Smart City Surveillance in 2026: The Complete Privacy Guide for Citizens, Officials, and Journalists

Every step you take, every move you make—your city might be watching.

That streetlight above you? It could be recording video and audio. The intersection you just drove through? A camera captured your license plate and logged it in a database searchable by 160+ police agencies. The public WiFi you connected to at the park? It tracked your device's unique identifier and movement patterns.

Welcome to the smart city of 2026—where urban convenience comes wrapped in an invisible web of surveillance that most citizens don't know exists, can't opt out of, and have limited rights to challenge.

This comprehensive guide exposes the surveillance technologies deployed in American and European cities, breaks down the patchwork of regulations meant to protect you, and gives you practical tools to understand and assert your privacy rights.

Smart City Cybersecurity Assessment | CyberSafe.City

Comprehensive security assessment for smart city technologies. Evaluate risks, get recommendations, and protect your urban infrastructure.

CyberSafe.City

The Surveillance Stack: What's Watching You

Modern "smart cities" deploy a layered surveillance infrastructure that would have seemed dystopian a decade ago. Here's what's likely operating in your city right now:

🎥 Automated License Plate Readers (ALPRs)

What they do: High-speed cameras photograph every vehicle's license plate, logging the date, time, and precise GPS coordinates. This data is stored in searchable databases, often shared across hundreds of law enforcement agencies.

The scale: Flock Safety, the dominant ALPR vendor, operates cameras in over 5,000 communities nationwide. In 2024 alone, San Jose's ALPR network was searched over 923,000 times by law enforcement—and that's just one city, with 361 million plate scans captured that year.

The privacy problem: Even if you've done nothing wrong, your movements become part of a permanent, searchable database. Law enforcement can query where you've been without a warrant. In November 2025, the EFF and ACLU filed a landmark lawsuit against San Jose, arguing its network of hundreds of Flock cameras creates "a pervasive database of residents' movements in a surveillance network that is essentially impossible to avoid."

Who's watching: Not just local police. EFF investigations revealed that more than 50 federal, state, and local agencies ran hundreds of searches through Flock's national network specifically targeting protest activity. Additionally, over 80 law enforcement agencies used discriminatory language targeting Romani people in their searches.

🔫 Gunshot Detection (ShotSpotter/SoundThinking)

What it does: Networks of acoustic sensors, mounted on streetlights and buildings, claim to detect and locate gunfire, alerting police within seconds.

The privacy problem: These systems are deployed almost exclusively in predominantly Black and Hispanic neighborhoods, raising civil rights concerns. The Electronic Privacy Information Center (EPIC) formally petitioned the Justice Department in 2024, arguing that "acoustic gunshot detection tools have disparate impacts on majority-minority neighborhoods, increasing police activity in neighborhoods where sensors are placed."

Accuracy issues: A MacArthur Justice Center study found that 88.7% of Chicago police responses to ShotSpotter alerts found no incidents involving a gun. False positives from fireworks, car backfires, and construction noises send armed police into communities based on algorithms that have never been independently validated.

Legal fallout: In 2024, Chicago ended its ShotSpotter contract after years of criticism, though the city is now considering reinstatement. The case of Michael Williams—wrongly charged with murder partly based on ShotSpotter evidence—became a national symbol of the technology's dangers.

💡 Smart Streetlights

What they do: Beyond LED efficiency, many "smart" streetlights contain cameras, microphones, and WiFi tracking sensors. San Diego installed 4,200 such sensors through a contract with GE.

The privacy nightmare: San Diego's streetlights were discovered to be recording video and audio in public spaces—and the city initially had no policy governing how this data could be used. The cameras were routinely accessed by police without public knowledge or oversight.

The response: Following public outcry, San Diego's city council placed a moratorium on the surveillance features. However, the physical infrastructure remains in place—ready to be reactivated.

What to watch for: Cities often frame smart streetlight projects as "energy efficiency" initiatives while burying surveillance capabilities in the fine print.

📡 Public WiFi Tracking

What it does: Municipal WiFi networks can track the unique MAC address of your phone or laptop as you move through the city, creating detailed movement profiles.

