
A California appellate court just gave every parking operator using license plate recognition technology a reason to check their compliance — this week, not next quarter.
The $2,500-Per-Car Question
On February 5, 2026, the California First District Court of Appeal issued a published decision in Bartholomew v. Parking Concepts, Inc. that should be on every parking operator’s radar. The ruling establishes, for the first time at the appellate level, that a parking garage’s failure to maintain and publicly post a privacy policy governing its license plate recognition system constitutes legally actionable “harm” — even without any evidence that plate data was misused, breached, or shared with third parties.
For operators running LPR-equipped facilities in California, the math is straightforward and sobering. The statute authorizes liquidated damages of $2,500 per affected individual, plus punitive damages, attorney’s fees, and injunctive relief. In a class action context — and the Bartholomew plaintiff is pursuing this as a class action — multiply that figure by every vehicle that has entered your facility. A mid-size garage processing 500 cars per day generates potential exposure in the millions within weeks of operation.
This is not a theoretical risk. The case has been remanded for further proceedings, and the plaintiff’s counsel (Bursor & Fisher, a firm with deep class action experience) has estimated the class size in the “thousands.” The appellate court’s published opinion now provides a clear template for future litigation against any California parking operator using LPR technology without a compliant privacy framework.
What Happened: The Facts
The facts are remarkably ordinary — which is precisely what makes this case so consequential for the industry. Brendan Bartholomew parked at a garage in San Francisco operated by Parking Concepts multiple times in 2022 and 2023. The facility used a standard LPR-based access and revenue control system: upon entry, customers pressed a button at a kiosk and received a printed ticket displaying their license plate number along with the date and time. Upon exit, customers paid at a station and drove to an exit kiosk where a screen displayed their plate number before the barrier arm lifted.
This is a system configuration that thousands of parking facilities across California use every day. The LPR cameras capture a plate image, optical character recognition software converts it to text, and the data is stored — at least temporarily — in a searchable database to match entry and exit transactions.
Bartholomew sued under California’s Automated License Plate Recognition Law (Civil Code §§ 1798.90.5–1798.90.55), enacted in 2015, alleging that Parking Concepts had never implemented or publicly posted the required usage and privacy policy governing its collection of this data. The trial court dismissed the case, finding no actionable harm. The appellate court reversed.
What the Court Actually Held
The appellate panel addressed two threshold questions that operators need to understand.
Your Garage Probably Operates an “ALPR System”
Parking Concepts argued that the plaintiff failed to allege the garage operated an “ALPR system” as defined by statute. The court rejected this, finding it was “an entirely reasonable inference” that a system displaying a vehicle’s plate number on a ticket and exit kiosk was using automated cameras combined with computer algorithms to read license plates and store the resulting data in a searchable database.
The implication is clear: if your facility’s PARCS equipment captures and displays license plate numbers, the court will almost certainly consider it an ALPR system under California law. This includes virtually every modern LPR-based entry/exit system, pay-by-plate configuration, and LPR-based enforcement setup.
No Policy = Harm. Period.
This is the heart of the decision. Parking Concepts argued that “harm” under the ALPR Law requires some affirmative misuse or mishandling of plate data — a data breach, unauthorized disclosure to third parties, or similar misconduct. A federal district court had previously adopted this interpretation in Navarro v. Data (C.D. Cal. 2022).
The appellate court disagreed. Analyzing the statutory text, structure, and legislative history, the court concluded that the ALPR Law’s policy requirement serves two independent purposes: first, it ensures that operators make deliberate decisions about how they collect, use, and maintain plate data; and second, it grants individuals the right to know which entities are collecting their data and how it is being handled.
Collecting and maintaining plate data without the required public policy, the court held, “harms these individuals by violating this right to know.” The court further noted that without a published policy establishing authorized uses, it becomes much harder to hold operators accountable for unauthorized uses — one of the statute’s expressly enumerated examples of actionable harm.
Critically, the court also rejected the argument that small-scale operators (single location, single camera) should be exempt. The Legislature, the court noted, “did not exempt ALPR operators who maintain only a single camera or collect ALPR information from only a single, easily avoidable location.”

