BILL ANALYSIS Ó ----------------------------------------------------------------- |SENATE RULES COMMITTEE | SB 34| |Office of Senate Floor Analyses | | |(916) 651-1520 Fax: (916) | | |327-4478 | | ----------------------------------------------------------------- THIRD READING Bill No: SB 34 Author: Hill (D) Amended: 4/22/15 Vote: 21 SENATE TRANS. & HOUSING COMMITTEE: 8-2, 4/7/15 AYES: Beall, Allen, Galgiani, Leyva, McGuire, Mendoza, Roth, Wieckowski NOES: Bates, Gaines NO VOTE RECORDED: Cannella SENATE JUDICIARY COMMITTEE: 4-2, 4/14/15 AYES: Jackson, Leno, Monning, Wieckowski NOES: Vidak, Anderson NO VOTE RECORDED: Hertzberg SENATE APPROPRIATIONS COMMITTEE: 5-2, 5/4/15 AYES: Lara, Beall, Hill, Leyva, Mendoza NOES: Bates, Nielsen SUBJECT: Automated license plate recognition systems: use of data SOURCE: Author DIGEST: This bill establishes regulations on the privacy and usage of automatic license plate recognition (ALPR) data and expands the meaning of "personal information" to include information or data collected through the use or operation of an ALPR system. SB 34 Page 2 ANALYSIS: Existing law: 1) Places regulations on agencies, persons, or businesses that own, license, or maintain computerized data that includes personal information. These regulations include disclosing a breach of security. 2) Prohibits a transportation agency from selling or providing personally identifiable information of any person who subscribes to an electronic toll or electronic transit fare collection system or who uses a toll bridge, toll lane, or toll highway that employs an electronic toll collection system. Agencies covered by this regulation are the Department of Transportation, the Bay Area Toll Authority, any entity operating a toll bridge, toll lane, or toll highway within the state, any entity administering an electronic transit fare collection system and any transit operator participating in that system, or any entity under contract with the above-mentioned entities. 3) Requires that transportation agencies employing an electronic toll or transit fare collection system establish a privacy policy for the collection and use of personally identifiable information and provide users with a copy of the privacy policy. Transportation agencies include the Department of Transportation, the Bay Area Toll Authority, any entity operating a toll bridge, toll lane, or toll highway within the state, any entity administering an electronic transit fare collection system, and any transit operator participating in that system, or any entity under contract with the above-mentioned entities. 4) Establishes limits on the length of time that transportation agencies may keep personal information. All information may be kept only as long as necessary to perform account functions. All other information must be discarded within 4 years after the conclusion of the billing cycle. This bill: 1) Defines an ALPR system as a system of one or more mobile or SB 34 Page 3 fixed cameras combined with computer algorithms to read and convert images of registration plates and the characters they contain into computer-readable data. 2) Requires that data collected through the use or operation of an ALPR system be considered as personal information subject to existing law pertaining to agencies, persons, or businesses that conduct business in California, and that own or license computerized data including personal information. 3) Defines an ALPR end-user as a person that accesses or uses ALPR information and an ALPR operator as a person that operates an ALPR system, or that maintains ALPR information, with the exception of transportation agencies. A person may include a law enforcement agency, government agency, private entity, or individual. 4) Requires that ALPR operators ensure that ALPR information is protected with reasonable operational, administrative, technical, and physical safeguards to ensure its confidentiality and integrity. 5) Requires that ALPR operators implement and maintain reasonable security procedures and practices in order to protect ALPR information from unauthorized access, destruction, use, modification, or disclosure. 6) Requires that ALPR operators and end users implement and maintain a usage and privacy policy in order to ensure that the collection, access, and use of ALPR information is consistent with respect for individuals' privacy and civil liberties. 7) Requires that the usage and privacy policy include, in part: the purpose for using ALPR systems/data a list of authorized users of ALPR systems/data how the ALPR systems/data will be monitored how ALPR operators will comply with security procedures the length of time that ALPR information will be stored and how it will be determined whether/when to destroy retained information the owner of the ALPR data and the employees who are SB 34 Page 4 responsible for implementing the usage and privacy policy the reason and process by which ALPR data is shared with other parties a plan for how end users will maintain security of ALPR data 8) Requires ALPR operators that access or provide access to ALPR information to maintain a record of that access. The record must include the date and time of access, the license plate number which was queried, the person who accesses the information, and the purpose of accessing the information. 