International Comparison
How the UK ANPR regime, EU GDPR, and US ALPR patchwork differ on retention, oversight, purpose limitation, and data subject rights.
The United States has no comprehensive federal ALPR statute. Other democracies have built stronger governance frameworks for the same technology.
UK: centralized oversight
The UK operates a national ANPR (Automatic Number Plate Recognition) system under centralized Home Office governance. Key features:
- National strategy with defined policing purposes (counter-terrorism, serious organized crime, major crime)
- Retention defaults generally shorter than US commercial equivalents
- Office of Surveillance Commissioners historically provided independent oversight of surveillance powers
- Biometrics and Surveillance Camera Commissioner provides statutory scrutiny of camera systems including ANPR
- Explicit data-subject rights under the UK GDPR and Data Protection Act 2018
The UK system is not perfect — civil-society groups including Big Brother Watch and Liberty have documented over-retention and purpose creep — but the governance architecture exists. There are statutory commissioners with investigative authority, not just vendor self-reporting.
EU: GDPR applies to ALPR
Under GDPR, license plate data is personal data. Processing it triggers Article 6 lawful-basis requirements:
- Purpose limitation must be explicit and narrow (Article 5(1)(b))
- Data minimization prohibits dragnet collection beyond what is necessary (Article 5(1)(c))
- Storage limitation requires defined retention with justification (Article 5(1)(e))
- Data subject rights include access, rectification, erasure, and objection (Articles 15-21)
- DPIAs (Data Protection Impact Assessments) are required for large-scale systematic monitoring (Article 35)
Several EU member states have ANPR deployments, but they operate under these constraints. The Dutch, German, and French systems have been challenged in national courts and refined under GDPR pressure. None has the open-ended retention and nationwide commercial sharing model that characterizes the US market.
US: the patchwork
The United States combines:
- No federal ALPR statute — no national retention limit, no national purpose limitation, no data-subject access right
- State-by-state regulation ranging from New Hampshire's 3-minute purge to no limit at all
- Commercial vendor control over network configuration defaults — Flock has been caught enabling nationwide sharing without the city's knowledge (FW-019)
- Constitutional doctrine that treats single observations as non-searches but has not resolved aggregated historical query at scale (the Norfolk ruling (FW-023) is the first trial-court decision to treat ALPR data collection as a Fourth Amendment search)
Comparative table
| Feature | US (federal) | US (strongest state) | UK ANPR | EU (GDPR) |
|---|---|---|---|---|
| Comprehensive statute | None | CA / WA SB 6002 | Yes (Home Office) | Yes (GDPR) |
| Retention limit | None | 3 min (NH) to 90 days (NC) | Defined by strategy | Justified by purpose |
| Purpose limitation | None | WA SB 6002 | Counter-terror, serious crime | Article 5(1)(b) |
| Data subject access | None | None statutory | DPA 2018 | GDPR Arts 15-21 |
| Independent oversight | None | None statutory | SCC / OSC | DPA / DPO |
| Vendor self-certification | Common | Addressed in CA/WA | No | No |
| Warrant for historical | None | WA (private data only) | Varies | Article 8 ECHR |
The structural lesson is that the US has delegated ALPR governance to the market — vendors configure defaults, agencies buy subscriptions, and regulation follows harm rather than preceding it. The UK and EU models regulate first, deploy second.
Read the state regulation comparison - Read the legal analysis