Does L.A.’s Scooter Data Program Violate State Privacy Laws?

This back-and-forth between California legal analysts and city regulators could be only the start of a more contentious debate to come.

This back-and-forth between California legal analysts and city regulators could be only the start of a more contentious debate to come. Shutterstock

 

Connecting state and local government leaders

As more cities adopt a controversial scooter tracking system pioneered by Los Angeles, concerns about rider data privacy are spreading.

If you’ve jumped on a dockless scooter in Los Angeles in the past few months, there’s an excellent chance that your every move was tracked—not just by the scooter company, but by the city itself. As of last year, L.A. officials require operators to send the city real-time pings about where scooters are, when they’re in use, and where they’re headed.

These data collection practices have been controversial from the start among mobility companies and privacy advocates, who say such location data could be used to reveal identities and compromise rider privacy. Now, a new analysis of state privacy law by the California Legislative Counsel raises the specter of possible legal complications for local governments that require operators to share such sensitive trip data.

Passed in 2015, California’s Electronic Communications Privacy Act (CalECPA for short) is a legal framework that fleshes out an individual’s right to privacy under the state constitution. CalECPA is designed to block law enforcement agencies from accessing user data, including emails, text messages, and personal information stashed online, without a warrant. Other states, including Maine, Vermont, and Utah, have similarly clarified and bolstered existing federal privacy protections within their own borders.

But local government regulators have also spotted opportunities to harness digital data collection for their own purposes, and in contrast with law enforcement agencies, it’s a less clear where they fall under the purview of ECPA. The battle for control over public rights-of-way between public officials and private mobility services is one of those murky arenas, and it is very much live in L.A.

In late 2018, the city’s department of transportation rolled out an ambitious “mobility data specification” program, which required companies to submit granular, real-time trip data to the city. The purpose of the program was to rein in the recent explosion in dockless scooters and other emerging forms of “micromobility,” and to find out how they’re affecting more established modes of transportation. MDS, as it’s known in wonk-speak, is a first-of-its-kind approach by a city to establish control over public streets before history can repeat itself: in the early days of ride-hailing, companies like Uber and Lyft operated with little respect for regulations and were largely unwilling to comply with cities’ requests for data.

With real-time information about the travel patterns of dockless scooters—and, eventually, ride-hailing cars and autonomous vehicles, if all goes according to plan—a city like L.A. can “see” where, for example, vehicles are left scattered on the sidewalk, or if companies aren’t keeping enough of them available in underserved neighborhoods. Right now, complying with these data-sharing agreements is required for scooter companies in L.A. to receive an operating permit.

What’s more, since the L.A. launched the open-source software that makes MDS run, more than a dozen other municipalities around the U.S. have adopted a version of it as well. And some are using it aggressively: Last month, Santa Monica cracked down on the dockless scooter startup Bird after finding that its MDS data feeds had “consistent anomalies” that resulted in inaccuracies.

From the start, though, players like Bird, Lyft, and Uber have objected to the data-sharing mandate on the basis that it could violate customer privacy. L.A. has promised that the granular trip information is anonymized and aggregated once the city receives it. But scooter companies are not alone in worrying that an outsider—be it a malicious actor, or a law enforcement agency such as ICE—could use the data to re-identify frequent users with relative ease. Location data researchers have shown that even highly aggregated sets of mobility data provide little personal privacy.

Consumer identity protections are just the beginning of the companies’ concerns. Down the road, MDS may eventually point to an urban future where local government could exert direct control over individual vehicles. That’s something assuredly not in the business plan of mobility startups.

So those companies have been putting up a fight. Earlier this year, Uber, Lyft, and Bird* supported a bill known as AB 1112, which would have had the state preempt any city from collecting granular trip data altogether. A number of California cities, including L.A., Oakland, San Francisco, and Anaheim, swooped in to stall the billearlier this summer.

Meanwhile, a group of mobility companies approached another privacy-literate California lawmaker, Assemblywoman Jacqui Irwin, to take a look at LADOT’s unusual permitting requirements. Irwin’s office then requested an opinion of the state’s Legislative Counsel, which is like an in-house firm of legal experts that helps lawmakers interpret their own statutes. Earlier this month, the counsel answered her query. While the response is thorough and complicated, its takeaways suggest that L.A. could face complications if its data collection program is ever litigated in court. The counsel’s two conclusions about MDS are that:

  • CalECPA restricts a local government agency, as a political subdivision of the state, from requiring the provision of real-time location data as a condition of an operating permit, and
  • A government entity is exempted from this restriction if a specific rider directly consents to share their data—but not through a mobility operator as an intermediary.  

Not surprisingly, L.A. full-throatedly disagrees with this opinion. Last week, Seleta Reynolds, the general manager of LADOT, wrote a letter to L.A.’s City Council stating that the legislative counsel’s opinion “too narrowly interprets the question presented and fails to recognize the Legislature’s clear intent of CalECPA to address the actions  of law enforcement agencies.” She continued:

CalECPA was not written to limit the actions of regulatory agencies or to control the regulation of dockless mobility devices in the public right-of-way by a local department of transportation. In fact, there is no mention in either the statutory text or legislative history of any intent by the Legislature to limit or restrict a government regulator from using electronic data within the course and scope of regulating entities that are not electronic communications services

Furthermore, Reynolds states, LADOT consulted with the city attorney and “does not find that CalECPA applies to existing dockless permit requirement, and will continue to require full compliance from mobility provides.”

To be clear, analyses by the Legislative Counsel do not hold precedential value in the way that a decision issued by a judge in a courtroom does, and they don’t necessarily carry much weight in a lawsuit. They’re just opinions, similar to the ones that a neutral, nonpartisan law firm might write about legal proceedings that it isn’t involved in, for the purpose to shedding light on the complexities of the law.

But L.A. has exported the MDS program widely: Seattle, Portland, Minneapolis, New York City, Washington, D.C., and many others have integrated its powers into their scooter-permitting programs in some way. And for good reason—cities want to to reduce congestion, bring down transportation emissions, and keep sidewalks clear. But meanwhile, state lawmakers are getting ever more interested in the issue of data privacy. This back-and-forth between California legal analysts and city regulators could be only the start of a more contentious debate to come.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.