Automated License Plate Readers (ALPRs) have become commonplace among government agencies. Transit agencies use ALPRs to collect highway tolls, reducing traffic bottlenecks caused by tollbooths. Law enforcement agencies use ALPRs to scan parked or passing vehicles and run the collected information against databases of stolen vehicles or vehicles associated with outstanding warrants.
Government agencies are not the only users of ALPR technology. Private actors now use ALPRs for a wide variety of purposes. For example, property owners and managers use them to track vendors’, visitors’ or tenants’ activities, enforce parking restrictions, and investigate insurance claims. Some homeowners’ associations even use them to investigate break-ins or other property crimes. Nonetheless, any private individual or entity considering the use of ALPRs should consider the potential consequences of collecting and storing information that can be used to track visitors and passers-by to its property.
As ALPRs and data processing and storage have gotten cheaper and more widespread, privacy advocates and civil libertarians have warned about overreach. Many law enforcement databases that collect ALPR data retain data on all license plates that pass through their location — not just those license plates that “hit” on a stolen vehicle or warrant search — including the date, time, location, and even a photo of the passing vehicle and its occupants. Such practices, according to critics, amount to dragnet electronic tracking of peoples’ movements and activity.
In response to these concerns, many states have passed laws restricting who can collect ALPR data, with some expressly prohibiting private use and others restricting use to certain law enforcement or other agencies. States may also limit the amount of time that ALPR data can be retained. New Hampshire, the most restrictive state, mandates that ALPR data be purged from any system within three minutes after collection, unless the number resulted in an arrest, a citation or protective custody, or identified a vehicle that was the subject of a missing or wanted person broadcast. Some other states with ALPR laws require the destruction of records within days, months or years of their collection unless retention is authorized by an exception. Though some states have addressed ALPR, the majority of states do not have laws regarding either public or private use of ALPR, and even those with laws restricting law enforcement use of ALPR may not address private use.
Even where ALPR use is covered to some extent by statute, the technology may implicate other rights and laws, including privacy laws and Fourth Amendment rights against unlawful searches. As with many new technologies, there is still uncertainty about the boundaries of permissible ALPR use. For example, the Ninth Circuit is currently considering a case (United States v. Yang), argued in November 2019, regarding the constitutionality of a warrantless search of aggregated ALPR data. Private users of ALPR have even less guidance from courts, as there is little or no case law regarding ALPR in the private sector. So, a business, organization or even an individual can likely use ALPR available to the private-sector in states where private use is not explicitly banned. But private users should be aware of potential legal risks, including the following:
First, ALPR entails the collection and storage of data that may be considered protected or private information. Some states have expressly provided that ALPR data is considered “personal information,” subject to privacy restrictions under state law. Other states, or their courts, may similarly consider ALPR data to be private information, particularly because it can locate a particular vehicle at a particular location and point in time.
Second, the collection and storage of private or personal information often creates an obligation to secure that data. Major hacks of ALPR data from private companies have already occurred. In 2019, a contractor hired by U.S. Customs and Border Protection had data on more than 50,000 license plates stolen and made available on the dark web. Hacks or inadvertent leaks from private databases can create significant exposure to civil penalties or damages.
Third, it is possible that collection of ALPR data could be considered an invasion of privacy. Some courts have recognized that private surveillance of individuals, even on public roads, may support a tort claim of invasion of privacy. And, as discussed above, the Ninth Circuit in the Yang case is currently considering whether police must secure a warrant before accessing a database of ALPR data. The extent of peoples’ privacy rights in ALPR data — including time and location, in addition to license plate number — is still in flux, and may depend on the facts of a particular case.
ALPR systems can be useful to businesses or organizations for tracking vendors, enhancing security or enforcing contract terms, but they can also raise significant legal, privacy and cybersecurity concerns, depending on the jurisdiction in which they are used. Any private company, organization or individual considering ALPR should consider the state or local restrictions on their use before installation.
 See, e.g., Maine 29-A M.R.S.A. § 2117-A(2); N.H. Rev. Stat. Ann. §§ 261.75-b, 236.130; Ga. Code 35-1-22; Ark. Code §§ 12-12-1801 to 12-12-1808.
 N.H. Rev. Stat. Ann. § 261.75-b.
 21 days (Maine - 29-A M.R.S.A. § 2117-A(2)); 30 days (Utah Code Ann. §§ 41-6a-2001 to -2005); 60 days (Calif. Veh. Code § 2413); 90 days (N.C. Gen. Stat. §§ 20-183.30 to .32; Tenn. Code § 55-10-302; Mont. Code Ann. §§ 46-5-117 to -119; ); 150 days (Ark. Code §§ 12-12-1801 to 12-12-1808); 30 months (Ga. Code 35-1-22); three years (Colo. Rev. Stat. § 24-72-113).
 United States v. Yang, No. 18-10341 (9th Cir.). Yang involves an aggregated database allowing a law enforcement agency to locate a suspect by inputting a license plate to receive a record of all instances where that license plate had been identified by ALPR systems that input to the database. The defendant in Yang, and amici curiae the American Civil Liberties Union and the Electronic Frontier Foundation, argue that modern automated surveillance systems like ALPR and the aggregated database are different from a police officer entering a license plate into a database to check a likely driver’s car ownership, driver status and criminal record.
 See, e.g., Calif. Civil Code § 1798.90.5.
 See, e.g., Neal v. Fairfax County Police Dept., 295 Va. 334, 346-47 (2018) (distinguishing between a license plate number stored in a database (not private information) and ALPR data including a photograph, timestamp and GPS data (private personal information)).
 Kevin Collier and Sergio Hernandez, “At least 50,000 license plates leaked in hack of border contractor not authorized to retain them” CNN, June 17, 2019 (available at https://www.cnn.com/2019/06/17/politics/customs-and-border-protection-data-breach-license-plates-leaked/index.html).
 See, e.g., Vaught v. Hartford Life & Acc. Ins. Co., No. 1:11-CV-227-HJW, 2011 WL 3861698, at *5 (S.D. Ohio Sept. 1, 2011) (denying motion to dismiss invasion of privacy claims, including allegations that plaintiff was followed); Corr. Med. Care, Inc. v. Gray, No. CIV.A. 07-2840, 2008 WL 248977, at *10 (E.D. Pa. Jan. 30, 2008) (same).
Before proceeding, please note: If you are not a current client of Lane Powell PC, please do not include any information in this email that you or someone else considers to be confidential or secret in nature. Prior to the establishment of a lawyer-client relationship, unsolicited emails from non-clients containing confidential or secret information cannot be protected from disclosure.