The feeling of freedom that comes from driving down California’s sunny open roads is at risk—and rising gas prices are not to blame. Our investigations show that at least twenty Northern California law enforcement entities as well as the California Highway Patrol track the whereabouts of millions of Californians using automated license plate readers (ALPR), and some apparently even share records with a “fusion center” connected to the federal intelligence community.

Scanning thousands of plates per minute, ALPR cameras create records of innocent people’s movements that can be held for years. Unfortunately, as the ACLU’s recent report shows, many agencies use ALPRs without clear privacy protections for the collected data. Without proper safeguards, license plate readers can be used to identify every car parked near a protest or event, or to collect data about your visits to a doctor’s office, local bar, religious services, and more. We need clear, strong rules to prevent the misuse of ALPRs and the data they collect.

The massive amounts of data collected by a few Northern California police departments show how ALPR data makes it easy to track residents’ whereabouts. In Piedmont, a tiny city east of Oakland with about 11,000 residents, the local police department captured 1,641,841 plate scans with one ALPR unit in just one year. South Bay city Milpitas, with only 67,000 residents, collected 4.7 million plate images in slightly more time. On the state’s highways, the California Highway Patrol operates at least 200 cameras, but we don’t even know how much data they have collected. To bring into focus how these large quantities of scans can be used to track cars within a given area, take a look at these maps produced by Berkeley’s ALPR parking enforcement system.

Unfortunately, there are no statewide privacy protections for these records, and many individual law enforcement agencies have no such protections either. In fact, only about half of the 20 agencies we learned use ALPR had a written policy manual at all. Of those agencies with written policies, many allowed the data to be used for all “legitimate law enforcement business.” Some cities, including Milpitas in the South Bay, do not even keep records of who accesses the ALPR information. In addition, agencies vary wildly in how long they retain ALPR records. Although the Marin County town of Tiburon deletes records after 30 days if not associated with a criminal investigation, cities such as Concord, Elk Grove, and East Palo Alto allow the data to be held for upwards of two years—and Berkeley did not even have a retention policy.

We also found that sensitive ALPR data is shared with other counties and potentially the federal intelligence community through a “fusion center.” A Memorandum of Understanding (MOU) signed by Daly City describes an ALPR database shared by a Bay Area fusion center and fifteen Northern California counties. Under the plan, participating counties get continuous access to each other’s data with no clear limits on what it can be used for. By combining records from multiple jurisdictions, this database has the potential to contain extensive records of motorists’ travels throughout Northern California. The U.S. Senate concluded in 2012 that fusion centers fail to make us safer, tend to be mismanaged, and needlessly intrude on Americans’ privacy, so the suggestion that counties are sharing Californians’ data en masse is particularly concerning.

ALPR technology should be used to accomplish specific law enforcement goals, not deployed as a tool for dragnet surveillance. As it stands, lax safeguards on the use of ALPR and the availability of collected data to the federal intelligence system raise substantial privacy concerns. Real safeguards formed through democratic debate can shed light on the technology’s use, and prevent future misuse. The starting point for establishing these safeguards is to have an open discussion with local government and citizens about the risks and benefits of ALPRs. Driving may be a privilege, but privacy is a right.