How it works: Even if you don't actively connect to public WiFi, your device broadcasts probe requests that can be captured. This data reveals how long you spent at specific locations, your daily routines, and which areas you frequent.

The regulatory gap: While GDPR in Europe requires anonymization and consent for WiFi tracking, U.S. cities have few restrictions. Some municipal WiFi agreements allow data to be sold to third parties.

🚇 Transit Card Tracking

What it does: RFID and NFC transit cards (like MetroCards, Oyster, or ORCA) create detailed logs of your journeys—when and where you entered and exited the system.

Who accesses it: Transit agencies routinely share trip data with law enforcement, often without a warrant. Immigration and Customs Enforcement (ICE) has subpoenaed transit records to track individuals.

The privacy alternative: Cash-based fare options, where they still exist, don't create trackable records. Anonymous fare cards, offered in some systems, provide partial protection.

🎯 Facial Recognition Systems

What they do: Cameras connected to facial recognition software attempt to identify individuals by comparing their faces against databases of photos—driver's licenses, mugshots, or scraped social media.

Accuracy problems: Multiple studies demonstrate racial and gender bias. Black and Asian faces are misidentified 10-100 times more frequently than white faces, depending on the algorithm.

Real-world harm: EFF has documented ongoing wrongful arrests resulting from facial recognition errors—with victims spending hours or days in custody before the mistake was discovered.

📊 Environmental Sensors and Pedestrian Counters

What they do: Cities deploy sensors to monitor air quality, noise levels, traffic flow, and pedestrian counts. While many are privacy-preserving (using thermal or LIDAR rather than cameras), others capture identifiable data.

The privacy-by-design approach: Some cities, like Palo Alto, use LIDAR-based pedestrian counting that tracks movement without capturing faces or personal features. This demonstrates that smart city benefits are achievable without mass surveillance.

The risk: When cities don't specifically require privacy-preserving approaches, vendors often default to camera-based solutions that capture far more data than needed.

The Regulatory Landscape: US and EU in 2026

European Union: The AI Act Takes Effect

The EU AI Act, which began enforcement in February 2025, represents the world's most comprehensive regulation of surveillance technologies:

Prohibited practices (enforced since February 2025):

• Real-time biometric identification in public spaces for law enforcement (with limited exceptions)
• AI systems that manipulate human behavior
• Social scoring systems
• Emotion recognition in workplaces and schools
• Untargeted scraping of internet or CCTV footage to build facial recognition databases

High-risk system requirements (effective August 2026):

• Mandatory conformity assessments
• Human oversight requirements
• Transparency obligations
• Data quality standards

What it means: European smart cities face significant restrictions on deploying facial recognition and must justify any use of biometric surveillance. Member states can implement even stricter rules—and many have.

Italy's moratorium: Real-time biometric identification in public spaces has been banned through 2025, with extension likely.

United States: The Patchwork Problem

The U.S. has no federal comprehensive privacy law covering smart city surveillance. Instead, regulation is a fragmented patchwork:

State privacy laws:

As of January 2026, 19 states have enacted comprehensive privacy laws: California (CCPA/CPRA), Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Montana, Texas, Delaware, Oregon, New Jersey, New Hampshire, Maryland, Minnesota, Nebraska, Rhode Island, and Kentucky.

Key provisions affecting smart cities:

• California: CPRA gives residents rights to know what data is collected, delete it, and opt out of sales. Local agencies must post ALPR usage policies online.
• Maryland: Bans the sale of sensitive personal data including precise geolocation data (effective October 2025).
• Montana and Utah: Require warrants before police can use facial recognition in most circumstances.

What's missing: Most state privacy laws focus on commercial data practices, not government surveillance. They don't require consent for public CCTV, ALPR, or gunshot detection. Few address the specific harms of smart city technologies.

Local Surveillance Ordinances: The Model Approach

The most effective privacy protections exist at the city level, where surveillance oversight ordinances require:

1. Public disclosure of all surveillance technologies
2. Open hearings before acquisition
3. Elected official approval (not just police chief sign-off)
4. Regular audits and impact assessments
5. Data retention limits and access logs

Model cities: Seattle, Oakland, Berkeley, Somerville, Cambridge, San Francisco, Palo Alto, Nashville, New York City.

