The growing use of license plate tracking systems by companies like Flock Safety and Motorola’s VehicleManager has transformed routine drives into continuously recorded digital trails. Originally designed to capture license plate data, these systems have rapidly advanced into highly sophisticated surveillance tools. With the integration of artificial intelligence, cameras can now identify not only vehicles but also faces and other distinguishing features, silently building detailed records of individuals’ movements.

This technological shift raises an important question about the effectiveness of existing privacy protections. Laws governing surveillance vary widely across states, making it difficult to determine which frameworks are truly effective and where gaps remain.

To better understand the landscape, insights were gathered from Chad Marlow, senior policy counsel and lead for surveillance at the American Civil Liberties Union. He emphasized that meaningful privacy protection requires collective effort rather than individual action. "Collective action, rather than individual action, is required," Marlow told. He also warned, "I would caution that while Flock is the most problematic ALPR company in America, there are many other ALPR companies, like Axon and Motorola, that present serious privacy risks, so switching from Flock to Axon/Motorola ALPRs at best may constitute minimal harm reduction, but it is far from a solution."

Current legislation largely focuses on two major tools used by law enforcement: automatic license plate readers (ALPRs), which track vehicles, and drones equipped with AI-enabled cameras. Meanwhile, companies are expanding into traditional surveillance cameras capable of live monitoring and tracking individuals on the ground.

Advanced AI capabilities, such as Flock’s “Freeform” search feature, allow authorities to input open-ended queries and retrieve results from vast camera networks. These developments highlight the need for updated and comprehensive regulations. Several categories of laws are emerging as particularly impactful:

Some of the most comprehensive laws limit what AI-powered cameras are allowed to detect and analyze. While not always targeting ALPRs directly, they regulate how data can be searched and used. Illinois stands out with its Biometric Information Privacy Act (BIPA), which protects sensitive identifiers like facial data and fingerprints and requires user consent. This law is so strict that certain features, such as facial recognition in consumer devices, are disabled within the state. However, many of these laws still exclude vehicle and license plate data, which often remains unprotected.

Several states allow ALPR usage only under defined circumstances, such as serious criminal investigations. These restrictions prevent widespread deployment by private entities like homeowners associations or businesses and may also limit camera placement in certain public areas.

One of the most effective privacy safeguards requires that collected data be deleted within a set timeframe unless tied to an active investigation. This prevents long-term tracking and profiling of individuals. As Marlow explained, "The idea of keeping a location dossier on every single person just in case one of us turns out to be a criminal is just about the most un-American approach to privacy I can imagine."

States like New Hampshire enforce extremely short data retention limits, requiring deletion within minutes if the data is not used. Others allow slightly longer windows. "For states that want a little more time to see if captured ALPR data is relevant to an ongoing investigation, keeping the data for a few days is sufficient," Marlow told me. "Some states, like Washington and Virginia, recently adopted 21-day limits, which is the very outermost acceptable limit." He further cautioned that prolonged storage makes it easier to build behavioral profiles "that can eviscerate individual privacy."

Certain states prohibit sharing surveillance data beyond state borders, including with federal agencies. These measures aim to limit access by organizations such as the Department of Homeland Security or ICE, though enforcing such restrictions remains a challenge. As Marlow noted, "Ideally, no data should be shared outside the collecting agency without a warrant," Marlow said, "But some states have chosen to prohibit data sharing outside of the state, which is better than nothing, and does limit some risks."

Another approach involves requiring state-level approval before installing ALPR systems. The rigor of these processes varies significantly. For example, Vermont implemented strict approval mechanisms that ultimately discouraged adoption altogether, with no agencies using ALPR systems by 2025.

Despite these efforts, new privacy laws often face resistance from companies and law enforcement agencies, sometimes leading to legal disputes and slow enforcement. Additionally, legislative proposals frequently evolve during the approval process, making it important for citizens to stay informed and engaged.

Advocacy groups and public participation also play a critical role. Initiatives like The Plate Project encourage individuals to take part in privacy discussions and reforms. Local involvement, such as attending city council meetings, can influence decisions on surveillance technology before implementation.

Ultimately, as surveillance capabilities continue to expand, the effectiveness of privacy protections will depend on both robust legislation and active public oversight.