What the Court Didn’t Hold
Context matters. The appellate court’s decision is narrower than some initial commentary suggests, and operators should understand the boundaries.
The UCL claim was dismissed. Bartholomew’s Unfair Competition Law claim failed because his alleged injuries — risk of identity theft and loss of value in personal information — were too speculative to establish the economic injury UCL standing requires. His argument that he would not have parked at the garage had he known about LPR data collection was also rejected.
The constitutional privacy claim was dismissed. The court held that open collection of ALPR data at a single, avoidable location was not an “egregious breach of social privacy norms” required for a constitutional privacy violation. This is a significant distinction from mass surveillance scenarios involving law enforcement patrol cars scanning millions of plates across wide geographic areas.
The statute does not require customer consent. The trial court noted, citing the federal Navarro decision, that the ALPR Law does not require operators to obtain authorization from vehicle owners before capturing plate data. Bartholomew did not challenge this finding on appeal.
In other words, the exposure here is specifically about the absence of a compliant policy — not about the act of collecting plate data itself.
Operator Compliance Checklist
The statutory requirements are specific. Under Civil Code § 1798.90.51, an ALPR operator must implement a usage and privacy policy that addresses all of the following elements:
- (A) Authorized purposes — The authorized purposes for using the ALPR system and collecting ALPR information.
- (B) Authorized personnel — A description of job title or other designation of persons authorized to access or use ALPR information, and the training requirements for those persons.
- (C) Security monitoring — A description of how the ALPR system will be monitored to ensure the security of the information and compliance with applicable privacy laws.
- (D) Sharing restrictions — The purposes of, process for, and restrictions on the sale, sharing, or transfer of ALPR information to other persons.
- (E) Official custodian — The title of the official custodian or owner of the ALPR system responsible for implementation.
- (F) Data accuracy — A description of the reasonable measures that will be used to ensure the accuracy of ALPR information and correct data errors.
- (G) Retention and destruction — The length of time ALPR information will be retained, and the process the ALPR operator will utilize to determine if and when to destroy retained ALPR information.
The policy must be made available to the public in writing. If the operator has a website, the policy must be “posted conspicuously” on that site.
Additionally, under § 1798.90.52, if you access or provide access to ALPR information, you must maintain access logs — including the username and organizational affiliation of each person who accesses the data and the purpose for access — and require that ALPR information only be used for the authorized purposes described in your policy.
What Operators Should Do Now

1. Audit Your LPR Footprint
Identify every facility where LPR technology captures plate data. This includes entry/exit PARCS systems, LPR-based enforcement (Genetec, Vortex, T2, etc.), pay-by-plate configurations, and any integration with third-party platforms. If a camera reads a plate and software converts it to text stored in a database — even temporarily — it is likely covered.
2. Draft or Update Your ALPR Policy
The policy must address every element enumerated in § 1798.90.51(b)(2). Some operators in California have already published compliant policies — Park Heavenly, for example, has a detailed ALPR policy page on its website. Use the statutory checklist above as your template. Be specific about data retention periods, authorized access roles, and whether you share data with any third parties (including your PARCS vendor, validation partners, or law enforcement).
3. Post It Publicly and Conspicuously
Website publication is required if you have a website. “Conspicuously” means it should be easily findable — not buried in a legal footer. Consider a dedicated page linked from your main navigation or a prominent notice in your facility’s terms of use. Physical signage at the facility notifying customers of LPR use, while not strictly required by the ALPR Law, provides additional notice that the court acknowledged as a mitigating factor.
4. Implement Access Logging
Under § 1798.90.52, you must maintain records of who accesses ALPR data, their organizational affiliation, and the purpose for access. Work with your PARCS vendor to ensure your system generates these audit trails. If your current system does not support access logging, this is a gap that needs to be closed.
