← Back to Blog·

The Billion-Dollar Surveillance Wave: How Flock Safety's License Plate Readers Are Triggering a Class Action Explosion in California

Multiple class actions filed, investigations are active, and billions in potential damages. California's ALPR privacy law is fueling a litigation wave against businesses using Flock Safety cameras, and it's just getting started.

The Billion-Dollar Surveillance Wave: How Flock Safety's License Plate Readers Are Triggering a Class Action Explosion in California

A new wave of class action lawsuits is rapidly accelerating across California, targeting shopping malls, medical centers, retailers, and commercial campuses that deployed Flock Safety's automated license plate reader (ALPR) cameras without complying with the state's privacy law. Within six weeks of a landmark appellate ruling in February, four class actions were filed in courts across the state and at least eight more investigations were actively recruiting plaintiffs.

The litigation carries a simple and devastating theory: if your business scanned license plates without posting a compliant privacy policy, you owe every person whose plate was captured at least $2,500 in statutory damages, no proof of data misuse, breach, or monetary loss required. For a single mid-size shopping mall with 500,000 annual visitors, a five-year class period could produce minimum liquidated damages in the billions before punitive multipliers even enter the picture.

Here's how we got here, who's being sued, and why this wave is far from over.

The Ruling That Lit the Fuse

Everything traces back to Bartholomew v. Parking Concepts, Inc., decided unanimously by the California First District Court of Appeal on February 5, 2026, and modified with rehearing denied on February 27.

The case involved a San Francisco parking garage that deployed ALPR cameras to scan and store drivers' license plates without ever implementing or publicly posting the "usage and privacy policy" required by California's ALPR Privacy Act (Civil Code Sections 1798.90.5 through 1798.90.55). The garage argued that no one was actually harmed, the data was never misused, breached, or shared with anyone.

The court rejected that defense entirely. It held that collecting ALPR information without implementing and making public the statutorily required policy "harms these individuals by violating this right to know." The failure to post a compliant policy is, by itself, legally actionable harm. The $2,500 per-person liquidated damages floor reflects the Legislature's intent that a missing policy constitutes a cognizable violation, period.

The court further ruled that the statute contains no exemption for small operators, single-camera deployments, or easily avoidable locations. And critically, there is no pre-suit cure notice requirement like the one in California's Consumer Privacy Act. The first time a defendant learns of a claim is when the lawsuit hits.

Four Cases Filed, Eight Investigations Running

The plaintiffs' bar moved fast. The firm Bursor & Fisher, which won the Bartholomew appeal, filed Leonard v. Simon Media Properties in San Diego County Superior Court just twelve days later on February 17, 2026, targeting Simon Property Group — one of the largest mall operators in the country, with 23 California properties. The sequencing was deliberate: build the precedent, then strike the highest-value target.

Since then, three more lawsuits have been filed. Hellerman v. Flock Group, filed in the Central District of California on January 16, 2026, takes a direct-liability approach by suing Flock Safety itself. Linder & Hoffert v. Simon Property Group landed in Sacramento Superior Court on March 19, bringing what is considered the most factually developed complaint in the wave, incorporating the Mountain View and Ventura County data-sharing scandals, EFF protest surveillance findings, and Flock accuracy failure documentation. 

And Barlow v. Sunset Development Co. was filed in Contra Costa Superior Court on March 16, targeting Bishop Ranch, a 10-million-square-foot commercial campus in San Ramon.

Meanwhile, investigations are underway, spanning medical centers, shopping centers, and commercial marketplaces from Palo Alto to Goleta. Plaintiff recruitment campaigns have been running since early March, with some firms operating dedicated intake platforms targeting Flock camera locations.

Flock's Data-Sharing Scandals Add Fuel

What elevates this litigation beyond a dry statutory compliance dispute is the growing record of Flock Safety's unauthorized data sharing with law enforcement, including federal immigration agencies.

In January 2026, the Mountain View Police Department disclosed that Flock had secretly set one of its ALPR cameras to a "nationwide" sharing mode without notifying the department. Between August and November 2024, federal agencies including the ATF, GSA OIG, and military installations accessed Mountain View's plate data through this setting.

Separately, a "statewide lookup" setting was active across all of the city's Flock cameras from installation until January 2026, allowing an estimated 600,000 unauthorized searches by over 250 agencies that had never signed any data-sharing agreement with Mountain View. The city disabled all cameras and ultimately voted to terminate its Flock contract.

