distribution of the devices throughout a city.347 To ensure equitable distribution of dockless devices, the National League of Cities recommends fleet balancing to ensure equitable distribution.348
Purposefully making fleets available in underserved or target communities can help ensure equitable distribution of transportation resources. Washington, D.C. requires that a shared micromobility operator “have at least 3% of its fleet deployed in each ward cumulatively between 5:00 a.m. and 7:00 a.m. each day.”349 Seattle’s approach to service distribution equity is to require companies to distribute ten percent or more of their deployed fleets in designated “Equity Focus Neighborhoods.”350 Portland’s equity plan requires operators to commit a consistent fifteen percent of their fleet to east Portland. Denver requires that, every morning, bike and scooter share operators Lyft and Lime “consult the opportunity map and deploy a minimum of 30% of their fleet in the identified areas.”351 DOTI uses a platform called Ride Report to track use and distribution data to monitor compliance. The penalty for failing to comply is reduced fleet sizes. To operate in Atlanta, operators are required to deploy at least two percent of their permitted fleet per day across each “equity zone” (six percent total).352
Los Angeles does not have a specific percent distribution requirement in equity zones. Instead, permit fee and fleet number incentives are offered to dockless mobility companies to distribute devices in low-income areas.353 Companies are subject to per trip fees depending on where the trip begins or ends. There is no fee if the trip begins or ends in the “Equity-Focus Mobility Development Districts,” which are neighborhoods where many households “experience economic hardship based on a high concentration of households living in poverty, overcrowded housing, high rates of unemployment, and low educational attainment.” If the trip begins or ends in a “Mobility Development District”—“neighborhoods where people on average travel short periods of time, have access to comfortable bicycle infrastructure and high-frequency transit, and have a lower rate of crashes”—the per trip fee is $0.06. The highest fee, $0.40 per trip, is assessed on trips that begin or end in “Special Operations Zones” where there is an oversaturation of deployed device or specific geographic characteristics that prohibit dockless devices. In addition, if companies want to deploy in the Venice, Downtown Los Angeles, or Hollywood Special Operations Zones, they must also deploy a percentage of their total fleet in the Equity-Focus Mobility Development District and/or a Mobility Development District.
VIII. DATA PRIVACY
Shared micromobility systems routinely collect and store information, including geospatial data, personally identifiable information (PII)—such as names, dates of birth, phone numbers, addresses, social security numbers, drivers’ licenses or state IDs—as well as confidential or otherwise sensitive information. These types of data are mostly not shared with other companies or governments. However, municipalities and transit agencies often require micromobility operators to provide some type of trips data as a condition to operate in their jurisdiction. Such data is susceptible to loss, abuse, theft, or subpoena, and raises privacy concerns. The same granular mobility data that helps generate insights for cities and mobility providers can sometimes be specific enough to raise privacy concerns.
Freedom of information and sunshine laws present potential risks. For cities, protecting personal information presents an added layer of complexity due to obligations to adhere to freedom of information or transparency regulations. While complying with these regulations, cities will exclude basic types of PII, such as names, social security numbers, and birthdates, from public exposure. Nevertheless, mobility data may not always receive the necessary protection against disclosure due to a lack of sufficient awareness around its potential to use in identifying individuals. As cities amass more mobility data, they must educate legislators and municipal legal representatives about how easily such data can transform into PII.354
Privacy law in the United States is still at an early stage, as new laws and concerns emerge. Several states are active in this area, and the federal government is contemplating multiple versions of comprehensive data protection regulations. The current federal case law presents challenges in fulfilling standing requirements.355 However, these requirements might evolve, as data protection grows more intricate. State laws and judicial rulings are taking the lead in loosening standing prerequisites, permitting broader claims of actual harm. Moreover, plaintiffs’ lawyers may use well-established legal principles in innovative ways to establish grounds for legal action against either local governments or private entities. As an example, there could potentially be liability under the Fourth Amendment doctrine, even though this aspect of liability for shared micromobility systems remains largely untested. Adhering to appropriate practices for anonymization and ensuring that local governments
___________________
347 Nicole DuPuis, Jason Griess, & Conner Klein, Micromobility in Cities, A History and Policy Overview, NATIONAL LEAGUE OF CITIES, CENTER FOR CITY SOLUTIONS (2019), www.nlc.org/sites/default/files/2019-04/CSAR_MicromobilityReport_FINAL.pdf.
348 Id.
349 D.C. CODE ANN. § 50-2201.03c.
350 SEATTLE DEP’T OF TRANSP., FREE-FLOATING SCOOTER SHARED MICROMOBILITY PERMIT REQUIREMENTS, VERSION 4.0 (May 2023), https://seattle.gov/documents/Departments/SDOT/BikeProgram/Shared_Micromobility_Permit_Requirements_Combined_4.05.3.2023.pdf.
