BILL ANALYSIS                                                                                                                                                                                                    Ó






           ----------------------------------------------------------------- 
          |SENATE RULES COMMITTEE            |                         SB 34|
          |Office of Senate Floor Analyses   |                              |
          |(916) 651-1520    Fax: (916)      |                              |
          |327-4478                          |                              |
           ----------------------------------------------------------------- 


                                   THIRD READING 


          Bill No:  SB 34
          Author:   Hill (D)
          Amended:  4/22/15  
          Vote:     21  

           SENATE TRANS. & HOUSING COMMITTEE:  8-2, 4/7/15
           AYES:  Beall, Allen, Galgiani, Leyva, McGuire, Mendoza, Roth,  
            Wieckowski
           NOES:  Bates, Gaines
           NO VOTE RECORDED:  Cannella

           SENATE JUDICIARY COMMITTEE:  4-2, 4/14/15
           AYES:  Jackson, Leno, Monning, Wieckowski
           NOES:  Vidak, Anderson
           NO VOTE RECORDED:  Hertzberg

           SENATE APPROPRIATIONS COMMITTEE:  5-2, 5/4/15
           AYES:  Lara, Beall, Hill, Leyva, Mendoza
           NOES:  Bates, Nielsen

           SUBJECT:   Automated license plate recognition systems: use of  
                     data


          SOURCE:    Author


          DIGEST:  This bill establishes regulations on the privacy and  
          usage of automatic license plate recognition (ALPR) data and  
          expands the meaning of "personal information" to include  
          information or data collected through the use or operation of an  
          ALPR system.









                                                                      SB 34  
                                                                    Page  2



          ANALYSIS: 

          Existing law:
          
          1)  Places regulations on agencies, persons, or businesses that  
            own, license, or maintain computerized data that includes  
            personal information.  These regulations include disclosing a  
            breach of security. 
           
          2)  Prohibits a transportation agency from selling or providing  
            personally identifiable information of any person who  
            subscribes to an electronic toll or electronic transit fare  
            collection system or who uses a toll bridge, toll lane, or  
            toll highway that employs an electronic toll collection  
            system.  Agencies covered by this regulation are the  
            Department of Transportation, the Bay Area Toll Authority, any  
            entity operating a toll bridge, toll lane, or toll highway  
            within the state, any entity administering an electronic  
            transit fare collection system and any transit operator  
            participating in that system, or any entity under contract  
            with the above-mentioned entities.  

          3)  Requires that transportation agencies employing an  
            electronic toll or transit fare collection system establish a  
            privacy policy for the collection and use of personally  
            identifiable information and provide users with a copy of the  
            privacy policy.  Transportation agencies include the  
            Department of Transportation, the Bay Area Toll Authority, any  
            entity operating a toll bridge, toll lane, or toll highway  
            within the state, any entity administering an electronic  
            transit fare collection system, and any transit operator  
            participating in that system, or any entity under contract  
            with the above-mentioned entities. 

          4)  Establishes limits on the length of time that transportation  
            agencies may keep personal information.  All information may  
            be kept only as long as necessary to perform account  
            functions.  All other information must be discarded within 4  
            years after the conclusion of the billing cycle. 

          This bill:

          1)  Defines an ALPR system as a system of one or more mobile or  







                                                                      SB 34  
                                                                    Page  3


            fixed cameras combined with computer algorithms to read and  
            convert images of registration plates and the characters they  
            contain into computer-readable data.

          2)  Requires that data collected through the use or operation of  
            an ALPR system be considered as personal information subject  
            to existing law pertaining to agencies, persons, or businesses  
            that conduct business in California, and that own or license  
            computerized data including personal information. 

          3)  Defines an ALPR end-user as a person that accesses or uses  
            ALPR information and an ALPR operator as a person that  
            operates an ALPR system, or that maintains ALPR information,  
            with the exception of transportation agencies.  A person may  
            include a law enforcement agency, government agency, private  
            entity, or individual.  

          4)  Requires that ALPR operators ensure that ALPR information is  
            protected with reasonable operational, administrative,  
            technical, and physical safeguards to ensure its  
            confidentiality and integrity.

          5)  Requires that ALPR operators implement and maintain  
            reasonable security procedures and practices in order to  
            protect ALPR information from unauthorized access,  
            destruction, use, modification, or disclosure.

          6)  Requires that ALPR operators and end users implement and  
            maintain a usage and privacy policy in order to ensure that  
            the collection, access, and use of ALPR information is  
            consistent with respect for individuals' privacy and civil  
            liberties.  

          7)  Requires that the usage and privacy policy include, in part:  


           the purpose for using ALPR systems/data
           a list of authorized users of ALPR systems/data
           how the ALPR systems/data will be monitored
           how ALPR operators will comply with security procedures
                 the length of time that ALPR information will be stored  
               and how it will be determined whether/when to destroy  
               retained information
                 the owner of the ALPR data and the employees who are  







                                                                      SB 34  
                                                                    Page  4


               responsible for implementing the usage and privacy policy
           the reason and process by which ALPR data is shared with other  
            parties
           a plan for how end users will maintain security of ALPR data
           
          8)  Requires ALPR operators that access or provide access to  
            ALPR information to maintain a record of that access.  The  
            record must include the date and time of access, the license  
            plate number which was queried, the person who accesses the  
            information, and the purpose of accessing the information.

          9)  Allows an individual who has been harmed by a violation of  
            this title to bring a civil action against a person who  
            knowingly caused the violation.  The court can award damages  
            which are stipulated in this bill.

