Privacy Laws For License Plate Info Aren't What You Think
- 01. Privacy Laws for License Plate Information: What You Must Know Now
- 02. The Federal Backbone: Driver's Privacy Protection Act
- 03. State-Level ALPR Privacy Laws: A Patchwork of Protections
- 04. Key State ALPR Retention Periods (2024-2026)
- 05. Private ALPR Companies: The Unregulated Data Brokers
- 06. Netherlands and EU: Stricter Privacy Standards via GDPR
- 07. How Privacy Laws Compare: U.S. vs. Netherlands/EU
- 08. Proposed Federal Reform: The License Plate Privacy Act
Privacy Laws for License Plate Information: What You Must Know Now
In the United States, there is no single federal law banning the collection of license plate data, but the federal Driver's Privacy Protection Act (DPPA) restricts how states can release personal information tied to license plates from motor vehicle records. Most privacy protections come from state laws governing automated license plate reader (ALPR) systems, which typically set maximum data retention periods (often 30-180 days), require law-warrantied use for criminal investigations, and prohibit selling plate data to third parties.
The Federal Backbone: Driver's Privacy Protection Act
Enacted in 1994 after a high-profile stalking case, the DPPA (18 U.S.C. § 2721) prohibits state departments of motor vehicles from disclosing personal information-such as name, address, phone number, or Social Security number-linked to a license plate without the vehicle owner's consent. The law allows 18 permissible uses, including law enforcement investigations, toll collection, and market research, but bans commercial scraping or mass downloads. Violators face civil lawsuits and fines up to $5,000 per violation.
However, the DPPA does not regulate private companies that operate ALPR cameras or collect plate data independently. This regulatory gap allows private entities to gather and pool millions of innocent drivers' location scans with little oversight.
State-Level ALPR Privacy Laws: A Patchwork of Protections
As of early 2026, at least 16 states have enacted specific rules governing ALPR use, with retention periods ranging from 24 hours to 30 months. California leads with the strictest regime: the California Assembly Bill 1450 (2015) mandates deletion of non-criminal ALPR data within one year and requires warrant subpoenas for access. In contrast, Georgia requires destruction of unused data after 30 months, effective January 2019.
Key State ALPR Retention Periods (2024-2026)
| State | Max Retention (Non-Criminal Data) | Key Restriction |
|---|---|---|
| California | 1 year | Warrant required for access |
| Massachusetts | 30 days | Prohibits data sharing with ICE |
| Illinois | 180 days | Requires written policy disclosure |
| Georgia | 30 months | Unified destruction deadline |
| New York | 90 days | Bans commercial sales |
Hawaii and Vermont have passed comprehensive ALPR privacy bills requiring public oversight boards and annual transparency reports. Meanwhile, over 20 states still operate under no specific statutes, leaving ALPR policies to individual police department discretion.
- Data retention limits: Most protective states cap retention at 30-180 days unless tied to active investigations
- Sales bans: 14 states explicitly prohibit selling license plate data to private brokers or advertisers
- Warrant requirements: California, Massachusetts, and Virginia require judicial approval to query historical ALPR databases
- Transparency mandates: 9 states demand annual public reports detailing scan volumes and data-sharing partners
Private ALPR Companies: The Unregulated Data Brokers
Private firms like Real-Time Accounts, License Plate Logix, and PropertyCat collect hundreds of millions of plate scans annually from parking garages, toll booths, and private security cameras. Unlike law enforcement, these companies face few federal restrictions and often retain data indefinitely, pooling it into shared databases accessible to police without warrants.
The ACLU estimates that more than 80% of all ALPR scans involve innocent drivers not suspected of any crime. Yet only 4 states require private ALPR operators to adopt privacy policies mirroring law enforcement standards. In a 2023 case, a Massachusetts court ruled that private ALPR data shared voluntarily with police could be used in criminal prosecutions without a warrant-highlighting the Loophole problem.