351 Kiran Herbert, Denver’s New Shared Micromobility Plan, BETTER BIKE SHARE PARTNERSHIP, (June 9, 2021), https://betterbikeshare.org/2021/06/09/denvers-new-shared-micrombility-plan/.
352 ATLANTA, GA. CODE OF ORDINANCES § 150-407.
353 LOS ANGELES DEP’T OF TRANSP., ON-DEMAND MOBILITY RULES AND GUIDELINES (2021), https://ladot.lacity.org/sites/default/files/documents/on-demand-mobility-rules-and-guidelines-2021.pdf.
354 NACTO, MANAGING MOBILITY DATA (2019), https://nacto.org/wp-content/uploads/2019/05/NACTO_IMLA_Managing-Mobility-Data.pdf.
355 Clapper v. Amnesty International, 568 U.S. 398 (2013).
only collect necessary information constitutes the most effective approach to mitigate possible legal disputes. Consumer protection law could enable customers to take legal action against private companies for the improper use of customer data, even if customers have accepted the terms and conditions required by these companies to access their services.
Privacy regulations in the United States are subject to oversight not just at the federal level, but also by individual states. Every state might use different definitions around PII and varying criteria for gathering and safeguarding data. This can lead to differing theories of liability in case of breaches. Given that privacy law is still developing, municipal administrations must stay updated about both state and federal legislation, judicial interpretations related to privacy, proposed laws, and any other possible legal responsibilities that could affect them.
Private mobility companies also face obstacles when safeguarding personal data. In contrast to the majority of mobility data required and requested by cities, the data amassed by mobility, cellular, and phone companies from their customers is highly personal. This includes information such as names, credit card details, addresses, phone numbers, along with a comprehensive history of an individual’s whereabouts over time. As these companies devise products and compile mobility data, they must protect both their interests and their customers’ interests by ensuring that they only collect essential information, secure genuine and informed consent from users regarding the utilization, storage, sale, or sharing of personal data, and embrace and enforce optimal strategies for data management and security. Even in cases where users opt in, and then data is gathered, individual trip records should be retained for the shortest duration required.356
The tension between data access and privacy necessitates a crucial discussion across all parties regarding who should possess what data and to what extent. Different groups require access to various kinds and quantities of information according to their “need to know” for effective task execution. To illustrate, a sensitive dataset for fire departments might divulge the precise locations of crucial utility lines or breaker boxes, whereas in a publicly available dataset, this information should be condensed to more generalized “no-dig” zones where crucial utility lines are located. Similarly, with mobility data, city personnel responsible for street operations need insights into the volume of rides beginning or ending at specific locations to adapt curbside regulations accordingly. When releasing this data publicly, personnel should aggregate based on factors like population density and land use characteristics to present an overall picture without disclosing individual buildings or residences. In general, the extent of aggregation required to safeguard individual privacy escalates as population density declines. Additionally, land uses with lower density, such as residential areas, might demand greater levels of aggregation compared to commercial or mixed-use zones, which tend to have higher activity levels.357
A. Data Collected and Maintained by Micromobility Systems
Micromobility services generate large amounts of mobility data, which can include potentially sensitive precise location data about users, among other user-specific data. Data from mobility services can provide valuable and timely insights to guide transportation and infrastructure policy. However, the sharing of sensitive mobility data—between companies or between and with government agencies—still merits concern around the privacy of user information.
It is common for cities to require micromobility operators to provide data about users and trips, including location and trip data. Some state laws address data requirements for micromobility share operators. For example, Nevada requires scooter share operators to provide to the local authority trip data for all trips starting or ending in the jurisdiction of the local authority.358
Cities often condition data-sharing requirements on granting permission for shared scooter systems to operate within their jurisdiction. For example, as a permit requirement in Seattle, Washington each company operating bikeshare or scooter share system must host real-time data in an application programming interface (API) feed.359 Orlando, Florida also requires scooter share companies to provide real-time or semi-real time scooter data.360 Orlando requires companies to maintain a database PII for each scooter rented as well as the date, time and duration of each person’s rental of a scooter; the route taken during the rental period; and the location of the scooter at any particular time during the rental period.361 However, the company will not be required to share this data with the city as part of the company’s operations under the permit or the program.
