Dissecting the legal privacy implications of California’s digital license plate law

The California digital license plate is here. Earlier this year, Governor Gavin Newsom approved AB 984, updating Section 4463 of the Vehicle Code, which now permits California drivers to permanently use digital license plates. 

With the implementation of this new bill, California joins states like Arizona, Michigan, and Texas in transitioning from conventional vehicle license plates and registration paraphernalia to digital alternatives. Specifically, this legislation mandates the Department of Motor Vehicles (DMV) to maintain a program allowing for digital alternatives to the conventional stickers, tabs, license plates, and registration cards we’re accustomed to.  

Admittedly, AB 984 presents opportunities as well as challenges. While the law undoubtedly seeks to enhance the efficacy of vehicle registration, it simultaneously opens the door to a myriad of legal disputes concerning privacy, employee rights, and misuse of tracking technologies.  

This article explores these potential areas of contention, providing lawyers and other legal professionals with a glimpse into the landscape of potential disputes stemming from this new law.  

Potential privacy issues from the California digital license plate law

In an age where digitization has invaded almost every facet of daily life, AB 984 introduces new territory for potential privacy conflicts. Chief among these concerns is the utilization of GPS tracking technologies.

While the law is explicit in its guidelines concerning the usage and prohibition of such tools, the very nature of digital tracking presents an array of potential violations.  

From unauthorized location tracking to unforeseen data breaches, this section delves into the principle challenges that may arise as traditional vehicle registration collides with the digital era’s intricacies. 

Issue 1: Unauthorized tracking 

Assembly Bill 984 sets guidelines on how digital tracking should be employed. Nonetheless, the expansive nature of technology and its rapid evolution presents complexities that can sometimes outpace legislative foresight.

Understanding the various facets of unauthorized tracking is crucial, not just for legal compliance but also to ensure the protection of individual privacy rights. 

What constitutes unauthorized tracking? 

Unauthorized tracking, as inferred from AB 984 and its underlying ethos, can be broadly characterized as any unwarranted or non-consensual use of vehicle location technology to monitor, locate, or surveil an individual or their vehicle. Within the framework of this legislation, tracking becomes unauthorized when: 

1. It’s done on digitized registration devices that aren’t explicitly exempted, such as fleet or commercial vehicles; 
2. The tracking occurs outside the stipulated work hours for employees without explicit need or justification; 
3. It’s conducted without the explicit knowledge and affirmative opt-in of the user, or in the absence of a clear visual indication of active tracking on the device; or 
4. Employers or other entities use the data gathered for purposes beyond those directly related to the performance of an employee’s duties or without first providing a comprehensive notice detailing the nature, extent, and purpose of monitoring.  

Where do the biggest risks of unauthorized tracking come from? 

Digitized tracking devices are always at risk for misuse, and the technologies envisioned by AB 984 are no exception. It’s not hard to conceive of numerous people and entities that might be motivated to engage in unauthorized tracking. 

Most pressingly, some employers might be tempted to keep a closer eye on their employees beyond the stipulated work hours, even though the law mandates otherwise.

Moreover, as with any digital technology, there is a risk of hacking. Malicious entities might also seek to access location data for a variety of reasons, including theft, surveillance, or data selling. 

Are there consequences for unauthorized tracking? 

The consequences of unauthorized tracking under AB 984 are framed to safeguard the privacy rights of individuals and to ensure that employers and third-party vendors act within the legal bounds when utilizing vehicle location technology. Based on the bill’s provisions, the repercussions for violations include: 

• Civil penalties: Employers who engage in unauthorized monitoring face financial consequences. An initial violation incurs a penalty of $250. Subsequent violations result in a heftier penalty of $1,000 per employee, assessed for each violation, for each day the unlawful monitoring persists without proper notice. 
• Labor Commissioner enforcement: The Labor Commissioner is authorized to enforce these provisions. This means that, besides civil penalties, the Labor Commissioner has the discretion to issue citations against employers who do not adhere to the rules. The processes for issuing, contesting, and enforcing these citations mirror those applied to other labor code violations. 
• Employee rights: Employees who believe they’ve been subject to unauthorized tracking, especially if done as a form of retaliation for disabling a device’s monitoring capabilities outside of work hours, have the right to file a complaint with the Labor Commissioner. If vindicated, they are entitled to remedies which could include reinstatement and reimbursement of lost wages and other damages caused by any retaliatory actions. 
• Transparency and accountability for vendors: Third-party vendors that provide GPS tracking services to employers using the alternative devices must, upon request, supply any required reports or information to the Labor Commissioner or the Division of Labor Standards Enforcement. This ensures an added layer of accountability and transparency in the tracking ecosystem. 

