For a decade, California’s Automated License Plate Reader Privacy Act sat on the books largely undisturbed — a statute with real teeth that the plaintiffs’ bar hadn’t quite discovered yet. That quiet period is over. A 2026 appellate ruling converted the law into a class action engine, and retailers, shopping centers, hotels, and parking operators are now staring down exposure they didn’t know they had.
If your business operates ALPR cameras anywhere in California and you haven’t reviewed your compliance posture, this article explains what changed, what the damages math actually looks like, and what steps you need to take now.
What the California ALPR Privacy Act Actually Requires
California’s Automated License Plate Reader Privacy Act, codified at Cal. Civ. Code §§ 1798.90.5–.55, has been in effect since January 1, 2016. The statute applies to any operator or end-user of an ALPR system — not just government agencies, but private commercial operators as well.
The core obligations are straightforward:
- Implement a written ALPR usage and privacy policy that meets specific statutory content requirements
- Publicly post that policy so affected individuals can find it
- Limit use, access, and sharing of ALPR data consistent with the posted policy
- Protect ALPR data with reasonable security measures
For nearly ten years, most businesses running ALPR systems — parking garages, big-box retailers, hotel lots, shopping mall operators — either didn’t know the law applied to them or assumed no one was watching. The plaintiffs’ bar was watching.
The Case That Pulled the Pin: Bartholomew v. Parking Concepts
In February 2026, the California Court of Appeal issued its decision in Bartholomew v. Parking Concepts, Inc., 118 Cal. App. 5th 438 (1st Dist. 2026). The ruling resolved a critical threshold question that had kept litigation at bay: does the absence of a compliant ALPR policy, standing alone, constitute an actionable violation?
The court’s answer was yes.
No data breach is required. No misuse of the captured plate data. No concrete downstream harm. The failure to implement and post the required policy is itself the violation, and each individual whose plate was read during the non-compliant period is a potential plaintiff.
The court also dropped a notable footnote: it left open whether a partially compliant policy could be actionable. That language matters. It extends the litigation risk beyond operators with no policy at all to those with technically deficient policies — a category that likely includes many businesses that believe they’ve done their homework.
The California Supreme Court denied review of Bartholomew on May 13, 2026, making the appellate decision final and giving plaintiffs’ firms the green light to move at scale.
The Damages Math Is Not Forgiving
The remedial scheme under the ALPR Privacy Act was structured for exactly this kind of aggregate litigation. Affected individuals are entitled to $2,500 in statutory damages per violation. Attorneys’ fees, punitive damages, and injunctive relief are also available.
Consider the exposure for a mid-size shopping center with 500,000 annual visitors. At $2,500 per affected person, a single year of non-compliance produces potential liability in the billions of dollars. That figure is not a worst-case outlier — it is the straightforward arithmetic of the statute applied to ordinary foot traffic.
Because no harm showing is required, these cases are well-suited for class certification. Plaintiffs’ firms have already begun active recruitment advertising, and since Bartholomew, class actions have been filed against virtually every commercial ALPR deployer category: shopping malls, grocery chains, big-box retailers, hotels, commercial campuses, parking operators, and ALPR technology vendors themselves.
Who Is Actually Liable — Operators, Not Vendors
A critical compliance point that many businesses miss: the statute places liability on the operator of the ALPR system, not the vendor who supplies the hardware or software. Relying on your parking technology vendor or security integrator to have handled compliance on your behalf is not a defense.
This means businesses need to audit not just whether an ALPR system is running on their property, but:
- Whether a compliant usage and privacy policy exists and is publicly posted
- What data the vendor is actually collecting and retaining
- Whether the vendor is sharing or selling ALPR data to third parties — including the broader adtech ecosystem, where some ALPR networks’ data has reportedly been absorbed
- What contractual indemnification protections, if any, the vendor agreement provides
Vendor contracts written before Bartholomew almost certainly do not address this risk allocation clearly. That is a gap that should be closed now, before litigation arrives.
The Trend Is Spreading Beyond California
California is the immediate priority, but businesses with multi-state footprints should be tracking legislative activity elsewhere. Washington enacted its own ALPR statute — SB-6002 — on March 30, 2026, effective immediately. Washington’s law is currently focused on government agency use rather than private commercial operators, but it contains an important hook for private litigation: a vendor’s violation of the statute is a per se unfair or deceptive act under Washington’s Consumer Protection Act, which carries its own fee-shifting and damages framework.
Other states have ALPR restrictions on the books or pending. A compliance strategy built around only California will be outdated within the current legislative cycle.
Five Steps to Reduce Your Exposure Now
- Audit every ALPR deployment across your properties. Many businesses have more ALPR cameras running than their operations teams realize — entrance and exit gates, parking management systems, security integrations. Build a complete inventory.
- Review vendor agreements for data practices and liability allocation. Find out exactly what data your vendor collects, how long it is retained, and whether it is shared or sold. Push for written representations and indemnification where the contract is silent.
- Draft and post a compliant ALPR usage and privacy policy. The statute specifies what the policy must contain. A generic privacy notice does not satisfy the requirement. Given Bartholomew‘s footnote on partial compliance, the policy must be complete and technically accurate — not a placeholder.
- Assess whether historical exposure exists. If ALPR cameras have been operating without a compliant policy for any period, document the timeline and consult counsel on litigation hold and risk management strategy.
- Monitor multi-state legislative developments. Assign responsibility for tracking ALPR legislation in every jurisdiction where your business operates. Washington won’t be the last state to act.
The Broader Compliance Picture
The ALPR wave fits a pattern that compliance professionals are seeing across multiple statutes: biometric privacy laws, wiretapping statutes, pixel tracking litigation under HIPAA and state health privacy frameworks. The structure is consistent — a statutory damages scheme that removes the need to prove concrete harm, combined with a class action mechanism that aggregates individual claims into enterprise-scale exposure.
What makes ALPR different from many of these theories is the breadth of the affected business category. Retail operators, hospitality companies, commercial real estate owners, and property managers are not typically first-movers in privacy compliance — but they are running ALPR systems, often without realizing that a decade-old California statute has just become an active enforcement tool with billion-dollar math attached to ordinary visitor counts.
The window between now and the next wave of filed cases is short. Compliance infrastructure built before litigation arrives is meaningfully different from compliance infrastructure built in response to a filed complaint.
Captain Compliance Can Help
Captain Compliance works with businesses navigating emerging privacy litigation risks across consumer-facing operations. Whether your exposure is ALPR-specific, involves data broker obligations, consent management gaps, or broader state privacy law compliance, our team provides the audit frameworks, policy documentation, and compliance roadmaps that reduce your risk before the plaintiffs’ bar does its own audit of your property.