Atlanta requires operators to provide a documented API that furnishes anonymized data for the entire fleet.362 Operators are required to make the API endpoint available for city consumption along with an API key or token to connect to the endpoint securely.363 Atlanta has an open data portal—the Ride Report Open Data Portal—that provides a public-facing dashboard of dockless shared micromobility data collected within the city.364
Another example is the Los Angeles Department of Transportation (LADOT), which requires dockless mobility companies to provide LADOT with real-time location data about riders’ locations, routes, and destinations to within a few feet as a condition to obtaining a permit.365 The data is provided through
___________________
356 Id.
357 Id.
358 NEV. REV. STAT. ANN. § 484A.469.
359 See Seattle Council Bill 119868; SEATTLE MUNICIPAL CODE §§ 11.46.010 and 11.46.020.
360 ORLANDO, FLORIDA CODE OF ORDINANCES § 10.05.
361 Id.
362 CITY OF ATLANTA, GA., CODE OF ORDINANCES § 150-406.
363 Id.
364 CITY OF ATLANTA, RIDE REPORT, https://public.ridereport.com/atlanta.
365 CITY OF LOS ANGELES, LADOT DOCKLESS SHARED MOBILITY PROGRAM, MDS API TECHNICAL COMPLIANCE OVERVIEW, v1.1, (March 4, 2020), available at https://ladot.lacity.org/docs/ladot-dockless-shared-mobility-program.
an API called Mobility Data Specification (MDS) through GPS. MDS does not capture riders’ identities. Data collected from MDS is classified as “confidential” under the LADOT’s Data Protection Principles.366 However, such data is nonetheless susceptible to loss, abuse, theft, or subpoena, and raising privacy concerns.
B. Privacy Concerns and the Fourth Amendment
Mobility data can easily become PII, even if data managers anonymized and scrubbed it of unique personal information. Geospatial data, or geodata, is data related to locations on the Earth’s surface and contains coordinate information (e.g., latitude and longitude), which allows features to be drawn on a map.367 Geospatial data can be turned into PII by either identifying recognizable travel patterns or by combining it with other identifiable data. Even in anonymous datasets, people may be re-identified from their routine travel patterns (e.g., from home to work, school, stores, or religious institutions). A 2013 study using a dataset of 1.5 million individuals compiled over six months found that over 95 percent of those individuals could be uniquely identified using only four location points triangulated from cellphone towers.368
Malicious data security breaches aside, even supposedly “anonymized” data can be cross-referenced with other information to identify individual users. Geospatial mobility data can also be combined with other data points to become PII (sometimes referred to as indirect or linked PII). A single geospatial data point like the beginning or end of a trip is not PII. When combined with a phonebook or address look-up service, however, that data can easily be linked to an individual person. In 2014, a researcher requested anonymized taxi mobility data from the NYC Taxi and Limousine Commission (TLC) under freedom of information laws, mapped them using MapQuest, and identified the home addresses of people hailing taxis in front of the Hustler Club between midnight and 6:00 a.m.369 Combining a home address with an address look-up website, social media, and other sources, the researcher was able to find the “property value, ethnicity, relationship status, court records and even a profile picture” of an individual patron.370 Another individual reportedly used the TLC’s anonymized data to identify Muslim drivers.371
The ability to combine information from individuals’ travel patterns and secondary data sets with geospatial trip data to form PII means that the public and private sector must treat geospatial trip data as PII when collecting, managing, storing, and disseminating that data. Publicly disclosing disaggregated trip data is essentially sharing the movements of private citizens. Anonymized data can be cross-referenced with other information to identify individual users. Malicious data security breaches aside, there is legitimate concern that publicly available anonymized and aggregated individual user data could be reverse engineered for malevolent purposes such as stalking, identity theft, or financial fraud.
Software that is capable of monitoring and recording the GPS location of vehicles, riders’ pick up and drop off locations, as well as their names, addresses, and other PII raises privacy concerns. If government has access to users’ route information, it can derive personal information from that data. New York’s highest court found that, “[d]isclosed in [location] data will be trips the indisputably private nature of which takes little imagination to conjure: trips to the psychiatrist, the plastic surgeon, the abortion clinic, the AIDS treatment center, the strip club, the criminal defense attorney, the by-the-hour motel, the union meeting, the mosque, synagogue or church, the gay bar and on and on.”372
In United States v. Knotts, 460 U.S. 276, 281, 103 S. Ct. 1081, 75 L. Ed. 2d 55 (1983), the U.S. Supreme Court held that “[a] person traveling in an automobile on public thoroughfares has no reasonable expectation of privacy in his movements from one place to another.”373 Courts have routinely found that “[t]here is a diminished expectation of privacy in a vehicle because of its availability to public scrutiny.”374
In 2007, in Alexandre v. N.Y.C. Taxi & Limousine Comm’n, 2007 U.S. Dist. LEXIS 73642 (S.D.N.Y. Sep. 28, 2007), the U.S. District Court for the Southern District of New York rejected a group of taxi drivers’ claims that the local taxi regulator’s requirement that licensed medallion taxicabs install new technology systems that would automatically collect and transmit trip data, including location using GPS, violated the drivers’ fundamental right to privacy guaranteed by the Fourth Amendment.
