By Linh Nguyen
Sacramento – An audit requested by Senator Scott Wiener finds that law enforcement agencies across the state were violating state law regarding Automated License Plate Readers (ALPR) by failing to implement privacy policies and misusing sensitive information.
Senator Wiener initially requested the audit due to concerns about privacy, recognizing that this technology can be misused without regulation. He was specifically worried that the ALPR technology might be helping Immigration and Customs Enforcement (ICE) detain and deport undocumented immigrants, which would be violating California’s sanctuary state status.
ALPR cameras capture license plate numbers and store them with the date, time, and location of the scan in a searchable database. Some scans also show a partial image of the vehicle. This software compares the plate number to stored lists of vehicles of interest, called hotlists. These hotlists are based on a compilation of vehicles associated with criminal investigations and vehicles connected to people of interest. If the numbers match with an entry on the list, then an issue is alerted.
However, there are privacy concerns regarding the ALPR database regarding its use and retention, which is what prompted Senator Wiener to request the audit. For example, the four local law enforcement agencies reviewed had accumulated a large number of plate images in their system, despite most of them being unrelated to criminal investigations.
In 2016, the California Legislature addressed privacy within ALPR systems through Senate Bill 34, which established requirements for these systems. These requirements included requiring detailed usage and privacy policies that describe the system’s purpose, who may use it, how the agency will share data, how the agency will protect and monitor the system, and how long the agency will retain the data.
The audit conducted in the Fresno Police Department, Los Angeles Police Department, Marin County Sheriff’s Office, and Sacramento County Sheriff’s Office found that local law enforcement agencies 
did not always follow practices that adequately consider individuals’ privacy in handling and retaining ALPR images and related data.
None of the agencies have an ALPR usage and privacy policy that implements all the legally mandated (as of 2016) requirements.
Three agencies did not completely or clearly specify who has access to the system, who has oversight, how to destroy ALPR data. The Los Angeles Police Department has not developed a policy at all.
Sacramento and Los Angeles link and store names, addresses, dates of birth, and criminal charges to their systems.
Fresno, Marin, and Sacramento use a cloud storage vendor to hold their images and data. However, the agencies do not have contract guarantees that the cloud vendors will appropriately protect the data.
Fresno and Marin share their images with hundreds of entities across the U.S. and Sacramento shares their images with thousands of entities across the U.S. None could provide evidence that they had determined whether those entities have a right or a need to access the images.
“The audit findings are deeply disturbing and confirm our worst fears about the misuse of this data,” said Senator Wiener. “ALPR data should be used only in narrow circumstances. What we’ve learned today is that many law enforcement agencies are violating state law, are retaining personal data for lengthy periods of time, and are disseminating this personal data broadly. This state of affairs is totally unacceptable, and I’m drafting legislation to protect people’s privacy and to put an end to these privacy violations.”
The auditors recommend that the state legislature should amend state law to better protect individuals’ privacy and to help ensure that local law enforcement agencies structure their ALPR programs in a way that supports accountability for proper database use. This includes requiring legislators to draft and publicize a policy template that local law enforcement agencies can use as a model for their ALPR policies, requiring legislators to develop guidance to help local law enforcement agencies identify and evaluate the data they store in ALPR systems, establishing a maximum data retention period for ALPR images, and specifying how frequently ALPR systems must be audited.
For law enforcement agencies, the auditors recommend that they should improve ALPR policies, implement needed ALPR data security, update vendor contracts with necessary data safeguards, ensure that sharing of ALPR images is done appropriately, evaluate and establish data retention periods, develop and implement procedures for granting and managing user accounts, and develop and implement ALPR system oversight.
The four local law enforcement agencies reviewed responded to the audit report. Fresno said that it will use the audit to work to achieve its goal of building trust in its community. Los Angeles said that it respects individuals’ privacy and will work on an ALPR policy as required by state law. Marin stated it is committed to improvement and will consider the recommendations, despite disagreeing with several of them. Sacramento said it had already begun implementing many of the recommendations, but that it did not agree with how some of the findings were characterized.
