SB 274 rewrites California’s rules for automated license plate recognition (ALPR) systems by tightening who can access scans, how long non‑matching data may be kept, and what vendors must deliver in contracts. It narrows permissible operational uses to locating vehicles or persons suspected of involvement in a public offense, requires access logging tied to case file numbers or task force names, and forces contract language that prevents default connectivity to national ALPR databases.
The bill matters to any local or state agency that operates ALPR cameras, companies that sell or host ALPR systems, and privacy counsel. It creates a private right of action with minimum statutory damages, makes certain compliance tasks subject to random DOJ audits (if funded), and treats several transportation entities as outside the statute’s operator/end‑user definitions — a carve‑out that shifts responsibilities and enforcement burdens unevenly across users of ALPR technology.
At a Glance
What It Does
SB 274 imposes default‑privacy settings in new or updated vendor contracts (no default national DB access and scans not accessible to other agencies), limits ALPR use to locating vehicles or persons reasonably suspected of a public offense, and caps retention of non‑match ALPR data at 60 days with mandatory deletion within 14 days after that threshold is exceeded (effective Jan 1, 2026).
Who It Affects
State and local public agencies that operate or access ALPR systems, ALPR vendors/manufacturers, national ALPR database operators and privacy counsel; the law excludes certain transportation agencies, public transit operators, local DOT/public works, and airport parking uses from operator/end‑user definitions.
Why It Matters
The bill turns contract design and default vendor settings into a primary privacy control, creates a minimum statutory damages remedy for individuals, and sets up DOJ oversight — all of which change operational and procurement practices for agencies that run ALPR systems and for the vendors who supply them.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
SB 274 rewrites operational guardrails for ALPR across California. It starts by narrowing the statutory definition of who counts as an ALPR operator or end‑user: transportation agencies, certain transit agencies, local public works/departments of transportation, and airport parking operations are expressly excluded in defined circumstances.
For agencies that remain covered, the bill strengthens security requirements by mandating supervisory controls on who can view ALPR data and by requiring both data security and privacy training for all employees who access the information.
On procurement, the bill forces a change in contract defaults. As of January 1, 2026, any new or renewed contracts with ALPR vendors must prevent default connections to national ALPR databases and ensure an agency’s collected scans are not accessible by other agencies unless the agency manually enables sharing and does so consistent with a Department of Justice general order.
That shifts the burden to vendors and agencies to implement more restrictive defaults and to document any deliberate decision to share.The bill limits how ALPR data may be used and how long it may be kept. Law enforcement may use ALPR information only to locate vehicles or people when there is a reasonable suspicion of involvement in a public offense.
Non‑matching scans must be deleted after 60 days; beginning January 1, 2026, any records older than 60 days that do not match an authorized hot list must be deleted within 14 days. To prevent after‑the‑fact queries, every search must be logged with a valid case file number or, in the specific situation of Attorney General‑overseen task forces, a task force name and bureau commander.SB 274 also creates enforcement and oversight levers.
Individuals harmed by violations get a private right of action with a statutory floor for damages ($2,500), and courts can award punitive damages, fees, and equitable relief. The Department of Justice may conduct annual random audits of public agencies’ usage and privacy policies, but those audits are explicitly subject to available appropriations.
Finally, the Legislature declares several of the bill’s provisions to be matters of statewide concern, which makes the rules applicable to charter cities and triggers reimbursement mechanisms if the State Mandates Commission finds costs for local agencies.
The Five Things You Need to Know
Non‑match retention cap: Public agencies cannot keep ALPR scans that do not match an authorized hot list for more than 60 days; as of Jan 1, 2026, any records older than 60 days that are non‑matching must be deleted within 14 days.
Contract defaults: New, amended, or renewed ALPR vendor contracts (effective Jan 1, 2026) must prevent default access to any national ALPR database and must set agency‑collected scans to be not accessible by other agencies unless sharing is manually enabled and authorized.
Logged searches must show a case reference: Every ALPR query requires a log entry with a valid current case file number from the querying agency; for AG‑overseen inter‑agency task forces the log may instead list the task force name and bureau commander.
Permitted use narrowed: Law enforcement agencies may use ALPR information only to locate vehicles or persons when there is reasonable suspicion they were involved in a public offense — no broader investigative uses are authorized by this bill.
Civil remedies and DOJ oversight: Individuals have a private right of action with a $2,500 minimum damages award; the DOJ may perform annual random audits of public agencies’ ALPR policies, but audits are contingent on appropriation.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Definitions and targeted exclusions
This section expands and clarifies key definitions: it adds airport operators, and explicitly excludes transportation agencies, public transit operators, local DOT/public works, and certain airport parking uses from the definitions of ALPR operator and ALPR end‑user. Practically, that means many non‑law‑enforcement uses (traffic management, tolling, parking) fall outside these new privacy and access restrictions, concentrating compliance requirements on public safety users.
Security controls and training requirements
Agencies that qualify as ALPR operators must implement supervisory controls over who can view ALPR data, introduce strong authentication and account approval processes, and track employee searches. The section also mandates data‑security and privacy training for anyone with access. That creates internal compliance tasks — role inventories, identity management changes, and documented training — which agencies must budget and operationalize.
Access logs and case‑number requirement
This amendment makes a log entry with a case file number a gating mechanism: no query may proceed without it. For AG‑overseen task forces, a task force name and bureau commander can substitute. The change converts what was a recordkeeping practice into an operational blocker and will require integration between case management systems and ALPR search interfaces to avoid manual bottlenecks or ad‑hoc workarounds.