___________________
366 CITY OF LOS ANGELES, INTER-DEPARTMENTAL CORRESPONDENCE, DATA PROTECTION PRINCIPLES/USE AND RETENTION (CF #19-1355), (Jun. 14, 2020), http://clkrep.lacity.org/onlinedocs/2019/19-1355_rpt_DOT_6-14-2020.pdf.
367 BRANDEIS LIBRARY, GIS DATA, https://guides.library.brandeis.edu/c.php?g=990410&p=7164688 (last accessed Aug. 21, 2023).
368 Y. Montjoye, et al., Unique in the Crowd: The privacy bounds of human mobility, NATURE, (2013), www.nature.com/articles/srep01376.
369 See Alex Hern, New York Taxi Details Can Be Extracted from Anonymized Data, Researchers Say, THE GUARDIAN, (Jun. 27, 2014), www.theguardian.com/technology/2014/jun/27/new-york-taxidetails-anonymised-dataresearchers-warn.
370 Atockar, Riding with the Stars: Passenger Privacy in the NYC Taxicab, DATASET, (Sept. 15, 2014), https://agkn.wordpress.com/2014/09/15/riding-with-the-stars-passenger-privacy-in-the-nyc-taxicab-dataset/.
371 See Lorenzo Franceschi-Bicchierai, Redditor Cracks Anonymous Data Trove to Pinpoint Muslim Cab Drivers, MASHABLE, (Jan. 28, 2015), https://mashable.com/2015/01/28/redditor-muslim-cab-drivers/#QJEqzARLgsqP.
372 People v. Weaver, 909 N.E.2d 1195, 1199 (2009).
373 See also Turner v. Am. Car Rental, Inc., 92 Conn. App. 123, 884 A.2d 7, 11 (Conn. App. Ct. 2005) (“[T]he plaintiff has not presented us with any authority that equipping a motor vehicle with a global positioning system violates the privacy of the vehicle’s operator.”); People v. Gant, 9 Misc. 3d 611, 620, 802 N.Y.S.2d 839, 847 (Westchester County Ct. 2005) (holding that a search warrant was not required prior to installing a GPS device to track the vehicle’s whereabouts because there is no “legitimate expectation of privacy in a vehicle traveling upon . . . public roadways”).
374 U.S. v. Moran, 349 F. Supp. 2d 425, 467 (N.D.N.Y. 2005) (citing U.S. v. Knotts, 460 U.S. 276, 281, 103 S. Ct. 1081, 75 L. Ed. 2d 55 (1983)).
Citing Knotts, the Court found that there likely is “no legitimate expectation of privacy” in the taxicab context at issue, and the Fourth Amendment protection against unreasonable searches and seizures “depends on whether the person invoking its protection can claim a ‘justifiable,’ ‘reasonable’ or ‘legitimate expectation of privacy’ that has been invaded by government action.”375
In Sanchez v. Los Angeles Dep’t of Transportation, No. CV205044DMGAFMX, 2021 WL 1220690 (C.D. Cal. Feb. 23, 2021), aff’d, 35 F.4th 721 (9th Cir. 2022), and aff’d, 39 F.4th 548 (9th Cir. 2022), the American Civil Liberties Union (ACLU), in partnership with the Electronic Frontier Foundation (EFF), unsuccessfully challenged LADOT’s MDS, which mandated scooter tracking data as a condition of permitting. The lawsuit, filed in Federal District Court in California, claimed LADOT’s requirement of scooter tracking data violates the Fourth Amendment to the U.S. Constitution, the California Constitution, and the California Electronic Communications Privacy Act.376 The U.S. District Judge dismissed the lawsuit in February 2021, stating that the plaintiffs did not have their legal or constitutional privacy rights violated by MDS because the third-party doctrine (see below) squarely applied to plaintiff’s voluntary agreement to provide location data to the e-scooter operators. While the Judge recognized the “Plaintiffs’ concern with the unprecedented breadth and scope of the City’s location data collection,” he said the debate over MDS “may be more appropriately addressed as a matter of public policy.”377
Third-party doctrine does not generally acknowledge the privacy of information voluntarily shared with a third party; instead, it dictates that a person “has no legitimate expectation of privacy in information he voluntarily turns over to third parties.”378 Therefore, such information is not entitled to Fourth Amendment safeguards. The scope of voluntarily shared information is broad and encompasses data collected by entities like scooter companies and wireless service providers. However, a notable shift in perspective on what information merits Fourth Amendment protection was demonstrated by the U.S. Supreme Court in the significant case of Carpenter v. United States, 138 S. Ct. 2206 (2018). In this ruling, the Court established that the government’s acquisition of historical cellphone location records was a search that merits Fourth Amendment protection, necessitating a warrant for such data collection. Chief Justice Roberts, writing for the majority, noted that cellphone technology results in wireless carriers receiving dialed numbers as well as a comprehensive and detailed record of an individual’s movements, and “[t]he fact that such information is gathered by a third party does not make it any less deserving of Fourth Amendment protection.”379 Given the widespread use and indispensable nature of such services in contemporary society, this view led to a ruling that extends Fourth Amendment protection to law enforcement’s access to historical geolocation data in records provided by cellphone companies. Cities must closely monitor the trajectory of this legal interpretation and adjust their policies accordingly.
