BILL ANALYSIS                                                                                                                                                                                                    



          SENATE COMMITTEE ON TRANSPORTATION AND HOUSING
                              Senator Jim Beall, Chair
                                2015 - 2016  Regular 

          Bill No:          SB 34             Hearing Date:    4/7/2015
           ----------------------------------------------------------------- 
          |Author:   |Hill                                                  |
          |----------+------------------------------------------------------|
          |Version:  |12/1/2014                                             |
           ----------------------------------------------------------------- 
           ----------------------------------------------------------------- 
          |Urgency:  |No                     |Fiscal:      |Yes             |
           ----------------------------------------------------------------- 
           ----------------------------------------------------------------- 
          |Consultant|Christine Hochmuth                                    |
          |:         |                                                      |
           ----------------------------------------------------------------- 
          

          SUBJECT:  Automated license plate recognition systems:  use of  
          data

            DIGEST:  This bill establishes regulations on the privacy and  
          usage of automatic license plate recognition (ALPR) data and  
          expands the meaning of "personal information" to include  
          information or data collected through the use or operation of an  
          ALPR system. 

          ANALYSIS:
          
          Existing law:

          1.  Places regulations on agencies, persons, or businesses that  
            own, license, or maintain computerized data that includes  
            personal information.  These regulations include disclosing a  
            breach of security. 
           
          2.  Prohibits a transportation agency from selling or provide  
            personally identifiable information of any person who  
            subscribes to an electronic toll or electronic transit fare  
            collection system or who uses a toll bridge, toll lane, or  
            toll highway that employs an electronic toll collection  
            system.  Agencies covered by this regulation are the  
            Department of Transportation, the Bay Area Toll Authority, any  
            entity operating a toll bridge, toll lane, or toll highway  
            within the state, any entity administering an electronic  
            transit fare collection system and any transit operator  
            participating in that system, or any entity under contract  
            with the above-mentioned entities.  







          SB 34 (Hill)                                        Page 2 of ?
          
          

          3.  Requires that transportation agencies employing an  
            electronic toll or transit fare collection system establish a  
            privacy policy for the collection and use of personally  
            identifiable information and provide its users with a copy of  
            the privacy policy.  Transportation agencies include the  
            Department of Transportation, the Bay Area Toll Authority, any  
            entity operating a toll bridge, toll lane, or toll highway  
            within the state, any entity administering an electronic  
            transit fare collection system, and any transit operator  
            participating in that system, or any entity under contract  
            with the above mentioned entities. 

          4.  Establishes limits on the length of time that transportation  
            agencies may keep personal information.  All information may  
            be kept only as long as necessary to perform account  
            functions.  All other information must be discarded within  
            four and a half years after the conclusion of the billing  
            cycle. 

          This bill:
          
          1.  Defines an ALPR system as a system of one or more mobile or  
            fixed cameras combined with computer algorithms to read and  
            convert images of registration plates and the characters they  
            contain into computer-readable data.

          2.  Requires that data collected through the use or operation of  
            an ALPR system be considered as personal information subject  
            to existing law pertaining to agencies, persons, or businesses  
            that conduct business in California, and that own or license  
            computerized data including personal information. 

          3.  Defines an ALPR end-user as a person that accesses or uses  
            ALPR information and an ALPR operator as a person that  
            operates an ALPR system, or that maintains ALPR information,  
            with the exception of transportation agencies.  A person may  
            include a law enforcement agency, government agency, private  
            entity, or individual.  

          4.  Requires that ALPR operators ensure that ALPR information is  
            protected with reasonable operational, administrative,  
            technical, and physical safeguards to ensure its  
            confidentiality and integrity.









          SB 34 (Hill)                                        Page 3 of ?
          
          
          5.  Requires that ALPR operators implement and maintain  
            reasonable security procedures and practices in order to  
            protect ALPR information from unauthorized access,  
            destruction, use, modification, or disclosure.

          6.  Requires that ALPR operators and end users implement and  
            maintain a usage and privacy policy in order to ensure that  
            the collection, access, and use of ALPR information is  
            consistent with respect for individuals' privacy and civil  
            liberties.  

