A California resident formally requested Flock Safety delete all collected personal data, citing CCPA rights against what they term a "domestic spying program." The user specifically demanded erasure of information pertaining to themselves, their vehicles, and household members from all databases.

Flock responded by denying the request, claiming they operate strictly as a service provider and processor for their customers, who they assert are the actual data controllers. The company stated they cannot directly fulfill such deletion requests, instead advising the user contact the organization that engaged Flock’s LPR services.

This assertion that Flock is exempt from direct CCPA compliance due to its processor status raises serious legal questions regarding who bears responsibility when LPR technology captures PII in public view. Flock maintains its LPRs only capture publicly visible vehicle characteristics, not sensitive data like addresses, and defaults to a 30-day retention window.

The user views Flock's reply as legally inaccurate, believing the entity collecting and processing the information should adhere to the consumer privacy act requirements; they are now considering legal action against the data processor.