C. Federal Data Privacy Laws
Similar to the private sector, state and local government agencies are subject to a patchwork of data security laws and other restrictions when they receive, maintain, use, or transmit data containing PII and other sensitive or confidential information. There is no federal privacy regulation that specifically addresses state and local governments’ collection, maintenance, or use of personal data collected from its citizens.
Federal laws that protect personal information in government records applicable to federal agencies include the Freedom of Information Act (FOIA) and the Privacy Act of 1974. These laws broadly control the “use and disclosure of federal government records about its citizens”380 and concern an individual’s claim to prevent disclosure of sensitive or confidential information held by the federal government. These laws are unlikely to have any applicability to state and local transit agencies.381 However, many states have adopted statutes mirroring or implementing FOIA, as well as general data security and breach notification statutes that typically apply equally to government and private entities.
1. Federal Trade Commission Act
The Federal Trade Commission (FTC) has authority, under the Federal Trade Commission Act (FTCA), 15 U.S.C. §§ 41-58, as amended, to bring actions against companies or individuals that engage in unfair or deceptive acts or practices, including those involving vehicle data privacy and security. The FTC’s authority extends to its recommended guidelines regarding privacy policies.382 The FTC protects consumers’ privacy by enforcing Section 5(a) of the FTCA and penalizing companies for using consumer data in a way that violates the manufacturer’s
___________________
375 Alexandre, 2007 U.S. Dist. LEXIS 73642 at *31, citing Smith v. Maryland, 442 U.S. 735, 740, 99 S. Ct. 2577, 61 L. Ed. 2d 220 (1979) (citations omitted).
376 Sanchez v. Los Angeles Dep’t of Transportation, No. CV205044D-MGAFMX, 2021 WL 1220690 (C.D. Cal. Feb. 23, 2021), aff’d, 35 F.4th 721 (9th Cir. 2022), and aff’d, 39 F.4th 548 (9th Cir. 2022).
377 Id. at *6.
378 United States v. Miller, 425 U.S. 435, 443 (1976) (“The depositor takes the risk, in revealing his affairs to another, that the information will be conveyed by that person to the Government.” (citing United States v. White, 401 U.S. 745, 751-52 (1971)); Smith v. Maryland, 442 U.S. 735, 743-44 (1979) (“This Court consistently has held that a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.”).
379 Carpenter v. United States, 138 S. Ct. 2206, 2223 (2018).
380 J. Thomas McCarthy, The Rights of Publicity and Privacy, at § 6.135 (2013).
381 Because this report focuses on state and local transit agencies, federal FOIA laws are inapplicable and, therefore, outside the scope of this digest. For information on FOIA, please see Matthew E. Daus, TCRP Legal Research Digest 59: Legal Issues and Emerging Technologies, Transportation Research Board, Washington, D.C., 2022, https://doi.org/10.17226/26786.
382 15 U.S.C. § 45.
stated privacy policies.383 Section 5 prohibits “unfair or deceptive acts or practices in or affecting commerce” and states an act may be considered “unfair” if it “causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”384 In the mobility technology context, the FTC has used its enforcement authority in appropriate circumstances to bring actions against Uber.
