Skip Repetitive Navigation Links

Automated License Plate Readers
To Better Protect Individuals’ Privacy, Law Enforcement Must Increase Its Safeguards for the Data It Collects

Report Number: 2019-118

Use the links below to skip to the specific section you wish to view:

Appendix A

Agencies That Did Not Respond to Our Survey

Source: Analysis of survey responses.

Summary of ALPR Survey Responses

The Audit Committee requested that we determine ALPR use among law enforcement agencies statewide. Specifically, the Audit Committee asked us to determine whether agencies use ALPR information, what vendors they use, and whether law enforcement agencies have policies and procedures to govern their use and sharing of ALPR information. We surveyed 391 county sheriffs and municipal police departments statewide. We relied upon information from the California State Sheriffs’ Association, the California Police Chiefs Association, and the FBI to obtain assurance that our list of statewide local law enforcement was reasonably comprehensive.

We received 381 responses (97 percent) to the 391 surveys we sent. Ten agencies we surveyed did not respond. The text box lists those agencies. A breakdown of the law enforcement agencies’ responses to our statewide survey can be found at The discussion here summarizes the survey results.

Summary of Results From Agencies That Reported Using ALPR Systems

In responding to our survey, law enforcement agencies indicated whether they use ALPR systems and, if so, what vendors’ systems they use to collect and access ALPR information. Of the agencies that responded, 60 percent, or 230 agencies, reported that they currently operate or access information from ALPR systems. Of those agencies, 96 percent said they have an ALPR usage and privacy policy. Vigilant is the most common vendor for the agencies that reported using ALPR systems. Figure A.1 summarizes which vendors the 230 law enforcement agencies reported that they use. Finally, 9 percent, or 36 of the agencies we surveyed, stated that they are implementing or planning to implement ALPR systems.

Figure A.1
Vigilant Is the ALPR Vendor the Majority of Law Enforcement Agencies Use

A donut chart that shows which vendor the law enforcement agencies that responded to our survey use.

Source: Analysis of survey responses.

* The Other category includes vendors such as Genetec, ELSAG, and All Traffic Solutions.

The total number of ALPR vendors used is greater than the 230 agencies that said they use ALPR systems because some agencies use more than one vendor.

Law enforcement agencies that reported using ALPR systems also answered questions related to their retention and sharing of ALPR information. We asked how long the agencies retain ALPR information not related to ongoing investigations or litigation. As Figure A.2 shows, the retention periods varied, but the majority of law enforcement agencies reported retention periods between six months and two years. Additionally, we asked agencies that operate ALPR systems if they share or sell the information they collect with other law enforcement or public agencies. Seventy‑three percent, or 168 agencies that use ALPR systems, reported that they share ALPR images with other law enforcement agencies; only three of those agencies also reported that they share ALPR images with other public agencies that are not law enforcement. None of the agencies we surveyed reported selling images to other law enforcement or public agencies.

Figure A.2
A Majority of Agencies Generally Retain ALPR Information for Between Six Months and Two Years

A bar chart that shows how long the agencies that responded to our survey generally retain their ALPR information.

Source: Analysis of survey responses.

Note: Three responding agencies that use ALPR systems did not indicate a retention period for their information: Bakersfield Police Department, Fountain Valley Police Department, and Pasadena Police Department.

Appendix B

Scope and Methodology

The Audit Committee directed the California State Auditor to conduct an audit of the extent to which local law enforcement agencies are complying with existing law regarding the use of ALPR systems. The analysis the Audit Committee approved contained five objectives. We list the objectives and the methods we used to address them in Table B.

