On February 5, 2026, the California First District Court of Appeal issued a published decision in Bartholomew v. Parking Concepts, Inc. that fundamentally redefines the compliance obligations — and the liability exposure — for every parking operator using License Plate Recognition technology in California. The ruling establishes, for the first time at the state appellate level, that failing to maintain and publicly post a privacy policy governing an LPR system constitutes legally actionable “harm” under California’s Automated License Plate Recognition Law (Civil Code §1798.90.5 et seq.) — even absent any evidence that plate data was misused, breached, or shared with third parties.

The practical implications are immediate and significant. In a class action context — and the Bartholomew plaintiff is pursuing this as a class action — the exposure for a mid-size garage processing 500 vehicles per day reaches into the hundreds of millions of dollars over a multi-year class period. The cost of compliance, by contrast, is negligible: draft a policy, post it on your website, implement access logging.

1. The Statutory Framework: California’s ALPR Law

California’s ALPR Law was enacted in 2015 through Senate Bill 34 and became effective January 1, 2016. The law was a response to the rapid proliferation of automated license plate recognition technology across both public and private sectors. Legislative reports at the time documented staggering data collection volumes: northern California law enforcement databases alone contained over 100 million plate scans, while private companies held databases exceeding one billion scans.

Definitions and Scope

The ALPR Law defines an “ALPR system” as “a searchable computerized database resulting from the operation of one or more mobile or fixed cameras combined with computer algorithms to read and convert images of registration plates and the characters they contain into computer-readable data” (Civ. Code §1798.90.5, subd. (d)). An “ALPR operator” is any person that operates such a system, with narrow exceptions for transportation agencies subject to Streets and Highways Code §31490.

This definition is critical for parking operators. The court in Bartholomew found that standard LPR-equipped PARCS equipment — the type that reads a plate at entry, prints it on a ticket, and displays it at exit — meets this definition. If your facility’s system captures a plate image, converts it to text via optical character recognition, and stores the result in any searchable format, it almost certainly qualifies as an ALPR system under the statute.

The Seven Required Policy Elements

Section 1798.90.51, subdivision (b)(1) requires every ALPR operator to implement a usage and privacy policy to “ensure that the collection, use, maintenance, sharing, and dissemination of ALPR information is consistent with respect for individuals’ privacy and civil liberties.” The statute specifies seven mandatory elements:

1. Authorized Purposes — The authorized purposes for using the ALPR system and collecting ALPR information.
2. Authorized Personnel — Description of job titles or designations of persons authorized to access/use ALPR information, plus their training requirements.
3. Security Monitoring — How the ALPR system will be monitored to ensure security of information and compliance with applicable privacy laws.
4. Sharing Restrictions — Purposes of, process for, and restrictions on the sale, sharing, or transfer of ALPR information to other persons.
5. Official Custodian — Title of the official custodian or owner of the ALPR system responsible for implementation.
6. Data Accuracy — Reasonable measures to ensure the accuracy of ALPR information and correct data errors.
7. Retention & Destruction — Length of time ALPR information will be retained and the process for determining if/when to destroy it.

The policy must be made publicly available in writing. If the operator has a website, it must be “posted conspicuously” on that site.

Access Logging

Section 1798.90.52 imposes additional obligations. If an ALPR operator accesses or provides access to ALPR information, it must maintain records of that access — including the username and organizational affiliation of each person who accesses the data and the purpose for access. The operator must also require that ALPR information only be used for the authorized purposes described in the published policy.

Private Right of Action and Damages

Section 1798.90.54 creates a private right of action for “an individual who has been harmed by a violation of this title, including, but not limited to, unauthorized access or use of ALPR information or a breach of security of an ALPR system.” Remedies include actual damages “but not less than liquidated damages in the amount of $2,500,” plus punitive damages, reasonable attorney’s fees and costs, and injunctive or declaratory relief. The provision for minimum liquidated damages — independent of proof of actual monetary loss — is what makes this statute a potent enforcement tool, particularly in class actions.

2. The Bartholomew Decision: A Detailed Analysis

The Facts

The facts are deliberately unremarkable — and that is the point. Brendan Bartholomew parked his vehicle at the 1635 Divisadero Medical Center Parking Garage in San Francisco, operated by Parking Concepts, Inc., on multiple occasions in 2022 and 2023. The facility used a standard LPR-based PARCS configuration: upon entry, customers pressed a button at a kiosk and received a printed ticket displaying their license plate number, date, and time. Upon exit, they paid at a station and drove to an exit kiosk where a screen displayed the plate number before the barrier arm lifted.

