Official Summary Text
HB2917 - 572R - Senate Fact Sheet
AS PASSED BY COMMITTEE
AMENDED
ARIZONA STATE SENATE
ANNA NGUYEN
LEGISLATIVE RESEARCH ANALYST
GOVERNMENT COMMITTEE
Telephone: (602) 926-3171
RESEARCH STAFF
TO: MEMBERS OF THE SENATE GOVERNMENT COMMITTEE
DATE: March 24, 2026
SUBJECT: Strike everything amendment to H.B. 2917, relating to government mass surveillance network
Purpose
Outlines official law enforcement purposes for which a law enforcement agency (LEA) may use a government mass surveillance network, including an automated license plate reader (surveillance network). Prescribes requirements relating to the use of a surveillance network, including training, data management and authorization by the qualified electors of a local government jurisdiction before deployment.
Background
The Arizona Department of Transportation must provide every vehicle owner with one license plate for each registered vehicle. The license plate must display the number assigned to the vehicle and vehicle owner. A person must maintain each license plate so that it is clearly legible and securely fastened to the vehicle in a manner that: 1) prevents the plate from swinging; 2) is at a height of at least 12 inches from the ground to the bottom of the plate; and 3) is in a position that is clearly visible. Failure to display a license plate as prescribed is a civil traffic violation (A.R.S. §§ 28-121; 28-2351; and 28-2354).
Except as specifically prescribed, the federal Driver's Privacy Protection Act prohibits a state department of motor vehicles and any officer, employee or contractor of the department from knowingly disclosing or otherwise making available to any person or entity an individual's personal information or highly restricted personal information obtained in connection with a motor vehicle record without the express consent of the person to whom the information applies. Personal information may be disclosed for uses including, but not limited to, use: 1) by any government agency, including any court or law enforcement agency, in carrying out the agency's functions or any private person or entity acting on behalf of a federal, state or local agency; 2) in connection with matters of motor vehicle or driver safety and theft; and 3) in connection with any civil, criminal, administrative or arbitral proceeding in any federal, state or local court, agency or self-regulatory body, including for service of process, investigation in anticipation of litigation and the execution and enforcement of judgments and orders (18 U.S.C. § 2721).
There is no anticipated fiscal impact to the state General Fund associated with this legislation.
Provisions
Voter Approval
1. Prohibits any local government or state agency in Arizona from operating or establishing a surveillance network without notification and approval by a majority of the voters.
2. Limits a vote to approve or deny deployment of a surveillance network to pertain to only the area that the local government has exclusive control over.
3. Requires any local government or state agency that proposes to deploy, contract for or provide funding for a surveillance network technology to publish a public notice declaring its intent to engage in government mass surveillance of the population at least 60 days before any vote for approval.
4. Requires the public notice to be posted on the local government's or state agency's official website, physically posted at the building in which the public hearing will occur and mailed or electronically delivered to each registered voter within the proposed surveillance network coverage area.
5. Requires the surveillance network public notice to include:
   a) the type and number of surveillance networks proposed to be deployed;
   b) the vendor's name and the terms of service for the surveillance network;
   c) the projected annual costs of the surveillance network;
   d) how the data collected from the surveillance network will be handled, retained and destroyed; and
   e) the date, time and location of the public hearings.
6. Requires at least two public hearings to be held, separated by at least 20 calendar days, with the second hearing scheduled at a different time of day than the first hearing.
7. Requires verbal and written public testimony to be received at each hearing regarding the deployment of any surveillance network.
8. Prohibits a limit from being placed on the number of participants who may offer verbal or written public testimony at each hearing.
9. Stipulates that, for a surveillance network proposed by a city, town or county, the governing body may only authorize a ballot measure regarding a surveillance network deployment on 65 percent of the affirmative vote of the full membership of the governing body.
10. Requires the vote of a city, town or county governing body to be recorded by each official's name and made part of the public record.
11. Requires the ballot measure for a county question to deploy a surveillance network to clearly describe, in plain language, the scope, total cost, data handling practices and duration of the deployment of the surveillance network.
12. Requires, if a surveillance network is proposed by the state or a state agency and before deployment of a surveillance network, all of the following to occur:
   a) at least two public hearings must be held in each county, with one public hearing held at the most populous city or town within the county and another public hearing held at the second most populous city or town within the county;
   b) the public hearings are separated by at least 20 calendar days, with the second hearing scheduled at a different time of day than the first hearing; and
   c) upon completion of the public hearings, the Legislature may refer the question of deployment of the surveillance network by the state or a state agency for approval by the voters.
