A new California appellate decision raised the stakes for businesses using automated license plate recognition (ALPR) technology. Under a California law regulating that technology, businesses face statutory damages of $2,500 per violation if they fail to implement and publish the necessary ALPR policy, even if there is no data breach, economic loss, or misuse of the data. As a result, plaintiffs can pursue statutory damages based solely on a business’s alleged failure to implement and publish the required policy. 

How does California regulate ALPR technology?

California regulates companies that use, access, or operate automated systems capturing license plate images and converting them into searchable, machine-readable text. The law provides that companies should (i) implement reasonable security measures to protect the data; (ii) implement a written usage and privacy policy describing how and why they use the data, among other details; and (iii) make that policy publicly available, including posting the policy on the business’s website (if it has one). The law may be enforced through a private right of action, so an individual “harmed” by a business’s noncompliance may seek statutory damages and other relief, including punitive damages and attorneys’ fees.

What happened in the case?

In Bartholomew v. Parking Concepts, Inc., a customer alleged a parking garage operator violated California’s ALPR law by failing to implement and make publicly available a policy governing its collection and use of license plate data. The trial court dismissed the claim after concluding that the plaintiff had not alleged harm, an essential element for a claim. But the Court of Appeal disagreed by concluding that the customer had adequately alleged harm based on the defendant’s failure to implement and publicize the policy. 

How did the Court of Appeal break new ground?

The Court of Appeal upended common conceptions about the law by holding that: 

• A claim does not require data misuse, data breach, or economic injury. The court rejected a requirement to show “measurable monetary damages” or “affirmative misuse or mishandling” of license plate data.
• Failing to implement and publish the ALPR policy is an actionable harm. The court treated the missing policy as a substantive harm, not a mere technical defect, because that violation undermines the law’s focus on transparency and accountability.
• There is no “small scale” or “voluntary use” exception to liability. The court declined to limit liability based on the number of cameras, volume of data, or the customers’ ability to avoid the scanning.

But the ruling has limits. The court rejected the contention that every violation of the law is per se actionable and instead held that the law requires “harm beyond a mere statutory violation.” The court also left open whether incomplete ALPR policies—or policies that are published but not implemented (or vice versa)—are actionable. 

Why does this matter to businesses?

This ruling increases litigation and compliance risk for businesses that use ALPR technology. Companies need to keep in mind the:

• Broad applicability: The decision affects businesses that operate, use, or access license plate recognition technology, potentially including HOAs, retailers, and parking operators.
• Unique policy elements: The ALPR policy requires disclosures that cover ground not usually addressed in a general privacy policy.
• Statutory damages: California’s ALPR law authorizes statutory damages of $2,500 per violation. But whether a “violation” is each scan, each car, or something else remains unsettled. 

What should businesses do now?

Companies using or considering ALPR technology should take these steps to mitigate risk:

• Assess whether the ALPR law applies. Inventory all locations where cameras capture license plates, including any vendor-operated systems, and determine whether software converts those images into searchable data.
• Implement and publicize ALPR policy. Verify that an ALPR policy exists, is publicly available, and addresses all required topics, including uses, security, and disclosures.
• Review vendor agreements. Confirm contracts assign responsibility for ALPR compliance and include appropriate indemnification coverage.
• Train employees. Ensure stakeholders are aware of the ALPR policy’s requirements.

Bottom Line 

This decision signals increased judicial scrutiny of automated data collection tools that operate quietly in the background of everyday commercial services. California businesses that collect license plate data should treat ALPR compliance as a stand-alone, high-risk obligation—closer to biometric or wiretap compliance than ordinary website privacy disclosures—and address transparency requirements before plaintiffs do.