SACRAMENTO — California law enforcement agencies may not be doing enough to protect the data they collect through license plate-tracking technology that police throughout the state use.

State Auditor Elaine Howle released a review Thursday of the Marin County Sheriff’s Office and three other law enforcement agencies that concluded they had “risked individuals’ privacy” by providing indiscriminate access to their collections of millions of images of license plates and not properly ensuring the security of the databases.

The audit examined the policies of the Fresno and Los Angeles police departments and the Sacramento County Sheriff’s Office, in addition to the Marin sheriff, and found they fell short of state privacy requirements.

The report also raised the possibility that the problems are widespread. The auditor’s office surveyed nearly 400 police and sheriff’s departments across California and determined that almost 70% use or plan to use a license plate-tracking system.

“We are concerned that the policy deficiencies we found are not limited to the agencies we reviewed, and thus law enforcement agencies of all types may benefit from guidance to improve their policies,” the audit said.

State Sen. Scott Wiener, D-San Francisco, who requested the audit, said he planned to introduce legislation that would incorporate its recommendations about limiting how long agencies can hold on to license plate data and with whom they can share it.

He said the report was “horrifying” because it showed that “law enforcement is engaging in mass surveillance” without justification and is indifferent to how the system is “ripe for abuse.”

“If law enforcement is going to use this technology, it needs to be extremely focused and extremely conscious of personal privacy,” Wiener said.

The systems, known as automatic license plate readers, use cameras mounted on fixed objects and police cars to take pictures of license plates. Software extracts the plate numbers from those images and alerts officers when it identifies a match on a stored list of vehicles of interest, including stolen cars and those associated with wanted criminals and missing persons.

Organizations such as the American Civil Liberties Union have raised objections that these systems allow law enforcement to track people’s movement in detail, which could inhibit free speech and association. Media reports have also identified instances when officers misused the data to monitor ex-spouses and neighbors.

A 2015 state law required law enforcement agencies to adopt privacy policies for license plate tracking, describing who can use the data, how long they keep the information and how they protect and monitor their systems.

But the audit determined that the Marin and Sacramento counties sheriff’s offices and the Fresno police did not clearly specify who had access to their systems and how to destroy data. The Los Angeles Police Department had no policy at all.

Three of the departments, including the Marin sheriff, also had data-sharing agreements with hundreds of other law enforcement organizations across the country. The auditor found no evidence that they always ensured those organizations were public agencies that had a compelling need for the images. None conducted audits of the searches in its systems to make sure they were appropriate.

“The agencies have left their systems open to abuse by neglecting to institute sufficient oversight,” the audit concluded.

The audit questioned the security of the cloud services used to store the license plate images and the length of time that agencies were keeping the pictures — as long as five years in the Los Angeles Police Department.

A data breach would broadly affect people not involved in any criminal activity. The Los Angeles Police Department database, for example, contained 320 million images, only 400,000 of which were for plate numbers considered vehicles of interest. The license plate numbers were connected to personal information such as names, addresses and dates of birth.

While some of the law enforcement agencies reviewed by the auditor’s office agreed to change their policies in response to the report, the Marin County Sheriff’s Office largely dismissed its conclusions.

In a letter, Deputy County Counsel Kerry Gerchow said Marin County contracted for its license plate-tracking system with a third-party vendor that used secure servers and allowed access only to credentialed law enforcement officers.

Gerchow said the Marin County Sheriff’s Office’s policy of retaining images for two years was “based on the statute of limitations for most crimes in the state of California.” It would be impossible to develop a more detailed policy, Gerchow said, because investigators could not know when an image might prove useful to a case.

Alexei Koseff is a San Francisco Chronicle staff writer. Email: alexei.koseff@sfchronicle.com Twitter: @akoseff