City-by-City Comparison: Who's Protecting Privacy?

🥇 LEADING CITIES (Strong Protections)

San Francisco, California

• Facial recognition: Banned for city agencies (2019, first in nation)
• Surveillance ordinance: Requires Board of Supervisors approval for all surveillance tech
• ALPR: Restricted, with data retention limits
• Status: Gold standard for comprehensive approach

Portland, Oregon

• Facial recognition: Banned for both government AND private businesses in public accommodations (2020, strongest in nation)
• Surveillance ordinance: Yes
• Status: Most comprehensive ban extends to stores and restaurants

Oakland, California

• Facial recognition: Banned for city use
• Surveillance ordinance: Strong—Privacy Advisory Commission reviews all technology purchases
• ALPR: Restricted
• Status: Model for community-driven oversight

Seattle, Washington

• Surveillance ordinance: Among the nation's strongest
• Facial recognition: Banned
• Status: Full-time staff dedicated to surveillance oversight

Cambridge, Massachusetts

• Facial recognition: Banned
• ALPR: Terminated Flock Safety contract in 2025 after community pressure
• Status: Demonstrated cities can reverse surveillance decisions

🥈 MODERATE CITIES (Some Protections)

Boston, Massachusetts

• Facial recognition: Banned (2020)
• Surveillance ordinance: Yes, but implementation uneven
• ALPR: Permitted with restrictions
• Status: Good policy, mixed enforcement

New York City, New York

• Facial recognition: Restricted but not banned
• Surveillance ordinance: POST Act (2020) requires NYPD to disclose surveillance capabilities
• ALPR: Extensive network, limited restrictions
• Status: Transparency without prohibition

🥉 LAGGING CITIES (Minimal Protections)

Chicago, Illinois

• Facial recognition: No ban; extensive use
• ShotSpotter: Ended contract in 2024 after criticism, but considering reinstatement
• ALPR: Extensive network with minimal restrictions
• Status: Reactive rather than proactive

San Diego, California

• Smart streetlights: Moratorium on surveillance features after outcry
• ALPR: Growing network
• Status: Improving but historically reactive

San Jose, California

• ALPR: Hundreds of Flock cameras—currently facing ACLU/EFF lawsuit
• Facial recognition: No ban
• Status: Poster child for ALPR overreach

Recent Lawsuits and Legal Developments

EFF/ACLU v. San Jose (November 2025)

The case: The Electronic Frontier Foundation and ACLU of Northern California sued San Jose over its Flock Safety ALPR network, arguing:

• Warrantless searches of stored license plate data violate the California Constitution
• The system enables "pervasive" tracking impossible to avoid
• Over 923,000 searches in 2024 demonstrates mass surveillance
• Only 0.2% of scans (361 million total) resulted in hits on wanted vehicles

Why it matters: This could establish that blanket ALPR surveillance requires a warrant, not just reasonable suspicion. The lawsuit was filed on behalf of the Services, Immigrant Rights and Education Network (SIREN) and the Council on American-Islamic Relations – California (CAIR-CA).

Institute for Justice v. Norfolk (October 2024)

The case: A federal lawsuit challenging Norfolk, Virginia's 170+ Flock cameras under the Fourth Amendment.

The argument: Pervasive ALPR surveillance constitutes an unconstitutional search under Carpenter v. United States, which established that long-term location tracking requires a warrant.

Chicago ShotSpotter Controversy (2024)

The situation: Chicago ended its ShotSpotter contract in 2024 after years of community criticism, studies showing 88.7% false positive rates, and cases like Michael Williams's wrongful murder charge.

Current status: A new administration is considering reinstating the technology despite documented failures.

Washington State ALPR Ruling (November 2025)

The ruling: Skagit County Superior Court held that ALPR data captured by Flock cameras constitutes public records under Washington's Public Records Act.

