Reported / Citable
Background
Brendan Bartholomew parked his vehicle multiple times in 2022 and 2023 at a parking garage operated by Parking Concepts, Inc. The garage’s entry kiosk printed parking tickets that recorded license plate numbers; the exit kiosk read the license plate again and automatically lifted the barrier arm. Bartholomew sued, alleging Parking Concepts had implemented an Automated License Plate Recognition (ALPR) system without complying with California’s ALPR Law (Civil Code sections 1798.90.5-1798.90.55). The ALPR Law requires operators to maintain reasonable security procedures and to publish a publicly available privacy and use policy.
Bartholomew also brought claims under the UCL and the California Constitution’s right to privacy. The trial court sustained Parking Concepts’s demurrer without leave to amend, finding (among other things) that Bartholomew failed to allege harm within the meaning of the ALPR Law.
The Court’s Holding
The Court of Appeal reversed in the published portion of the opinion. The court held that the collection and use of license-plate information by an ALPR operator that has not implemented the statutorily required publicly available policy is itself the kind of harm the ALPR Law protects against. The Legislature created the ALPR Law to address the privacy implications of automated plate-reading systems, and the policy requirement is not a mere paperwork formality — it gives consumers meaningful information about who is collecting their license-plate data and how it will be used.
Where the operator collects ALPR data without the required policy, the consumer’s statutory privacy interest is invaded. Requiring additional proof of consequential harm (such as identity theft or stalking) would defeat the statute’s protective purpose. The court treated this as analogous to the ICRAA / ICCPA standing analysis adopted in Yeh v. Barrington Pacific.
In the unpublished portion of the opinion, the court addressed and resolved the UCL and California-constitutional-privacy claims.
Key Takeaways
- California’s ALPR Law requires both reasonable security and a publicly available privacy and use policy; operators must comply with both.
- Failure to publish the required policy is itself a cognizable harm under the ALPR Law; consumers do not need to show consequential injury.
- Parking-garage operators that use license-plate readers must implement and publish ALPR policies meeting Civil Code section 1798.90.51’s requirements.
- The decision aligns ALPR Law standing with the broader California trend toward statutory-violation-based standing in consumer-privacy statutes.
- Operators of ALPR systems should audit current compliance and publish appropriate policies on their websites and at point-of-collection locations.
Why It Matters
This decision is significant for the rapidly growing universe of California businesses using automated license-plate-recognition systems — parking-garage operators, toll-road authorities, retailers using lot-monitoring systems, HOAs operating gated communities, and others. Many of these businesses have implemented ALPR systems without realizing they trigger the ALPR Law’s policy and security obligations. The First District has now made clear that noncompliance is itself actionable.
For privacy-rights advocates and plaintiffs’ counsel, the case opens significant new litigation opportunities. Class-action and individual claims under the ALPR Law will likely follow. For operators, the immediate task is to audit current ALPR practices, draft and publish compliant policies, and ensure that customers can readily access those policies. Failure to do so exposes the operator to civil claims that, after this decision, will not be defeated at the pleading stage for want of harm.