In October 2018, the FTC settled an action it brought against Uber for data breaches in 2014 and 2016 and charges that the company deceived consumers about its privacy and data security practices.385 In 2014, an intruder used an access key, which an Uber engineer had posted publicly on a code-sharing website, to download unencrypted files from Uber’s cloud storage. The files contained the names, license numbers, Social Security numbers, and bank account and routing numbers of approximately 100,000 Uber drivers, as well as physical addresses, email addresses, phone numbers, and trip location information. While the FTC was investigating the breach in 2016, Uber learned of a separate, similar breach impacting 600,000 U.S.-based drivers and 57 million riders. Uber allegedly paid the attackers $100,000 to destroy the data. In both instances, Uber delayed notify affected individuals or regulators. In October 2018, the FTC announced that it had finalized its settlement concerning Uber’s 2014 and 2016 breaches. The settlement requires Uber to submit to third-party audits of its privacy program and retain certain records related to bug bounty reports regarding vulnerabilities that relate to potential or actual unauthorized access to consumer data.386
The FTC is concerned with the privacy implications of mobile and geolocation data, and mobile app data security. In its 2012 report “Protecting Consumer Privacy in an Era of Rapid Change,” the FTC “call[ed] on entities involved in the mobile ecosystem to work together to establish standards that address data collection, transfer, use, and disposal, particularly for location data.”387 The FTC has issued further guidelines on best practices for developing of privacy and data security policies and practices.388
D. State Data Privacy Laws
States have different definitions for personal information and regulations regarding protection of such information in government data. Some states have specific data security requirements for government agencies that collect, use, or manage personal information of the state’s residents, and some regulate data collected by and from shared micromobility systems.
Often, government entities are exempt from consumer data privacy laws that apply to the private sector. For example, the California Consumer Privacy Act of 2018 (CCPA) applies only to “businesses” that are “organized or operated for the profit or financial benefit of [their] shareholders or other owners,” which would not include government agencies.389 The CCPA is the first state law in the U.S. to grant consumers rights over their personal information collected by businesses and how that personal information is handled. Similar to the European Union’s General Data Protection Regulation (GDPR), the CCPA requires companies to be transparent with consumers regarding the categories of personal data they collect and how they disclose and share that information.
Several states, including Arkansas, Nevada, and Utah, have laws that specifically address bikeshare or scooter share system data protection. These states require scooter share operators to provide anonymized trip data to local authorities where they operate. To ensure privacy, these states’ statutes provide that such trip data must be:390
- Provided via an API, subject to the scooter share operator’s license agreement for the interface, in compliance with a national data format standard such as the mobility data specification;
- Treated as trade secret and proprietary business information of the scooter share operator, exempt from public disclosure pursuant to a public records request;
- Considered personally identifiable information; and
- Shared with law enforcement only pursuant to valid legal process.
Nevada further requires scooter share data be subject to a privacy policy of the local authority, disclosing what data is collected and how the data is used or shared with third parties.391 The law also prohibits sharing such data with third parties without the consent of the scooter share operator.392 In addition, the local authority must safely and securely store this data and “implement reasonable administrative, physical and technical safe-
___________________
383 15 U.S.C. § 45.
384 15 U.S.C. § 45(n).
385 In the Matter of Uber Techs., Inc., 152-3054, 2018 WL 1836642 (Apr. 11, 2018).
386 Id.
387 U.S. FEDERAL TRADE COMM’N, PROTECTING CONSUMER PRIVACY IN AN ERA OF RAPID CHANGE (2012), https://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-report-protecting-consumer-privacy-era-rapid-change-recommendations/120326privacyreport.pdf.
388 See, e.g., U.S. FEDERAL TRADE COMM’N, MOBILE PRIVACY DISCLOSURES: BUILDING TRUST THROUGH TRANSPARENCY, (Feb. 2013), www.ftc.gov/sites/default/files/documents/reports/mobile-privacy-disclosures-building-trust-through-transparency-federal-trade-commission-staff-report/130201mobileprivacyreport.pdf; U.S. FEDERAL TRADE COMM’N, MARKETING YOUR MOBILE APP: GET IT RIGHT FROM THE START, (Apr. 2013), www.ftc.gov/system/files/documents/plain-language/pdf-0140_marketing-your-mobile-app.pdf; U.S. FEDERAL TRADE COMM’N, START WITH SECURITY: A GUIDE FOR BUSINESS (Jun. 2015), www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business; U.S. FEDERAL TRADE COMM’N, APP DEVELOPERS: START WITH SECURITY (May 2017), www.ftc.gov/tips-advice/business-center/guidance/app-developers-start-security.
389 CAL. CIV. CODE DIV. 3, Pt. 4, Title 1.81.5 (added Stats. 2018 ch. 55 § 3 [AB 375], effective Jan. 1, 2019, operative Jan. 1, 2020).
