But unlike when rideshare services such as Uber and Lyft were taking off, many cities require providers of these shared-mobility devices to provide both aggregated and disaggregated data about rides in order to obtain operating permits. That has led to tensions between local governments, in California and elsewhere, that often claim they need disaggregated data to monitor usage and properly regulate the devices and privacy advocates who worry that sensitive personal information could be revealed.
To get the perspectives of city officials, shared-mobility providers, privacy advocates and academics before taking action on possible state legislation, the state Senate held an informational hearing this week to assess the current environment. Judiciary Chair Hannah-Beth Jackson, D-Santa Barbara, signaled from the outset that she’s committed to protecting data.
“We have to ensure data is available but that doing so doesn’t put personal information at risk,” she said in Wednesday’s hearing. And several of the groups testifying agreed to that concept.
Local governments track rides differently. The city of Los Angeles, for example, has instituted a pilot program that requires providers to signal geolocation information to the city within five seconds of when a bike or scooter begins a trip and then again within five seconds of when the trip ends. The providers must deliver full turn-by-turn data for each trip to the city within 24 hours.
Seleta Reynolds, general manager of the L.A. Department of Transportation, said that information is needed to ensure providers are locating the devices where they say they are and adhering to limits on the number available at any given point, which she said was needed to ensure that sidewalks remained accessible for pedestrians and people in wheelchairs. She said the turn-by-turn information was needed to understand where people actually were traveling so impacts could be mitigated.
The city of Sacramento, however, relies solely on aggregated data such as trips per block and where trips begin and end. Jennifer Donlon Wyant, a city transportation planning manager, said that data informs planners if bikeways or additional space on certain streets is needed to accommodate the bikes and scooters and to ensure there is adequate parking where trips end.
According to the staff report for the hearing, transportation planners in the future could use data collected from autonomous vehicles, rideshare companies, microtransit and drones to guarantee curb space, react immediately to public safety issues and provide real-time road closure and traffic information to vehicles, mobility service providers and navigation products like Waze. Some transportation experts, the report continues, predict that the trends of shared mobility automation and electrification will eventually dominate mobility and that cities could have a “living portal” into virtually all vehicular movement.
But privacy advocates, including the American Civil Liberties Union and the Electronic Frontier Foundation, are worried that even anonymized trip data can in some cases be linked to an individual, and that information can reveal sensitive data.
They cited an opinion in a 2018 Supreme Court decision that pointed out that where and when individuals are traveling “provides an intimate window into a person’s life, revealing not only (their) particular movements, but through them [their] familial, political, professional, religious and sexual associations.”
Jamie Lee Williams, a staff attorney with the Electronic Frontier Foundation, a California-based nonprofit that works to protect privacy and civil liberties in the digital age, told lawmakers that there is a need for legislation that would limit local agencies to collecting aggregated and deidentified trip data and to prevent local governments from unnecessarily stockpiling sensitive location data about individuals.
“We do not think that cities should be blocked from accessing all data. Local public agencies should be able to collect some data in order to ensure that new transportation devices are deployed safely, efficiently, equitably and sustainably,” she said.
“But local agencies do not need to collect sensitive, personally identifiable information about riders in order to do so. When cities start demanding individual level trip data, we are no longer just talking about smart cities; we are talking about surveillance cities. What we need are ‘smart enough cities’ – cities that harness the power of data and technology in a way that respects the privacy interests of all Californians.”
She called on lawmakers to enact clear limits to rein in what data can be collected by local governments.
Two tech companies testifying at the hearing offered different approaches.
Uttara Sivaram, head of privacy and security policy for Uber, urged lawmakers to ensure that state privacy laws such as the new California Consumer Privacy Act and the California Electronic Communications Privacy Act (CalECPA) apply to transportation and mobility data. Uber subsidiary JUMP has refused to comply with L.A.’s data requirements and as a result the city revoked its permit to rent bikes and scooters.
The state Office of Legislative Counsel last year opined that CalECPA would prohibit cities from requiring real-time location data as a condition of granting a permit. The cities of Los Angeles, Santa Monica and San Jose this week filed a letter with the office disagreeing with the opinion.
David Allison, senior vice president of data for Bird, a leading provider of electric scooters, took a middle approach, urging lawmakers not to draw a “bright line” but to establish principles that no person’s location should be made publicly available while ensuring cities have access to data needed to regulate the industry.
