Double referral. The Rules Committee has referred this bill
to both this committee and the Judiciary Committee.
Therefore, if the bill passes this committee, it will be
referred to the Judiciary Committee.
RELATED LEGISLATION:
AB 259 (Dababneh, current session) requires a public agency that
is the source of a data breach to offer at least 12 months of
identity-theft prevention and mitigation services at no cost to
affected consumers. This bill has passed through the Assembly
Privacy and Consumer Protection Committee and is currently in
Assembly Appropriations.
AB 964 (Chau, current session) requires disclosure of data
breaches to occur within 30 days, unless the breach relates to
encrypted data, in which case no disclosure is necessary. This
bill is currently in the Assembly Privacy and Consumer
Protection Committee.
SB 893 (Hill, 2014) placed restrictions on the use of ALPR
technology by both public- and private-sector users. This bill
failed on the Senate Floor.
AB 179 (Bocanegra, Chapter 375, Statutes of 2013) prohibits
transportation agencies and other entities that employ an
electronic transit fare collection system (ETFC) for the payment
of transit fares from selling or providing to third parties any
personally identifiable information obtained through a person's
participation in an ETFC, with certain exceptions.
SB 24 (Simitian, Chapter 197, Statutes of 2011) standardizes the
security breach notification that any agency, person, or
business is required to issue upon a breach of security in
personal information.
SB 1330 (Simitian, 2011) restricted the use of ALPR technology
by private entities, including restrictions on the retention,
use, and sale of such data. This bill also restricted the
ability for a person to transfer ALPR data to a law enforcement
agency absent a search warrant or other specified circumstances.
This bill failed on the Senate Floor.
AB 115 (Committee on Budget, Chapter 38, Statutes of 2011)
allows the California Highway Patrol (CHP) to retain data
captured by ALPR systems for no more than 60 days. It also
prohibits the CHP from selling ALPR data or making it available
to anyone other than law enforcement agencies.
FISCAL EFFECT: Appropriation: No    Fiscal Com.: Yes    Local: No
POSITIONS: (Communicated to the committee before noon on
Wednesday, April 1, 2015.)
SUPPORT:
Citizens for Criminal Justice Reform California
Conference of California Bar Associations
Media Alliance
Small Business California
OPPOSITION:
None received.
-- END --