A California appellate court has just answered a question most parking operators never thought to ask: what happens if you run a license plate recognition system for years without ever writing down — let alone posting — a policy governing what you do with the data it collects?

On February 5, 2026, the California Court of Appeal, First Appellate District, issued a published decision in Bartholomew v. Parking Concepts, Inc. (No. A171546) holding that the answer is: you can be sued, and you can lose, even if nothing was ever misused, breached, or shared with anyone. The missing policy is the harm. That is a meaningfully different standard than most operators — and most of their insurance brokers — have been operating under, and it applies well beyond California’s borders as a signal of where LPR privacy litigation is headed next.

This is not a technical-compliance walkthrough of exactly which fields belong in an ALPR policy document — that level of detail is better suited to a systems-and-IT-focused treatment. This piece is about what the ruling means operationally and legally: why the case matters, what exposure now looks like, and what decisions ownership and operations leadership need to make in the next reporting cycle, not eventually.

What Happened in the Case

Brendan Bartholomew parked his vehicle multiple times in 2022 and 2023 at a San Francisco garage operated by Parking Concepts, Inc. The facility ran a standard LPR-based access and revenue-control setup: a customer pulls up to a kiosk, presses a button, and receives a printed ticket showing the vehicle’s license plate along with the date and time of entry. Functionally, this is close to how a large share of the industry’s gated and gateless facilities already operate.

Bartholomew sued under California’s Automated License Plate Recognition Law (Civil Code §§ 1798.90.5–1798.90.55), a 2015 statute that requires any business or public agency operating an ALPR system to implement — and make publicly available — a usage and privacy policy describing what plate data is collected, why, how long it is retained, who it may be shared with, and what security measures protect it. This sits alongside the broader data privacy compliance obligations parking operators already navigate under the DPPA and state consumer privacy statutes. His claim was narrow and, on its face, almost technical: Parking Concepts, he alleged, had never implemented or published that policy at all.

The trial court in San Francisco Superior Court dismissed the case, reasoning that Bartholomew had not alleged any actual harm — no evidence his plate data was misused, no breach, no third party he could point to who improperly received it. That is the instinctive reading a lot of operators and their counsel would have shared going into 2026: no injury, no case.

The Court of Appeal reversed. The panel held that the ALPR Law’s policy-and-disclosure requirement exists precisely to give the public transparency and accountability over how this category of surveillance data is handled — and that denying a customer that transparency is itself the harm the statute was written to prevent. The court explicitly rejected the argument that a plaintiff must show “measurable monetary damages” or “affirmative misuse or mishandling” of the data to have a viable claim. The case was remanded to the trial court for further proceedings on the merits of the ALPR Law claim.

Why “No Misuse Required” Is the Part That Matters

Every operator running an LPR-based access, payment, or enforcement system for the first time has, in some form, run the mental calculation: we’re not doing anything wrong with this data, so what’s the actual risk? Bartholomew answers that question directly, and not in the industry’s favor. The court’s holding decouples the legal exposure from the operational conduct. An operator can have flawless data-security practices, never share a single plate record with a third party, and never suffer a breach — and still face liability solely because the paperwork required by the statute was never written or never posted where the public could find it.

That is a fundamentally different risk profile than the one most facilities have been managing toward. Data-breach exposure is the scenario operators have spent the last several years hardening against — encrypting stored plate data, restricting vendor access, running incident-response tabletop exercises. Bartholomew establishes a parallel and, in practical terms, far more common exposure: a paperwork gap that likely exists at a large share of LPR-equipped facilities right now, simply because the ALPR Law has sat on the books since 2015 with comparatively little enforcement attention until this decision.

The Damages Math Operators Need to Run

California’s ALPR Law authorizes liquidated damages of $2,500 per affected individual, in addition to punitive damages, attorneys’ fees, and injunctive relief, under the statute’s private right of action (Civil Code § 1798.90.54). Bartholomew is proceeding as a putative class action, and the exposure math is not subtle: a mid-size garage processing a few hundred vehicles a day, over a multi-year period in which no compliant policy existed, generates a class of “affected individuals” that can run into the tens of thousands. At $2,500 each before any multiplier for punitive damages or fees, that arithmetic gets uncomfortable quickly for even a modestly sized operation.

Whether “per affected individual” ultimately gets interpreted as per unique driver, per vehicle, per LPR scan event, or some other unit is not yet settled by this decision, and that ambiguity is itself worth tracking — it is the difference between a serious but survivable class exposure and a company-ending one. Operators should treat that uncertainty as a reason for more urgency, not less.

This Is Not Staying Confined to Parking Garages — or to California

Within roughly six weeks of the Bartholomew opinion, plaintiffs’ firms filed at minimum four additional class actions against businesses deploying LPR-adjacent camera systems, including one against Simon Property Group covering 23 California shopping malls. The pattern is a familiar one in California privacy litigation: an appellate decision establishes a theory of liability, and plaintiffs’ counsel immediately pivots to identify every other business in the state running comparable technology without matching documentation. Parking operators — who were arguably the most exposed category to begin with, given how central LPR has become to gateless and access-controlled facilities — are a clear next wave, not a hypothetical one.