Table B
Audit Objectives and the Methods Used to Address Them
1 Review and evaluate the laws, rules, and regulations significant to the audit objectives. Reviewed relevant state laws, regulations, and other background materials applicable to the use and operation of ALPR systems by local law enforcement.
2     To the extent possible, determine the following for law enforcement agencies statewide:
  • Surveyed 391 county sheriff and municipal police departments statewide.
  • Obtained and verified a list of statewide local law enforcement agencies, using information from the California State Sheriffs’ Association, the California Police Chiefs Association, and the FBI.
  • Questioned agencies regarding their use of ALPR systems, including whether they use or are planning to use an ALPR system; if they share or sell the ALPR information; if their ALPR storage is CJIS-compliant; which system they use to store, share, or access ALPR information; if they have a usage and privacy policy and post the policy on their website; how long they retain ALPR information; how many department personnel have access to the ALPR data; and how many total personnel their department has. Full questions and a breakdown of the responses are on our website at
  • Created an interactive graphic to display responses by county, assembly district, and senate district at
  • The survey responses were self-reported, and we did not verify their accuracy.
a. Whether they use ALPR information and, if so, what vendors they use to access this information.
b. Whether they have policies and procedures in place governing the use and sharing of ALPR information.
3   Examine the use of ALPRs by the Sacramento County Sheriff’s Office and Department of Human Assistance, the Los Angeles Police Department, the Fresno Police Department, and the Marin County Sheriff’s Office by performing the following:  
a. Determine whether they have policies and procedures in place regarding ALPR systems and whether those policies contain the elements state law requires.
  • Interviewed the agencies’ ALPR administrators.
  • Obtained and reviewed ALPR policies and procedures and determined whether each agency met state law requirements in this area.
b. Determine whether they have followed state law regarding all required public notifications related to ALPR systems and information, including required public hearings.
  • Interviewed the agencies’ public information officers.
  • Obtained evidence of public notifications and public hearings and determined whether each agency met state requirements in this area.
c. Determine whether they maintain records of access to ALPR information from both within and outside the agency that includes all required documentation and whether they have ensured that ALPR information has only been used for authorized purposes.
  • Interviewed the agencies’ ALPR administrators.
  • Reviewed access records from the agencies’ ALPR systems.
  • Determined whether the agencies conducted any audits or monitoring by interviewing ALPR administrators, staff of internal audit divisions, and executive staff of any oversight entities. We also reviewed relevant policies and procedures.
  • Reviewed the agencies’ internal affairs files for any cases involving ALPR misuse.
  • Reviewed Justice’s and the FBI’s audits of the agencies’ IT security and the safeguards those audits identified.
d. Determine whether they have sold, shared, or transferred ALPR information only to other public agencies, except as otherwise permitted by law, and whether they have properly documented these activities.
  • Interviewed the agencies’ ALPR administrators.
  • Reviewed reports and records about data sharing from the agencies’ ALPR systems.
  • Reviewed existing memorandums of agreement and understanding for data sharing.
  • Interviewed executive staff at Vigilant regarding ALPR system functionality and their procedures for verifying the law enforcement purpose of client agencies.
e. Determine the nature of any contracts with third‑party vendors related to ALPR information.
  • Interviewed Justice staff responsible for protecting criminal justice information.
  • Evaluated the agencies’ contracts with third-party vendors and determined whether the contracts contained adequate protections for information in the agencies’ ALPR systems.
4 Evaluate whether current state law governing ALPR programs can be enhanced to further protect the privacy and civil liberties of California residents.
  • Interviewed agencies’ investigators and ALPR program administrators.
  • Reviewed the information in the agencies’ ALPR systems and identified the necessary protections for that information. 
  • Obtained the agencies’ justifications for their ALPR data retention periods.
  • Analyzed six months of the agencies’ ALPR search records— between late January and September 2019, depending on when we visited the agencies—to determine how often the agencies’ personnel searched for older data in their ALPR systems.
  • Reviewed other states’ ALPR data retention laws based on a report from the National Conference of State Legislatures and identified best practices for data retention.
  • Analyzed laws pertaining to privacy, personal information, and criminal justice information and determined whether changes to current ALPR law would further protect the privacy and civil liberties of California residents.
5 Review and assess any other issues that are significant to the audit. Reviewed informational material produced by law enforcement agencies, nonprofit organizations, and other entities to identify concerns surrounding privacy and ALPR systems.

Source: Analysis of state law, policies, information, and documentation identified in the table column titled Method.

Assessment of Data Reliability

The U.S. Government Accountability Office, whose standards we are statutorily obligated to follow, requires us to assess the sufficiency and appropriateness of computer‑processed information that we use to support our findings, conclusions, and recommendations. In performing this audit, we relied on electronic data files we obtained from Fresno, Los Angeles, Marin, and Sacramento. These files included reports from the agencies’ ALPR systems. Because the agencies relied on remote third‑party systems to produce the reports, our analysis of these reports was limited to verifying that we had received the information we requested. We did so by reviewing source materials such as user manuals, interviewing vendor staff, and confirming with the agency staff that the number of records in the files we received were correct. We also used electronic lists from the California Police Chiefs Association and the California State Sheriffs’ Association to compile a list of statewide police and sheriff departments for our survey. We verified the nature of the data with the associations’ staffs, and we also verified record counts by comparing the provided lists with FBI crime‑reporting data. We found the data to be sufficiently reliable for our purposes.

Back to top