Amended in Assembly March 22, 2023
Amended in Assembly March 09, 2023

CALIFORNIA LEGISLATURE— 2023–2024 REGULAR SESSION

Assembly Bill No. 1463


Introduced by Assembly Member Lowenthal

February 17, 2023


An act to amend Sections 1798.90.5, 1798.90.51, 1798.90.52, 1798.90.53, and 1798.90.55 of, and to add Section 1798.90.56 to, the Civil Code, relating to personal information.


LEGISLATIVE COUNSEL'S DIGEST


AB 1463, as amended, Lowenthal. Automated license plate recognition systems: retention and use of information.
Existing law authorizes the Department of the California Highway Patrol to retain license plate data captured by license plate reader technology, also referred to as an automated license plate recognition (ALPR) system, for not more than 60 days unless the data is being used as evidence or for the investigation of felonies. Existing law authorizes the department to share that data with law enforcement agencies for specified purposes.
Existing law requires ALPR operators and ALPR end-users, as those terms are defined, to implement usage and privacy policies and to maintain reasonable security procedures and practices regarding ALPR information, as specified. Existing law requires the usage and privacy policy implemented by an ALPR operator or an ALPR end-user to include the length of time ALPR information will be retained and the process the ALPR operator or ALPR end-user will utilize to determine if and when to destroy retained ALPR information.
This bill would require an ALPR operator or ALPR end-user that is a public agency, excluding an airport authority, to include in those policies, procedures, and practices a requirement that ALPR information that does not match information on a hot list, as defined, be purged in 30 days, as specified. The bill would also prohibit those ALPR operators and end-users from accessing an ALPR system that retains that unmatched ALPR information for more than 60 days, as specified.
The bill would impose annual audit requirements to review and assess ALPR end-user searches during the previous year to determine compliance with the usage and privacy policy, as specified.
Existing law prohibits a public agency from selling, sharing, or transferring ALPR information, except to another public agency, and only as otherwise permitted by law.
This bill would prohibit ALPR information from being sold, shared, or transferred to an out-of-state or federal agency without a valid subpoena, court order, or warrant.
The bill would make related findings and declarations.
Vote: MAJORITY   Appropriation: NO   Fiscal Committee: YES   Local Program: NO  

The people of the State of California do enact as follows:


SECTION 1.

 The Legislature finds and declares all of the following:
(a) It is well documented that agencies engaged in federal immigration enforcement are exploiting automated license plate reader (ALPR) databases containing the locations of immigrant drivers as part of their efforts to locate and deport Californians. Following the Dobbs v. Jackson Women’s Health Organization decision by the United States Supreme Court, several states have ended the right to abortion and allowed a private right of action regarding the receipt or provision of an abortion. Some states have implemented similar laws regarding gender-affirming medical care for minors.
(b) The selling, sharing, or transferring of ALPR information by a California state or local public agency to an out-of-state or federal agency is prohibited under subdivision (b) of Section 1798.90.55 of the Civil Code.
(c) Despite existing law, public agencies in California share ALPR information with out-of-state and federal law enforcement agencies engaged in enforcing federal immigration laws, bans on abortion services, or bans on gender-affirming medical care.
(d) Further legislation is needed to ensure that ALPR information is retained only for immediate comparison with a hot list and is prevented from being retained and used for purposes of enforcing federal immigration law, bans on abortion services, or bans on gender-affirming medical care.

SEC. 2.

 Section 1798.90.5 of the Civil Code is amended to read:

1798.90.5.
 The following definitions shall apply for purposes of this title:
(a) “Automated license plate recognition end-user” or “ALPR end-user” means a person that accesses or uses an ALPR system, but does not include any of the following:
(1) A transportation agency when subject to Section 31490 of the Streets and Highways Code.
(2) A person that is subject to Sections 6801 to 6809, inclusive, of Title 15 of the United States Code and state or federal statutes or regulations implementing those sections, if the person is subject to compliance oversight by a state or federal regulatory agency with respect to those sections.
(3) A person, other than a law enforcement agency, to whom information may be disclosed as a permissible use pursuant to Section 2721 of Title 18 of the United States Code.
(b) “Automated license plate recognition information,” or “ALPR information” means information or data collected through the use of an ALPR system.
(c) “Automated license plate recognition operator” or “ALPR operator” means a person that operates an ALPR system, but does not include a transportation agency when subject to Section 31490 of the Streets and Highways Code.
(d) “Automated license plate recognition system” or “ALPR system” means a searchable computerized database resulting from the operation of one or more mobile or fixed cameras combined with computer algorithms to read and convert images of registration plates and the characters they contain into computer-readable data.
(e) “Hot list” means a list or lists of license plates of vehicles of interest against which the ALPR system is comparing vehicles on the roadways.
(f) “Person” means any natural person, public agency, partnership, firm, association, corporation, limited liability company, or other legal entity.
(g) “Public agency” means the state, any city, county, or city and county, or any agency or political subdivision of the state or a city, county, or city and county, including, but not limited to, a law enforcement agency.

SEC. 3.

