Q&A with Sara Gerke on Texas’ illegal use of Illinois license plate data

Illinois recently revealed that 46 out-of-state law enforcement agencies, including in Texas, illegally accessed the state’s automated license plate reader data to investigate abortion and immigration cases, violating data privacy laws. Sara Gerke, an associate professor of law at the University of Illinois Urbana-Champaign and expert on the legal and ethical challenges of big data, explains the growing risks of such cross-jurisdictional data misuse and the urgent need for stronger privacy protections.

How do data breaches like the Illinois license plate reader incident challenge ethics standards for managing digital data, especially when third party systems expose private health-related information?

Although Illinois had a relevant state law that was allegedly violated in this case, it still serves as a notable example that highlights a significant gap in U.S. data protection at the federal level. Non-health data, like license plate scans, can expose sensitive health information, such as whether someone traveled for an abortion. But it isn’t protected under the Health Insurance Portability and Accountability Act (HIPAA). HIPAA only covers certain health information generated by specific entities, such as most healthcare providers, leaving non-health information, like license plate scans, that can make inferences about someone’s health outside HIPAA’s scope.

Unlike the EU, the U.S. lacks a comprehensive federal data privacy law, so protections depend on state laws. Illinois has strong safeguards, but many states don’t, and enforcement becomes tricky when breaches involve out-of-state entities. Until federal reform happens, sensitive information remains vulnerable and difficult to contain once exposed.

Who is most at risk in data breaches involving sensitive health information?

Individuals, particularly patients and consumers, face the greatest risk. For example, outside the traditional healthcare system, when companies such as those offering a period and fertility tracking app or direct-to-consumer genetic testing services leak data, people may suffer serious consequences, including legal action or discrimination, especially in states without comprehensive privacy laws. These companies are often not covered by HIPAA, and federal protections are limited. Without strong state laws, personal health data like abortion history or genetic information can be exposed and misused, leaving individuals unprotected.

In what cases are out of state authorities allowed to use license plate data across states?

I’m not a law enforcement expert, but Illinois restricts license plate data use, and legality often depends on purpose. Using it to track someone for a felony may be justified under state law. But Illinois’s state law is unique because it bans explicitly the selling, sharing, allowing access to, or transferring license plate data to any local jurisdiction or state for the purpose of enforcing or investigating a law that interferes with or denies an individual’s right to obtain or choose reproductive healthcare services, or that permits the investigation or detention of an individual based on their immigration status. Other state laws may likely differ and do not offer such strong protection.

So what new transparency and consent standards should Illinois consider for surveillance tools like license plate readers?

Illinois should consider more comprehensive data privacy laws that give individuals control over all personal data, including health-related information not covered by HIPAA. This would help close existing legal gaps. Additionally, enforcement of existing laws must be strengthened to ensure violations are taken seriously. When working with third-party vendors like Flock Safety, the state and law enforcement agencies should establish clear data-sharing agreements that define how data can be used, when it can be shared, and whether consent is required. Proper vendor vetting and oversight are also critical to prevent future breaches.

How soon do you think we could get federal privacy protection laws with the current administration?

Unfortunately, I don’t expect a comprehensive federal privacy law to pass anytime soon. It’s a complex effort that would take years. In the meantime, one option is to expand HIPAA’s scope to include entities beyond traditional healthcare providers, such as tech companies and direct-to-consumer genetic testing companies that collect health data. Even that would be a challenge, especially when it comes to regulating data that isn’t medical on its face but can reveal health information, like license plate data. Without federal action, states will need to take the lead, and consumers must remain vigilant about how their data is used.