What happens after Modesto’s red-light cameras capture your info? It’s complicated
Cameras across Modesto capture, store and transfer personal information for law enforcement purposes. But concerns over that data’s security, and how it’s being used, remain.
Earlier this month, the Modesto Police Department found that data from automatic license plate readers (ALPRs) was unintentionally shared with federal agencies, including Border Patrol. The discovery was mentioned in a lawsuit recently filed by the ACLU against the city and MPD Chief Brandon Gillespie.
Now, after being dormant for nearly a decade, red-light cameras are back and use new technology, such as high-quality video, to enforce the law. But what happens to the data collected? How is it used? Is it safe from hackers?
The Modesto Bee reached out to Verra Mobility, the company that runs Modesto’s red-light cameras, and MPD to answer some of these questions. Two separate lists of questions, specific to each, were sent to Verra and MPD. However, Verra responded in an email stating its response was a “coordinated response in partnership with the PD and city.” The Bee’s questions for MPD were not answered.
Your data when the cameras flash
Verra Mobility’s red-light cameras activate when its systems automatically detect an “event” — typically when a vehicle enters an intersection, or turns right too quickly, while the light is red.
The automated system determines what an “event” is through “business rules” the customer, in this case the city, and Verra agree upon. MPD did not respond when asked what the business rules were.
Photos and high-quality video of the event, along with data that back-end systems can use to identify the driver, are entered into Verra’s Axis Smart Mobility Platform — a system that can be accessed by MPD through “any computer connected to the internet,” according to Verra Mobility’s request for a contract with the city.
Verra’s automated system then uses this data to find out who the driver is by getting personally identifiable information from the DMV and Nlets. The latter is a private nonprofit that local, state and federal law enforcement agencies use for “criminal justice information sharing,” according to the company’s LinkedIn page.
All of this information is then sent to MPD for review. If someone at the Police Department determines a violation happened, it authorizes a citation to be sent. Whether citations are processed by Verra or by the court systems was not explicitly stated in documents presented to the City Council.
Whether or not a citation is issued, Verra Mobility stores all of that data for six months, according to its agreement with the city. According to Verra, that data is secure and complies with state laws around data privacy.
It isn’t clear if the same is true for personally identifiable information from red-light cameras that is stored or transferred on MPD’s systems, as the agency did not respond to questions regarding it.
Concerns over data privacy
Tracy Rosenberg, an information protection advocate and director for Oakland Privacy, said Modesto’s deal with Verra Mobility and the city’s recent cybersecurity slip-ups are cause for some concern among drivers.
She specifically noted Verra’s ability to hold on to data for six months, even for events that don’t result in a citation, as questionable.
“My question is, why? For what purpose? It seems like data retention for the sake of data retention, which is what privacy advocates in general just don’t like,” Rosenberg said.
Verra stated that the city, not the company, owns the data collected by red-light cameras. It also maintained that data is not shared with, or sold to, third parties.
“Protecting data is fundamental to Verra Mobility’s mission,” the company said in a statement. “Our private system uses the most up-to-date, continually upgraded cybersecurity practices to safeguard the information that is entrusted to us by our clients.”
However, things on the city side may not be as sound. In 2023, the city suffered a ransomware attack by a foreign hacking group. The attack leaked personal information, including Social Security numbers. Almost all of this information belonged to MPD employees, but a small number of non-city employees may have been affected, too.
Since then, the city has beefed up its cybersecurity efforts but is still lacking in several categories. A 2025 risk assessment found the city did not have an information security policy or a data governance policy, lacked a completed policy for access control and data privacy, and did not conduct regular penetration testing of its systems.
“Without these key policies, the City faces increased risks such as unauthorized access, data breaches and inconsistent handling of sensitive information,” the assessment reads. “These gaps can weaken the overall security posture and make it harder to manage and reduce IT risks effectively.”
Asked what it was doing to protect data collected from red-light cameras that are stored on its own systems, MPD did not respond.
Following California’s data sharing law
In November, U.S. Sen. Ron Wyden, D-Oregon, and several other members of Congress sent a letter to Gov. Gavin Newsom, warning that Immigration and Customs Enforcement and the Department of Homeland Security had access to Nlets and used it over 900,000 times since October 2024.
Nlets is the same system Verra uses to collect personally identifiable information to determine who was driving during a potential red-light violation. Verra Mobility flatly denied that any data it collects is uploaded into Nlets, or any other system. MPD did not respond to questions from The Bee.
California’s Values Act, also known as SB54, strictly prohibits data sharing between the state’s law enforcement and federal agencies that enforce immigration laws.
Earlier this month, a California Public Records Act request led to MPD discovering that its ALPR systems unintentionally shared data with several federal agencies. But there is a clear distinction between ALPR systems and red-light cameras, says Verra.
“These cameras are not surveillance cameras and do not track vehicles from location to location; they only trigger and respond to an illegal vehicle event at a specific position,” Verra said in a statement.
Since MPD discovered its slip-up with ALPR data, it strengthened policy language around the technology and is conducting monthly compliance audits to make sure it follows state law.
When asked if it was doing the same for any data it had from red-light cameras, or if it would use that data to enforce laws not related to running a red light, MPD did not respond.
As for data protection around the sale of information to third parties, California has the Consumer Privacy Act and the Information Practices Act. In its statement to The Bee, Verra Mobility said it conducts routine audits to ensure it’s complying with state law.
However, the company’s annual report to investors, in which it noted its lobbying efforts, stated laws such as the CCPA could pose a risk because they allow “lawsuits against companies which experience a data breach involving personal information.”
“Any decreases in the prevalence or political acceptance of, or an increase in governmental restrictions regarding, automated and other similar methods of photo enforcement… could have a material adverse effect on our business,” the report reads.
A better way to ensure data privacy?
Rosenberg said that Verra Mobility did have a “data hygiene” policy with five California cities during a pilot phase for speed cameras. This policy would disclose who has access to the data, who’s processing the citations and how they comply with the law.
The data advocate said Modesto should probably do the same thing, especially as its residents are increasingly concerned about their privacy and who their information is being shared with.
“This is really a time of high, high anxiety in the immigrant and immigrant-adjacent populations. It would be a good thing for the city to do,” Rosenberg said. “Obviously, it’s been a problem with the license plate readers, so they should also look at these cameras and make sure that they’re not going to find out about a problem after it already happened.”
Modesto’s deal with Verra Mobility is for five years and worth $3.7 million. The agreement called for the installation of red-light cameras at 10 intersections throughout the city.
The decision was based on data from California’s Department of Traffic Safety, which showed Modesto ranked first among similar cities for total injury, fatal, alcohol-related and nighttime collisions in 2022.
This story was originally published March 30, 2026 at 11:35 AM.