Why it matters: Public records requests can now expose how ALPR data is being used and searched, creating accountability mechanisms.

Your Rights Checklist

Print this. Know these. Use them.

✅ Federal Constitutional Rights

• Fourth Amendment: Protects against unreasonable searches. Carpenter v. United States (2018) held that long-term location tracking requires a warrant—but courts are still determining how this applies to ALPR and facial recognition.
• First Amendment: Surveillance of protest activity may chill protected speech and assembly.

✅ State Constitutional Rights

Many state constitutions provide stronger privacy protections than the federal Constitution:

• California: Explicit right to privacy (Article I, Section 1)
• Montana: Strong privacy protections
• Alaska, Arizona, Florida, Hawaii, Illinois, Louisiana, South Carolina, Washington: Constitutional privacy provisions

✅ State Privacy Law Rights (varies by state)

If you're in one of the 19 states with comprehensive privacy laws:

• Right to Know: What data is collected about you
• Right to Delete: Request deletion of your data
• Right to Opt Out: Of data sales (limited applicability to government)
• Right to Correct: Inaccurate information

Note: These rights primarily apply to commercial entities, not government surveillance.

✅ Local Ordinance Rights

If your city has a surveillance oversight ordinance:

• Right to Public Notice: Before surveillance tech is deployed
• Right to Comment: At public hearings
• Right to See Usage Policies: Posted online
• Right to Audit Information: How surveillance is used

✅ Public Records Rights

• Federal FOIA: For federal agency surveillance
• State Public Records Acts: For state and local surveillance. Request: ALPR policies, surveillance technology inventories, contracts with vendors, search/query logs

✅ What You DON'T Have (Yet)

• No right to consent: Cities don't need your permission to photograph your license plate or face in public
• No right to opt out: Of most public surveillance
• No right to compensation: If surveillance data is misused
• No federal smart city privacy law: Congress has failed to act

How to Opt Out (Where Possible)

The uncomfortable truth: you cannot fully opt out of smart city surveillance while participating in urban life. However, you can minimize your exposure:

📱 WiFi Tracking Reduction

1. Disable WiFi when not in use: Your phone constantly broadcasts requests that can be tracked
2. Use MAC randomization: Modern iOS and Android randomize MAC addresses by default—don't disable this
3. Forget networks: Remove saved public WiFi networks
4. Use a VPN: When connecting to public WiFi

🚗 License Plate Reader Minimization

1. Understand your routes: ALPR cameras cluster at intersections, highway on-ramps, and commercial areas
2. No legal avoidance: Covering or altering your license plate is illegal
3. Check camera locations: WIRED and DeFlock published Flock Safety sensor locations in 2025
4. Advocacy: Push for data retention limits and warrant requirements

🚇 Transit Tracking Reduction

1. Use cash fares: Where still accepted
2. Anonymous fare cards: Some systems offer cards not linked to your identity
3. Avoid registration: Don't link transit cards to online accounts

👤 Facial Recognition Reduction

1. Understand limitations: Hats, sunglasses, and masks reduce accuracy but don't defeat determined systems
2. Know banned cities: Your rights are stronger in San Francisco, Portland, Oakland, Boston, and other ban cities
3. IR-blocking glasses: Some specialized eyewear defeats facial recognition (effectiveness varies)

📡 General Digital Hygiene

1. Location services: Disable when not needed
2. Bluetooth: Turn off when not in use (can be tracked)
3. Apps audit: Review which apps access your location
4. Browser privacy: Use privacy-focused browsers, clear cookies

🏠 Smart Meter Opt-Out

Utility smart meters can reveal when you're home and what appliances you use. Over 137 million are installed in U.S. homes.

1. Check opt-out options: Many states require utilities to offer analog meter alternatives
2. Expect fees: Utilities often charge $10-25/month for manual reading
3. Review data sharing: Request your utility's data-sharing policies

What City Officials Should Know

If you're a city council member, mayor, or administrator evaluating smart city technologies:

Questions to Ask Before Procurement

1. What data is collected? Get specifics, not marketing materials
2. Who has access? Which agencies? Which employees? Other jurisdictions?
3. How long is data retained? Indefinite retention is unacceptable
4. What are the accuracy rates? Independent testing, not vendor claims
5. Where is it deployed? Is there disparate impact on minority communities?
6. What oversight exists? Audit logs? Independent review?
7. What's the exit strategy? Can you terminate and delete data?