          10) Requires a public agency that considers using an ALPR system  
            to provide an opportunity for public comment at a regularly  
            scheduled public meeting of the governing body of the agency  
            before it implements the program of ALPR use.

          Comments

          Purpose.  The author states that this bill is necessary to  
          institute reasonable usage and privacy standards for the  
          operation of ALPR systems, which do not exist for the majority  
          of local agencies that have approved the use of ALPR technology,  
          according to the American Civil Liberties Union (ACLU).   
          Additionally, this bill requires an opportunity for public input  
          on the usage and standards of ALPR technologies, something the  
          author contends few local agencies allow.  The author states  
          that the main focus of this bill is to put in place regulations  
          for businesses and agencies which currently do not have any  
          policies regarding the use of ALPR data, unlike transportation  
          agencies which are already regulated by existing law.

          ALPR background and history.  ALPR systems automatically scan  
          any license plate within range.  Some ALPR systems can scan  
          2,000 plates in a minute.  When used by law enforcement, each  
          scanned license plate is checked against crime databases.  If a  
          "hit" occurs - for example, a stolen vehicle, AMBER alert, or an  
          arrest warrant - the ALPR technology alerts the law enforcement  
          officer.  While some suggest this technology is useful for  
          modern policing, others raise concerns over an invasion of  







                                                                      SB 34  
                                                                    Page  5


          peoples' civil liberties.  Whether or not a hit occurs, all  
          license plate scans are sent to large regional databases that  
          aggregate ALPR data from various law enforcement agencies.  The  
          ACLU reports that an estimated 1% of ALPR data results in a hit  
          and the other 99% of data has no relation to criminal activity.   
          Databases maintained for northern California law enforcement  
          agencies, San Diego law enforcement agencies, and private  
          companies (such as insurance companies, collections agencies,  
          and private investigators) contain 100 million, 49 million, and  
          more than 1 billion license plate scans, respectively.  Some  
          argue that this information has the potential to be involved in  
          large-scale security breach issues.

          The use of ALPR technology is growing.  The ACLU estimates that  
          nationally, 75% of law enforcement currently uses ALPRs, 85%  
          plan to expand their use, and within the next five years at  
          least 25% of all police vehicles will be equipped with the  
          technology.

          Privacy concerns.  The collection of a license plate number,  
          location, and time stamp over multiple time points can identify  
          not only a person's exact whereabouts but also their pattern of  
          movement.  Unlike other types of personal information that are  
          covered by existing law, civilians are not always aware when  
          their ALPR data is being collected.  One does not even need to  
          be driving to be subject to ALPR technology:  A car parked on  
          the side of the road can be scanned by an ALPR system.   

          This bill will put in place minimal privacy protections by  
          requiring the establishment of privacy and usage protection  
          policies for ALPR operators and end users.  This bill does not  
          prevent the authorized sharing of data, but if data is shared,  
          it must be justified and recorded.

          Exemption for transportation agencies.  This bill defines an  
          "automated license plate recognition operator" as a person that  
          operates an ALPR system, but exempts transportation agencies.   
          The author states the exemption is included because  
          transportation agencies are already required, under existing  
          law, to establish a privacy policy for personally identifiable  
          information.  However, transportation agencies are not currently  
          required to maintain a record of access to ALPR information,  
          including the date and time of access, the license plate number  
          or other data elements used to query the ALPR database or  







                                                                      SB 34  
                                                                    Page  6


          system, the person who accessed the information, and the purpose  
          for accessing the information.  Toll operators frequently access  
          data as part of a system that captures hundreds of thousands of  
          images daily.
           
           According to toll authority representatives, being subject to  
          these regulations would be extremely burdensome and inefficient  
          for the operation of toll roads and bridges given the immense  
          volume of transactions conducted by toll operators every day.   
          They also contend that removing the exemption would add no  
          substantive privacy protection for California.  



          FISCAL EFFECT:   Appropriation:    No          Fiscal  
          Com.:YesLocal:   No

          According to the Senate Appropriations Committee:

           Potentially significant local law enforcement agency costs to  
            comply with the provisions of this measure, to the extent  
            those entities wish to operate ALPR systems. As the use or  
            access of ALPR systems is not a mandated activity, the  
            implementation of additional security, privacy, and access  
            protocols and procedures are estimated to be non-reimbursable  
            by the state.
              
           Potential periodic minor to significant costs to public  
            (state/local) and private ALPR operators, to issue data breach  
            notifications.  Private entities and public agencies are  
            already subject to data breach notification law, so costs  
            would be dependent on the frequency and size of data breaches  
            specific to unencrypted ALPR data, and the process of  
            notification utilized by each agency.  See staff comments.


          SUPPORT:   (Verified5/4/15)


          Bay Area Civil Liberties Coalition
          California Civil Liberties Council
          Citizens for Criminal Justice Reform California
          Conference of California Bar Associations
          Media Alliance







                                                                      SB 34  
                                                                    Page  7


          Small Business California


          OPPOSITION:   (Verified5/4/15)


          None received

          ARGUMENTS IN SUPPORT:

          The Citizens for Criminal Justice Reform California state that  
          the language in this bill provides a long-overdue legislative  
          framework which establishes basic policies that will enhance  
          privacy and procedural requirements to outline the security,  
          usage, and storage of ALPR data.  

          Small Business California, Media Alliance, Bay Area Civil  
          Liberties Coalition, and the Conference of California Bar  
          Associations all support the transparency and protections that  
          are provided by this bill.  


          Prepared by:Christine Hochmuth / T. & H. / (916) 651-4121
          5/6/15 17:02:41


                                   ****  END  ****