A photo of a scooter rider in Los Angeles.
Who's on that thing, and where are they going? The scooter company knows, but the city might, too. Mike Blake/Reuters

As more cities adopt a controversial scooter tracking system pioneered by Los Angeles, concerns about rider data privacy are spreading.

If you’ve jumped on a dockless scooter in Los Angeles in the past few months, there’s an excellent chance that your every move was tracked—not just by the scooter company, but by the city itself. As of last year, L.A. officials require operators to send the city real-time pings about where scooters are, when they’re in use, and where they’re headed.

These data collection practices have been controversial from the start among mobility companies and privacy advocates, who say such location data could be used to reveal identities and compromise rider privacy. Now, a new analysis of state privacy law by the California Legislative Counsel raises the specter of possible legal complications for local governments that require operators to share such sensitive trip data.

Passed in 2015, California’s Electronic Communications Privacy Act (CalECPA for short) is a legal framework that fleshes out an individual’s right to privacy under the state constitution. CalECPA is designed to block law enforcement agencies from accessing user data, including emails, text messages, and personal information stashed online, without a warrant. Other states, including Maine, Vermont, and Utah, have similarly clarified and bolstered existing federal privacy protections within their own borders.

But local government regulators have also spotted opportunities to harness digital data collection for their own purposes, and in contrast with law enforcement agencies, it’s a less clear where they fall under the purview of ECPA. The battle for control over public rights-of-way between public officials and private mobility services is one of those murky arenas, and it is very much live in L.A.

In late 2018, the city’s department of transportation rolled out an ambitious “mobility data specification” program, which required companies to submit granular, real-time trip data to the city. The purpose of the program was to rein in the recent explosion in dockless scooters and other emerging forms of “micromobility,” and to find out how they’re affecting more established modes of transportation. MDS, as it’s known in wonk-speak, is a first-of-its-kind approach by a city to establish control over public streets before history can repeat itself: in the early days of ride-hailing, companies like Uber and Lyft operated with little respect for regulations and were largely unwilling to comply with cities’ requests for data.

With real-time information about the travel patterns of dockless scooters—and, eventually, ride-hailing cars and autonomous vehicles, if all goes according to plan—a city like L.A. can “see” where, for example, vehicles are left scattered on the sidewalk, or if companies aren’t keeping enough of them available in underserved neighborhoods. Right now, complying with these data-sharing agreements is required for scooter companies in L.A. to receive an operating permit.

What’s more, since the L.A. launched the open-source software that makes MDS run, more than a dozen other municipalities around the U.S. have adopted a version of it as well. And some are using it aggressively: Last month, Santa Monica cracked down on the dockless scooter startup Bird after finding that its MDS data feeds had “consistent anomalies” that resulted in inaccuracies.

From the start, though, players like Bird, Lyft, and Uber have objected to the data-sharing mandate on the basis that it could violate customer privacy. L.A. has promised that the granular trip information is anonymized and aggregated once the city receives it. But scooter companies are not alone in worrying that an outsider—be it a malicious actor, or a law enforcement agency such as ICE—could use the data to re-identify frequent users with relative ease. Location data researchers have shown that even highly aggregated sets of mobility data provide little personal privacy.

Consumer identity protections are just the beginning of the companies’ concerns. Down the road, MDS may eventually point to an urban future where local government could exert direct control over individual vehicles. That’s something assuredly not in the business plan of mobility startups.

So those companies have been putting up a fight. Earlier this year, Uber, Lyft, and Bird* supported a bill known as AB 1112, which would have had the state preempt any city from collecting granular trip data altogether. A number of California cities, including L.A., Oakland, San Francisco, and Anaheim, swooped in to stall the bill earlier this summer.

Meanwhile, a group of mobility companies approached another privacy-literate California lawmaker, Assemblywoman Jacqui Irwin, to take a look at LADOT’s unusual permitting requirements. Irwin’s office then requested an opinion of the state’s Legislative Counsel, which is like an in-house firm of legal experts that helps lawmakers interpret their own statutes. Earlier this month, the counsel answered her query. While the response is thorough and complicated, its takeaways suggest that L.A. could face complications if its data collection program is ever litigated in court. The counsel’s two conclusions about MDS are that:

  • CalECPA restricts a local government agency, as a political subdivision of the state, from requiring the provision of real-time location data as a condition of an operating permit, and
  • A government entity is exempted from this restriction if a specific rider directly consents to share their data—but not through a mobility operator as an intermediary.  

Not surprisingly, L.A. full-throatedly disagrees with this opinion. Last week, Seleta Reynolds, the general manager of LADOT, wrote a letter to L.A.’s City Council stating that the legislative counsel’s opinion “too narrowly interprets the question presented and fails to recognize the Legislature’s clear intent of CalECPA to address the actions  of law enforcement agencies.” She continued:

CalECPA was not written to limit the actions of regulatory agencies or to control the regulation of dockless mobility devices in the public right-of-way by a local department of transportation. In fact, there is no mention in either the statutory text or legislative history of any intent by the Legislature to limit or restrict a government regulator from using electronic data within the course and scope of regulating entities that are not electronic communications services

Furthermore, Reynolds states, LADOT consulted with the city attorney and “does not find that CalECPA applies to existing dockless permit requirement, and will continue to require full compliance from mobility provides.”

To be clear, analyses by the Legislative Counsel do not hold precedential value in the way that a decision issued by a judge in a courtroom does, and they don’t necessarily carry much weight in a lawsuit. They’re just opinions, similar to the ones that a neutral, nonpartisan law firm might write about legal proceedings that it isn’t involved in, for the purpose to shedding light on the complexities of the law.

But L.A. has exported the MDS program widely: Seattle, Portland, Minneapolis, New York City, Washington, D.C., and many others have integrated its powers into their scooter-permitting programs in some way. And for good reason—cities want to to reduce congestion, bring down transportation emissions, and keep sidewalks clear. But meanwhile, state lawmakers are getting ever more interested in the issue of data privacy. This back-and-forth between California legal analysts and city regulators could be only the start of a more contentious debate to come.

About the Author

Most Popular

  1. Bicycle riders on a package-blocked bicycle lane
    Perspective

    Why Do Micromobility Advocates Have Tiny-Demand Syndrome?

    In the 1930s big auto dreamed up freeways and demanded massive car infrastructure. Micromobility needs its own Futurama—one where cars are marginalized.

  2. A photo of an abandoned building in Providence, Rhode Island.
    Perspective

    There's No Such Thing as a Dangerous Neighborhood

    Most serious urban violence is concentrated among less than 1 percent of a city’s population. So why are we still criminalizing whole areas?

  3. a photo of a WeWork office building
    Life

    What WeWork’s Demise Could Do to NYC Real Estate

    The troubled coworking company is the largest office tenant in New York City. What happens to the city’s commercial real estate market if it goes under?

  4. Life

    Why Do Instagram Playgrounds Keep Calling Themselves Museums?

    The bustling industry of immersive, Instagram-friendly experiences has put a new spin on the word museum.

  5. Equity

    Why You Should Say 'Hello' to Strangers on the Street

    On sidewalk psychology. 

×