A new law in California defines license plate numbers as personal information, a step which may be key for privacy advocates seeking better accountability for law enforcement as it creates records of Americans’ movements. Some companies that provide license plate recognition technologies have attempted to argue that it is not personally identifiable information.
California now says it is.
California Senate Bill 34, which was signed by Governor Jerry Brown earlier this month, creates new rules around the use of license plate data collected by public agencies in the state. In particular, it describes the lengths to which public agencies should go to when it or a contractor has had some kind of data breach. It goes into detail about the speed and method by which the agency or its contractor should inform people potentially impacted by a breach.
There is, after all, a significant new hack almost every day. This week, the personal email of of the CIA’s chief appears to have been compromised.
The law specifically addresses automatic license plate readers, systems that are able to recognize license plates with cameras and make records of the characters that appear on that license plate. By cross referencing that information with vehicle registration information, law enforcement is able to identify where a person’s car was at a given day or time.
Automatic license plate readers are often mounted on police cars though they can also be set up at fixed locations.
Senate Bill 34 defined personal information as a person’s name combined with some other piece of identifying information, including license plate numbers, acknowledging that information about the location of a person’s vehicle is, more likely than not, information about the person’s location.
The law goes on to require that when a third party is contracted to analyze or hold data collected by automatic license plate readers, it cannot sell that data to private entities (such as repo companies).
ELSAG, a provider of license plate recognition systems to law enforcement, owned by Italy’s Finmeccanica, emailed the Observer that its system was designed to comply with the kind of accountability requirements described in the new California law.
“Our business model is supporting law enforcement, not selling data. Providing the law enforcement community with the most advanced LPR technology available remains our top priority as each state develops their policies to address the concerns for use and data storage,” Nate Maloney, a company spokesperson, wrote.
Finmeccanica is involved in a wide array of military, law enforcement and aeronautic industries.
Feds match database of license plates of cars that cross the border into Mexico with those that attend gunshows, according to documents on Wikileaks.
While the California Highway Patrol is only permitted by prior law to hold onto data captured by its license plate readers for 60 days (unless the vehicle identified is under investigation), other law enforcement agencies currently have no rules on how long to hold the data.
Privacy advocates are in the middle of an ongoing legal challenge with L.A. area law enforcement, over a Freedom of Information Act request for one week worth of license plate reader data, as the Observer previously reported.
The new law goes into effect January 1, 2016.
The Electronic Frontier Foundation reports that it passed alongside three other electronic privacy laws, including laws on technology that tracks you using your cell phone and requiring warrants for seizures of digital records.
The Observer contacted several third party providers of automatic license plate reader systems this week for comment, including Vigilant Solutions, 3M and Digital Recognition Networks, none of which were available for comment.