A state agency opinion on a recent electronic privacy act puts location data in the spotlight for mobility providers and local governments and is prompting consideration by both entities.
In response to Assemblymember Jacqui Irwin, D-Thousand Oaks, the California Office of Legislative Counsel, which provides legal services to the Legislature and other entities, delivered its perspective on the 2015 California Electronic Communications Privacy Act (CalECPA). Asked by Irwin whether the act bars a city or county from requiring businesses that rent “dockless bikes, scooters or other shared mobility devices” to provide real-time location data, the Counsel found, generally, that it does. But in the wake of its Aug. 1 opinion, an official with ride-share provider Uber, which fields Jump electric rental bikes and scooters, expressed concern to Techwire about civic requirements; and the city of Los Angeles offered communications on the topic. Among the takeaways:
• Signed into law in 2015 by former Gov. Jerry Brown, CalECPA prohibited “a government entity” up to and including state law enforcement from requiring “production of or access to” electronic communication information or electronic device information without a search warrant, wiretap order, subpoena or an order for electronic reader records. The law also required governments to destroy any such information they received within 90 days.
Irwin, however, as noted by the Counsel in its opinion, asked whether the act applied to the mobility providers; and whether, to establish consent, people must assent directly to the government entity asking for their data.
• The Counsel said yes, although not to every aspect it probed. It found that city and county departments are government entities “for the purposes of the CalECPA” — but that a “dockless mobility provider” is not a service provider under the act, which considers that to be “a person or entity offering an electronic communications service.” Because of this, the Counsel found CalECPA wouldn’t bar a city or county department from imposing a real-time data-sharing requirement on a dockless mobility provider as a condition of a permit.
But CalECPA restricted governments from “compelling” the production of, or access to electronic device information by anyone other than the device owner – and the Counsel opined that this applied to city and county departments. The Counsel also found it necessary for “an individual or entity to provide consent directly to the government entity seeking that individual’s data.”
• Melanie Ensign, security and privacy communications lead for Uber, pointed out that the opinion “in and of itself is just a clarification”; and indicated the company isn’t opposed to “the whole MDS (Mobility Data Specification) idea as a concept,” and would look favorably toward a global data-sharing standard. But Ensign said public agencies that obtain location data, to track wayward bikes or scooters for example, must be good stewards and properly securitize it against bad actors for whom governments “are much easier targets than Uber.”
Uber is providing Los Angeles with location data with a 24-hour latency period, Ensign said, but is concerned the requirement, a necessity to obtain an operating permit, represents the city’s “strategy to boil the frog.”
“They’ve made it really clear and explicit in these plans that their next step is to expand into vehicles, like all commercial vehicles. And for Uber’s ride-sharing business, those are personal vehicles,” Ensign said.
• Los Angeles’ Data Protection Principles show that the city requires mobility providers to comply with its MDS as a consistent standard, according to an April 12 memo from Los Angeles Department of Transportation (LADOT) General Manager Seleta J. Reynolds’ office. That standard “is designed to process vehicle data minimally necessary for our stated goals and to apply strong privacy protections and security protocols.” The city labels raw trip data as “confidential” under IT Policy Committee handling guidelines; securitizes it and limits access; and, “where possible,” de-identifies raw data where “single vehicle data” is not needed, according to the memo.
LADOT has a “responsibility to protect individual privacy,” Reynolds said in an Aug. 15 memo on the Counsel opinion, to the L.A. City Council and the chair of the transportation committee. Law enforcement and “other government agencies, whether local, state or federal,” will not have access to this data “other than as required by law,” Reynolds said, citing the Principles. LADOT believes that the Counsel’s opinion “too narrowly interprets the question presented” and fails to recognize CalECPA’s intention to address actions of law enforcement agencies, Reynolds said in the August memo.
“LADOT consulted the City Attorney on this matter, does not find that CalECPA applies to existing dockless permit requirements, and will continue to require full compliance from mobility providers,” Reynolds said.