BILL ANALYSIS Ó SB 34 Page 1 SENATE THIRD READING SB 34 (Hill) As Amended September 1, 2015 Majority vote SENATE VOTE: 25-12 -------------------------------------------------------------------- |Committee |Votes|Ayes |Noes | | | | | | | | | | | | | | | | |----------------+-----+-----------------------+---------------------| |Transportation |13-1 |Frazier, Achadjian, |Melendez | | | |Bloom, Campos, Chu, | | | | |Daly, Dodd, Eduardo | | | | |Garcia, Gomez, Linder, | | | | |Medina, Nazarian, | | | | |O'Donnell | | | | | | | |----------------+-----+-----------------------+---------------------| |Privacy |11-0 |Gatto, Wilk, Baker, | | | | |Calderon, Chang, Chau, | | | | |Cooper, Dababneh, | | | | |Dahle, Gordon, Low | | | | | | | |----------------+-----+-----------------------+---------------------| |Appropriations |14-3 |Gomez, Bloom, Bonta, |Bigelow, Gallagher, | | | |Calderon, Chang, Daly, |Jones | | | |Eggman, | | SB 34 Page 2 | | | | | | | | | | | | |Eduardo Garcia, | | | | |Holden, Quirk, Rendon, | | | | |Wagner, Weber, Wood | | | | | | | | | | | | -------------------------------------------------------------------- SUMMARY: Imposes a variety of security, privacy, and public hearing requirements on the use of automated license plate recognition (ALPR) systems, as well as a private right of action and provisions for remedies. Specifically, this bill: 1)Requires that data collected through the use or operation of an ALPR system be treated as personal information for purposes of existing data breach notification laws applying to agencies, persons, or businesses that conduct business in California and own or license computerized data including personal information. 2)Requires an ALPR operator and ALPR end-user to maintain reasonable security procedures and practices, including operational, administrative, technical, and physical safeguards, to protect information from unauthorized access, destruction, use, modification, or disclosure. 3)Requires an ALPR operator and ALPR end-user to implement and maintain a usage and privacy policy, as specified, which shall be available in writing to the public, and conspicuously posted on the operator or end-user's website if one exists. 4)Requires the ALPR operator usage and privacy policy to include, at a minimum, all of the following: SB 34 Page 3 a) The authorized purposes for using the ALPR system and collecting ALPR information. b) A description of the job title or other designation of the employees and independent contractors, and their training requirements, who are authorized to use the ALPR system or collect and access ALPR information. c) A description of how the use of how the ALPR system will be monitored for compliance with privacy laws. d) The purposes of, process for, and restrictions on, the sale, sharing, or transfer of ALPR information to other persons. e) The title of the official custodian, or owner, of the ALPR system responsible for implementing the policy. f) A description of the reasonable measures that will be used to ensure the accuracy of ALPR information and a process to correct data errors. g) The length of time ALPR information will be retained, and the process the ALPR operator will utilize to determine if and when to destroy retained ALPR information. 5)Requires ALPR operators to maintain a record of access to ALPR information, including the date and time of access, the license plate number which was queried, the username of the person who accessed the information, and the purpose for accessing the information. 6)Requires the ALPR end-user's usage and privacy policy to include, at a minimum, all of the following: SB 34 Page 4 a) The authorized purposes for accessing and using ALPR information. b) A description of the job title or other designation of the employees and independent contractors, and their training requirements, who are authorized to access and use ALPR information. c) A description of how the use of ALPR systems will be monitored to ensure the security of the information accessed or used, and compliance with privacy laws and the process for periodic system audits, as specified. d) The purposes of, process for, and restrictions on, the sale, sharing, or transfer of ALPR information to other persons. e) The title of the official custodian, or owner, of the ALPR information responsible for implementing this section. f) A description of the reasonable measures that will be used to ensure the accuracy of ALPR information and a process to correct data errors. g) The length of time ALPR information will be retained, and the process the ALPR end-user will utilize to determine if and when to destroy retained ALPR information. 7)Allows an individual who has been harmed by a violation of these requirements to bring a civil action against a person who knowingly caused the violation. 