AB 1160 adds Section 7073.5 to the California Government Code to change procurement rules for unmanned, uncrewed, remotely piloted aerial and ground vehicles used by law enforcement. For new purchases the bill forces one of two outcomes: vehicles must include a user-selectable way to disable any data-collection programs that are not essential to flight, or the agency must store all collected data with an "American data storage company." The measure also staged a transition: a storage-only requirement applies to vehicles bought between January 1, 2026 and January 1, 2027, and existing vehicles must switch to U.S.-based storage when their current contracts expire.
The bill matters because it pairs equipment-level controls with a data-localization rule and strict contract limits on secondary use. Compliance affects procurement decisions, vendor selection, contracting clauses, and where agencies place video and photographic images.
The definition of "American data storage company" in the bill—entities headquartered in the U.S. with dedicated servers or hard drives domestically and demonstrable security measures—creates a clear market preference and legal requirement that will shape vendor eligibility and contracting practices.
At a Glance
What It Does
AB 1160 bars law enforcement agencies from purchasing specified unmanned aerial or ground vehicles unless the vehicle has an option to turn off any nonessential data-collection programs or the agency uses an American data storage company for all collected data. It phases in a storage-only requirement for purchases in 2026 and forces existing equipment to move data to U.S.-based storage when current contracts expire.
Who It Affects
California law enforcement agencies of all sizes that procure drones or ground robots, manufacturers and vendors of those platforms, and cloud/storage providers both inside and outside the U.S. will be directly affected. Procurement officers, IT/cybersecurity leads, and contract managers must update specifications, solicitations, and vendor agreements to meet the new rules.
Why It Matters
The bill links procurement rules to data governance: agencies must either buy hardware with configurable sensor controls or commit to domestic data hosting under restrictive contracts. That creates market access barriers for some vendors and shifts long-term custody and compliance responsibilities for sensitive surveillance data.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
AB 1160 rewrites a slice of procurement law for police drones and similar uncrewed vehicles. At its core the bill forces a choice at purchase time: the agency must buy vehicles that let operators turn off any onboard data-collection functions that are not required for flight, or the agency must ensure every bit of data the device collects—explicitly including video and photos—is housed by a U.S.-headquartered storage provider that meets the bill's technical and residency criteria.
The statute is framed around purchases but includes two transitional windows to capture near-term acquisitions and existing fleets.
For platforms acquired between January 1, 2026 and January 1, 2027, the bill does not require the hardware shutdown option; instead it obliges agencies to use an "American data storage company" to hold all collected data. For vehicles already owned before January 1, 2026, the agency must migrate to U.S.-based storage once any extant contract that houses the data expires.
Contracts with the chosen storage provider must expressly prohibit that provider from using, selling, renting, trading, or otherwise sharing the data with any other entity, and the bill states that the data remains the sole property of the collecting agency.The bill supplies a working definition of "American data storage company": a business formed under U.S. or D.C. law, headquartered in the U.S., offering digital storage services (including cloud) that has adopted security measures to protect data and maintains dedicated servers or hard drives located in the United States. The text places responsibility on agencies to flow the prohibition on secondary use into their contracts and to select providers that meet both organizational and technical residency requirements.
Together those elements shift where and how surveillance data will be stored and who can host it for California law enforcement.Practically, compliance will force agencies to amend procurement specifications and contract language, negotiate new vendor terms, or choose hardware vendors that can disable nonessential sensors. Vendors that cannot provide a disable-option and that host data abroad will either need to supply U.S.-resident storage or be excluded from certain contracts.
The statute does not create a new certification regime; it relies on agencies and contracts to implement and enforce the storage and non-sharing obligations.
The Five Things You Need to Know
The bill requires either an operator-selectable shutoff for any data-collection program not necessary for vehicle function or exclusive use of an "American data storage company" for all collected data.
Purchases made between January 1, 2026 and January 1, 2027 must use an American data storage company; the hardware-shutdown option is only mandated for purchases on or after January 1, 2027.
Agencies that owned uncrewed vehicles before January 1, 2026 must switch to U.S.-based storage after their current data-hosting contracts expire.
Contracts with the American data storage company must prohibit that provider from using, selling, renting, trading, or otherwise sharing the stored data, while affirming the agency retains sole ownership and control of the data.
