ALPR litigation in 2025-2026: how license-plate readers are getting tested under DPPA

What's happening

Automated license-plate readers, or ALPRs, are cameras that photograph plates and run them against databases. Toll roads use them. Parking apps use them. Police agencies use them. The biggest vendor in the police space is Flock Safety. There are others.

The cameras log every plate that passes. The vendor stores the data. Officers, sometimes other agencies, and sometimes vendor employees can query it. You type a plate, you get a list of times and places that plate was photographed. The system was sold as a tool for finding stolen cars and Amber Alert vehicles. It does that. It also stores millions of plate hits on people who've done nothing wrong.

In 2025 and 2026, plaintiffs started suing under the Driver's Privacy Protection Act. The DPPA is a 1994 federal law that limits what state DMVs can hand out about drivers. It lists 14 specific situations where disclosure is allowed. Insurance investigations. Court cases. Things like that. If someone pulls a DMV record outside those 14 situations, you can sue them for at least $2,500 per violation, plus punitive damages and attorney fees.

The theory in the new cases: when a Flock camera captures a plate and the system links it to the registered owner's name and address (which came from the DMV), the data pipeline now contains DMV-derived personal info. Sharing that data outside the 14 permitted purposes is a DPPA violation. Both the agency that bought the system and the vendor that runs it can be on the hook.

Venable's privacy practice flagged the trend in a February 2026 client alert. The cases are still working through the courts. Some have settled. Some are headed to summary judgment. The exposure is real enough that vendors are tightening access controls and agencies are getting more careful about who they let query the system.

Why it matters for first responders

Three reasons.

First, your personal vehicle is in these databases. Park your truck at the precinct, at your gym, at your kid's school. Any of those locations can have a Flock camera within range. Your plate gets logged. The system links plate to name to address. Every officer with database access can pull your home address by typing your plate.

Second, undercover and federal officers face a sharper version of this. A cover identity that holds up under normal scrutiny can break when an adversary photographs the personal vehicle and runs the plate through a friendly query. Plate-to-address pipelines are one of the higher-risk exposures in undercover work.

Third, the lawsuits cut both ways. Agencies that bought ALPR systems on the assumption that "it's just public" are now being told that no, the linked data is DPPA-protected, and an officer who queries a plate without a permitted purpose can personally face a damages claim. Train accordingly.

Where this stands as of April 2026

The DPPA framework is settled. The 14 permitted purposes are listed in 18 USC 2721(b). Private right of action under 2724 with $2,500 minimum damages.

What's new is how courts are applying this to ALPR. A few signals from the past year.

• Multiple class actions filed against ALPR vendors and partner agencies in 2025, alleging that bulk plate-data sharing violated DPPA.
• Venable's February 2026 alert flagged the rising frequency of these cases and the open question of whether ALPR-derived plate-to-name linkage triggers DPPA at all (vendors say no; plaintiffs say yes; courts are split).
• In Arizona, privacy concerns about Flock cameras hit local news in January 2026. A police-backed bill that would have shielded ALPR data from public-records requests was introduced. Outcome unsettled at last check.
• No Supreme Court case yet. Likely 2027 or later before a circuit split forces one.

The legal question that matters most is whether name-and-address data, once derived from a DMV record, stays DPPA-protected when it flows downstream. Plaintiffs argue yes. Vendors argue that once the data is in their system, it's no longer "obtained from a DMV record" under the statute. Courts are split. The split is what will eventually drive a Supreme Court case.

What an officer or agency can do today

For individual officers:

1. Run your own personal plates through whatever query tool your agency uses. See what's logged. The volume usually surprises people.
2. If you have a DMV-confidentiality election available in your state (CA Veh. Code 1808.4, NJ 39:2-3.4, others), file it. That keeps your name off the DMV record that feeds the broker pipeline. It does not stop the camera from photographing your plate.
3. For undercover work, talk to your supervisor about plate strategy. Some agencies will issue a non-personal plate for undercover vehicles. Some won't.

For agencies:

1. Audit who has query access. Restrict to a permitted-purpose framework. Log every query with the named purpose. The lawsuits target agencies that let any sworn officer pull any plate for any reason.
2. Vendor contracts should require DPPA-compliant access controls and indemnify the agency for vendor-side leakage.
3. Don't share aggregated plate data with non-LE third parties without legal review. A plate-data feed to a private-sector partner is the cleanest DPPA violation a plaintiff's lawyer could ask for.

What to watch

A few things will move this fast.

• A federal appeals decision squarely holding that ALPR-derived data is DPPA-covered. Once one circuit rules, others will follow within a year.
• Vendor consent decrees. Flock or one of its competitors settling a class action with mandated access controls will set the floor for the industry.
• State-level legislation. Some states will try to shield ALPR data from public-records requests (the Arizona bill is one example). Others will pass the opposite (mandatory disclosure of agency use). The patchwork gets messier before it gets simpler.
• A high-profile abuse case. ALPR systems have already been misused for personal lookups by officers tracking spouses or stalkers tracking exes. The next big news cycle will probably involve one of those. That tightens access controls everywhere.

If you want context on the underlying federal statute, see our DPPA explainer. For the broader landscape of how plate lookups feed broker pages, see license-plate lookups as a threat vector.