13. Determines that the authority to deploy and administer a surveillance network is vested in the chief of police, county sheriff or Director of the Department of Public Safety (DPS) or the equivalent agency head.
14. Requires the voters to approve a ballot measure for a city or town, county or state agency to deploy a surveillance network at the next general election with at least a 60 percent affirmative vote.
15. Prohibits any public entity that is not explicitly authorized to deploy a surveillance network from authorizing the deployment of a surveillance network for any purpose.
Surveillance Network Regulation
16. Requires a surveillance network authorized by the voters to be installed and configured for the sole purpose of recording and scanning license plates.
17. Prohibits the surveillance network from being capable of photographing, recording, producing or analyzing images of the occupants or contents of any vehicle.
18. Prohibits any surveillance network deployed in Arizona from allowing retroactive searches of any archived license plate data.
19. Requires any license plate data captured by a surveillance network to be compared to the active warrant and alert list within three minutes after the initial capture of the license plate data.
20. Stipulates that, if no match to the active warrant list or alert list is found, then any license plate data captured by the surveillance network must be automatically and irreversibly destroyed in a manner that renders the data unrecoverable.
21. Prohibits license plate data from being transmitted, copied, uploaded or transferred to any external server, cloud system, warehouse or third-party system within four minutes after initial capture of the license plate data, except to the extent necessary to process the comparison between the captured license plate data and the active warrant or alert list.
22. Stipulates that, if the license plate data captured by a surveillance network produces a confirmed match with the active warrant or alert list, then the data on a specific license plate scan may be retained only until the final court disposition of the associated case, after which the license plate data must be destroyed within 30 days.
23. Requires any retained license plate data to be stored by the LEA that collected the license plate data.
24. Prohibits any retained license plate data from being transmitted to a third party, unless authorized by court order.
25. Requires an LEA, before deploying any surveillance network, to register the surveillance network with DPS on forms approved by the Director of DPS.
26. Requires the head of an LEA to certify, in writing, that:
   a) the surveillance network to be deployed meets all outlined surveillance network requirements;
   b) the LEA has policies that conform with the outlined surveillance network requirements; and
   c) each law enforcement officer (LEO) who will operate the surveillance network has successfully completed the required training.
27. Prohibits a surveillance network from incorporating, enabling or being connected to facial recognition technology, vehicle occupant counting, bumper sticker or decal reading, vehicle color detection and make and model profiling beyond what is necessary for license plate identification or any other surveillance beyond license plate reading.
28. Prohibits a surveillance network from capturing or storing global positioning system (GPS) coordinates, speed data or directional traffic information of any vehicle beyond the fixed location of the surveillance network.
29. Prohibits a surveillance network from being directly or indirectly used for the detection, enforcement or prosecution of traffic violations, including speeding, red light violation, expired registration, lapsed insurance or parking offenses.
30. Prohibits surveillance network data, including any positive match with active warrant or alert lists or any authorized purposes as prescribed, from being used as a basis for issuing any traffic violation or related civil penalty.
31. Prohibits any person, agency or entity from using surveillance network data, including any positive match with active warrants or alert lists, scan logs, time stamps or location data or any combination thereof, to construct, infer, analyze or compile a pattern of life, behavioral profile, travel history, routine analysis or movement pattern of any person.
32. Includes, in the prohibition on using surveillance network data to analyze patterns of any person, manual and automated or algorithmic processing, including machine learning, artificial intelligence pattern recognition or any related technological capabilities.
33. Prohibits any declaration of emergency from any official, including the Governor, a local governing body or the head of an LEA from suspending, modifying, waiving or overriding any provision of the prescribed surveillance network regulation.
34. Subjects any surveillance network data collected during any declared emergency to all requirements and limitations of the prescribed surveillance network regulation.
35. Prohibits any data or metadata from a surveillance network, including any de-identified, anonymized, aggregated or redacted data, from being used for mass surveillance, continuous monitoring, population-level movement analysis, traffic flow studies or any other purpose that involves tracking the movements of persons who are not the specific subject of an active authorized investigation.
36. Prohibits a surveillance network from being combined with data from any other surveillance technology, database or data source to enable broader tracking or identification capabilities.
