By Nick Fortuna

In the car wash industry, there’s nothing nefarious about license plate recognition (LPR) technology, an invaluable tool used to manage unlimited wash clubs and identify frequent customers who haven’t signed up yet. But recent headlines show that LPR technology is sparking concerns over data security and privacy, leading to a robust debate over how LPR data should be collected, stored and used.

Take Nashville, for example, where the city council approved a six-month pilot of LPR technology earlier this year. The program will allow police to compare images captured by automatic license plate readers against the plate numbers of stolen vehicles.

LPR data also will help police track down vehicles believed to be connected with violent crimes, felony offenses, reckless driving or missing-persons cases.

The city council remains leery of overreach, however. In August, according to The Tennessean newspaper, it passed an ordinance barring police from using LPR data to assist federal officials with immigration enforcement.

Similarly, in Morgan County, Ga., the sheriff’s office announced in August that it had installed 12 solar-powered LPR cameras at key intersections to help solve and prevent crime. Unlike some law-enforcement agencies, the sheriff’s office pledged not to use LPR data to enforce traffic laws and issue speeding tickets. Data will be stored for 30 days, and under state law, LPR data aren’t subject to open-records requests and must be used for law-enforcement purposes only.

LPR technology is being used in a variety of applications beyond law enforcement. Toll plazas are using it to speed up traffic and reduce the need for manned toll booths, gas stations install it to prevent theft, drive-through banks and restaurants are using it to enhance the safety of employees and entities such as businesses, and universities use it to manage access to parking lots.

Despite those conveniences, worries over data security and privacy still loom large. The American Civil Liberties Union has voiced concerns that police are storing the LPR data of millions of innocent Americans.

In addition, private companies are sharing LPR data with law-enforcement agencies with little or no oversight or privacy protections in place, according to the ACLU. That lack of regulation means that policies governing how long LPR data are kept vary widely from one jurisdiction to the next, the ACLU said. To address this issue, the group has called for legislation reflecting the following five principles of LPR data collection:

>> License plate readers may be used by law-enforcement agencies only in ongoing criminal investigations.

>> The government mustn’t store data about innocent people for longer than a few days or weeks and certainly not for months or years.

>> People should be able to find out if the plate data of vehicles registered to them are contained in a law-enforcement agency’s database.

>> Law-enforcement agencies shouldn’t share LPR data with third parties that don’t follow proper retention and access principles. They also should be transparent about with whom they share LPR data.

>> Any entity using LPR technology should be required to report its usage publicly at least annually.

Additional complexity comes into play for the growing number of car wash operators with locations in multiple states due to the differences by state in laws surrounding LPR data. No two laws are exactly the same and at least 16 states have statutes addressing the use of automatic license plate readers or the retention of LPR data, according to the National Conference of State Legislatures.

Small Businesses Targeted

The threat of cybercriminals gaining access to a car wash’s LPR data is especially relevant given that small businesses are often in hackers’ crosshairs. Last spring, the cybersecurity firm Barracuda Networks issued a report saying that employees of small companies are 350% more likely to be targeted by cybercriminals than are workers at large companies. Presumably, hackers expect larger companies to have better cybersecurity measures in place.

By analyzing millions of emails across thousands of companies, Barracuda determined that at least one in five organizations had at least one email account compromised in 2021.

Linnea Solem, chief executive of consulting firm Solem Risk Partners, said it’s vital for car washes and other businesses to be transparent about LPR usage and to gain consent for the collection of LPR data. When customers sign up for unlimited wash clubs, the enrollment forms should spell out how LPR data will be used by the company and in what circumstances the car wash will share that information with third parties such as police departments, she said.

Companies should disclose, for example, whether they share LPR data with law-enforcement agencies upon request or whether those agencies will need a subpoena to gain access. Additionally, car washes should make it clear that customer data will never be sold, said Solem, whose practice specializes in third-party risk, data privacy and governance and enterprise risk management.

If car wash operators are unsure about the laws governing LPR technology in their state or municipality, they should consider contacting a lawyer for advice, Solem said.

“The tricky part is if the car wash owner routinely shares license plate numbers with law-enforcement agencies, they could be in violation of certain state laws,” she said. “The laws vary by state — and that’s the difficult part — but the focus of most of those statutes is on the usage and retention of data by law-enforcement agencies.”