- Check your state's ALPR retention law via the National Conference of State Legislatures database
- Request deletion of your plate data from private companies under state "do not sell" opt-out rights
- File a DPPA complaint with the FTC if a state DMV illegally releases your personal information
- Monitor local police oversight boards for ALPR audit reports and policy changes
- Support proposed state bills requiring warrant-based historical plate queries
Netherlands and EU: Stricter Privacy Standards via GDPR
In the Netherlands, the European Union's General Data Protection Regulation (GDPR) imposes far stricter rules than U.S. law. License plate recognition cameras (ANPR) may store non-suspicious plates for no more than 24 hours under current Dutch data protection authority (CBP) rulings. A controversial 2013 bill proposed extending retention to 28 days for serious crime investigations, sparking nationwide protests and legal challenges by the Privacy First Foundation.
GDPR-classifies license plate data as personal data because it can identify vehicle owners. This requires lawful basis, purpose limitation, and data minimization-principles absent in most U.S. state laws. The Netherlands also prohibits using ALPR images to identify drivers or passengers unless explicitly authorized for terrorism or homicide cases.
How Privacy Laws Compare: U.S. vs. Netherlands/EU
| Aspect | United States (Typical State) | Netherlands/EU |
|---|---|---|
| Legal basis for collection | Existing police policy | GDPR Article 6 lawful basis required |
| Max retention (non-crime) | 30-365 days | 24 hours |
| Warrant for historical data | Required in 3 states | Required in all serious investigations |
| Private company regulation | Minimal or none | GDPR compliance mandatory |
| Data subject rights | Limited (varies by state) | Full access, deletion, portability rights |
"Automatic license plate readers have the potential to create permanent records of virtually everywhere any of us has driven, radically transforming the consequences of leaving home." - ACLU, You Are Being Tracked report (October 2024)
Proposed Federal Reform: The License Plate Privacy Act
The Public Leadership Institute's License Plate Privacy Act (introduced in Congress multiple times but not yet enacted) would establish national standards: deleting non-investigative plate data within 180 days, banning sales of captured plate data, and prohibiting transfers except for criminal investigations. The bill's Section (B) explicitly caps storage at 180 days unless part of an ongoing governmental investigation, requiring destruction at case closure.
As of May 2026, the bill remains under committee review, but momentum is growing after several high-profile abuses where ALPR data tracked activists' visits to reproductive health clinics and voting rights protests.
As ALPR usage grows-with over 50,000 readers now deployed across U.S. highways and cities-advocates argue that comprehensive federal privacy legislation is essential to prevent perpetual location surveillance. Until then, motorists must navigate a fragmented patchwork where your rights depend almost entirely on your zip code.
What are the most common questions about Privacy Laws For License Plate Info Arent What You Think?
What Happens If You Request Plate Data Deletion?
Under state laws like Illinois' Vehicle License Plate Reader Data Act, individuals can submit written deletion requests to law enforcement agencies. Agencies must respond within 30 days and destroy non-investigative data unless it relates to an active case. Private companies are less obligated, though some honor opt-out requests under California's CCPA "do not sell" clauses.
Can Police Track My Past Movements Without a Warrant?
In 21 states, police can query historical ALPR databases without a warrant for any investigation, civil or criminal. Only California, Massachusetts, and Virginia require warrants for historical queries. The ACLU reports that over 200 million plate scans are stored nationally, creating searchable movement histories for millions of innocent motorists.
Is License Plate Data Public Record?
No-plate numbers themselves are visible to anyone, but personal owner information tied to plates is protected under the DPPA. However, raw ALPR scan logs (plate + time + location) are often not classified as personal data and may be released under state open-records laws unless restricted by statute.
Do Parking Garages Need Consent to Scan My Plate?
Generally no. Private parking operators can scan plates as a contractual condition of entry, per terms posted at entry gates. Most states do not require explicit consent, though California requires conspicuous privacy notices if data may be shared with third parties beyond parking management.
What Are the Penalties for Illegal Plate Data Access?
DPPA violations carry civil penalties up to $5,000 per incident. Some states add criminal misdemeanors for unauthorized state DMV queries. However, private ALPR misuse often lacks criminal penalties unless tied to stalking or harassment statutes. Civil lawsuits remain the primary remedy.