SF4850

Purpose

This bill updates Minnesota’s automated license plate reader (ALPR) provisions to address how third-party service providers handle ALPR data and to strengthen oversight, accountability, and privacy protections.

Key Definitions

• Automated license plate reader (ALPR): a device that records data or photos of vehicles or license plates and can compare that data to law enforcement databases for investigations. It includes devices operated by non-government entities if the data are shared with a law enforcement agency.
• Share/sharing access or accessing: any act by which an agency makes ALPR data available to or allows querying by another person or entity, including through third-party service providers or nationwide search capabilities.
• Third-party service provider: an entity a law enforcement agency contracts with or uses to collect, create, receive, maintain, or disseminate ALPR data on the agency’s behalf.
• Traffic safety camera system: defined as in state law (different from ALPR unless referenced in this context).

Main Provisions

• Expanded definition of ALPR and data sharing

  • ALPR can include data handled by a non-government device if the data are shared with a law enforcement agency.
  • “Share/access” explicitly covers third-party platforms, databases, and multiagency or nationwide searches.

• Biennial audit requirement (new and strengthened oversight)

  • Agencies must keep records showing when ALPR data were collected and how those data are classified.
  • Agencies must arrange an independent biennial audit to verify:
  • how data are used and classified
  • whether data are destroyed as required
  • whether the agency complies with the law
  • Audits must have complete access to all records, logs, audit trails, query histories, and systems, including those managed by third-party providers.
  • If the state auditor or commissioner finds substantial noncompliance, the agency’s ALPR devices may be suspended until compliance is restored.
  • Audit results are public and must be reported to the commissioner of administration, relevant legislative committees, and the Legislative Commission on Data Practices within 30 days of audit completion.

• Access authorization and data governance (new and detailed controls)

  • Agencies must follow applicable data access laws and have written procedures limiting access to authorized personnel for legitimate, specified, and documented law enforcement purposes.
  • Access must be tied to a reasonable suspicion that data are pertinent to an active criminal investigation and must include the factual basis, case number, or incident connection.
  • Access control uses role-based access aligned with duties and training, and all queries, responses, and data actions must be recorded in a data audit trail.
  • Data audit trails are public to the extent allowed by law.
  • Any access to ALPR data by a person outside the agency (including through a third-party service provider) must be authorized in writing by the agency head or designee.
  • The agency remains responsible for ensuring full compliance with these rules, even when third-party providers manage access.

Changes to Existing Law

• Clarifies that ALPR data can involve devices owned by non-government entities if data are shared with law enforcement, and it broadens the concept of data sharing to include third-party platforms and cross-agency or nationwide access.
• Adds mandatory independent biennial audits of ALPR data practices, with public audit results and potential suspension of ALPR operations for noncompliance.
• Strengthens access controls, requiring written authorization, documented justification, and a transparent data audit trail for all ALPR data queries and actions, including those conducted via third-party providers.

Implications and Oversight

• Increased transparency: audit results and data trails become public where not restricted by privacy laws.
• Stronger privacy protections: access is tightly controlled, justified, documented, and auditable.
• Greater accountability: independent audits and possible device suspensions provide enforcement leverage to ensure compliance.
• Expanded role for third-party providers: while they can manage data handling, agencies retain ultimate responsibility for lawful use and compliance.

Potential Impacts to Watch

• Agencies will need robust systems to maintain logs, enable audits, and manage role-based access.
• Third-party providers must coordinate with agencies to allow auditor access to systems and data.
• There may be short-term operational adjustments as agencies implement new procedures and audit processes.

Relevant Terms - automated license plate reader (ALPR) - ALPR data - license plate data - third-party service provider - share/access - data practices - data audit trail - query histories - independent biennial audit - classification of data - destruction of data - reasonable suspicion - active criminal investigation - role-based access - authorization in writing - chief of police - sheriff - commissioner of administration - public audit results - data transparency - suspension of ALPR devices - records and logs - cross-agency or nationwide search capability