Existing law authorizes the Department of the California Highway Patrol to retain license plate data captured by license plate reader technology, also referred to as an automated license plate recognition (ALPR) system, for not more than 60 days unless the data is being used as evidence or for the investigation of felonies. Existing law authorizes the department to share that data with law enforcement agencies for specified purposes and requires both an ALPR operator and an ALPR end-user, as those terms are defined, to implement a usage and privacy policy regarding that ALPR information, as specified. Existing law requires that the usage and privacy policy implemented by an ALPR operator or an ALPR end-user include the length of time ALPR information will be retained and the process the ALPR operator and ALPR end-user will utilize to determine if and when to destroy retained ALPR information.
This bill would include in those usage and privacy policies a requirement that, if the ALPR operator or ALPR end-user is a public agency and not an airport authority, ALPR data that does not match a hot list be destroyed within 24 hours.
Existing law requires an ALPR operator and an ALPR end-user to maintain reasonable security procedures and practices. Under existing law, the reasonable security procedures and practices must include operational, administrative, technical, and physical safeguards to protect ALPR information from unauthorized access, destruction, use, modification, or disclosure.
This bill would additionally require those procedures and practices to include an annual audit to review ALPR end-user searches during the previous year and, where the ALPR operator or ALPR end-user is a public agency and not an airport authority, the destruction of all ALPR information that does not match information on a hot list within 24 hours. The bill would also prohibit an ALPR operator or an ALPR end-user that is a public agency and not an airport authority from accessing an ALPR system that retains ALPR information for more than 24 hours that does not match a hot list.
Existing law requires an ALPR operator that accesses or provides access to ALPR information to maintain a record of that access and require that ALPR information only be used for the authorized purposes described in the usage and privacy policy.
This bill would extend the requirement to keep a record of access to ALPR information to an ALPR end-user. The bill would additionally require an ALPR operator or an ALPR end-user that accesses or provides access to ALPR information to conduct an annual audit to review ALPR end-user searches during the previous year and to confirm that, if the ALPR operator or ALPR end-user is a public agency and not an airport authority, all ALPR information that does not match a hot list is routinely destroyed in 24 hours or less. The bill would require these annual audits be made available to the public in writing, and, if the ALPR operator or ALPR end-user has an internet website, would require the annual audits be posted conspicuously on that internet website.
This bill would require the Department of Justice, on or before July 1, 2022, to draft and make available on its internet website a policy template and would permit local law enforcement agencies to use the template as a model for their ALPR policies. The bill would also require the Department of Justice to develop and issue guidance to help local law enforcement agencies identify and evaluate the types of data they are currently storing in their ALPR database systems.
Statutes affected: SB210: 1798.90.51 CIV, 1798.90.52 CIV, 1798.90.53 CIV
01/12/21 - Introduced: 1798.90.51 CIV, 1798.90.52 CIV, 1798.90.53 CIV
03/05/21 - Amended Senate: 1798.90.51 CIV, 1798.90.52 CIV, 1798.90.53 CIV
03/15/21 - Amended Senate: 1798.90.51 CIV, 1798.90.52 CIV, 1798.90.53 CIV
SB 210: 1798.90.51 CIV, 1798.90.52 CIV, 1798.90.53 CIV