390 ARK. CODE ANN. § 27-51-1905, NEV. REV. STAT. ANN. § 484A.469; UTAH CODE ANN. § 41-6a-1115.1.
391 NEV. REV. STAT. ANN. § 484A.469.
392 Id.
guards to protect, secure and, if applicable, encrypt or otherwise limit access to the data.”393
New York regulates the use and disclosure of trip data, personal information, images, videos, and other recorded images collected by bikeshare and scooter share systems.394 New York prohibits a scooter system operator from selling, distributing, other making such data available for any commercial purpose and generally prohibits disclosing such data except to the person who is the subject of such data, information or record or if necessary to comply with a lawful court order, judicial warrant, or subpoena.395 For the purposes of this law, New York defines “personal information” as “information that identifies an individual, including but not limited to name, address, telephone number, and the type and form of payment including credit card number, debit card number, or other payment method.”396
In states without specific laws addressing data privacy for shared-use micromobility operators, other laws may be applicable. For example, under California’s Electronically Collected Personal Information law, any state agency that electronically collects personal information through the internet must prominently give notice to users about the data that the agency is collecting and its purpose for doing so and that users have the option of requesting their data be discarded.397 This information is exempt from requests made pursuant to the California Public Records Act. The law also prohibits state agencies from distributing or selling any electronically collected personal information to any third party without prior written permission from the user.398 California state agencies are required to discard without reuse or distribution any electronically collected personal information upon request by the user.
E. Addressing Data Privacy Concerns in Shared Micromobility Systems
Many cities in the United States have principles around data protection to address privacy concerns and challenges. The Los Angeles Department of Transportation released its Mobility Data Specification (MDS) in 2019 to protect individual data in its transit system from exploitation. LADOT categorizes certain MDS vehicle data as confidential under the city’s Information Handling Guidelines, and it will withhold such information as exempt from release under the Public Records Act.399 De-identification and strong access controls are also applied to LADOT data. All mobility service providers operating on Los Angeles streets, including bikeshare and scooter share providers, must comply with MDS.400
New York City has citywide privacy protection policies and tools that all agencies use to protect user privacy. The protocol has details for every facet of data use and management, including collection, use, disclosure, access, and retention of identifying information; as well as protocols around contracts using identifying information, and organizational protocols and structures for data management.401
Other organizations have created uniform standards that all cities can follow when creating specifications on how mobility data, even bikeshare and scooter share data, can be created and stored. The Mobility Data Collective created a transportation-tailored privacy assessment tool that focuses on considerations for organizations that want to share mobility data in a privacy-sensitive manner. The Mobility Data Sharing Assessment (MDSA) provides public and private sector organizations with operational guidance to conduct legal and privacy reviews of their data-sharing processes.402 Organizations that use this tool for sharing mobility data can embed privacy and equity considerations into their mobility data-sharing agreements. The MDSA aims to enable responsible data sharing that protects individual privacy, respects community interests, and encourages transparency.
In 2020, several mobility companies, including Uber, Lyft, Spin, Bird, and Lime along with the North American Bikeshare and Scootershare Association (NABSA) and the Open Mobility Foundation (OMF), developed and agreed to a set of guidelines for protecting user data.403 The principles were developed through collaboration by over 20 cities, privacy advocates, technology companies, mobility service providers and organizations like NABSA, the New Urban Mobility Alliance (NUMO), and OMF.404
F. Disclosure of Data under State Open Records Laws
All fifty states and the District of Columbia have enacted statutes modeled on the federal FOIA, often referred to as open government laws, freedom of information laws (FOIL), or sunshine laws.405 These laws were created to increase transparency in government by allowing the public to have access to government records. Most of these laws were enacted in the 1950s or
___________________
393 Id.
394 N.Y. VEH. & TRAF. LAW §§ 1243 and 1282.
395 N.Y. VEH. & TRAF. LAW § 1282.
396 Id.
397 CAL. GOV’T CODE § 11015.5(a). See also CAL. GOV’T CODE § 11015.5(d)(1).
398 CAL. GOV’T CODE § 11015.5(b).
399 CITY OF LOS ANGELES, LADOT DATA PROTECTION PRINCIPLES, LADOT, (2019), https://ladot.lacity.org/sites/default/files/2020-02/2019-04-12_Data-Protection-Principles.pdf.pdf.
400 Id.
401 CITY OF NEW YORK, CITYWIDE PRIVACY PROTECTION POLICIES AND PROTOCOLS, (2023), www.nyc.gov/assets/oti/downloads/pdf/citywide-privacy-protection-policies-protocols.pdf.
402 MOBILITY DATA COLLABORATIVE, https://mdc.sae-itc.com/.
403 PRIVACY PRINCIPLES FOR MOBILITY DATA, www.mobilitydataprivacyprinciples.org/.
404 Rebecca Bellan, Cities, Mobility Companies Agree to 7 Guidelines to Keep Rider Data Private, TECHCRUNCH, (Oct. 29, 2021), https://techcrunch.com/2021/10/29/private-and-public-sector-come-together-to-create-privacy-principles-for-mobility-data/.