Ultimately, the bill’s provisions are designed to provide a robust deterrent against any potential misuse of tracking technology while balancing the operational needs of businesses. 

Issue 2: Data breaches 

The introduction of a California digital license plate also presents a whole new potential for data breaches. As the law allows for the exchange of specific data between the DMV and these alternative devices, concerns have arisen about the safety of this data exchange, potential vulnerabilities, and the implications of unauthorized access. 

How data breaches might occur 

As with any digital device, the alternative devices introduced by this legislation may have vulnerabilities that hackers can exploit (indeed, vulnerabilities were discovered almost as soon as the bill was signed into law). Firmware flaws, software bugs, or weak encryption methods could render the device susceptible to unauthorized access. 

Moreover, the data exchanged between the DMV and these new devices might be intercepted during transmission, especially if not adequately encrypted or if transmitted over insecure networks. 

Finally, the involvement of third-party vendors in providing GPS tracking or related services could introduce additional weak points.

These vendors might not always follow best security practices or may use systems that become points of entry for malicious wrongdoers. 

Does AB 984 prescribe penalties for data breaches? 

AB 984 is particularly strict about the kind of data that can be shared between the DMV and the digitized license plate providers.

Specifically, the exchange is limited to data necessary for displaying evidence of registration compliance. The law explicitly states that the DMV shall not receive or retain any information regarding the movement, location, or use of a vehicle or person with an alternative device. 

That said, the legislation does not provide explicit penalties tailored for data breaches. Nevertheless, it’s worth noting that California has robust data protection and breach notification laws outside of AB 984.

Under the California Consumer Privacy Act (CCPA), for example, organizations that suffer data breaches can face significant penalties, be required to notify affected consumers, and may be exposed to civil litigation. 

In the context of AB 984, any data breach would not only have legal implications but could also erode public trust in the use of such alternative devices, potentially impacting their broader adoption. 

Issue 3: Secondary use of data 

In the digital age, data has emerged as a valuable commodity. With the implementation of AB 984, there will be an influx of data generation related to vehicles and their usage.

While the primary intention of this data is to ensure compliance with vehicle registration requirements, the potential exists for secondary uses of this data. This, of course, raises privacy concerns and questions about the appropriateness and legality of such uses. 

How secondary data might be used 

Anyone who has paid attention to the ads that pop up within their social media accounts knows that data concerning consumer habits is used relentlessly by anyone who can get their hands on it.

If companies learn to harness vehicle data to understand user behavior, driving patterns, or frequent locations, they might then use this information to target specific advertisements or offers to individuals.  

Likewise, insurance companies might be interested in accessing data to analyze driving behaviors, frequented locations, or time spent driving to adjust insurance rates or offer tailored packages. This may or may not benefit consumers. 

That said, driving data could also be used for the common good. For example, aggregated data from multiple vehicles could be used by municipalities or private firms to analyze traffic patterns, peak congestion times, or to inform infrastructure development projects. If any state needs additional technology to improve traffic, it’s certainly California. 

Hopefully, any concerns about secondary data usage with any California digital license plate will be moot. The legislation is clear that the DMV cannot receive or retain data about vehicle movement, location, or use of an individual with an alternative device. 

More potential disputes stemming from AB 984 

Laws concerning emerging technologies often have ambiguities or unanticipated scenarios that can lead to gray areas or disputes. AB 984 is no exception. Some potential gray areas that will undoubtedly lead to litigation include: 

• Definition of “strict necessity” in employee monitoring: The legislation mentions that employers can use the tracking technology during work hours if it’s “strictly necessary for the performance of the employee’s duties.” The term “strictly necessary” might be subject to various interpretations. What one employer deems as strictly necessary might not align with an employee’s or a court’s perspective. 
• Disabling vehicle location technology: The law states that the vehicle location technology should be “capable of being disabled by the user.” There might be disagreements or disputes regarding how easy it should be to disable the technology, how users are informed about this capability, and whether any data is still collected when it’s supposedly disabled. 
• Integration with other privacy laws: As AB 984 operates within the broader framework of California’s privacy laws, there could be gray areas concerning how those laws impact information collected from digitized plates. For example, under the CCPA, consumers have a right to request that businesses delete personal information they’ve collected and to tell their service providers to do the same. Will drivers be able to make the same request of the DMV or of employers who collect information about their driving habits? 

Conclusion

Without a doubt, the California digital license plate represents a forward-thinking approach to vehicular registration. As with many aspects of digitization, however, comes a plethora of privacy concerns and ambiguities.

The balance between convenience and privacy, the parameters around employee surveillance, and the potential for data breaches or misuse underscore the challenges of regulating emerging technologies.  

As this law is applied in the coming years, it will be imperative for legal professionals to navigate its nuances carefully, ensuring both technological advancement and the protection of individual rights.