5. Coordinate with Your PARCS Vendor and Legal Counsel
Your technology vendor is a critical partner in compliance. Understand what data is collected, how long it is stored, whether it is transmitted to any third-party servers, and what access controls exist. Engage California-licensed legal counsel to review your policy before publication — the specifics matter, and an inaccurate or incomplete policy creates its own compliance risk.
The Class Action Calculus
The financial dynamics of this ruling deserve sober attention. The ALPR Law’s $2,500 minimum liquidated damages provision, combined with the court’s holding that policy non-compliance alone constitutes harm, creates a powerful incentive structure for plaintiffs’ attorneys.

Consider a 500-space garage operating at 70% occupancy with average turnover of 1.5 times per day. That’s roughly 525 unique vehicles daily — or approximately 190,000 per year. Even accounting for repeat visitors reducing the unique count by roughly 40%, the potential class size for a single facility accumulates rapidly. At $2,500 per class member, the damages exposure for a facility operating without a compliant policy could reach hundreds of millions of dollars over a multi-year class period. Add attorney’s fees and the possibility of punitive damages, and the economics strongly favor filing.
The Bartholomew case itself has been remanded for further proceedings. The plaintiff’s counsel estimates the class in the “thousands.” For a multi-location operator, the exposure multiplies across every facility. The cost of compliance — drafting a policy, posting it, implementing access controls — is trivial by comparison.
The Bigger Picture: LPR and the Regulatory Landscape
Bartholomew v. Parking Concepts does not exist in isolation. California’s ALPR Law was enacted in 2015, but enforcement against parking operators has been minimal until now. That is changing. At the same time, the California Legislature continues to expand the ALPR regulatory framework: SB 274, introduced in the current session, would impose new restrictions on public agencies’ retention and sharing of ALPR data, including a 60-day deletion mandate for non-hit data.
While SB 274’s public-agency focus does not directly regulate private parking operators, it signals a legislative environment in which ALPR data privacy remains a priority. The broader trend — plaintiffs rediscovering existing privacy statutes to target technology-enabled businesses — is not limited to parking. As Fisher Phillips noted in their analysis of the Bartholomew decision, the ALPR Law is “yet another example of plaintiffs re-discovering older privacy laws to find a hook into your business.”
For parking operators, the lesson is straightforward. LPR technology delivers enormous operational value — frictionless access control, accurate revenue tracking, enhanced enforcement. But deploying that technology without the corresponding compliance infrastructure creates a liability that dwarfs any operational benefit.
The Bottom Line
The Bartholomew decision is a wake-up call, but it is also a manageable compliance challenge. The court did not prohibit LPR use in parking facilities. It did not require customer consent. It did not impose substantive restrictions on how operators use plate data. It held that if you collect this data, you must tell people about it — in the specific manner the statute requires.
That is a policy you can draft this week. Post it this month. And protect your operation from a class action risk that compounds with every car that enters your facility.
Frequently Asked Questions
Does this ruling apply to all parking garages in California?
It applies to any person or entity operating an ALPR system in California, which the court interpreted broadly. If your facility uses cameras to read license plates and stores that data in any searchable format — even temporarily — you are likely covered. The court explicitly rejected the argument that single-location or single-camera operators should be exempt.
What exactly is an “ALPR system” under California law?
California Civil Code § 1798.90.5(d) defines it as “a searchable computerized database resulting from the operation of one or more mobile or fixed cameras combined with computer algorithms to read and convert images of registration plates and the characters they contain into computer-readable data.” The court found that standard LPR-equipped PARCS systems meet this definition.
Do I need to get customer consent before scanning license plates?
No. The trial court in Bartholomew found — citing the federal Navarro decision — that the ALPR Law does not require operators to obtain authorization from vehicle owners before capturing plate data. The plaintiff did not challenge this on appeal. However, you must have a compliant usage and privacy policy publicly available.
What are the damages if I don’t comply?
The ALPR Law provides for actual damages “but not less than liquidated damages in the amount of $2,500” per individual harmed, plus punitive damages, attorney’s fees, and injunctive relief (Cal. Civ. Code § 1798.90.54(b)). In a class action, this amount applies per class member, creating exposure that scales with the number of vehicles your facility processes.