The bill defines an American data storage company as a U.S.-headquartered entity formed under U.S. or D.C. law that maintains dedicated servers or hard drives in the United States and has adopted security measures to protect stored data.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Purchase condition: shutoff option or U.S. storage
This provision creates the operative procurement gate: a law enforcement agency may not purchase an unmanned, uncrewed, remotely piloted aerial or ground vehicle unless the vehicle either offers a user-control to disable any nonessential data-collection programs or the agency commits to housing all collected data with an American data storage company. Mechanically, this binds vendor qualification to either a hardware/software capability (a disable switch or equivalent) or a contractual data-hosting decision. Procurement teams will need to translate the statutory choice into solicitation requirements and vendor certifications.
Phase-in dates for new purchases
This subsection staggers the obligations. For purchases made on or after January 1, 2027, the full dual-option rule applies (shutoff option or U.S. storage). For the 2026 calendar year (January 1, 2026 to December 31, 2026), the bill requires only that agencies use an American data storage company; the hardware disable option is not compulsory for that window. The phase-in gives agencies and suppliers time to adapt but also creates a distinct compliance standard tied strictly to the acquisition date.
Transition rule for existing equipment
Agencies already possessing covered uncrewed vehicles before January 1, 2026 are not immediately forced to alter hardware but must migrate the data to an American data storage company once any existing data-hosting contract expires. That creates a rolling compliance timeline tied to contract expirations rather than an instant cutoff, which raises operational planning issues for agencies with long-term vendor agreements.
Contract prohibitions and definition of American data storage company
Contracts with an American data storage company must bar that provider from using, selling, renting, trading, or sharing the data with third parties, and the statute explicitly states the data remains under the agency's ownership and control. The bill then defines an American data storage company as a U.S.-headquartered legal entity that provides digital storage services, has adopted security measures against unauthorized access/modification/destruction, and maintains dedicated servers or hard drives in the United States. Those two pieces together set both contractual restrictions and technical/residency eligibility criteria for vendors.
This bill is one of many.
Codify tracks hundreds of bills on Government across all five countries.
Explore Government in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- California residents and privacy advocates — they gain greater control over where law enforcement surveillance data is stored and reduced risk of foreign-hosted data being accessed or reused without state-level contractual limits.
- American data storage companies headquartered in the U.S. — the bill steers procurement-driven demand toward U.S.-based providers that meet the dedicated-server and security criteria, expanding potential market share.
- Civil liberties organizations and oversight bodies — clearer contractual rules and an explicit agency ownership statement make it easier to argue for limits on secondary uses and to demand accountability when contracts are negotiated.
Who Bears the Cost
- Local law enforcement agencies — they face procurement friction, potential higher costs for domestic storage, contract renegotiations, and operational changes to migrate data when existing contracts expire.
- Foreign or non-U.S.-headquartered cloud providers and some multinational vendors — they risk exclusion from contracts unless they set up U.S.-based subsidiaries with dedicated servers and comply with the non-sharing contract terms.
- Manufacturers of uncrewed vehicles that cannot disable nonessential sensors — these vendors may need to redesign products or accept that agencies must pair their platforms with U.S.-resident storage, adding integration and contractual complexity.
Key Issues
The Core Tension
The bill pits two legitimate policy goals against each other: protecting privacy and limiting foreign access or secondary use of surveillance data by localizing storage, versus preserving law enforcement effectiveness and market flexibility by allowing agencies to buy best-in-class sensors and vendor services regardless of where data is hosted. Fixing one problem—foreign-hosted or shareable data—can raise costs, complicate procurement, reduce vendor choice, and centralize risk in U.S. data repositories.
The bill creates several practical and legal uncertainties that agencies and vendors will need to resolve. First, the statutory standard "data collection programs that are not necessary for the vehicle to function" is ambiguous: vendors and procurement officers must negotiate what counts as "necessary" (e.g., telematics for navigation versus persistent video recording for surveillance) and whether a software toggle satisfies the requirement for complex sensor stacks.
Second, the definition of an American data storage company ties eligibility to headquarters and the presence of dedicated servers or hard drives in the U.S., but it does not specify levels of encryption, access controls, or auditability, leaving open how agencies will validate a provider's security claims or certify compliance.
Enforcement is another weak point. The bill relies on contracting and agency choice to implement the non-sharing prohibition; it does not create a state certification, monitoring regime, or penalties for vendors who breach secondary-use bans beyond ordinary contract remedies.
That raises questions about detection, remediation, and cross-jurisdiction enforcement if a U.S.-headquartered provider operates foreign subsidiaries or transfers data under legal compulsion. Finally, concentrating data domestically improves some legal protections but also centralizes risk: a breach or subpoena in the U.S. could expose large troves of surveillance imagery, and agencies must weigh that against the operational benefits of vendor capabilities and cost efficiencies.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.