End‑user policy obligations mirror operator rules
ALPR end‑users — entities that access but do not operate systems — must maintain the same employee‑level safeguards and usage/privacy policies as operators. The policy must describe authorized jobs and purposes, include auditing processes, and be publicly available. This pushes transparency obligations beyond system owners to any organization that queries ALPR data.
Private right of action and DOJ audit authority
The bill preserves and expands remedies for individuals harmed by violations, setting a minimum liquidated damage of $2,500 and allowing for attorney’s fees and punitive damages. Separately, it authorizes the Department of Justice to run annual random audits of public‑agency ALPR policies and compliance, but makes those audits contingent on whether the Legislature appropriates funds for the purpose, which limits immediate enforcement reach.
Public process, sharing limits, and procurement defaults
Agencies must provide a public comment opportunity before implementing an ALPR program. The bill continues the prohibition on selling ALPR data to private parties and adds a procurement requirement: new or updated contracts must disable default linkage to national ALPR databases and set agency scans to be non‑shareable by default. Manual agency‑to‑agency sharing is still possible, but the bill references DOJ General Order 2023‑05 as the procedural constraint for sharing among California law enforcement.
Retention ceiling and mandatory purge timing
The statute establishes a bright‑line retention rule: non‑matching ALPR records may not be retained beyond 60 days. Starting January 1, 2026, any such records older than 60 days must be deleted within 14 days. Operationally, agencies will need automated retention workflows, periodic validation checks against authorized hot lists, and secure deletion processes that produce compliance evidence for audits.
Statewide concern and applicability to charter cities
The Legislature attaches a finding that key provisions address statewide concerns rather than municipal affairs, making these rules applicable to charter cities. That removes a potential patchwork of rules across municipalities and expands the bill’s reach to all California cities, which tightens procurement and operational standards statewide.
Potential reimbursement if Commission finds state‑mandated costs
If the Commission on State Mandates determines the bill imposes reimbursable costs on local agencies or schools, reimbursement will proceed under California’s standard statutory framework for state‑mandated local programs. Agencies should track implementation costs and be prepared to document claims.
This bill is one of many.
Codify tracks hundreds of bills on Privacy across all five countries.
Explore Privacy in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Individuals and privacy advocates — The 60‑day cap on non‑matching data, mandatory deletion windows, logging tied to case numbers, and public posting of usage policies strengthen individual privacy controls and provide an enforceable remedy through a private right of action.
- Public transit and transportation agencies (and airport parking operators) — The bill’s explicit exclusions mean these entities avoid the operational constraints and recordkeeping burdens the statute imposes on public‑safety users, preserving flexibility for traffic management and parking operations.
- Department of Justice and public transparency advocates — DOJ gains a statutory audit power (contingent on funding) and the public gains more visible usage/privacy policies and a formal public‑comment step before deployment, improving oversight and accountability.
- Law enforcement agencies using hot lists — The text preserves authorized hot‑list checks (NCIC, SVS, DOJ lists and specified alerts), allowing continued rapid identification of stolen vehicles and AMBER/Silver alerts while tightening other uses.
Who Bears the Cost
- Local and county law enforcement agencies — They must redesign workflows to require case file numbers for queries, implement retention‑and‑deletion automation, expand training and access controls, and respond to potential audits; these are direct operational and IT costs.
- ALPR vendors and national database operators — Vendors must change default contract settings and likely adjust product features to disable automatic national DB access, plus support customer‑specific sharing controls; operators of national/third‑party aggregation services will see reduced default connectivity and potential revenue impacts.
- Local governments and special districts — The bill creates a state‑mandated local program; if the Commission finds costs, entities will need to pursue reimbursement, but until then they absorb up‑front implementation expenses.
- Department of Justice — Although DOJ gains an audit role, the statute makes audits contingent on budgeted appropriations, so the department faces either a funding requirement or limitations in oversight capacity.
Key Issues
The Core Tension
SB 274’s central dilemma is the trade‑off between data minimization and operational agility: it seeks to protect privacy by imposing tight retention limits, logging requirements, and privacy‑first procurement defaults, but those same rules can impede real‑time investigations, retrospective analysis, and inter‑agency information sharing that law enforcement argues help solve crimes. The statute shifts control toward privacy‑protective defaults while leaving manual override paths and exemptions, creating an implementation environment where the balance between safety and privacy will be decided by procurement choices, technical integration, and funding for oversight rather than by statute alone.
SB 274 converts many operational choices into contract and procedural mandates. That approach tightens defaults (a common privacy technique) but leaves room for manual sharing and for agencies to enable connections if they choose — which means the bill reduces, but does not eliminate, the possibility of inter‑agency data aggregation.
The practical effect depends heavily on vendors’ willingness and ability to implement contractually required defaults and on agencies’ discipline in refusing to opt into broader sharing.
The bill’s enforcement design is uneven. It creates a private right of action with a statutory damages floor, which creates a clear legal risk for agencies that err.
At the same time, the Department of Justice’s auditing power is explicitly contingent on appropriation, which could leave compliance under‑tested if the Legislature does not fund audits. Operational constraints — case‑number gating, short retention windows, and mandatory deletion within 14 days — will require substantive IT work and can conflict with investigative realities (e.g., leads that emerge after records are deleted).
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.