37. Prohibits a surveillance network from being deployed, positioned or used for the purpose of monitoring, surveilling or identifying vehicles or persons engaged in or travelling to or from constitutionally protected activities, including:
   a) political protests, marches, demonstrations or rallies;
   b) attendance at religious services or institutions;
   c) visits to legal counsel;
   d) visits to news media organizations; or
   e) visits to any location where the primary purpose of the visit is the exercise of rights protected by the U.S. Constitution, the Bill of Rights or the Arizona Constitution.
38. Prohibits a surveillance network from being deployed within 500 feet of:
   a) a polling place during any election period;
   b) a location in which an authorized protest, march or demonstration is occurring;
   c) the physical address of any 501(c)(3) or 501(c)(4) nonprofit organization registered in Arizona, except for a post office address; or
   d) a medical facility.
Vendor Requirements
39. Prohibits any vendor that provides surveillance network hardware, software, data processing or related services from acquiring, claiming, asserting or retaining any intellectual property right, trade secret claim, copyright, proprietary interest, license, title or other interest in or to any license plate data, images, metadata, scan records, hit records, alert data or other data captured by or derived from any surveillance network operated under a valid contract with a governmental entity of the state.
40. Deems, as void and unenforceable against the public policy of the state, any provision in a vendor's terms of service, end user license agreement, services agreement, order form or any other contract or instrument that purports to grant the vendor:
   a) a perpetual, irrevocable, royalty-free, worldwide or otherwise surviving license to use, reproduce, modify, distribute or otherwise exploit data captured by or derived from a surveillance network for any purpose, including the development, training, testing, improvement or enhancement of any product, algorithm, service, model or system;
   b) ownership of any intellectual property interest in derivative works, intermediate or final outputs, analyses, reports, models, algorithms, machine learning weights, feature vectors or other results generated from or through the processing of data captured by a surveillance network in Arizona;
   c) the right to retain, copy, aggregate, analyze, sell, license or otherwise use any data captured by or derived from a surveillance network after the termination or expiration of the contract under which the data was collected, regardless of whether the contract contains provisions that purport to survive termination; or
   d) the right to require any governmental entity to waive any outlined provision as a condition of service.
41. Prohibits a vendor from retaining any copy, backup, derivative or reproduction of data captured by a surveillance network beyond the authorized retention periods.
42. Includes, in data that must be destroyed:
   a) the original data and all copies, backups and reproductions in any format on any server, storage medium or system anywhere in the world;
   b) all de-identified, anonymized, redacted or aggregated versions of the data;
   c) all machine learning training sets, model weights, feature vectors and neural network parameters generated in whole or in part from the data;
   d) all derivative works, analytical products, reports, profiles and outputs generated from the data; and
   e) all indexes, hash tables, lookup tables and database entries referencing the data.
43. Prohibits a vendor from circumventing the outlined data destruction requirements by claiming that data has been de-identified, anonymized, redacted, aggregated or otherwise transformed, if the data was originally captured by or derived from a surveillance network in Arizona.
44. Requires a vendor, within 30 days of the termination or expiration of any contract for surveillance network services, to permanently destroy all retained data and certify the destruction in writing under penalty of perjury.
45. Requires the certification to be signed by an officer of the vendor with authority to bind the company and specifically attest that no copy, derivative, training set, model weight or other data product generated from data captured has been retained in any form on any system.
46. Prohibits a vendor from modifying, amending or updating the terms of service, end user license agreement, services agreement or any other contract governing data captured by a surveillance network without prior written consent from the contracting governmental entity.
47. Deems, as void and unenforceable, any provision that permits a vendor to unilaterally modify contract terms by posting updated terms on a website, sending a notification or through any other mechanism that does not require the affirmative written consent of the contracting governmental entity.
48. Requires any contract for the provision of surveillance network services to a governmental entity to be governed by Arizona law.
49. Deems, as void and unenforceable, any provision in a vendor's contract that requires mandatory arbitration, selects the laws of another state to govern disputes or designates a forum outside of the state for the resolution of disputes arising from the collection, retention, use, sharing or destruction of data captured by a surveillance network.
50. Prohibits a vendor from aggregating data captured by a surveillance network with data collected in any other state, jurisdiction or source.
51. Prohibits a vendor from making data captured in Arizona accessible through any national, regional or multi-jurisdictional database, lookup system, data-sharing network or platform, regardless of whether the vendor characterizes such access as a feature of its service.
52. Requires each vendor associated with a surveillance network to submit to an annual compliance audit by the contracting governmental entity or an independent auditor selected by the governmental entity at the vendor's expense.
53. Requires the audit to include examination of the vendor's servers, data storage systems, backup systems, machine learning training pipelines and all systems in which captured data has been processed, stored or transmitted.
