India data protection

A California Lawsuit Over License-Plate Trackers Exposes What India's Privacy Law Leaves Uncovered

California drivers can sue over ALPR data sharing under a specific statute; India's DPDP Act lets the state exempt itself instead.

ALPR Surveillance: California's Statute vs. India's … People of Internet Research · India 17+ Years of ALPR data retained Motorola's Vigilant database alleg… 150 mph Camera plate-read speed Motorola's ALPR units can capture … 5 California cities named in suit Sacramento, Modesto, Merced, Liver… 2017 Year of Puttaswamy privacy ruling India's Supreme Court established … peopleofinternet.com
ALPR Surveillance: California's Statut… People of Internet Research · India 17+ Years of ALPR data retained 150 mph Camera plate-read speed 5 California cities named in suit 2017 Year of Puttaswamy priva… peopleofinternet.com

Key Takeaways

A Complaint from Sacramento, a Question for Delhi

On June 18, 2026, the law firm Gibbs Mura filed a class action in California against Motorola Solutions and its subsidiary Vigilant Solutions, on behalf of drivers in Sacramento, Modesto, Merced, Livermore and Pleasanton (Gibbs Mura). The complaint alleges that Motorola's automatic license-plate-reader (ALPR) network — cameras that can read plates from vehicles moving up to 150 mph and store more than 17 years of historical location data — shared identifiable vehicle and location records with out-of-state and federal law enforcement agencies without notice or consent (ClassAction.org). It invokes California Civil Code § 1798.90.55(b), which bars a public agency from selling, sharing or transferring ALPR information except to another public agency (California Legislative Information).

The proximate trigger was an April 2026 disclosure that the UC Merced Police Department had been routing ALPR data to Customs and Border Protection, IRS Criminal Investigation and the Secret Service — agencies with no obvious connection to the traffic-safety rationale ALPR programs are usually sold on.

Whatever the suit's outcome, its existence says something worth sitting with in New Delhi: California drivers have a technology-specific statute naming ALPR data, a defined sharing prohibition, and, evidently, a path into court when a vendor and a police department are alleged to have ignored both. An Indian driver photographed by a functionally identical camera network would have none of the three.

What India's Law Actually Covers

The Digital Personal Data Protection Act, 2023 is India's first cross-sectoral privacy statute, passed in August 2023 with implementing rules notified in phases through 2025–2027 (PRS Legislative Research). Against private companies, it gives citizens real consent and access rights. But Section 17 carves out precisely the entities most likely to run an ALPR-style network. Section 17(1) suspends consent and most data-principal rights wherever processing serves "prevention, detection, investigation or prosecution" of an offence. Section 17(2) goes further: the central government may, by notification, exempt any "instrumentality of the State" from the Act altogether, in the interest of state security, public order or sovereignty — with no sunset clause, no independent review requirement, and no obligation to publish a privacy impact assessment before doing so (PRS Legislative Research).

The fair case for that exemption is real. Consent-based rules are a poor fit for investigative work — a suspect cannot be asked to opt in to being tracked — and every mature privacy regime carves out some law-enforcement exception; the EU's Law Enforcement Directive and the US Privacy Act's "routine use" clause both do the same thing in narrower form. The problem with India's version is not that an exemption exists. It is that Section 17(2) exempts without the compensating conditions those other regimes, and California's own ALPR statute, attach to their exceptions: no purpose limitation confining data to the stated use, no cap on cross-agency or cross-border sharing, no retention ceiling, and no independent audit trail.

A Constitutional Backstop That Isn't a Statute

India does have a doctrinal check on paper. In Justice K.S. Puttaswamy (Retd) v. Union of India (2017), a nine-judge bench of the Supreme Court held that any state intrusion on privacy — including surveillance — must be backed by law, serve a legitimate aim, and go no further than necessary to achieve it (Indian Kanoon). That proportionality test is real law. But it is a constitutional backstop that a citizen must litigate to invoke, not a default written into the statute governing how a specific technology may be deployed — which is exactly the gap California's ALPR Data Accountability Act was built to close for license-plate cameras specifically.

That gap is not hypothetical. India's own camera networks are expanding under Safe City projects across multiple cities, and Internet Freedom Foundation's Project Panoptic has spent years tracking facial-recognition deployments nationally, flagging cases where systems went live with no published privacy impact assessment and no public accounting of who can access the data or how long it is retained (Project Panoptic). Panoptic's tracker is built around facial recognition rather than license-plate reading specifically, but the transparency failure it documents — deployment first, disclosure never — is the same structural gap an ALPR rollout would fall into, because both sit inside the same Section 17 carve-out.

The Proportionate Fix Isn't a Lawsuit Culture

India should not import California's model wholesale. A private right of action against every data fiduciary invites nuisance litigation and could chill legitimate policing tools that genuinely reduce crime and recover stolen vehicles — outcomes worth preserving. But there is a proportionate middle path between a blanket state exemption and a US-style tort regime: a narrow, technology-specific rule — mirroring what California did for ALPR specifically — that requires a published purpose limitation, a retention ceiling, a bar on sharing outside the stated law-enforcement purpose, and a mandatory privacy impact assessment before deployment, reviewable by the Data Protection Board rather than left to a unilateral central-government notification.

None of that requires abandoning Section 17's core insight — that consent is the wrong lens for policing data. It requires India to stop treating "exempt from the Act" as a substitute for writing the rules a surveillance technology actually needs. California's ALPR statute did not stop Motorola's network from being built; it gave drivers a specific standard to sue over when the network allegedly broke its own rules. India's Safe City cameras are being built regardless of what the DPDP Act says. The only question is whether anyone will have a specific standard to point to when one shares data it was never supposed to.

Sources & Citations

  1. Gibbs Mura — Motorola ALPR Privacy Lawsuit
  2. ClassAction.org — Motorola Solutions ALPR Complaint
  3. California Legislative Information — Civil Code § 1798.90.55
  4. PRS Legislative Research — DPDP Bill/Act, 2023
  5. Indian Kanoon — Justice K.S. Puttaswamy v. Union of India
  6. Project Panoptic — Internet Freedom Foundation