          7.  Requires that the usage and privacy policy include, in part:  

           the purpose for using ALPR systems/data
           a list of authorized users of ALPR systems/data
           how the ALPR systems/data will be monitored
           how ALPR operators will comply with security procedures
                 the length of time that ALPR information will be stored  
               and how it will be determined whether/when to destroy  
               retained information
                 the owner of the ALPR data and the employees who are  
               responsible for implementing the usage and privacy policy
           the reason, and process by which, ALPR data is shared with  
            other parties
           a plan for how end users will maintain security of ALPR data
           
          8.  Requires ALPR operators that access or provide access to  
            ALPR information to maintain a record of that access.  The  
            record must include the date and time of access, the license  
            plate number which was queried, the person who accesses the  
            information, and the purpose of accessing the information.

          9.  Allows an individual who has been harmed by a violation of  
            this title to bring a civil action against a person who  
            knowingly caused the violation.  The court can award damages  
            which are stipulated in this bill.

          10. Requires a public agency that considers using an ALPR system  
            to provide an opportunity for public comment at a regularly  
            scheduled public meeting of the governing body of the agency  
            before it implements the program of ALPR use.

          COMMENTS:

          1.  Purpose.  The author states that this bill is necessary to  








          SB 34 (Hill)                                        Page 4 of ?
          
          
            institute reasonable usage and privacy standards for the  
            operation of ALPR systems, which do not exist for the majority  
            of local agencies that have approved the use of ALPR  
            technology, according to the American Civil Liberties Union  
            (ACLU).  Additionally, this bill requires an opportunity for  
            public input on the usage and standards of ALPR technologies,  
            something the author contends few local agencies allow.  The  
            author states that the main focus of this bill is to put in  
            place regulations for businesses and agencies which currently  
            do not have any policies regarding the use of ALPR data,  
            unlike transportation agencies which are already regulated by  
            existing law.

          2.  ALPR background and history.  ALPR systems automatically  
            scan any license plate within range.  Some ALPR systems can  
            scan 2,000 plates in a minute.  When used by law enforcement,  
            each scanned license plate is checked against crime databases.  
             If a "hit" occurs - for example, a stolen vehicle, AMBER  
            alert, or an arrest warrant - the ALPR technology alerts the  
            law enforcement officer.  While some suggest this technology  
            is useful for modern policing, others raise concerns over an  
            invasion of peoples' civil liberties.  Whether or not a hit  
            occurs, all license plate scans are sent to large regional  
            databases that aggregate ALPR data from various law  
            enforcement agencies.  The ACLU reports that an estimated 1%  
            of ALPR data results in a hit and the other 99% of data has no  
            relation to criminal activity.  Databases maintained for  
            northern California law enforcement agencies, San Diego law  
            enforcement agencies, and private companies (such as insurance  
            companies, collections agencies, and private investigators)  
            contain 100 million, 49 million, and more than 1 billion  
            license plate scans, respectively.  Some argue that this  
            information has the potential to be involved in large-scale  
            security breach issues.

            The use of ALPR technology is growing.  The ACLU estimates  
            that nationally, 75% of law enforcement currently uses ALPRs,  
            85% plan to expand their use, and within the next five years  
            at least 25% of all police vehicles will be equipped with the  
            technology.

          3.  Privacy concerns.  The collection of a license plate number,  
            location, and time stamp over multiple time points can  
            identify not only a person's exact whereabouts but also their  
            pattern of movement.  Unlike other types of personal  








          SB 34 (Hill)                                        Page 5 of ?
          
          
            information that are covered by existing law, civilians are  
            not always aware when their ALPR data is being collected.  One  
            does not even need to be driving to be subject to ALPR  
            technology:  A car parked on the side of the road can be  
            scanned by an ALPR system.   

            This bill will put in place minimal privacy protections by  
            requiring the establishment of privacy and usage protection  
            policies for ALPR operators and end users.  This bill does not  
            prevent the authorized sharing of data, but if data is shared,  
            it must be justified and recorded.