Bartholomew sued under the ALPR Law, the Unfair Competition Law (Bus. & Prof. Code §17200 et seq.), and the California Constitution’s right to privacy. His central claim: Parking Concepts had never implemented or publicly posted the ALPR usage and privacy policy required by the statute. The trial court (San Francisco Superior Court, Judge Ethan P. Schulman) sustained Parking Concepts’ demurrer without leave to amend. The appellate court reversed.

Your Garage Probably Operates an “ALPR System”

Parking Concepts argued that the complaint did not sufficiently allege it operated an “ALPR system” as the statute defines the term. The appellate court (Acting Presiding Justice Simons, with Justices Burns and Chou concurring) rejected this, finding it “an entirely reasonable inference” that a system capable of displaying a vehicle’s license plate number on a ticket at entry and a kiosk at exit was using automated cameras combined with computer algorithms to read plates and store the data in a searchable database.

The court also rejected the contention that the plaintiff needed to allege Parking Concepts shares ALPR data with other entities or uses it for particular purposes beyond parking operations. The statutory definition turns on how data is collected and stored, not on the downstream uses to which it is put.

The Harm Question — The Heart of the Decision

This is where the court made its most consequential holding. The analysis proceeded in three stages.

1. Harm does not require monetary damages. The court established that the ALPR Law’s “harm” requirement does not necessitate proof of measurable monetary injury. The availability of minimum liquidated damages ($2,500) demonstrates a legislative intent that cognizable harm extends beyond quantifiable financial loss.

2. Harm requires more than a bare violation. The court held that not every technical violation constitutes actionable harm. The statutory text limiting suits to persons “harmed by a violation” against defendants who “caused the harm” indicates that something beyond the bare fact of a violation is required. The legislative history confirmed this: a single amendment changed the operative word from “violation” to “harm” and simultaneously added two enumerated examples, reflecting a deliberate choice.

3. Collecting data without the required policy IS harm. Having established that harm requires something more than a bare violation but something less than provable monetary loss, the court then held that collecting and using ALPR information without the required publicly available policy constitutes that harm.

Requiring ALPR operators to establish and make public a policy governing use and maintenance of this data is a primary focus of the ALPR Law. This requirement ensures both that ALPR operators consider and make deliberate decisions on this issue, and that individuals can know when and how their ALPR information is being collected and used.

The court’s reasoning rests on two pillars. First, the right to know: the ALPR Law does not impose specific substantive restrictions on private entities’ collection and use of ALPR data. Instead, the statute “vests private entities that collect and use ALPR information with wide leeway to determine what to do with this data.” Given this broad latitude, the policy requirement is a “primary focus” of the statute — it ensures individuals can know which entities are collecting their data and how it is being handled. Collecting data without the policy “harms these individuals by violating this right to know.”

Second, accountability: the policy is the linchpin of the statute’s enforcement architecture. One expressly enumerated example of actionable harm is “unauthorized use” of ALPR information. But within the ALPR Law’s framework, what constitutes “authorized” use is defined by the operator’s own published policy. Without a policy establishing authorized uses, it becomes “much more difficult” to hold operators accountable for unauthorized uses.

What the Court Did Not Hold

The UCL claim failed. Bartholomew’s unfair competition claim was dismissed for insufficient economic injury. His claimed injuries — risk of future identity theft and loss of personal information value — were too speculative. His argument that he would not have parked at the garage had he known about LPR collection was also rejected, following Suchard v. Sonoma Academy (2025) 109 Cal.App.5th 1089.

The constitutional privacy claim failed. Open collection of ALPR data at a single, avoidable location did not constitute an “egregious breach of social privacy norms.” This distinguishes mass surveillance scenarios involving millions of plate scans across wide geographic areas.

No consent requirement. The ALPR Law does not require operators to obtain consent from vehicle owners before capturing plate data. The statute requires transparency (a published policy), not consent (affirmative authorization).

3. The Navarro Precedent and Why It No Longer Controls

Prior to Bartholomew, the principal authority on ALPR Law claims in the parking context was Navarro v. Data (C.D. Cal. 2022, No. 2:20-CV-07370-SVW-SK), a federal district court case involving a class action against parking garage operators and ALPR technology vendors at shopping malls. The Navarro court required proof that a defendant’s “improper handling of data led to its misuse” — effectively demanding evidence of affirmative misuse or mishandling to establish harm.

The Bartholomew court expressly considered and departed from this interpretation. While acknowledging the Navarro court’s reasoning, the appellate panel conducted a more thorough analysis of the statutory text, structure, and legislative history, concluding that the absence of a compliant policy is itself a cognizable harm — not merely a procedural deficiency awaiting some downstream injury.

