Members-only forum — Email to join

My parking garage is using Flock Safety cameras to scan license plates — is this legal under the DPPA?

Started by DataPrivacyDan · Jan 22, 2026 · 10 replies
For informational purposes only. Privacy and surveillance laws vary significantly by state and municipality. Consult an attorney for advice specific to your situation.
DD
DataPrivacyDan OP

So I just found out my office parking garage (managed by a national parking company) installed Flock Safety ALPR cameras at every entrance and exit. They're scanning every license plate that enters and exits the facility. I only discovered this because I noticed the cameras and Googled the model number.

There was zero notice to parkers — no signage, nothing in the parking agreement I signed when I got my monthly pass last year.

I know there was a recent ruling in California (Bartholomew v. Parking Concepts) that touched on this exact issue. Does anyone know where this stands legally? I'm particularly concerned about:

  1. Where does this data go and how long is it retained?
  2. Flock Safety shares data with law enforcement through their FLUX network — does that change the analysis?
  3. Is there any obligation to notify parkers that their plates are being scanned?

This feels like a massive privacy issue that most people don't even know about.

MK
AttorneyMichaelK Attorney

Good question, and the legal landscape here is evolving quickly. Let me break down the DPPA angle first.

The DPPA (Driver's Privacy Protection Act, 18 U.S.C. 2721-2725) restricts the disclosure of personal information obtained from state DMV records — but courts are split on whether ALPR data constitutes information "obtained from" motor vehicle records under the statute. The key issue is that ALPR systems capture plate numbers in the wild, rather than pulling data from DMV databases. Several circuits have held the DPPA doesn't apply because the data wasn't "obtained from" the DMV.

That said, the Bartholomew case in California's Central District raised an interesting wrinkle: the parking company was cross-referencing ALPR captures with DMV data to identify vehicle owners. If your garage operator is doing the same — linking plate scans to registered owner information — the DPPA argument gets much stronger.

What state are you in? That matters a lot here.

SC
SarahConsumerRights

The Bartholomew v. Parking Concepts case is really interesting for anyone following this area. The plaintiff argued the parking company was essentially building a surveillance database of customer movements without consent. The court acknowledged the privacy concerns but focused narrowly on whether the DPPA applied to the specific data flow.

What struck me about the case is the discovery showing Flock Safety's standard contract with commercial clients. The data retention was 30 days by default, but law enforcement partners on the FLUX network could retain hits indefinitely. So even if the garage deletes its data, the police department that pinged the system might keep it forever.

That's the part that really concerns me from a consumer rights perspective — there's no transparency about who's querying your plate data.

NP
NoahPeterson_LA

California has a specific ALPR statute — Civil Code 1798.90.5 through 1798.90.55. It requires any entity operating an ALPR system to:

  • Maintain a usage and privacy policy describing how the ALPR data will be used
  • Restrict access to authorized users only
  • Implement security procedures to prevent unauthorized access
  • Maintain a record of access to ALPR data for auditing purposes

The statute also limits data retention — agencies must have a policy specifying how long data is stored and justify the retention period. Private entities aren't explicitly covered by the retention limits though, which is a gap.

Several other states have ALPR-specific laws too: Maine, Vermont, New Hampshire, Arkansas, Montana. But coverage is really patchy across the country.

DD
DataPrivacyDan OP

I'm in Illinois. Does that change things? I know Illinois has BIPA for biometric data but I'm not sure there's a specific ALPR statute here.

Also — I checked the parking agreement more carefully. There's a vague clause about "security measures including video surveillance" but nothing mentioning license plate scanning, data sharing with third parties, or law enforcement access. Is that sufficient notice?

MK
AttorneyMichaelK Attorney

Illinois is interesting. You're right that there's no state-specific ALPR statute, but you have a few potential angles:

1. BIPA (740 ILCS 14): BIPA covers "biometric identifiers" which are defined as retina scans, fingerprints, voiceprints, hand scans, or face geometry. License plates aren't biometric data, so BIPA almost certainly doesn't apply here directly. However, if the Flock cameras also have facial recognition capabilities (some models do), that's a different story entirely.

2. Illinois Personal Information Protection Act (815 ILCS 530): This covers data breach notification but could be relevant if the ALPR data is compromised.