54. Requires each vendor associated with a surveillance network to provide complete technical documentation of all data architecture, data flows, third-party integrations and machine learning training processes, which must demonstrate the system is capable of and configured for compliance with all outlined requirements and prohibitions.
55. Subjects a vendor that violates any provision of the prescribed vendor requirements to criminal penalties and a private right of action.
56. Bars a vendor that violates any provision of the prescribed vendor requirements from contracting with any governmental entity in Arizona for surveillance network services.
57. Determines that the vendor requirements are not waivable by contract.
58. Deems, as void and unenforceable as against the public policy of the state, any contractual provision that purports to waive, limit, disclaim or otherwise circumvent the prescribed protections.
59. Prohibits a vendor from conditioning the provision of surveillance network services on the acceptance of terms that conflict with the prescribed vendor requirements.
Third Party Data Access
60. Prohibits surveillance network data, including positive or negative matches with any active warrant or alert list, metadata, scan logs, images or derivative information, from being shared with, sold or transferred to, accessed by or made available to any third party, including:
   a) a federal agency;
   b) another agency of the state, including any task force or for any intergovernmental compact or memorandum of understanding;
   c) an out-of-state LEA or department;
   d) a private entity;
   e) a data broker; or
   f) a surveillance network vendor's network, shared database or national lookup system.
61. Deems, as inadmissible in any criminal, civil or administrative proceeding in Arizona, any surveillance network data obtained, retained, accessed, shared or used in violation of the outlined surveillance network regulation, regardless of the LEO's subjective belief regarding compliance.
62. Determines that evidence is derived from surveillance network data obtained in violation of the outlined surveillance network regulation if the investigation that produced the evidence was initiated, directed or materially advanced by information obtained from such data, regardless of whether the surveillance network data itself is introduced as evidence or whether an independent source for the evidence is subsequently identified.
63. Prohibits an LEA or LEO from using data obtained in violation of the outlined requirements and prohibitions to develop a parallel line of investigation or to identify witnesses, leads, locations or other evidence that is then presented as independently obtained.
Warrant Requirements
64. Prohibits an LEA from querying, accessing or requesting surveillance network data without a warrant that is supported by probable cause and that is issued by a judge of a court of competent jurisdiction that specially authorizes the query, access or request.
65. Prohibits blanket warrants, including:
   a) monitoring of all license plates at a location to determine which persons were present or monitoring of a license plate across multiple jurisdictions without separate authorization for each jurisdiction;
   b) general warrants;
   c) warrants authorizing queries across all jurisdictions or all plates; or
   d) warrants authorizing monitoring of license plates in association with any constitutionally protected activity.
66. Requires a warrant for surveillance network data to specify:
   a) the license plate number to be queried;
   b) the specific authorized purpose;
   c) the specific LEA or agencies to be queried; and
   d) the time period for which any retained matches with active warrants or alert lists are sought.
67. Authorizes surveillance network data to be used exclusively and specifically for:
   a) identification of stolen vehicles;
   b) identification of vehicles associated with persons who are wanted, missing or in danger, including Amber Alerts, Blue Alerts, Seek and Find Alerts and Turquoise Alerts;
   c) identification of vehicles registered to a person who has an outstanding arrest warrant;
   d) identification of vehicles involved in or connected to any felony; or
   e) identification of vehicles subject to an active law enforcement alert or bulletin relating to any homicide, kidnapping, sexual assault or act of terrorism.
LEO Training Program
68. Limits the authority to operate and handle a surveillance network and associated data to only an LEO who has completed a documented training program conducted by an authorized nonprofit for surveillance network operation, legal requirements and privacy protections and the outlined surveillance network regulation.
69. Restricts the ability to request or obtain a warrant for surveillance network data to only an LEO.
70. Requires the LEO to attest under oath that the warrant request meets one of the specific authorized purposes.
71. Requires any access to surveillance network data, including real-time alerts and stored positive data match records, to be logged with:
   a) the identity of the accessing LEO;
   b) the date and time of access;
   c) the license plate number queried; and
   d) the purpose of the access.
72. Requires audit logs to be retained for five years and made available to the court on request.
Traffic Stops
73. Requires an LEO, before initiating a traffic stop, vehicle stop or apprehension based on any information obtained from a surveillance network, to visually verify the license plate number of the vehicle and confirm that the license plate matches the license plate identified in the surveillance network alert.
74. Requires the visual verification of the license plate match to be communicated to dispatch by radio and logged before the stop is initiated.
