BILL ANALYSIS Ó SENATE COMMITTEE ON APPROPRIATIONS Senator Ricardo Lara, Chair 2015 - 2016 Regular Session SB 34 (Hill) - Automated license plate recognition systems: use of data ----------------------------------------------------------------- | | | | | | ----------------------------------------------------------------- |--------------------------------+--------------------------------| | | | |Version: April 22, 2015 |Policy Vote: T. & H. 8 - 2, | | | JUD. 4 - 2 | | | | |--------------------------------+--------------------------------| | | | |Urgency: No |Mandate: No | | | | |--------------------------------+--------------------------------| | | | |Hearing Date: May 4, 2015 |Consultant: Mark McKenzie | | | | ----------------------------------------------------------------- This bill does not meet the criteria for referral to the Suspense File. Bill Summary: SB 34 would establish security and privacy protocols to ensure the protection of data collected through the use of an automated license plate recognition (ALPR) system. Fiscal Impact: Potentially significant local law enforcement agency costs to comply with the provisions of this measure, to the extent those entities wish to operate ALPR systems. As the use or access of ALPR systems is not a mandated activity, the SB 34 (Hill) Page 1 of ? implementation of additional security, privacy, and access protocols and procedures are estimated to be non-reimbursable by the state. Potential periodic minor to significant costs to public (State/Local) and private ALPR operators, to issue data breach notifications. Private entities and public agencies are already subject to data breach notification law, so costs would be dependent on the frequency and size of data breaches specific to unencrypted ALPR data, and the process of notification utilized by each agency. See staff comments. Background: Existing law restricts the use of ALPR technology by the California Highway Patrol (CHP). Pursuant to AB 115 (Committee on Budget), Chap 38/2011, the transportation budget trailer bill, the CHP is authorized to retain data captured by ALPR systems for no more than 60 days except in circumstances when the data is being used as evidence or for felony investigations. Further, the CHP is prohibited from selling the data for any purpose or making the data available to any agency or person other than law enforcement agencies or officers. The data may only be used by law enforcement agencies for purposes of locating vehicles or persons reasonably suspected of being involved in the commission of a public offense. The CHP is required to monitor the internal use of ALPR data to prevent unauthorized use, and to regularly report to the Legislature on its ALPR practices and uses. Existing law, the Data Breach Protection Law, requires any state or local agency, and any person or business conducting business in California, that owns or licenses computerized data that includes personal information, as defined, to disclose any security breach concerning that data to any California resident whose unencrypted personal information was, or is believed to have been, acquired by an unauthorized person. Proposed Law: SB 34 would establish security and privacy protocols to ensure the protection of data collected through the use of an ALPR system. Specifically, this bill would: Define "ALPR system" as a system of one or more mobile or SB 34 (Hill) Page 2 of ? fixed cameras combined with computer algorithms to read and convert images of license plates and their characters into computer-readable data. Define an "ALPR operator" as a person (including a law enforcement, government, or private entity, but not including a transportation agency) that operates an ALPR system, or that stores or maintains ALPR information. Define an "ALPR end-user" as a person that accesses or uses ALPR information, not including a transportation agency. Add unencrypted information or data collected through the use or operation of an ALPR system (when combined with an individual's name) to the list of personal information subject to breach notification under the Data Breach Notification Law. Require an ALPR operator to ensure ALPR information is protected, and to implement and maintain reasonable security procedures and practices, as specified. Require an ALPR operator to implement and maintain a usage and privacy policy that includes eight specified elements, at a minimum, to ensure that the collection, use, maintenance, sharing, and dissemination of ALPR information is consistent with respect for an individual's privacy and civil liberties. Require an ALPR operator to maintain a record of access to ALPR information, as specified. Require an ALPR end-user to implement and maintain a usage and privacy policy that includes eight specified elements, at a minimum, to ensure that the access, use, sharing, and dissemination of ALPR information is consistent with respect for an individual's privacy and civil liberties. SB 34 (Hill) Page 3 of ? Create a private right of action to enforce these provisions and allow for the recovery of specified damages and costs. Require a public agency that considers implementing an ALPR system to provide an opportunity for public comment at a regularly-scheduled public meeting of the agency's governing body before implementing an ALPR data collection program. Related Legislation: SB 893 (Hill), which died on the Senate Inactive File last year, would have placed restrictions on the use of ALPR technology by both public and private users, limited the types of ALPR data that could be retained, and prohibited a public agency from sharing ALPR data with private entities, as specified. Both CHP and transportation agencies were exempt from the bill's requirements. Staff Comments: By adding ALPR data to the list of information subject to California's data breach notification law, public and private entities could incur costs periodically to issue notices in the event of an ALPR data breach, as specified. State costs, including those incurred by the CHP and transportation agencies, would be dependent on the frequency and size of data breaches specific to unencrypted ALPR data, and the method of notification utilized by each agency. Under existing law, if the costs to provide notifications exceed $250,000, or if the breach affected more than 500,000 persons, an entity could utilize one of several methods of notification including posting a notice on the entity's website, which would only result in minor costs. As the usage of ALPR systems is not a mandated activity on local agencies, any activities related to the implementation of additional security, privacy, and access protocols and procedures would not appear to be reimbursable by the state. In other words, the use of ALPR systems is an optional activity by local agencies, so any additional requirements related to those systems are generally not construed to be state-mandated SB 34 (Hill) Page 4 of ? activities. However, whether the costs to local agencies would be subject to reimbursement by the state cannot be known with certainty, and would ultimately be subject to determination by the Commission on State Mandates, should a local agency file a test claim. CHP does not anticipate any fiscal impacts as a result of this bill, as existing law already contains prescriptive requirements regarding the department's use of ALPR systems and data that are consistent with the bill's requirements. -- END --