Model Ordinance Elements

Based on successful implementations in Seattle, Oakland, and Cambridge:

1. Public hearing requirement: Before any surveillance technology acquisition
2. Elected body approval: City council must vote, not just department heads
3. Annual reporting: Public reports on use, accuracy, complaints
4. Impact assessments: Including civil liberties and equity analysis
5. Data minimization: Collect only what's necessary
6. Retention limits: 30 days for routine data, longer only with justification
7. Access controls: Audit logs for all queries
8. Community oversight board: Including members from affected communities
9. Right to terminate: Contract provisions allowing exit with data deletion
10. Prohibition categories: Consider outright bans on facial recognition, predictive policing

The Cost of Getting It Wrong

• Legal liability: San Jose, Norfolk, and Chicago all face or faced expensive litigation
• Community trust: Surveillance revelations damage police-community relations
• Vendor lock-in: Vendors like Flock Safety resist transparency and data deletion
• Mission creep: Technology acquired for one purpose inevitably expands

Privacy-Preserving Alternatives

Smart city benefits don't require mass surveillance:

• LIDAR pedestrian counting: Tracks movement without capturing faces
• Aggregated traffic data: Patterns without individual tracking
• Privacy-by-design sensors: Many vendors offer options that don't retain personal data
• Edge processing: Analyze and discard, rather than store and search

Resources for Further Action

Advocacy Organizations

• Electronic Frontier Foundation (EFF): eff.org — Leading ALPR and facial recognition investigations
• American Civil Liberties Union: aclu.org — Model legislation and litigation
• Surveillance Technology Oversight Project (STOP): stopspying.org — New York focused
• Electronic Privacy Information Center (EPIC): epic.org — Federal policy advocacy
• Restore the Fourth: restorethe4th.com — Local ordinance campaigns

Research and Reporting

• Atlas of Surveillance (EFF): atlasofsurveillance.org — Searchable database of surveillance tech by jurisdiction
• DeFlock: Crowdsourced ALPR camera location map
• Brennan Center for Justice: brennancenter.org — Policy analysis
• Upturn: upturn.org — Technology policy research

Legal Resources

• MacArthur Justice Center: macarthurjustice.org — ShotSpotter litigation and research
• Institute for Justice: ij.org — ALPR constitutional challenges

What You Can Do Today

1. Find your city's surveillance inventory: Search "[your city] surveillance technology" or check EFF's Atlas
2. Attend a city council meeting: Surveillance tech purchases often slip through consent calendars
3. File a public records request: Ask for ALPR policies, camera locations, and search statistics
4. Contact your representatives: State legislators can pass statewide protections
5. Support litigation: EFF and ACLU cases create precedents that protect everyone

Conclusion: The Fight for the Future of Cities

The smart city of 2026 stands at a crossroads. One path leads to efficiency through surveillance—every movement tracked, every face scanned, every data point monetized. The other leads to cities that are intelligent without being invasive, using technology to improve lives while respecting the fundamental right to move through public space without being watched.

The difference isn't technology—it's policy. Cities like San Francisco and Portland have proven that you can ban facial recognition without urban collapse. Communities from Cambridge to Yellow Springs have shown that ALPR surveillance can be rejected when citizens organize. The EFF, ACLU, and Institute for Justice are establishing legal precedents that may finally require warrants for technologies that track our every move.

But these victories are fragile. New administrations can reverse bans. New technologies can evade existing rules. Federal preemption could override local protections.

The future of privacy in smart cities depends on citizens who understand what's watching them, know their rights, and demand accountability from the institutions that deploy these technologies in their name.

This guide is your starting point. Now it's your turn.

This article was published on February 13, 2026 and reflects the legal and regulatory landscape as of that date. Laws and technologies evolve rapidly—check the linked resources for the most current information.