BILL ANALYSIS �Ó
SENATE COMMITTEE ON APPROPRIATIONS
Senator Ricardo Lara, Chair
2015 - 2016 Regular Session
SB 34 (Hill) - Automated license plate recognition systems: use
of data
-----------------------------------------------------------------
| |
| |
| |
-----------------------------------------------------------------
|--------------------------------+--------------------------------|
| | |
|Version: April 22, 2015 |Policy Vote: T. & H. 8 - 2, |
| | JUD. 4 - 2 |
| | |
|--------------------------------+--------------------------------|
| | |
|Urgency: No |Mandate: No |
| | |
|--------------------------------+--------------------------------|
| | |
|Hearing Date: May 4, 2015 |Consultant: Mark McKenzie |
| | |
-----------------------------------------------------------------
This bill does not meet the criteria for referral to the
Suspense File.
Bill
Summary: SB 34 would establish security and privacy protocols
to ensure the protection of data collected through the use of an
automated license plate recognition (ALPR) system.
Fiscal
Impact:
Potentially significant local law enforcement agency costs to
comply with the provisions of this measure, to the extent
those entities wish to operate ALPR systems. As the use or
access of ALPR systems is not a mandated activity, the
�
SB 34 (Hill) Page 1 of
?
implementation of additional security, privacy, and access
protocols and procedures are estimated to be non-reimbursable
by the state.
Potential periodic minor to significant costs to public
(State/Local) and private ALPR operators, to issue data breach
notifications. Private entities and public agencies are
already subject to data breach notification law, so costs
would be dependent on the frequency and size of data breaches
specific to unencrypted ALPR data, and the process of
notification utilized by each agency. See staff comments.
Background: Existing law restricts the use of ALPR technology by the
California Highway Patrol (CHP). Pursuant to AB 115 (Committee
on Budget), Chap 38/2011, the transportation budget trailer
bill, the CHP is authorized to retain data captured by ALPR
systems for no more than 60 days except in circumstances when
the data is being used as evidence or for felony investigations.
Further, the CHP is prohibited from selling the data for any
purpose or making the data available to any agency or person
other than law enforcement agencies or officers. The data may
only be used by law enforcement agencies for purposes of
locating vehicles or persons reasonably suspected of being
involved in the commission of a public offense. The CHP is
required to monitor the internal use of ALPR data to prevent
unauthorized use, and to regularly report to the Legislature on
its ALPR practices and uses.
Existing law, the Data Breach Protection Law, requires any state
or local agency, and any person or business conducting business
in California, that owns or licenses computerized data that
includes personal information, as defined, to disclose any
security breach concerning that data to any California resident
whose unencrypted personal information was, or is believed to
have been, acquired by an unauthorized person.
Proposed Law:
SB 34 would establish security and privacy protocols to ensure
the protection of data collected through the use of an ALPR
system. Specifically, this bill would:
Define "ALPR system" as a system of one or more mobile or
�
SB 34 (Hill) Page 2 of
?
fixed cameras combined with computer algorithms to read and
convert images of license plates and their characters into
computer-readable data.
Define an "ALPR operator" as a person (including a law
enforcement, government, or private entity, but not including
a transportation agency) that operates an ALPR system, or that
stores or maintains ALPR information.
Define an "ALPR end-user" as a person that accesses or uses
ALPR information, not including a transportation agency.
Add unencrypted information or data collected through the use
or operation of an ALPR system (when combined with an
individual's name) to the list of personal information subject
to breach notification under the Data Breach Notification Law.
Require an ALPR operator to ensure ALPR information is
protected, and to implement and maintain reasonable security
procedures and practices, as specified.
Require an ALPR operator to implement and maintain a usage and
privacy policy that includes eight specified elements, at a
minimum, to ensure that the collection, use, maintenance,
sharing, and dissemination of ALPR information is consistent
with respect for an individual's privacy and civil liberties.
Require an ALPR operator to maintain a record of access to
ALPR information, as specified.
Require an ALPR end-user to implement and maintain a usage and
privacy policy that includes eight specified elements, at a
minimum, to ensure that the access, use, sharing, and
dissemination of ALPR information is consistent with respect
for an individual's privacy and civil liberties.
�
SB 34 (Hill) Page 3 of
?
Create a private right of action to enforce these provisions
and allow for the recovery of specified damages and costs.
Require a public agency that considers implementing an ALPR
system to provide an opportunity for public comment at a
regularly-scheduled public meeting of the agency's governing
body before implementing an ALPR data collection program.
Related
Legislation: SB 893 (Hill), which died on the Senate Inactive
File last year, would have placed restrictions on the use of
ALPR technology by both public and private users, limited the
types of ALPR data that could be retained, and prohibited a
public agency from sharing ALPR data with private entities, as
specified. Both CHP and transportation agencies were exempt
from the bill's requirements.
Staff
Comments: By adding ALPR data to the list of information subject to
California's data breach notification law, public and private
entities could incur costs periodically to issue notices in the
event of an ALPR data breach, as specified. State costs,
including those incurred by the CHP and transportation agencies,
would be dependent on the frequency and size of data breaches
specific to unencrypted ALPR data, and the method of
notification utilized by each agency. Under existing law, if
the costs to provide notifications exceed $250,000, or if the
breach affected more than 500,000 persons, an entity could
utilize one of several methods of notification including posting
a notice on the entity's website, which would only result in
minor costs.
As the usage of ALPR systems is not a mandated activity on local
agencies, any activities related to the implementation of
additional security, privacy, and access protocols and
procedures would not appear to be reimbursable by the state. In
other words, the use of ALPR systems is an optional activity by
local agencies, so any additional requirements related to those
systems are generally not construed to be state-mandated
�
SB 34 (Hill) Page 4 of
?
activities. However, whether the costs to local agencies would
be subject to reimbursement by the state cannot be known with
certainty, and would ultimately be subject to determination by
the Commission on State Mandates, should a local agency file a
test claim.
CHP does not anticipate any fiscal impacts as a result of this
bill, as existing law already contains prescriptive requirements
regarding the department's use of ALPR systems and data that are
consistent with the bill's requirements.
-- END --