The Ventura County incident was arguably worse. The county's sheriff's office had disabled Flock's "National Lookup" feature in June 2023 to comply with California law. But a vendor error re-enabled it in early 2025, and between February and March 2025, outside agencies ran over 364,000 queries against Ventura County's plate data, with 299 searches explicitly citing immigration enforcement as the justification. The Oxnard Police Department suspended its Flock program entirely.

For private businesses that deploy Flock cameras, these incidents create compounding legal risk. Even if a retailer or property owner believed it had restricted law enforcement access, Flock may have re-enabled nationwide sharing without notice.

And because the ALPR statute places compliance obligations on the "operator" and "end-user" (not the vendor) the private deployer cannot disclaim responsibility by pointing to Flock. The business bears the statutory duty to maintain compliant access controls and audit records regardless of what its vendor does behind the scenes.

Who's in the Crosshairs Next

The cases filed so far have focused primarily on mall operators, but the underlying legal theory applies to any private entity running ALPR in California without a compliant policy, and Flock's own marketing materials boast a customer base that spans well beyond shopping centers.

The company has publicly stated it serves multiple top-10 national retailers, major healthcare systems, logistics and distribution companies, and commercial real estate operators. Investigative reporting has separately confirmed that big-box retailers and hospital networks in California are already operating Flock cameras with law enforcement access to the data.

Several categories of property are particularly exposed. National retail chains with large California footprints represent massive class sizes, hundreds of locations generating millions of vehicle scans per year.

Healthcare facilities carry uniquely heightened risk because patients reasonably expect greater privacy protections when visiting a medical provider, and immigration enforcement access to hospital parking lot data adds a layer of reputational and legal liability that goes beyond the ALPR statute alone. Commercial campuses, logistics hubs, and residential communities using Flock for security all face the same fundamental compliance question.

The exposure formula is straightforward: take the number of unique vehicles scanned during the non-compliant period, multiply by $2,500, and add potential punitive damages for willfulness and attorney's fees. For national retailers or major property operators with years of Flock deployment across high-traffic California locations, the aggregate numbers reach staggering levels.

The Practices Under Attack

The complaints and investigations converge on several specific compliance failures. The most common violation is the absence of a stand-alone ALPR privacy policy, a general corporate privacy policy that mentions "license plate information" somewhere in its pages does not satisfy the statute's requirement for a dedicated policy with seven specific elements, conspicuously posted both online and physically at each camera location.

Even businesses that have posted some form of ALPR disclosure may be vulnerable. Simon Property Group, for instance, updated its privacy policy in February 2026 to include ALPR language, but the Leonard complaint alleges the disclosure was buried behind multiple hyperlinks at the bottom of the policy, requiring three clicks to reach, what the complaint called "the opposite of conspicuous."

Beyond policy failures, plaintiffs are targeting open law enforcement access without audit records, unauthorized sharing with out-of-state and federal agencies, participation in Flock's Business Network (which formalizes private-to-private data sharing without adequate disclosure), and the absence of accuracy safeguards required by the statute. 

On that last point, testing and investigative reporting have identified a roughly 10% state misidentification rate for Flock cameras, and journalists have documented at least 12 cases of wrongful law enforcement encounters caused by Flock misreads, including gunpoint stops, wrongful arrests, and a police dog attack.

What Happens Next

Three dynamics will determine how far this wave reaches. The first is class certification, whether courts will certify classes encompassing all visitors to surveilled properties. The pending appeal in Mata v. Digital Recognition Network, a parallel private-entity ALPR case in San Diego, may provide the first instructive guidance on certification standards under the statute.

The second is the Simon Property Group litigation, where two cases now sit in different California courts. Whether those cases are coordinated through California's JCCP process or proceed in parallel will shape defense strategy for every other potential defendant.

The third is simple expansion. With active investigations already reaching into medical centers, commercial campuses, and retail chains beyond Simon, new filings are expected within 30 to 60 days. 

The plaintiffs' bar has found a statute with teeth, a favorable appellate precedent, and a target-rich environment of businesses that deployed surveillance technology faster than they implemented compliance programs.

For the millions of Californians whose plates have been scanned at shopping malls, retail stores, hospitals, and office parks, the core question is simple: did anyone tell you? If the answer is no, or if the notice was buried in fine print you'd never find, the law says that's worth $2,500 per scan, and the lawyers are paying attention.

The Flock ALPR litigation wave went from a single appellate ruling to four filed lawsuits in six weeks, and the properties named in the next round of complaints may already be under investigation.

Rain Intelligence helps legal and risk teams identify this kind of exposure before it arrives as a summons. Request a demo to see how we track emerging class action risk in real time.