AB 1355—titled the California Location Privacy Act—creates a comprehensive statutory regime limiting how non‑governmental entities collect, process, disclose, and monetize individuals’ location information in California. The bill defines location information broadly to include GPS, cell‑site data, IP addresses, ALPR and speed‑camera captures, and even probe images used with facial recognition, and generally prohibits collection or processing unless “necessary” to provide goods or services requested by the individual.
It bans sales of location data, tightly restricts disclosure to government entities (court order required), and requires visible notice at points of capture plus a detailed location privacy policy with a 20‑business‑day change notice and consent for new uses.
The bill gives the California Privacy Protection Agency administrative enforcement authority and establishes a robust private right of action: injured individuals can recover actual damages or statutory remedies (including a $25,000 figure in the text), exemplary damages, injunctive relief, and attorney’s fees; public prosecutors may also sue and the limitations period is three years. Exemptions mirror health‑care privacy regimes (HIPAA/CMIA).
For compliance officers and legal teams, the bill changes what counts as regulated data (ALPR, speed‑camera and FRT probe images), imposes new notice and retention disciplines, and creates substantial litigation and regulatory risk for noncompliance.
At a Glance
What It Does
The bill prohibits covered entities from collecting or processing location information unless necessary to provide goods or services requested by the individual, bans sale/monetization of location data, and limits retention and derivation of unnecessary data. It requires point‑of‑capture notice and a public location privacy policy, restricts disclosure to government agencies absent a California court order, and grants the California Privacy Protection Agency and private plaintiffs enforcement authority.
Who It Affects
Covered entities (non‑governmental organizations) that collect or handle location data, service providers that process data on behalf of those entities, operators of ALPR and speed‑camera systems, mobile app developers, ad and analytics firms that use location for monetization, and legal/compliance teams responsible for notices, data inventories, and court responses. State and local agencies are specifically barred from monetizing location data.
Why It Matters
The bill expands regulated data categories (bringing ALPR, traffic camera images, and FRT probe images explicitly into scope), replaces broad commercial uses with a narrow ‘‘necessary for requested service’’ standard, and pairs prescriptive notice and retention rules with a potent private remedy—raising compliance costs and litigation exposure while constraining both commercial location markets and some law‑enforcement uses.
What This Bill Actually Does
AB 1355 draws a bright line around location information and then narrows allowable uses. First, it defines location information to cover more than smartphone GPS: IP addresses that can reveal physical location, cell‑site data, automated license plate recognition (ALPR) captures, speed‑camera images, and probe images used with facial recognition.
Notably, the statute ties regulated precision to the ability to identify street‑level location within a specified range, pulling in many commercially valuable datasets and some photographic records that vendors and municipalities commonly treat as non‑personal.
The core constraint is a necessity test: a covered entity may only collect or process location information when that processing is necessary to provide goods or services the individual requested. The bill narrows exceptions: it allows limited additional collection for investigating security incidents, fraud, harassment, or illegal activity but caps retention for those investigative purposes at 24 hours.
The bill also bars sale, rental, trading, or leasing of location data and forbids deriving new data from raw location records unless required for the requested service.
To make collection transparent, the bill requires visible, point‑of‑capture notice telling people that location information is being gathered, who’s collecting it, and where to get more information. Covered entities must publish a location privacy policy that itemizes the types and precision of data collected, associated service providers, data security practices, retention schedules and deletion rules, and the third parties that may receive the data. The bill requires 20 business days’ advance notice of changes to that policy and affirmative consent before implementing new collection or processing under a revised policy.
On enforcement, the bill empowers the California Privacy Protection Agency to adopt regulations and bring administrative enforcement. It also creates a private right of action that enables affected individuals to recover damages (the statute specifies statutory figures and permits exemplary damages and injunctive relief) and authorizes public officials—Attorney General, district attorneys, and local counsel—to sue.
The title exempts health‑care information already protected under HIPAA, CMIA, and related laws, so standard medical uses remain governed by existing privacy regimes.
The Five Things You Need to Know
The bill’s definition of “location information” explicitly includes ALPR (automated license plate recognition) and speed‑camera images and treats probe images used with facial recognition as location data.
A covered entity may retain location information collected for security or fraud investigations for no longer than 24 hours; ordinary retention must be ‘‘no longer than necessary’’ to provide the requested goods or services.
The statute requires a clear, visible notice at the exact location where location information is captured and a public location privacy policy listing data precision, service providers, retention schedules, and third‑party disclosures. Changes to that policy require 20 business days’ notice and consent for new collection or processing.
The bill bars covered entities from selling or otherwise monetizing location information and separately prohibits state or local agencies from monetizing location data.
The enforcement regime combines administrative authority for the California Privacy Protection Agency, public enforcement by state and local prosecutors, and a private right of action that allows plaintiffs to seek actual damages or statutory awards (the text references $25,000), exemplary damages, injunctive relief, and attorney’s fees; actions must be brought within three years.
Section-by-Section Breakdown
Definitions and scope of covered data
This section establishes the statute’s vocabulary: ‘‘location information’’ (including IP addresses, GPS, cell‑site data, ALPR and speed‑camera captures, and FRT probe images), ‘‘covered entity’’ (private actors and their agents, excluding state and local agencies), ‘‘service provider’’ (narrow contractor carve‑out), ‘‘monetize’’ and ‘‘sale.’’ The practical effect is to bring a wide set of datasets and imaging systems squarely under the law, forcing entities that previously treated such records as non‑regulated to reassess whether they fall within the statute and whether their contractors qualify as service providers or covered entities in their own right.
