Does L.A.’s Scooter Data Program Violate State Privacy Laws?

If you’ve jumped on a dockless scooter in Los Angeles in the past few months, there’s an excellent chance that your every move was tracked—not just by the scooter company, but by the city itself. As of last year, L.A. officials require operators to send the city real-time pings about where scooters are, when they’re in use, and where they’re headed.

These data collection practices have been controversial from the start among mobility companies and privacy advocates, who say such location data could be used to reveal identities and compromise rider privacy. Now, a new analysis of state privacy law by the California Legislative Counsel raises the specter of possible legal complications for local governments that require operators to share such sensitive trip data.

Passed in 2015, California’s Electronic Communications Privacy Act (CalECPA for short) is a legal framework that fleshes out an individual’s right to privacy under the state constitution. CalECPA is designed to block law enforcement agencies from accessing user data, including emails, text messages, and personal information stashed online, without a warrant. Other states, including Maine, Vermont, and Utah, have similarly clarified and bolstered existing federal privacy protections within their own borders.

But local government regulators have also spotted opportunities to harness digital data collection for their own purposes, and in contrast with law enforcement agencies, it’s a less clear where they fall under the purview of ECPA. The battle for control over public rights-of-way between public officials and private mobility services is one of those murky arenas, and it is very much live in L.A.

In late 2018, the city’s department of transportation rolled out an ambitious “mobility data specification” program, which required companies to submit granular, real-time trip data to the city. The purpose of the program was to rein in the recent explosion in dockless scooters and other emerging forms of “micromobility,” and to find out how they’re affecting more established modes of transportation. MDS, as it’s known in wonk-speak, is a first-of-its-kind approach by a city to establish control over public streets before history can repeat itself: in the early days of ride-hailing, companies like Uber and Lyft operated with little respect for regulations and were largely unwilling to comply with cities’ requests for data.

With real-time information about the travel patterns of dockless scooters—and, eventually, ride-hailing cars and autonomous vehicles, if all goes according to plan—a city like L.A. can “see” where, for example, vehicles are left scattered on the sidewalk, or if companies aren’t keeping enough of them available in underserved neighborhoods. Right now, complying with these data-sharing agreements is required for scooter companies in L.A. to receive an operating permit.

What’s more, since the L.A. launched the open-source software that makes MDS run, more than a dozen other municipalities around the U.S. have adopted a version of it as well. And some are using it aggressively: Last month, Santa Monica cracked down on the dockless scooter startup Bird after finding that its MDS data feeds had “consistent anomalies” that resulted in inaccuracies.

From the start, though, players like Bird, Lyft, and Uber have objected to the data-sharing mandate on the basis that it could violate customer privacy. L.A. has promised that the granular trip information is anonymized and aggregated once the city receives it. But scooter companies are not alone in worrying that an outsider—be it a malicious actor, or a law enforcement agency such as ICE—could use the data to re-identify frequent users with relative ease. Location data researchers have shown that even highly aggregated sets of mobility data provide little personal privacy.

Consumer identity protections are just the beginning of the companies’ concerns. Down the road, MDS may eventually point to an urban future where local government could exert direct control over individual vehicles. That’s something assuredly not in the business plan of mobility startups.

So those companies have been putting up a fight. Earlier this year, Uber, Lyft, and Bird* supported a bill known as AB 1112, which would have had the state preempt any city from collecting granular trip data altogether. A number of California cities, including L.A., Oakland, San Francisco, and Anaheim, swooped in to stall the billearlier this summer.

Meanwhile, a group of mobility companies approached another privacy-literate California lawmaker, Assemblywoman Jacqui Irwin, to take a look at LADOT’s unusual permitting requirements. Irwin’s office then requested an opinion of the state’s Legislative Counsel, which is like an in-house firm of legal experts that helps lawmakers interpret their own statutes. Earlier this month, the counsel answered her query. While the response is thorough and complicated, its takeaways suggest that L.A. could face complications if its data collection program is ever litigated in court. The counsel’s two conclusions about MDS are that:

• CalECPA restricts a local government agency, as a political subdivision of the state, from requiring the provision of real-time location data as a condition of an operating permit, and
• A government entity is exempted from this restriction if a specific rider directly consents to share their data—but not through a mobility operator as an intermediary.  

Not surprisingly, L.A. full-throatedly disagrees with this opinion. Last week, Seleta Reynolds, the general manager of LADOT, wrote a letter to L.A.’s City Council stating that the legislative counsel’s opinion “too narrowly interprets the question presented and fails to recognize the Legislature’s clear intent of CalECPA to address the actions  of law enforcement agencies.” She continued:

CalECPA was not written to limit the actions of regulatory agencies or to control the regulation of dockless mobility devices in the public right-of-way by a local department of transportation. In fact, there is no mention in either the statutory text or legislative history of any intent by the Legislature to limit or restrict a government regulator from using electronic data within the course and scope of regulating entities that are not electronic communications services

Furthermore, Reynolds states, LADOT consulted with the city attorney and “does not find that CalECPA applies to existing dockless permit requirement, and will continue to require full compliance from mobility provides.”

To be clear, analyses by the Legislative Counsel do not hold precedential value in the way that a decision issued by a judge in a courtroom does, and they don’t necessarily carry much weight in a lawsuit. They’re just opinions, similar to the ones that a neutral, nonpartisan law firm might write about legal proceedings that it isn’t involved in, for the purpose to shedding light on the complexities of the law.

But L.A. has exported the MDS program widely: Seattle, Portland, Minneapolis, New York City, Washington, D.C., and many others have integrated its powers into their scooter-permitting programs in some way. And for good reason—cities want to to reduce congestion, bring down transportation emissions, and keep sidewalks clear. But meanwhile, state lawmakers are getting ever more interested in the issue of data privacy. This back-and-forth between California legal analysts and city regulators could be only the start of a more contentious debate to come.