Parking BOXX Blog Insights from the Parking Industry

What California's ALPR Law Actually Requires

Who's covered, what a compliant ALPR policy must include, where it needs to be posted, and the most common ways operators fall short — a practical breakdown of California Civil Code §§ 1798.90.5–1798.90.55.

ALPR cameras in California — what the law requires

Part of Parking BOXX’s ALPR Policy Compliance Guide for California parking and property operators.

Who’s covered

The law defines “ALPR operator” (a person or entity that operates an ALPR system) and “ALPR end-user” (a person or entity that accesses or uses ALPR data) broadly — “person” includes corporations, LLCs, partnerships, associations, and public agencies, not just individuals.

Coverage turns on the technology, not the type of entity using it. An ALPR system is a camera paired with algorithms that convert plate images into a searchable database. A plain security camera that happens to catch a plate in the frame is not an ALPR system; a dedicated plate-reading system that builds a searchable database is — regardless of whether the property is a parking facility, retailer, mall, HOA, hospital, or public agency, and regardless of whether the property charges for parking.

A property can be both an operator and an end-user at once — for example, if it runs its own cameras and also uses the resulting data for enforcement. Using a third-party vendor’s ALPR system doesn’t shift the compliance obligation to the vendor — the property owner or operator generally carries its own independent duty to have a policy, regardless of who owns the hardware.

What the law requires

At minimum, an ALPR operator or end-user must:

  1. Adopt a written usage and privacy policy
  2. Make that policy available to the public
  3. If it has a website, post the policy conspicuously on that website — not just make it available on request or post it physically at the location

Operators (as opposed to end-users) also have a separate duty to maintain reasonable security safeguards and to log every access to ALPR data (date/time, plate or query data used, who accessed it, and why).

The 7 required policy elements

A compliant policy needs to address seven things, per Civil Code § 1798.90.51(b):

  1. Authorized purposes — the reasons for collecting and using ALPR data
  2. Authorized users — job titles of the employees/contractors allowed to access the system, and their required training
  3. Monitoring — how the system is monitored for security and legal compliance
  4. Data sharing — the purposes, process, and restrictions around sharing, selling, or transferring ALPR data to others
  5. Custodian — the title of the official responsible for the policy
  6. Accuracy — the measures used to keep data accurate and correct errors
  7. Retention and destruction — how long data is retained, and the process for deciding when it’s destroyed

The statute doesn’t dictate a specific retention period — each operator sets and discloses its own. For illustrative sample language covering all seven elements, see our sample ALPR policy language.

Where to post it

A single physical location can have several separate legal entities tied to it, each with its own website and its own posting obligation — for example, a shopping center’s ownership company, the property management company that runs it day to day, and the parking operator contracted to manage the lot. The statute doesn’t address multi-entity properties directly, but applying its general rule, each entity that separately operates or uses the ALPR system likely needs its own policy posted on its own website — one entity posting a policy doesn’t automatically cover the others in the chain.

The policy should be easy to find: a clearly labeled, directly linked page (e.g., in the site footer or near a privacy policy link) — not merely referenced inside a general privacy policy with no direct path to it.

Common compliance gaps

The one failure pattern confirmed in litigation to date is straightforward: no policy existed at all, which is what Bartholomew v. Parking Concepts, Inc. itself involved — the court didn’t require any showing of data breach or misuse for that omission to be actionable. (See the full case-law breakdown for details on that ruling and the litigation it triggered.)

Beyond that single confirmed pattern, reading the statute’s own requirements suggests other ways a policy can fall short: posted only at the physical location rather than online; buried inside a general privacy policy without a clear, direct link; missing one of the seven required elements (retention/destruction terms and data-sharing restrictions are easy to overlook); or unclear about who’s responsible when a third-party vendor operates the system.

Next steps

  • Determine whether your organization is an ALPR operator, an ALPR end-user, or both
  • Have legal counsel draft or review a written usage and privacy policy covering all seven required elements
  • Post the policy conspicuously on every website tied to the location — including a property manager’s or landlord’s site, if separate from your own
  • Review vendor contracts for ALPR systems to understand who bears compliance responsibility

This guide is for informational purposes only and does not constitute legal advice. California’s ALPR law is the subject of ongoing litigation, and its requirements as applied to any specific business should be confirmed with your own qualified legal counsel.

Parking BOXX Blog

Expert perspectives on parking technology, access control, revenue management, and security — from the team at Parking BOXX, a North American manufacturer of parking systems serving hospitals, hotels, universities, airports, and commercial facilities.