 Section 1798.90.51 of the Civil Code is amended to read:

1798.90.51.
 An ALPR operator shall do all of the following:
(a) Maintain reasonable security procedures and practices, including operational, administrative, technical, and physical safeguards, to protect ALPR information from unauthorized access, destruction, use, modification, or disclosure. These reasonable security procedures and practices shall include, but not be limited to, an annual audit to review and assess ALPR end-user searches during the previous year to determine if all searches were in compliance with the usage and privacy policy. If the ALPR operator is a public agency other than an airport authority, the audit shall assess whether all ALPR information that does not match information on a hot list has been purged no more than 30 days from the date of collection.
(b) (1) Implement a usage and privacy policy in order to ensure that the collection, use, maintenance, sharing, and dissemination of ALPR information is consistent with respect for individuals’ privacy and civil liberties. The usage and privacy policy shall be available to the public in writing, and, if the ALPR operator has an internet website, the usage and privacy policy shall be posted conspicuously on that internet website.
(2) The usage and privacy policy shall, at a minimum, include all of the following:
(A) The authorized purposes for using the ALPR system and collecting ALPR information.
(B) A description of the job title or other designation of the employees and independent contractors who are authorized to use or access the ALPR system, or to collect ALPR information. The policy shall identify the training requirements necessary for those authorized employees and independent contractors.
(C) A description of how the ALPR system will be monitored to ensure the security of the information and compliance with applicable privacy laws.
(D) The purposes of, process for, and restrictions on, the sale, sharing, or transfer of ALPR information to other persons.
(E) The title of the official custodian, or owner, of the ALPR system responsible for implementing this section.
(F) A description of the reasonable measures that will be used to ensure the accuracy of ALPR information and correct data errors.
(G) The length of time ALPR information will be retained, and the process the ALPR operator will utilize to determine if and when to destroy retained ALPR information. If the ALPR operator is a public agency other than an airport authority, the policy shall require ALPR information that does not match information on a hot list to be purged no more than 30 days after the date of collection.

SEC. 4.

 Section 1798.90.52 of the Civil Code is amended to read:

1798.90.52.
 If an ALPR operator accesses or provides access to ALPR information, the ALPR operator shall do all of the following:
(a) Maintain a record of that access. At a minimum, the record shall include all of the following:
(1) The date and time the information is accessed.
(2) The license plate number or other data elements used to query the ALPR system.
(3) The username of the person who accesses the information, and, as applicable, the organization or entity with whom the person is affiliated.
(4) The purpose for accessing the information.
(b) Require that ALPR information only be used for the authorized purposes described in the usage and privacy policy required by subdivision (b) of Section 1798.90.51.
(c) Conduct an annual audit to review and assess ALPR end-user searches during the previous year to determine if all searches were in compliance with the usage and privacy policy. If the ALPR operator is a public agency other than an airport authority, the audit shall assess whether all ALPR information that does not match information on a hot list has been purged no more than 30 days after the date of collection.

SEC. 5.

 Section 1798.90.53 of the Civil Code is amended to read:

1798.90.53.
 An ALPR end-user shall do all of the following:
(a) Maintain reasonable security procedures and practices, including operational, administrative, technical, and physical safeguards, to protect ALPR information from unauthorized access, destruction, use, modification, or disclosure. These reasonable security procedures and practices shall include, but not be limited to, an annual audit to review and assess ALPR end-user searches during the previous year to determine if all searches were in compliance with the usage and privacy policy. If the ALPR end-user is a public agency other than an airport authority, the audit shall include an assessment of whether all ALPR information that does not match information on a hot list has been purged no more than 30 days after the date of collection.
(b) (1) Implement a usage and privacy policy in order to ensure that the access, use, sharing, and dissemination of ALPR information is consistent with respect for individuals’ privacy and civil liberties. The usage and privacy policy shall be available to the public in writing, and, if the ALPR end-user has an internet website, the usage and privacy policy shall be posted conspicuously on that internet website.
(2) The usage and privacy policy shall, at a minimum, include all of the following:
(A) The authorized purposes for accessing and using ALPR information.
(B) A description of the job title or other designation of the employees and independent contractors who are authorized to access and use ALPR information. The policy shall identify the training requirements necessary for those authorized employees and independent contractors.
(C) A description of how the ALPR system will be monitored to ensure the security of the information accessed or used, and compliance with all applicable privacy laws and a process for periodic system audits.
(D) The purposes of, process for, and restrictions on, the sale, sharing, or transfer of ALPR information to other persons.
(E) The title of the official custodian, or owner, of the ALPR information responsible for implementing this section.
(F) A description of the reasonable measures that will be used to ensure the accuracy of ALPR information and correct data errors.
(G) The length of time ALPR information will be retained, and the process the ALPR end-user will utilize to determine if and when to destroy retained ALPR information. If the ALPR end-user is a public agency other than an airport authority, the policy shall require purging of ALPR information that does not match information on a hot list no more than 30 days after the date of collection.

SEC. 6.

 Section 1798.90.55 of the Civil Code is amended to read:

1798.90.55.
 Notwithstanding any other law or regulation:
(a) A public agency that operates or intends to operate an ALPR system shall provide an opportunity for public comment at a regularly scheduled public meeting of the governing body of the public agency before implementing the program.
(b) A public agency shall not sell, share, or transfer ALPR information, except to another public agency. ALPR information shall not be sold, shared, or transferred to out-of-state or federal agencies without a valid subpoena, court order, or warrant. For purposes of this section, the provision of data hosting or towing services shall not be considered the sale, sharing, or transferring of ALPR information.

SEC. 7.

 Section 1798.90.56 is added to the Civil Code, immediately following Section 1798.90.55, to read:

1798.90.56.
 An ALPR operator or ALPR end-user that is a public agency, excluding an airport authority, shall not access an ALPR system that retains ALPR information that does not match information on a hot list for more than 60 days after the date of collection unless the ALPR system is operated by an airport authority.