3. Common law privacy torts: Illinois recognizes intrusion upon seclusion. The question would be whether scanning plates in a commercial parking garage constitutes intrusion into a matter the plaintiff has a reasonable expectation of privacy in. Courts have generally held there's a reduced expectation of privacy for license plates on public roads, but a private garage where you have a contractual relationship might be different.

As for the "video surveillance" clause — I'd argue ALPR is materially different from standard security cameras. A generic surveillance disclosure likely isn't sufficient to cover systematic collection, database storage, and third-party sharing of plate data.

SJ
StartupLawyerJess Attorney

I want to add the Fourth Amendment angle since OP mentioned the FLUX law enforcement network. In Carpenter v. United States (2018), the Supreme Court held that accessing historical cell-site location information constitutes a search under the Fourth Amendment. The reasoning was that long-term tracking of someone's movements reveals the "privacies of life."

ALPR networks are arguably doing the same thing — building a comprehensive record of vehicle movements over time. Several legal scholars have argued that Carpenter's reasoning should extend to ALPR data, especially aggregated databases like FLUX.

Now, Carpenter applies to government action, not private companies. But if Flock Safety is effectively acting as an agent of law enforcement by building this shared network, there's a state action argument. Some jurisdictions are starting to grapple with this.

Practically speaking though, this area of law is still developing. I wouldn't count on winning a case on this theory alone right now.

TM
TechFounderMike

From a tech perspective, I want to point out something people miss about Flock Safety specifically. Their cameras don't just capture plate numbers — they also log vehicle make, model, color, and distinguishing features (bumper stickers, dents, etc.). That's way more data than a simple plate scan.

Their marketing materials tout the ability to create "vehicle fingerprints" that can identify a specific car even without a readable plate. That level of identification starts to feel a lot more like surveillance than simple parking management.

I looked into partnering with Flock for our company's parking lot and walked away after reviewing their data sharing terms. The FLUX network means your commercial data feeds into a law enforcement tool whether you intended it to or not.

GC
GigWorker_Chicago

I'm also in Illinois and this hits close to home. As a gig worker I'm in and out of parking garages and lots all day. The idea that every stop I make is being logged and potentially shared with police is really unsettling.

Has anyone successfully opted out of ALPR scanning? Is that even possible if you need to use the garage for work? It's not like I can just park somewhere else when a client's office is in one of these buildings.

DD
DataPrivacyDan OP

UPDATE: I sent a formal letter to the parking management company requesting the following under general consumer protection principles (since Illinois lacks a specific ALPR statute):

  1. Complete copy of their ALPR usage and privacy policy
  2. All data collected about my vehicle in the past 12 months
  3. List of all third parties with whom my data has been shared
  4. Their data retention policy for ALPR records

Their response was... interesting. They confirmed Flock Safety cameras are in use at the facility and that data is "available to law enforcement partners upon request." But they claimed the data belongs to Flock Safety, not the parking company, and directed me to Flock's privacy policy.

That feels like a dodge. The parking company contracted with Flock to install cameras on their property. They can't just disclaim responsibility by pointing at their vendor.

I'm considering filing an FTC complaint about the lack of disclosure. Thoughts?

KM
KellyMartinez_Mod Mod

Great thread with a lot of useful analysis. Let me summarize the key legal frameworks discussed for anyone finding this later:

  • DPPA (18 U.S.C. 2721-2725): May apply if operator cross-references ALPR data with DMV records; courts are split on standalone ALPR captures
  • California ALPR statute (Civ. Code 1798.90.5): Requires usage policies, access controls, and audit trails for ALPR operators in CA
  • Illinois: No specific ALPR statute; BIPA unlikely to apply to plate data alone; potential common law privacy tort claims
  • Fourth Amendment / Carpenter: Developing argument that aggregated ALPR data constitutes a search, especially when shared with law enforcement via networks like FLUX
  • Practical tips: Request your data, review your parking agreement, file complaints with FTC and state AG for lack of disclosure

This is an area of law that's moving fast. Several states have introduced ALPR-specific bills in their 2026 legislative sessions. Keep an eye on your state legislature.

Want to participate in this discussion?

Email owner@terms.law to request access