75. Prohibits a stop, seizure or detention of any person or vehicle from being based solely on an unverified surveillance network alert.
Personal Data Access
76. Allows a person to submit a public records request to any LEA that operates a surveillance network for any data associated with the person's lawfully registered vehicle.
77. Requires the LEA to respond to a public records request within 10 business days.
78. Requires the response from the LEA, if the records are found in the surveillance network data, to include:
   a) the date, time and general location of each scan of the person's license plate;
   b) whether the scan resulted in a positive match with any active warrant or alert list; and
   c) the case number associated with any retained license plate data.
79. Allows a person to request the deletion of any surveillance network data associated with the person's lawfully registered vehicle that is not associated with an active criminal investigation or warrant or alert list match.
80. Requires the LEA to comply with the deletion request within 10 business days and confirm the deletion in writing.
81. Allows an LEA to withhold data pursuant to an active investigation for up to one year from the date of the request.
82. Requires, if an investigation remains active after one year, an LEA to provide the requesting person with all data responsive to the request, redacted as necessary to protect the integrity of the investigation, within 30 days of the expiration of the one-year period.
83. Grants a private right of action in superior court to any person whose surveillance network data is collected, retained, shared, accessed or used in violation of the outlined surveillance network regulation.
84. Specifies that a private right of action is not subject to any requirement of exhaustion of administrative remedies.
85. Prohibits a governmental entity and vendor from asserting qualified or sovereign immunity or any contractual limitation of liability as a defense to claims brought in a private right of action.
86. Entitles a prevailing plaintiff to:
   a) statutory damages of at least $2,500 per negligent violation and $10,000 per willful or reckless violation;
   b) actual damages;
   c) reasonable attorney fees and costs; and
   d) injunctive relief.
Jurisdictional Circumvention Prohibitions
87. Prohibits, if the qualified electors of a city or town, county or state agency have rejected a proposal to authorize a surveillance network, any other governmental entity from deploying, operating or contracting for any surveillance network within the boundaries of the city or town, county or other jurisdiction, including:
   a) a county agency within a city's or town's limits;
   b) a state agency operating within a city's or town's or county's limits;
   c) a federal agency operating with the assistance, cooperation or data-sharing of state agencies or local governments; or
   d) task forces, joint operations or multi-jurisdictional partnerships.
88. Prohibits an LEA from providing or accepting surveillance network data to or from any federal agency for the purpose of circumventing the outlined surveillance network regulation.
89. Prohibits an LEA from participating in any federal grant program, task force or cooperative agreement that requires or incentivizes the collection, retention or sharing of surveillance network data in violation of the outlined surveillance network regulation.
Annual Report
90. Requires each LEA, by December 31 of each year, to publish an annual transparency report, post the report on the LEA's public website, submit the report to the Governor, the Senate President and the Speaker of the House of Representatives and send a copy to the Secretary of State.
91. Requires the annual transparency report to contain:
   a) the total number of license plate scans conducted in the previous year;
   b) the total number of positive matches with an active warrant or alert list;
   c) the total number of positive matches that resulted in arrest, a citation or protective custody;
   d) the total number of false positive matches or erroneous alerts;
   e) the total number of warrants obtained from surveillance network data;
   f) the total number and the identity of each LEO who is certified to operate surveillance networks;
   g) the total cost of the surveillance network, including all vendor fees;
   h) confirmation that the annual compliance audit report for vendors was completed and a summary of the findings; and
   i) the number of public records requests received for surveillance network data and a description of each request.
Miscellaneous
92. Defines automated license plate reader as a technology that provides stationary or mobile detection of license plates and that captures data associated with license plates for law enforcement purposes.
93. Defines surveillance network as a system of monitoring through technological devices that are stationary, mobile or satellite or through any other technological means that are owned or operated by the state or a state agency, city, town, county or political subdivision of the state, including an automated license plate reader.
94. Defines authorized nonprofit as a national nonprofit public interest law firm founded after 1990 with a mission to end widespread abuses of government power and secure the constitutional rights of the American people.
95. Becomes effective on the general effective date.
Amendments Adopted by Committee
1. Requires the governing body of a city, town or county to authorize the deployment of a surveillance network by the affirmative vote of 65 percent, rather than 60 percent, of the governing body.
2. Stipulates that any public entity not explicitly authorized to deploy a surveillance network may not deploy a surveillance network.
3. Makes technical and conforming changes.
Senate Action
GOV    3/25/26    DPA/SE    5-1-1