If your facility uses license plate recognition and you operate in California, a single missing policy document can now cost $2,500 per license plate read — with no data breach, no misuse, and no complaint about how the data was actually handled required to collect it.
That risk is now locked in. The California Supreme Court denied review of Bartholomew v. Parking Concepts, Inc. on May 13, 2026, finalizing the First District Court of Appeal’s decision and giving plaintiffs’ firms a green light to move at scale. Here’s what changed, what the law actually requires, and what to do about it.
What the court decided
The case turned on a narrow but consequential question: does the mere absence of a required ALPR usage and privacy policy count as harm, even if a plaintiff can’t point to any misuse of their data?
The First District Court of Appeal said yes in its February 5, 2026 decision. California Civil Code Section 1798.90.51 requires any operator of an automated license plate recognition system to implement and publicly post a policy governing how ALPR data is collected, used, shared, and destroyed. The court found that skipping this requirement isn’t a paperwork technicality — it undermines the transparency and accountability the statute is built around, and that alone is an actionable violation.
The practical effect: a plaintiff doesn’t need to prove a breach, a sale of their data, or any downstream harm. They only need to show the operator was scanning plates without a compliant policy in place. Statutory damages are set at $2,500 per violation — and each individual whose plate was read during a non-compliant period is a potential claimant.
Why this matters beyond one parking garage
Section 1798.90.51 has been on the books in California since 2016 (originally enacted as SB 34), but enforcement was largely theoretical until this ruling. With the policy-failure theory now confirmed by an appellate court and the California Supreme Court declining to revisit it, plaintiffs’ firms have a clear, low-burden path to litigation. Retailers, malls, hotels, hospitals, and parking operators using LPR-equipped gates or cameras in California are all in scope — this isn’t limited to municipal or law enforcement use of the technology.
For parking operators specifically, the exposure compounds quickly. A single unposted policy at a facility processing thousands of vehicles a month isn’t one violation — it’s potentially thousands.
The 7 required elements of a compliant ALPR policy
Civil Code Section 1798.90.51(b)(2) spells out exactly what the policy has to cover:
- Authorized purposes — the specific reasons the ALPR system is used and ALPR information is collected.
- Authorized users — job titles or designations of the employees and contractors permitted to access the system.
- Monitoring and compliance — how the system is monitored to ensure security and legal compliance.
- Sharing and sale restrictions — the purposes, process, and limits on selling, sharing, or transferring ALPR data.
- Custodian — the title of the official responsible for owning and overseeing the system.
- Data accuracy — the measures in place to keep data accurate and correct errors.
- Retention and destruction — how long data is kept and how it’s destroyed afterward.
The policy has to be in writing, publicly available, and posted conspicuously on the operator’s website — the exact gap that sank the defendant in Bartholomew. Posting it at the physical site as well is a reasonable added step, since not every visitor will look up a website before parking.
Where this fits with LPR at the gate
It’s worth being clear about what LPR does and doesn’t do in a well-designed gated facility, since the compliance obligation applies regardless. Parking BOXX systems use LPR as one layer in a broader access strategy: recognized vehicles get faster entry, while anyone whose plate isn’t on file still moves through the normal ticket or pay-station flow in the same lane. It’s a reliability and convenience layer, not a replacement for the gate itself — but it does mean the system is reading and storing plate data continuously, which is precisely the activity Section 1798.90.51 regulates. (Our earlier look at LPR for gated access covers how that layered approach works in practice.)
Any operator running LPR for entry, exit, or enforcement in California needs the policy in place regardless of how limited or well-intentioned the use case is. The statute doesn’t distinguish between “we only use it to speed up the gate” and more expansive uses — it just requires the policy to exist and be public.
What to do now
If you operate LPR-equipped parking facilities in California:
- Confirm a compliant policy exists. Check it against all seven required elements above — a generic privacy policy or terms-of-service page that doesn’t address ALPR specifically won’t satisfy the statute.
- Confirm it’s actually posted. “We have a policy on file” isn’t the same as “the policy is publicly posted on our website,” which is what the law and the Bartholomew court require.
- Review retention practices against what the policy states. If the policy says data is purged after a set period, verify that’s actually happening — a mismatch between the written policy and real practice creates its own exposure.
- Loop in counsel before the next audit or claim. Given the scale of exposure ($2,500 multiplied by every plate read during a non-compliant window), this is worth a legal review now rather than after a demand letter arrives.
This is a good moment to treat ALPR compliance the same way many operators already treat PCI DSS: not a one-time checkbox, but something reviewed on a schedule. (Our guide to what to do after a data breach covers a similar preparation-first mindset for a different compliance obligation.)
The takeaway
Bartholomew closes the door on the idea that ALPR policy requirements are a formality. A missing or unposted policy is now, on its own, a $2,500-per-person liability in California — and that exposure exists independent of whether the data was ever misused. If you’re running LPR at your facility, verify the policy is written, complete, and actually public before your next audit does it for you.
This article is provided for general informational purposes only and does not constitute legal advice. Consult with your legal counsel to evaluate your specific compliance obligations under California Civil Code Section 1798.90.51 and related law.
Have questions about how Parking BOXX’s LPR-equipped access systems fit into a compliant, layered entry strategy? Talk to our team.
