BILL ANALYSIS                                                                                                                                                                                                    



          SENATE COMMITTEE ON APPROPRIATIONS
                             Senator Ricardo Lara, Chair
                            2015 - 2016  Regular  Session

          SB 34 (Hill) - Automated license plate recognition systems:  use  
          of data
          
           ----------------------------------------------------------------- 
          |                                                                 |
          |                                                                 |
          |                                                                 |
           ----------------------------------------------------------------- 
          |--------------------------------+--------------------------------|
          |                                |                                |
          |Version: April 22, 2015         |Policy Vote: T. & H. 8 - 2,     |
          |                                |          JUD. 4 - 2            |
          |                                |                                |
          |--------------------------------+--------------------------------|
          |                                |                                |
          |Urgency: No                     |Mandate: No                     |
          |                                |                                |
          |--------------------------------+--------------------------------|
          |                                |                                |
          |Hearing Date: May 4, 2015       |Consultant: Mark McKenzie       |
          |                                |                                |
           ----------------------------------------------------------------- 


          This bill does not meet the criteria for referral to the  
          Suspense File.







          Bill  
          Summary:  SB 34 would establish security and privacy protocols  
          to ensure the protection of data collected through the use of an  
          automated license plate recognition (ALPR) system.


          Fiscal  
          Impact:  
           Potentially significant local law enforcement agency costs to  
            comply with the provisions of this measure, to the extent  
            those entities wish to operate ALPR systems. As the use or  
            access of ALPR systems is not a mandated activity, the  







          SB 34 (Hill)                                           Page 1 of  
          ?
          
          
            implementation of additional security, privacy, and access  
            protocols and procedures are estimated to be non-reimbursable  
            by the state.
              
           Potential periodic minor to significant costs to public  
            (State/Local) and private ALPR operators, to issue data breach  
            notifications.  Private entities and public agencies are  
            already subject to data breach notification law, so costs  
            would be dependent on the frequency and size of data breaches  
            specific to unencrypted ALPR data, and the process of  
            notification utilized by each agency.  See staff comments.


          Background:  Existing law restricts the use of ALPR technology by the  
          California Highway Patrol (CHP).  Pursuant to AB 115 (Committee  
          on Budget), Chap 38/2011, the transportation budget trailer  
          bill, the CHP is authorized to retain data captured by ALPR  
          systems for no more than 60 days except in circumstances when  
          the data is being used as evidence or for felony investigations.  
           Further, the CHP is prohibited from selling the data for any  
          purpose or making the data available to any agency or person  
          other than law enforcement agencies or officers.  The data may  
          only be used by law enforcement agencies for purposes of  
          locating vehicles or persons reasonably suspected of being  
          involved in the commission of a public offense.  The CHP is  
          required to monitor the internal use of ALPR data to prevent  
          unauthorized use, and to regularly report to the Legislature on  
          its ALPR practices and uses.
          Existing law, the Data Breach Protection Law, requires any state  
          or local agency, and any person or business conducting business  
          in California, that owns or licenses computerized data that  
          includes personal information, as defined, to disclose any  
          security breach concerning that data to any California resident  
          whose unencrypted personal information was, or is believed to  
          have been, acquired by an unauthorized person.  




          Proposed Law:  
            SB 34 would establish security and privacy protocols to ensure  
          the protection of data collected through the use of an ALPR  
          system.  Specifically, this bill would:
           Define "ALPR system" as a system of one or more mobile or  








          SB 34 (Hill)                                           Page 2 of  
          ?
          
          
            fixed cameras combined with computer algorithms to read and  
            convert images of license plates and their characters into  
            computer-readable data.


           Define an "ALPR operator" as a person (including a law  
            enforcement, government, or private entity, but not including  
            a transportation agency) that operates an ALPR system, or that  
            stores or maintains ALPR information.


           Define an "ALPR end-user" as a person that accesses or uses  
            ALPR information, not including a transportation agency.


           Add unencrypted information or data collected through the use  
            or operation of an ALPR system (when combined with an  
            individual's name) to the list of personal information subject  
            to breach notification under the Data Breach Notification Law.


           Require an ALPR operator to ensure ALPR information is  
            protected, and to implement and maintain reasonable security  
            procedures and practices, as specified.


           Require an ALPR operator to implement and maintain a usage and  
            privacy policy that includes eight specified elements, at a  
            minimum, to ensure that the collection, use, maintenance,  
            sharing, and dissemination of ALPR information is consistent  
            with respect for an individual's privacy and civil liberties.


           Require an ALPR operator to maintain a record of access to  
            ALPR information, as specified.


           Require an ALPR end-user to implement and maintain a usage and  
            privacy policy that includes eight specified elements, at a  
            minimum, to ensure that the access, use, sharing, and  
            dissemination of ALPR information is consistent with respect  
            for an individual's privacy and civil liberties.










          SB 34 (Hill)                                           Page 3 of  
          ?
          
          
           Create a private right of action to enforce these provisions  
            and allow for the recovery of specified damages and costs.


           Require a public agency that considers implementing an ALPR  
            system to provide an opportunity for public comment at a  
            regularly-scheduled public meeting of the agency's governing  
            body before implementing an ALPR data collection program. 




          Related  
          Legislation:  SB 893 (Hill), which died on the Senate Inactive  
          File last year, would have placed restrictions on the use of  
          ALPR technology by both public and private users, limited the  
          types of ALPR data that could be retained, and prohibited a  
          public agency from sharing ALPR data with private entities, as  
          specified.  Both CHP and transportation agencies were exempt  
          from the bill's requirements.


          Staff  
          Comments:  By adding ALPR data to the list of information subject to  
          California's data breach notification law, public and private  
          entities could incur costs periodically to issue notices in the  
          event of an ALPR data breach, as specified.  State costs,  
          including those incurred by the CHP and transportation agencies,  
          would be dependent on the frequency and size of data breaches  
          specific to unencrypted ALPR data, and the method of  
          notification utilized by each agency.  Under existing law, if  
          the costs to provide notifications exceed $250,000, or if the  
          breach affected more than 500,000 persons, an entity could  
          utilize one of several methods of notification including posting  
          a notice on the entity's website, which would only result in  
          minor costs.

          As the usage of ALPR systems is not a mandated activity on local  
          agencies, any activities related to the implementation of  
          additional security, privacy, and access protocols and  
          procedures would not appear to be reimbursable by the state. In  
          other words, the use of ALPR systems is an optional activity by  
          local agencies, so any additional requirements related to those  
          systems are generally not construed to be state-mandated  








          SB 34 (Hill)                                           Page 4 of  
          ?
          
          
          activities.  However, whether the costs to local agencies would  
          be subject to reimbursement by the state cannot be known with  
          certainty, and would ultimately be subject to determination by  
          the Commission on State Mandates, should a local agency file a  
          test claim.  

          CHP does not anticipate any fiscal impacts as a result of this  
          bill, as existing law already contains prescriptive requirements  
          regarding the department's use of ALPR systems and data that are  
          consistent with the bill's requirements.


                                      -- END --