Under Navarro, an operator without a published ALPR policy could plausibly argue: “No data was misused, so there is no harm.” Under Bartholomew, that argument is no longer available.

The Navarro appeal to the Ninth Circuit was voluntarily dismissed by stipulation in August 2024. The federal case is closed. Bartholomew is now the controlling authority on harm under the ALPR Law in the parking context — binding precedent in the First Appellate District and persuasive authority statewide.

4. The Evolving Regulatory Landscape

California: SB 274 and Continued Legislative Activity

The Bartholomew decision arrives amid significant legislative activity. California Senate Bill 274, introduced by Senator Sabrina Cervantes, would impose new restrictions on public agencies’ use of ALPR data, including a 60-day deletion mandate for non-hit data, random annual audits by the Department of Justice, and requirements that vendor contracts prohibit default access to national ALPR databases.

While SB 274’s restrictions focus on public agencies and do not directly regulate private parking operators, the bill signals the legislature’s continued attention to ALPR privacy. Governor Newsom vetoed a predecessor measure in 2025. The reintroduction suggests the legislature is not backing down. Operators should anticipate that the regulatory framework will tighten over time — not loosen.

The National Picture

California is far from alone. In 2025, at least 16 states introduced ALPR-related legislation. Three states — Arkansas, Idaho, and Virginia — enacted new laws. The common themes across these legislative efforts include data retention limits, mandatory audit trails, strict access controls, and transparency requirements.

Washington State is considering the Driver Privacy Act (SB 6002), which would regulate parking enforcement use of ALPR data, restrict retention periods, prohibit use for immigration enforcement, and create a private right of action for violations. New Hampshire maintains the most restrictive framework nationally, requiring ALPR data to be purged within three minutes of collection absent a law enforcement hit.

For multi-state operators, the compliance landscape is fragmented. But the directional trend is unmistakable: more regulation, shorter retention windows, more transparency requirements, and growing enforcement mechanisms — including private rights of action.

The Plaintiffs’ Bar Discovers the ALPR Law

The Bartholomew decision is part of a broader pattern in which plaintiffs’ counsel are rediscovering existing privacy statutes to target technology-enabled businesses. As Fisher Phillips observed in their analysis of the ruling, the ALPR Law is “yet another example of plaintiffs re-discovering older privacy laws to find a hook into your business.” The Bartholomew plaintiff is represented by Bursor & Fisher, a firm with deep national class action experience. The published appellate opinion provides a template that any competent plaintiffs’ attorney can replicate against any non-compliant operator in California.

5. The Class Action Calculus

The financial dynamics of Bartholomew warrant careful attention. The combination of minimum $2,500 liquidated damages per individual, the holding that policy noncompliance alone constitutes harm, and the high-volume transaction nature of parking operations creates a powerful class action incentive structure.

The Bartholomew case has been remanded for further proceedings. The plaintiff’s counsel estimates the class in the “thousands.” For multi-location operators, the exposure multiplies across every facility. Add attorney’s fees, the possibility of punitive damages, and a multi-year class period extending back to the ALPR Law’s January 1, 2016 effective date, and the aggregate exposure for even a single non-compliant facility is extraordinary.

By contrast, the cost of compliance is minimal: legal counsel to draft a compliant policy, website updates to post it, and coordination with PARCS vendors to implement access logging. The asymmetry between compliance cost and litigation exposure is perhaps the clearest argument for immediate action.

6. Compliance: What Operators Should Do Now

7. The Practitioner’s Perspective

For those of us who have spent careers building and operating parking facilities, the Bartholomew decision is a reminder that the technology decisions we make in the design phase have legal consequences that outlast the construction timeline. LPR has been the backbone of frictionless parking for over a decade. It enables the pay-by-plate systems, the gateless revenue control, the enforcement automation, and the data analytics that modern operators depend on. Nothing in this decision prohibits any of that.

What the decision requires is something we should have been doing all along: telling people what data we collect and what we do with it. The ALPR Law has been on the books since 2016. The EFF’s database of published policies includes over 160 government agencies that have complied. Yet the parking industry — which deploys more LPR cameras in more locations touching more individual consumers than most other private sectors — has been largely silent on the compliance front. Bartholomew is the consequence of that silence.

The path forward is clear. Draft the policy. Post the policy. Log the access. These are not burdens — they are basic operational hygiene for a technology-enabled business.

The operators who act now will protect themselves from the litigation wave that this decision has made inevitable. Those who delay will find themselves explaining to their boards, their clients, and their insurers why a $2,500-per-car liability was allowed to compound month after month when the fix was a single web page.