Operators outside California should not read this as someone else’s problem. A handful of other states (Illinois’s BIPA framework for biometric-adjacent data, Texas’s CUBI, and a growing list of comprehensive state privacy statutes) already impose comparable transparency obligations on automated data collection, and California’s ALPR-specific statute is increasingly cited as a template other legislatures look to when drafting their own LPR-specific rules. A ruling that “the missing policy is the harm” in California is the kind of precedent that gets cited persuasively — even where it isn’t binding — the next time a court in another state faces the same fact pattern. Waiting for your own state’s supreme court or legislature to weigh in is not a risk management strategy; it is a bet that plaintiffs’ firms haven’t already mapped your state’s exposure. That is especially true for facilities that have moved to gateless LPR-based enforcement, where plate capture is continuous and the volume of “affected individuals” accumulates faster than in a traditional gated setup.

What Operations Leadership Should Do Now

The instinct after a ruling like this is to hand the problem to IT or the systems vendor and move on. That undersells what actually needs to happen, because the failure the court identified was not a technology failure — it was a governance and documentation failure that sits squarely with operations and ownership. It applies regardless of which generation of LPR technology a facility runs — fixed-camera, mobile, or integrated into a broader access-control platform — since the statute’s disclosure requirement attaches to the data practice, not to any specific hardware.

Confirm whether a compliant policy exists and is actually public. Not a policy that exists in a vendor contract or an internal compliance binder — one that a customer arriving at the facility can actually find, per the statute’s disclosure requirement. If your operation has never specifically confirmed this for every LPR-equipped location, that is the first item to resolve, not the fifth.

Treat this as a multi-location audit, not a single-site fix. Operators running multiple facilities under one entity face the same exposure at every location running LPR without a posted policy. A gap identified and fixed at the flagship garage does not close the exposure at the other nine.

Get outside counsel’s read on your specific footprint before assuming the fix is simple. The precise content requirements for a compliant ALPR policy, and how “affected individual” gets counted for damages purposes, are legal questions this piece is not attempting to answer for your specific facilities — that is exactly the conversation to have with counsel who can assess your actual data flows, retention practices, and vendor relationships. IPMI has flagged ALPR privacy compliance as an active member-advisory topic following the ruling, and its guidance is a reasonable starting point for benchmarking where your policy currently stands.

Revisit vendor and PARCS contracts. If a third-party LPR vendor operates the system on your behalf, confirm contractually who bears responsibility for policy development, hosting, and public disclosure. Several operators are discovering post-Bartholomew that their vendor agreements are silent on exactly this point.

Do not wait for a customer complaint or a demand letter. The plaintiff in Bartholomew was not alleging that anything bad had happened to him — he was alleging that the statute’s transparency requirement was ignored. That is a proactive-compliance problem, not a reactive one, and it is the kind of gap that surfaces itself in a class action complaint before it ever surfaces as an internal audit finding.

Frequently Asked Questions

Does the Bartholomew ruling mean any parking operator using LPR in California is automatically liable?

No. The ruling means an operator can be held liable for failing to implement and publicly post the ALPR usage-and-privacy policy the statute requires — even without proof of data misuse or a breach. An operator that has a compliant, publicly available policy is not automatically exposed simply because it uses LPR technology. The case turns on the absence of required disclosure, not the use of the technology itself.

Does California’s ALPR Law apply outside of California?

No — Civil Code §§ 1798.90.5–1798.90.55 is a California statute and applies to ALPR operators collecting data on Californians or operating within the state. However, several other states have comparable or emerging data-transparency requirements for automated data collection, and legal observers expect Bartholomew’s reasoning to be cited as persuasive authority as similar cases arise elsewhere. Operators outside California should treat this as an early signal, not a reason for inaction.

What is the maximum financial exposure under the ALPR Law’s private right of action?

The statute authorizes liquidated damages of $2,500 per affected individual, plus potential punitive damages, attorneys’ fees, and injunctive relief. In a certified class action, that per-person figure multiplied across a large class — as is being alleged in Bartholomew itself — can produce exposure well into eight figures for a single facility’s operating history. Exactly how “affected individual” will be counted (per driver, per vehicle, per scan) remains an open question the litigation has not yet resolved.

What should an ALPR usage-and-privacy policy actually cover?

At minimum, California’s statute expects a policy describing what plate data is collected, the purpose of collection, retention periods, who the data may be shared with, and the security measures protecting it — and the policy must be made publicly available, not just maintained internally. The exact language and format a specific operator needs is a question for counsel familiar with your actual data flows and vendor relationships, not a template that can be safely copy-pasted from another operator’s website.

Is this the same case referenced in technical LPR compliance checklists?

Yes — Bartholomew v. Parking Concepts is also being covered elsewhere as the basis for step-by-step technical compliance checklists aimed at systems and IT teams responsible for configuring LPR platforms. This article addresses the legal and operational implications of the ruling for facility operators and ownership; it is not a substitute for a technical implementation checklist or for legal advice specific to your facilities.


This article is provided for general informational purposes and does not constitute legal advice. The facts, statutory citations, and case status described above reflect published reporting on Bartholomew v. Parking Concepts, Inc. as of this article’s publish date; litigation status, damages theories, and legal interpretations may change as the case proceeds on remand. Parking operators evaluating their own ALPR compliance exposure should consult qualified counsel familiar with their specific facilities, vendor relationships, and jurisdiction.