          4.  Exemption for transportation agencies.  This bill defines an  
            "automated license plate recognition operator" as a person  
            that operates an ALPR system, but exempts transportation  
            agencies.  The author states the exemption is included because  
            transportation agencies are already required, under existing  
            law, to establish a privacy policy for personally identifiable  
            information.  However, transportation agencies are not  
            currently required to maintain a record of access to ALPR  
            information, including the date and time of access, the  
            license plate number or other data elements used to query the  
            ALPR database or system, the person who accessed the  
            information, and the purpose for accessing the information.   
            Toll operators frequently access data as part of a system that  
            captures hundreds of thousands of images daily.
           
             According to toll authority representatives, being subject to  
            these regulations would be extremely burdensome and  
            inefficient for the operation of toll roads and bridges given  
            the immense volume of transactions conducted by toll operators  
            every day.  They also contend that removing the exemption  
            would add no substantive privacy protection for California.  

          5.  Support for the bill.  The Citizens for Criminal Justice  
            Reform California state that the language in this bill  
            provides a long-overdue legislative framework which  
            establishes basic policies that will enhance privacy and  
            procedural requirements to outline the security, usage, and  
            storage of ALPR data.  This bill mandates chain of custody  
            procedures and provides additional civil remedies for anyone  
            injured by a person who knowingly violates those requirements.  
             In this way, this bill provides a degree of accountability  
            which does not exist under current law.









          SB 34 (Hill)                                        Page 6 of ?
          
          
            Small Business California, Media Alliance, and the Conference  
            of California Bar Associations all support the transparency  
            and protections that are provided by this bill.  They state  
            this bill will promote sound public policy in protecting the  
            public's privacy rights against improper use of new  
            technology, while still allowing for the use of that new  
            technology.

          6.  Double referral.  The rules committee has referred this bill  
            to both this committee and the Judiciary committee.   
            Therefore, if the bill passes this committee, it will be  
            referred to the Judiciary Committee.

          RELATED LEGISLATION:
          
          AB 259 (Dababneh, current session) requires a public agency that  
          is the source of a data breach to offer at least 12 months of  
          identity-theft prevention and mitigation services at no cost to  
          affected consumers.  This bill has passed through the Assembly  
          Privacy and Consumer Protection Committee and is currently in  
          Assembly Appropriations.

          AB 964 (Chau, current session) requires disclosure of data  
          breaches to occur within 30 days, unless the breach relates to  
          encrypted data, in which case no disclosure is necessary.  This  
          bill is currently in the Assembly Privacy and Consumer  
          Protection Committee.

          SB 893 (Hill, 2014) placed restrictions on the use of ALPR  
          technology by both public- and private-sector users.  This bill  
          failed on the Senate Floor.   

          AB 179 (Bocanegra, Chapter 375, Statutes of 2013) prohibits  
          transportation agencies and other entities that employ an  
          electronic transit fare collection system (ETFC) for the payment  
          of transit fares from selling or providing to third parties any  
          personally identifiable information obtained through a person's  
          participation in an ETFC, with certain exceptions.

          SB 24 (Simitian, Chapter 197, Statutes of 2011) standardizes the  
          security breach notification that any agency, person, or  
          business is required to issue upon a breach of security in  
          personal information.  

          SB 1330 (Simitian, 2011) restricted the use of ALPR technology  








          SB 34 (Hill)                                        Page 7 of ?
          
          
          by private entities, including restrictions on the retention,  
          use, and sale of such data.  This bill also restricted the  
          ability for a person to transfer ALPR data to a law enforcement  
          agency absent a search warrant or other specified circumstances.  
           This bill failed on the Senate Floor.

          AB 115 (Committee on Budget, Chapter 38, Statutes of 2011)  
          allows the California Highway Patrol (CHP) to retain data  
          captured by ALPR systems for no more than 60 days.  It also  
          prohibits the CHP from selling ALPR data or making it available  
          to anyone other than law enforcement agencies.

          FISCAL EFFECT:                 Appropriation:  No    Fiscal  
          Com.:             Yes          Local:          No
            
          POSITIONS:  (Communicated to the committee before noon on  
          Wednesday,
                          April 1, 2015.)
          
            SUPPORT:  

          Citizens for Criminal Justice Reform California
          Conference of California Bar Associations
          Media Alliance
          Small Business California

          OPPOSITION:

          None received.
          
          
                                      -- END --