8)Authorizes a court to award any or all of the following remedies: SB 34 Page 5 a) Actual damages, but not less than liquidated damages in the amount of $2,500; b) Punitive damages upon proof of willful or reckless disregard of the law; c) Reasonable attorney's fees and other litigation costs reasonably incurred; and, d) Other preliminary and equitable relief as the court determines to be appropriate. 9)Requires that a public agency that operates or intends to operate an ALPR system to provide an opportunity for public comment at a public meeting of the agency's governing body before implementing the program. 10)Prohibits a public agency from selling, sharing or transferring ALPR information, except to another public agency and only as permitted by law, although data hosting services are exempted. 11)Defines the terms "automated license plate recognition end-user," "automated license plate recognition information," "automated license plate recognition operator," "automated license plate recognition system," "person," and "public agency." 12)Double-joints this bill with AB 964 (Chau) and SB 570 (Jackson) of the current legislative session, to avoid chaptering out conflicts. FISCAL EFFECT: According to the Assembly Appropriations SB 34 Page 6 Committee: 1)The state's Data Breach Protection Law requires a public agency or California business that owns or licenses computerized data containing personal information to disclose a breach of the system's security or data to any California resident whose unencrypted personal information was acquired by an unauthorized person. If the costs to provide notifications exceed $250,000, or if the breach affected more than 500,000 persons, the agency or business can use one of several alternative methods of notification, including posting a notice on the entity's website. 2)The California Highway Patrol (CHP) could incur unknown, but likely minor costs to provide notifications in the event of a data breach. Because the department's ALPR system contains several million plates at any one time, it would likely use the less costly alternative means of notification. Other provisions of this bill are consistent with existing requirements placed on the CHP's use of ALPR. 3)Potentially significant, but non-reimbursable costs to comply with this bill's requirements for those local law enforcement agencies that elect to operate ALPR systems. Similar to the CHP, local agencies could also incur notification-related costs in the event of a data breach of their ALPR systems. COMMENTS: ALPR is a common public safety enforcement method that utilizes optical character recognition to read vehicle license plates. ALPR systems typically use infrared lighting and a variety of algorithms to take a picture of a license plate, identify any text, and determine the proper letter/number sequence on the plate. This technology also allows an ALPR camera to capture license plate images at any time of the day or night. Once a license plate is scanned, in most cases, the SB 34 Page 7 license plate sequence is then checked against a variety of databases to determine if the vehicle is stolen, has outstanding tickets, or whether the registered owner possesses outstanding arrest warrants. If a "hit" occurs, the ALPR system alerts the appropriate law enforcement entity. While many law enforcement and local government entities utilize ALPR technology, ALPR hardware and systems are generally developed and managed by non-governmental entities. Aside from the California Highway Patrol and local transportation agencies, existing law is silent on how government agencies and businesses manage and protect the data gathered by ALPR systems. The author introduced this bill to institute a number of usage and privacy standards for the operation of ALPR systems within the state. Additionally, the author notes that this bill also provides an opportunity for public input on the usage and standards of ALPR system that are used by government entities, something the author contends most government entities do not practice. With the use of ALPR technology by government agencies and private industry becoming commonplace, states are now discussing how to best use and manage the data collected through these systems. According to the National Conference of State Legislators (NCSL), 18 states have introduced legislation attempting to establish or revise standards and privacy requirements related to ALPR systems. Additionally, nine states have enacted laws in some form that address the use and management of data collected through ALPR systems. This bill aims to establish a minimal set of privacy standards for personal data collected by a person or entity using ALPR technology. SB 34 Page 8 Please see the policy committee analysis for a full discussion of this bill. Analysis Prepared by: Manny Leon / TRANS. / (916) 319-2093 FN: 0001857