By Scott Hall, Phillip Wiese, and Leeza Arbatman
Businesses that use automated license plate recognition (ALPR) technology should take a fresh look at their compliance with California’s Automated License Plate Recognition law. A recent California Court of Appeal decision, followed by several new class action complaints, has increased litigation risk for parking operators, shopping centers, retailers, property managers, and other businesses that use ALPR technology but have not adopted and publicly posted a compliant ALPR usage and privacy policy.
California’s ALPR statute, Civil Code sections 1798.90.5–1798.90.55, has been in effect since 2016, but many private businesses are not aware of the law’s requirement to post an ALPR policy or may not realize that the statute applies beyond law enforcement or dedicated parking technology companies. The law can apply to private entities that operate, access, or use systems that capture license plate information through cameras and convert that information into searchable computer-readable data.
California law requires ALPR operators and end-users to maintain reasonable security procedures and implement a usage and privacy policy governing the collection, use, maintenance, sharing, and dissemination of ALPR information. The required policy must address specific topics, including authorized purposes for using ALPR information, who may access it, training requirements, security monitoring, sharing restrictions, data accuracy measures, retention periods, and destruction procedures. In Bartholomew v. Parking Concepts, Inc., the Court of Appeal summarized these requirements and emphasized the requirement to publicly post the policy in writing, and, if the business has a website, conspicuously post the policy on that website.
The key recent development is the February 2026 Bartholomew decision. In that case, a plaintiff alleged that a parking garage operator collected his license plate information when he entered and exited a garage but failed to implement and make publicly available the required ALPR usage and privacy policy. The trial court sustained the parking garage operator’s demurrer, but the Court of Appeal reversed in part.
The most important part of the decision is the Court of Appeal’s ruling on “harm.” The ALPR statute authorizes a private civil action only by an individual “harmed” by a violation. The parking garage operator argued that a plaintiff must show misuse, mishandling, or measurable damages—not simply lack of compliance with statutory requirements. The Court of Appeal disagreed. Although the court held that a mere technical violation is not always enough, it concluded that collecting and maintaining ALPR information without implementing and making public the required policy harms individuals by violating their statutory “right to know” who is collecting their ALPR data and how it is being used and maintained.
That holding is significant because the statute provides for actual damages, but not less than $2,500 in liquidated damages, along with potential punitive damages, attorneys’ fees, litigation costs, and injunctive relief.
Since Bartholomew, plaintiffs’ firms have filed new putative class actions against businesses and property owners that allegedly used ALPR technology without the required public policy. Complaints have even been filed against businesses that have posted ALPR policies, but which plaintiffs assert lack information or details required by the statute.
Businesses that use ALPR technology in parking lots, garages, retail centers, residential communities, office properties, hospitals, or other facilities should promptly determine whether the California ALPR law applies to them. This review should consider facilities the business operates directly, as well as those operated by vendors, parking managers, security contractors, or property management companies.
At a minimum, businesses should consider taking the following steps:
The recent wave of ALPR litigation shows that businesses may face legal claims not only arising from the collection or use of license plate data, but also from the absence of a posted, statute-compliant policy. After Bartholomew, one of the most important steps businesses can take to reduce litigation exposure is to adopt and post a compliant ALPR policy.
If your company needs assistance with any privacy issues, the Coblentz Data Privacy & Cybersecurity team can help. Please reach out to Scott Hall or Phillip Wiese for further information or assistance.