Can I just add an LPR notice to my existing website terms of service?
That alone is unlikely to be sufficient. The statute requires a dedicated usage and privacy policy addressing seven specific elements enumerated in § 1798.90.51(b)(2), and it must be “posted conspicuously” on your website. A buried clause in a general terms page may not meet the conspicuousness standard. A dedicated ALPR policy page is the safer approach.
What if my PARCS vendor handles all the data — am I still responsible?
Yes. The ALPR Law imposes obligations on the “operator” of an ALPR system, which includes persons that “own, operate, or manage” the system. If you contract with a vendor to provide LPR technology at your facility, you are the operator. You should also understand whether your vendor constitutes an “end-user” with its own separate obligations under the statute.
Does this case affect operators outside California?
The ruling directly applies only under California law. However, other states are enacting or considering similar ALPR privacy statutes. The case signals a broader trend toward ALPR accountability that operators nationwide should monitor. Additionally, if you operate facilities in multiple states and any are in California, you need compliance for those California locations.
Is the Bartholomew case final?
The appellate opinion was filed February 5, 2026, and modified with rehearing denied on February 27, 2026. The case has been remanded to San Francisco Superior Court for further proceedings on the ALPR Law claim. The published portions of the opinion (addressing the ALPR Law) now serve as binding precedent within the First Appellate District and persuasive authority statewide.
How long do I have to come into compliance?
The ALPR Law has been in effect since January 1, 2016. There is no grace period or new compliance deadline created by the Bartholomew decision — the obligation to maintain and publish a policy has existed for a decade. Every day without a compliant policy adds to the potential class period and damages exposure. The time to act is now.
Sources & References
Primary Legal Sources
- Bartholomew v. Parking Concepts, Inc., No. A171546 (Cal. Ct. App. 1st Dist., Div. 5, Feb. 5, 2026) — Original published opinion from the California Courts website
- Bartholomew v. Parking Concepts, Inc. — Order Modifying Opinion and Denying Rehearing (Feb. 27, 2026)
- Bartholomew v. Parking Concepts, Inc. on Justia — Full text of the opinion
California ALPR Statutes
- Cal. Civ. Code § 1798.90.5 — Definitions (ALPR system, ALPR information, ALPR operator)
- Cal. Civ. Code § 1798.90.51 — ALPR operator obligations (usage and privacy policy requirements)
- Cal. Civ. Code § 1798.90.52 — Access logging and authorized use requirements
- Cal. Civ. Code § 1798.90.54 — Private right of action and damages ($2,500 liquidated minimum)
- SB 274 (2025–2026 Session) — Pending legislation on public agency ALPR data retention
Legal Analysis & Commentary
- Fisher Phillips — “California Court Finds Harm in Collection and Use of License Plate Information without Privacy Policy: 4 Steps Your Business Should Take”
- Metropolitan News-Enterprise — “Misuse of Data Is Not Required Harm for Liability Under License Plate Privacy Law”
- Northern California Record — “License plate scans could rev up class actions vs CA parking garages”
- Underberg & Kessler — “What New York Municipalities Should Know About License Plate Camera Risks” (citing Bartholomew in broader ALPR context)
Industry Resources
- Electronic Frontier Foundation — California Automated License Plate Reader Policies — Database of 160+ published ALPR policies
- Park Heavenly — ALPR Policy — Example of a parking operator’s published ALPR compliance policy
- BART — ALPR Policy Annex — Example of a public transit agency’s ALPR compliance framework
Case Citation: Bartholomew v. Parking Concepts, Inc., No. A171546 (Cal. Ct. App. 1st Dist., Div. 5, Feb. 5, 2026), certified for partial publication. Modified and rehearing denied Feb. 27, 2026. San Francisco Superior Court No. CGC-24-612624.
Disclaimer: This article is provided for informational purposes only and does not constitute legal advice. Operators should consult with California-licensed legal counsel regarding compliance with the ALPR Law and related statutes.