Access to customer data should be restricted to those employees who need it for specific job functions, such as the person in charge of the unlimited wash club, and that access should be reviewed periodically, Solem said. When employees leave the company or switch to a different role, they should lose access to LPR data.

When the car wash receives a request for data, there should be a process in place to verify that the request is legitimate and isn’t from a scammer impersonating the police, Solem said. Picking up the phone and calling the law-enforcement agency to confirm the request is a best practice.

According to Solem, there also should be a process and schedule for deleting customer data that are no longer needed. In the case of an unlimited wash club, customer information should be deleted after they cancel their subscription, and if they want to subscribe again, they would have to fill out new forms, Solem said.

Similarly, if a customer gets a new car, the data about the old car should be deleted from the system.

“It’s important to understand the life cycle of the data,” Solem said. “What are your processes to get rid of old data so that it’s not just growing? Most of the state statutes for law enforcement have specific timeframes after which they have to delete that information.”

Meeting Strict Standards

When evaluating LPR technology, small businesses should be sure that it is PCI DSS certified. The Payment Card Industry Data Security Standard is a set of information-security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment.

The PCI Standard, administered by the PCI Security Standards Council, was created to increase controls around cardholder data and reduce fraud.

Timothy Douglas, vice president of information technology for Charlotte-based Magnolia Wash Holdings, said all of the company’s more than 70 car wash locations have PCI DSS-validated payment applications. And according to Douglas, the company is currently looking to enhance that even more with full point-to-point encryption, or P2PE.

P2PE and similar solutions such as end-to-end encryption (E2EE) provide payment security by instantly converting credit and debit card information into indecipherable code at the time of the transaction. This technology anonymizes data to prevent hacking and fraud, maximizing the security of transactions and consumer privacy.

Businesses using LPR technology also should anonymize personal data such as customer license plates, names and addresses in their databases, and they should collect only as much data as is necessary.

To safeguard its data from cybercriminals, Magnolia uses an intrusion detection and prevention system, which monitors the company’s network traffic and analyzes it for signs of cyberattacks, Douglas said.

“The key is to have multilayered data security,” Douglas said.

“Think of it like a fort. You don’t just have tall walls; you also have a moat in front of it. That multilayered approach is the best way to ensure that customers’ data is secure.”

Bubble Bath Car Wash, a chain based in San Antonio, uses radio-frequency identification (RFID) stickers to administer its unlimited wash club. When customers enroll, an RFID sticker is placed on the inside of the car’s windshield.

But Bubble Bath also uses LPR technology as part of its security apparatus and to gain insight into marketing and consumer behavior, said Nicholas Lopez, the company’s president.

LPR systems help car wash operators identify repeat customers who have yet to sign up for unlimited wash clubs. When these drivers pull onto the lot, LPR systems can notify employees, giving them an opportunity to engage those customers and promote the unlimited wash club.

This technology takes on added importance for chronically understaffed car washes, which must focus their attention on those customers who are most likely to enroll.

All of the customer data collected by Bubble Bath is safeguarded in a PCI-compliant environment, Lopez said.

“Anything that has to do with client data is all firewalled off from the rest of the system,” he said. “Then, these systems are kept behind camera, alarmed and locked steel doors. With cybersecurity such a threat, we make sure to employ an outside tech company that monitors our email, incoming and outgoing traffic and all the systems not listed above that are still connected to the main network. We also have an on-staff director of technology whose job this falls under now.”

Data security and privacy cannot be an afterthought for car wash operators, regardless of whether they have a single location or more than a hundred, according to Caleb Jarrett, director of IT for Mammoth Holdings, an Atlanta-based company operating more than 100 car washes.

Companies that don’t take this issue seriously could become exposed to existential disaster, he said.

According to Jarrett, smaller car wash operators that don’t want to establish in-house databases for customer data should keep in mind two best practices.

“Put your critical on-premises data processing and storage infrastructure behind lock and key,” he said. “And identify a local managed services provider that can manage your store networks."

These two things can provide the most security value for your spend.

“Bigger operators are often bringing data in-house, one way or another,” he said. “Additionally, these operators are often held to the rigor of Level 1 PCI compliance. For them, implementing a robust security operations center to monitor user identities, device endpoints and network traffic is often part and parcel.”