9) Allows an individual who has been harmed by a violation of this title to bring a civil action against a person who knowingly caused the violation. The court can award damages which are stipulated in this bill. 10) Requires a public agency that considers using an ALPR system to provide an opportunity for public comment at a regularly scheduled public meeting of the governing body of the agency before it implements the program of ALPR use. Comments Purpose. The author states that this bill is necessary to institute reasonable usage and privacy standards for the operation of ALPR systems, which do not exist for the majority of local agencies that have approved the use of ALPR technology, according to the American Civil Liberties Union (ACLU). Additionally, this bill requires an opportunity for public input on the usage and standards of ALPR technologies, something the author contends few local agencies allow. The author states that the main focus of this bill is to put in place regulations for businesses and agencies which currently do not have any policies regarding the use of ALPR data, unlike transportation agencies which are already regulated by existing law. ALPR background and history. ALPR systems automatically scan any license plate within range. Some ALPR systems can scan 2,000 plates in a minute. When used by law enforcement, each scanned license plate is checked against crime databases. If a "hit" occurs - for example, a stolen vehicle, AMBER alert, or an arrest warrant - the ALPR technology alerts the law enforcement officer. While some suggest this technology is useful for modern policing, others raise concerns over an invasion of SB 34 Page 5 peoples' civil liberties. Whether or not a hit occurs, all license plate scans are sent to large regional databases that aggregate ALPR data from various law enforcement agencies. The ACLU reports that an estimated 1% of ALPR data results in a hit and the other 99% of data has no relation to criminal activity. Databases maintained for northern California law enforcement agencies, San Diego law enforcement agencies, and private companies (such as insurance companies, collections agencies, and private investigators) contain 100 million, 49 million, and more than 1 billion license plate scans, respectively. Some argue that this information has the potential to be involved in large-scale security breach issues. The use of ALPR technology is growing. The ACLU estimates that nationally, 75% of law enforcement currently uses ALPRs, 85% plan to expand their use, and within the next five years at least 25% of all police vehicles will be equipped with the technology. Privacy concerns. The collection of a license plate number, location, and time stamp over multiple time points can identify not only a person's exact whereabouts but also their pattern of movement. Unlike other types of personal information that are covered by existing law, civilians are not always aware when their ALPR data is being collected. One does not even need to be driving to be subject to ALPR technology: A car parked on the side of the road can be scanned by an ALPR system. This bill will put in place minimal privacy protections by requiring the establishment of privacy and usage protection policies for ALPR operators and end users. This bill does not prevent the authorized sharing of data, but if data is shared, it must be justified and recorded. Exemption for transportation agencies. This bill defines an "automated license plate recognition operator" as a person that operates an ALPR system, but exempts transportation agencies. The author states the exemption is included because transportation agencies are already required, under existing law, to establish a privacy policy for personally identifiable information. However, transportation agencies are not currently required to maintain a record of access to ALPR information, including the date and time of access, the license plate number or other data elements used to query the ALPR database or SB 34 Page 6 system, the person who accessed the information, and the purpose for accessing the information. Toll operators frequently access data as part of a system that captures hundreds of thousands of images daily. According to toll authority representatives, being subject to these regulations would be extremely burdensome and inefficient for the operation of toll roads and bridges given the immense volume of transactions conducted by toll operators every day. They also contend that removing the exemption would add no substantive privacy protection for California. FISCAL EFFECT: Appropriation: No Fiscal Com.:YesLocal: No According to the Senate Appropriations Committee: Potentially significant local law enforcement agency costs to comply with the provisions of this measure, to the extent those entities wish to operate ALPR systems. As the use or access of ALPR systems is not a mandated activity, the implementation of additional security, privacy, and access protocols and procedures are estimated to be non-reimbursable by the state. Potential periodic minor to significant costs to public (state/local) and private ALPR operators, to issue data breach notifications. Private entities and public agencies are already subject to data breach notification law, so costs would be dependent on the frequency and size of data breaches specific to unencrypted ALPR data, and the process of notification utilized by each agency. See staff comments. SUPPORT: (Verified5/4/15) Bay Area Civil Liberties Coalition California Civil Liberties Council Citizens for Criminal Justice Reform California Conference of California Bar Associations Media Alliance SB 34 Page 7 Small Business California OPPOSITION: (Verified5/4/15) None received ARGUMENTS IN SUPPORT: The Citizens for Criminal Justice Reform California state that the language in this bill provides a long-overdue legislative framework which establishes basic policies that will enhance privacy and procedural requirements to outline the security, usage, and storage of ALPR data. Small Business California, Media Alliance, Bay Area Civil Liberties Coalition, and the Conference of California Bar Associations all support the transparency and protections that are provided by this bill. Prepared by:Christine Hochmuth / T. & H. / (916) 651-4121 5/6/15 17:02:41 **** END ****