The Next Wave of California Privacy Class Actions: Automated License Plate Readers

Published On

June 18, 2026

Authors

Ana Tagvoryan
Partner
Los Angeles
Brandon Reilly
Partner
San Francisco
Emily Whitely
Associate
New York

The Next Wave of California Privacy Class Actions: Automated License Plate Readers

A major shift in California appellate jurisprudence has weaponized a dormant 2015 privacy statute, igniting a new wave of consumer class action litigation. Plaintiffs’ attorneys are aggressively filing lawsuits against businesses operating Automated License Plate Readers (ALPRs)—including smart security cameras, gate access systems and parking tracking technologies—alleging purely procedural compliance omissions.

Historically, corporate defendants successfully defeated these claims by demonstrating that consumers suffered no concrete harm or data misuse. However, a watershed appellate ruling has stripped away this defense. Under current judicial consensus, a mere technical failure to maintain or conspicuously publish an ALPR privacy policy constitutes an actionable statutory injury. With liquidated damages set at a mandatory minimum of $2,500 per violation and no pre-suit “cure” period, a single commercial location scanning thousands of vehicles weekly faces instant, existential financial exposure.

THE CRITICAL RISK FACTOR

Any business utilizing smart parking management, digital ticketless garages, or external AI-powered security cameras is a high-probability target. If your facility tracks license plates and does not feature a precise, compliant privacy policy published both physically and online, you are likely already in non-compliance.

The Statutory Framework: California Civil Code § 1798.90.5

Enacted under the California ALPR Privacy Act, Civil Code §§ 1798.90.5 et seq. imposes strict operational and transparency mandates on any private entity that qualifies as an “ALPR operator,” defined

broadly as any person or entity that operates an ALPR system. To comply with the statute, operators must:

  • Implement and maintain a highly detailed, publicly accessible written ALPR usage and privacy policy.
  • Conspicuously post the policy on the company’s public website.
  • Ensure the policy explicitly delineates, among other things:
    • The authorized purposes for using the ALPR system and collecting ALPR information;
    • The categories of employees or independent contractors are authorized to use, access the ALPR system or collect ALPR information, including applicable training requirements;
    • The purposes, process, and restrictions governing any sale, sharing, or transfer of ALPR information;
    • Security measures and protocols to ensure compliance with applicable privacy laws;
    • Retention policies and procedures for ALPR information.

Failure to implement or publish this policy triggers an automatic violation of the statute. Section 1798.90.54 grants an explicit private right of action, allowing aggrieved consumers to recover statutory damages of $2,500 per violation, punitive damages and mandatory plaintiff’s attorneys’ fees.

The Jurisdictional Shift: Bartholomew v. Parking Concepts, Inc.

For years, the defense bar routinely dispatched these claims at the demurrer stage utilizing a standard defense: the plaintiff suffered no “injury-in-fact” because their data was never breached, shared maliciously, or leveraged to their detriment. The landscape fundamentally shifted with the landmark ruling in Bartholomew v. Parking Concepts, Inc., 118 Cal. App. 5th 438 (2026).

In Bartholomew, the California Court of Appeal ruled that the ALPR Privacy Act establishes a substantive “right to know” how one’s vehicular movements are being monitored. The court held that:

  1. The operational and transparency requirements are not merely technical rules; they are core consumer protections.
  2. The injury occurs by merely collecting and using an individual’s ALPR information without a proper policy in place.
  3. Plaintiffs do not need to allege or prove any consequential or economic harm to seek the full $2,500 statutory penalty per violation.

By defining the procedural omission as the injury itself, the court effectively eliminated the primary defense mechanism, transforming a low-stakes technical violation into an incredibly lucrative target for the plaintiffs’ class action bar.

Expanding Targets: Retailers, Commercial Landlords and Beyond

While the initial filings focused squarely on commercial parking operators and traditional garages, the litigation has expanded far beyond the parking industry. The plaintiffs’ bar is now targeting:

  • Shopping Centers and Shopping Malls: Utilizing automated cameras to track tenant and visitor density or enforce time-limited parking.
  • Big-Box Retailers and Supermarkets: Leveraging exterior loss-prevention cameras that automatically capture vehicle plates in loading zones or storefront spaces.
  • Medical Centers and Commercial Campuses: Operating automated perimeter gates and tracking employee or patient vehicles for security profiling.

The Law Enforcement and Shared Database Trap

A highly aggressive and newly developed allegation in recent complaints focuses on businesses utilizing third-party smart camera platforms, which have become widely available in recent years. Many corporate security teams install these systems without realizing their default settings pool captured license plate data into broader regional databases shared with out-of-state or federal law enforcement agencies.

Plaintiffs are successfully building high-exposure claims by arguing that commercial operators are surreptitiously facilitating law enforcement surveillance and real-time vehicle tracking without explicit, transparent disclosures in their privacy statements, triggering severe statutory and punitive exposure under the Act.

Immediate Defense and Compliance Checklist

Defense counsel should immediately advise clients utilizing any exterior camera systems to execute the following mitigation steps to prevent class action targeting and reduce exposure:

  • Conduct an Immediate Operational Camera Audit: Identify every camera deployed across all properties. Determine if the software captures, converts or indexes alphanumeric license plate characters into a searchable or storable database.
  • Draft a Defensible ALPR Policy: If ALPR functionality exists, immediately draft a comprehensive ALPR usage and privacy policy. It must explicitly name the responsible custodian, define the purpose of collection, map data security protocols, and outline concrete retention and destruction timelines (e.g., auto-deleting data within 30 days unless a security incident occurs).
  • Execute Double-Layer Policy Publication: Do not rely solely on an online link. The ALPR privacy policy should follow current notice-at-collection best practices, which may include posting clearly on the main landing page of the corporate website and/or at vehicular entry points.
  • Review Third-Party Vendor Agreements: Audit contracts with security and parking vendors. Require immediate amendments to ensure their operational systems comply with California law, disable unauthorized law enforcement data pooling unless explicitly authorized and disclosed, and secure robust, ironclad indemnification clauses covering privacy class actions.

Conclusion and Defense Outlook

The California ALPR Privacy Act represents a clear and present risk for any business monitoring its physical perimeters via automated camera technology. Because the statute lacks a pre-suit notice or “cure” window, reactive compliance is no longer a viable legal strategy; proactive auditing is mandatory. Defense counsel must move quickly to ensure clients implement these baseline protections before receiving a class action summons.

Join our newsletter to stay up to date on features and releases.

ATTORNEY ADVERTISING, pursuant to New York DR 2-101(f)

© 2026 Manatt, Phelps & Phillips, LLP. All rights reserved.