Necessity principle, limited security exception, and prohibitions
These subsections impose the core operational limits: collect or process location information only when necessary to provide the goods or services requested by the individual. The statute narrows an exception for security/fraud/harassment responses but limits retention for those purposes to 24 hours. It explicitly forbids selling or otherwise monetizing location data, deriving additional data unrelated to the requested service, and keeping data longer than necessary. Compliance teams will need to map each processing operation to a narrowly defined ‘‘necessary’’ purpose and document retention and deletion triggers.
Government disclosure: court‑order gatekeeper
The bill bars covered entities and service providers from disclosing location data to federal, state, or local government agencies or officials absent a valid California court order or an out‑of‑state order that complies with California law (explicitly referencing the Reproductive Privacy Act as an example). This raises the threshold for law‑enforcement and governmental subpoenas and creates a formal process for judicial review before cross‑sector disclosures occur.
Point‑of‑capture notice and location privacy policy requirements
Covered entities must display a prominent notice at the place location data is captured, naming the collector, service provider, and contact information. They must maintain a public location privacy policy that details the requested‑service purpose, types and precision of data collected, identities of service providers and third‑party recipients, data security practices, and retention/deletion schedules. Material policy changes require 20 business days’ notice and affirmative consent before new collection or processing under the revised policy can begin—an explicit procedural hurdle for product changes and new analytics.
Enforcement: agency authority, private suits, and penalties
The California Privacy Protection Agency gets administrative enforcement authority to fine and issue cease‑and‑desist orders under the Administrative Procedure Act. The statute also authorizes a private right of action permitting injured individuals to pursue actual or statutory damages (the text references a $25,000 figure), exemplary damages, civil penalties earmarked for the injured party, injunctive relief, and attorney’s fees. Public prosecutors—the Attorney General and local counsel—may bring civil actions as well. The combination increases both regulatory and litigation exposure for noncompliant entities.
Health‑care exception
Location data collected from patients by health‑care providers or processed exclusively for HIPAA/CMIA‑covered purposes is exempt, aligning the bill with existing federal and state health‑privacy frameworks. Entities that straddle medical and nonmedical uses must partition datasets and ensure that non‑exempt uses fall within the new statute’s constraints.
Who Benefits and Who Bears the Cost
Who Benefits
- Individuals concerned about location tracking and stalking — the bill narrows when companies may collect precise location data, requires on‑site notice where capture occurs, and prevents commercial resale of sensitive location trails.
- People seeking reproductive privacy and other sensitive protections — the government‑disclosure gate (court order requirement and express reference to the Reproductive Privacy Act) adds procedural safeguards before authorities can obtain location records.
- Drivers and civilians captured by public cameras — explicit limits on ALPR and speed‑camera data use and retention reduce the risk that those photographic records will be repurposed for commercial tracking or retained indefinitely.
Who Bears the Cost
- Mobile app developers, ad networks, and data brokers — the ban on monetization and narrow ‘‘necessary for requested service’’ standard curtail common location monetization business models and require product reengineering and contractual changes.
- Operators of ALPR and traffic monitoring systems (private vendors and municipalities using contractors) — they must implement point‑of‑capture notices, revise retention practices, and decide whether their uses qualify as ‘‘necessary.’’
- Covered entities facing lawsuits and administrative enforcement — the statutory damages figure, exemplary damages, attorney’s fees, and public enforcement increase litigation risk and potential compliance costs; legal teams will need to triage discovery and court‑order requests under the law’s requirements.
Key Issues
The Core Tension
The central dilemma is between strong, rights‑protecting limits on location collection and the practical needs of businesses and public agencies: tightening the definition and enforcement of location privacy protects individuals from pervasive tracking and monetization, but the same rules can block legitimate product features, forensic investigations, and government uses unless carefully narrowed or accompanied by clear, operationally viable exceptions.
The bill’s strongest design choice is the ‘‘necessary to provide requested goods or services’’ standard. That test aims to stop fishing expeditions and advertising uses, but it is inherently context‑dependent.
Determining when a given advertising segment, analytics model, or location‑based feature is ‘‘necessary’’ will require line‑by‑line justification and may produce uneven outcomes across judges and regulators. The 24‑hour cap for investigative retention is a bright, enforceable limit for security uses, but it may be operationally incompatible with many incident‑response workflows that require preservation for forensic analysis and legal holds unless entities maintain parallel limited‑access archives exempted from routine retention rules.
The private right of action and the $25,000 statutory figure (plus exemplary damages and fee shifting) create a strong deterrent against noncompliance but risk over‑litigation. Plaintiffs’ lawyers could bring large numbers of suits over technical notice failures or marginal data classifications, pushing defendants to settle even weak claims.
At the same time, the government‑disclosure restriction (court‑order requirement) strengthens civil liberties but may complicate timely law‑enforcement investigations and cross‑jurisdictional requests. Finally, the definitions contain oddities—such as the statute’s precision threshold language and the inclusion of probe images as location data—that will need regulatory and judicial gloss to avoid inconsistent application and unintended exclusions or inclusions of certain datasets.