405 Emily Dowd, Open Government Laws and Critical Energy Infrastructure, NAT’L CONFERENCE OF STATE LEGISLATURES, (Jan. 30, 2018), www.ncsl.org/research/energy/open-government-laws-and-critical-energy-infrastructure.aspx.
60s and predate large-scale data collection. In general, these laws presume that government records are public and should be open to the public unless specifically exempted for privacy or other compelling reasons. These laws apply to government information, which typically includes data in electronic form.406 The exemptions in state open government laws shield information from disclosure for public policy reasons. Laws and exemptions vary by jurisdiction; however, they typically protect PII, cybersecurity strategies, and trade secrets or other commercial or financial information that is privileged or confidential. Transit agencies and cities must consult applicable state law when implementing data-sharing requirements for micromobility.
1. Information and Data Subject to State Freedom of Information Laws
For information or data to be subject to state’s public records law, it must be a public record. In addition to documents, papers, and other physical records, records typically include electronic data and other records regardless of physical form or characteristics.407 Electronic records are generally considered records for the purposes of state open government laws. To avoid any doubt about the application of the Texas Open Government law to electronic communication, the statute provides that the definition of “public information” “applies to and includes any electronic communication created, transmitted, received, or maintained on any device if the communication is in connection with the transaction of official business.”408
Generally, something is a public record if a state or local government entity either created or obtained the information and is in possession or control of it. Some states and the District of Columbia have adopted a “control standard” instead of a “possession standard” to determine the definition of what constitutes public records when the records were not created by an agency.409 Unlike the FOIA410 and other state statutes that require actual possession, the Texas Open Government law includes information where the public agency simply “has a right of access to the information” or “spends or contributes public money for the purpose of writing, producing, collecting, assembling, or maintaining the information.”411 In contract, other states, such as Michigan, have found that access available to a public body does not mean that production is required.412
2. Data Held by Vendors and Partners
Data transmitted to a public agency by third parties may constitute public records that the agency must hold to the same public records disclosure standards as other data that the agency creates and maintains. The data collected through partnerships with private entities could be considered public information subject to disclosure, and it should not be assumed that data is not subject to disclosure simply because it is held by a third party.
Some states make explicit that records in the possession of third parties may be considered public records. For example, under Illinois law, “[a] public record that is not in the possession of a public body but is in the possession of a party with whom the agency has contracted to perform a governmental function on behalf of the public body, and that directly relates to the governmental function and is not otherwise exempt under this Act, shall be considered a public record of the public body, for purposes of this Act.”413
___________________
406 Ira Bloom, Freedom of Information Laws in the Digital Age: The Death Knell of Informational Privacy, 12 RICH. J. L. & TECH. 9, text at notes 277–81 (2006).
407 See, e.g., CONN. GEN. STAT. § 1-200(5) (“‘Public records or files’ means any recorded data or information relating to the conduct of the public’s business prepared, owned, used, received or retained by a public agency, or to which a public agency is entitled to receive a copy by law or contract under section 1-218, whether such data or information be handwritten, typed, tape-recorded, printed, photostatted, photographed or recorded by any other method.”); 29 DEL. C. § 10002(g) (“Public record” is defined as “information of any kind, owned, made, used, retained, received, produced, composed, drafted or otherwise compiled or collected, by any public body, relating in any way to public business, or in any way of public interest, or in any way related to public purposes, regardless of the physical form or characteristic by which such information is stored, recorded or reproduced.”); 5 ILCS 140/2(c) (public records include “all records, reports, forms, writings, letters, memoranda, books, papers, maps, photographs, microfilms, cards, tapes, recordings, electronic data processing records, recorded information and all other documentary materials, regardless of physical form or characteristics, having been prepared, or having been or being used, received, possessed or under the control of any public body”); N.C. GEN. STAT. ANN. § 132-1(a) (“Public record” or “public records” shall mean “all documents, papers, letters, maps, books, photographs, films, sound recordings, magnetic or other tapes, electronic data-processing records, artifacts, or other documentary material, regardless of physical form or characteristics, made or received pursuant to law or ordinance in connection with the transaction of public business by any agency of North Carolina government or its subdivisions.”).
408 TEX. GOV’T CODE ANN. § 552.002(a-2) (Information is “in connection with the transaction of official business” if the information is either “created by, transmitted to, received by, or maintained by” either an officer or employee of the governmental body or “a person or entity performing official business or a governmental function on behalf of a governmental body, and pertains to official business of the governmental body.”).
409 See D.C. CODE ANN. § 2-502(18) (Public records include “all books, papers, maps, photographs, cards, tapes, recordings or other documentary materials regardless of physical form or characteristics prepared, owned or used in the possession of, or retained by a public body”); Belth v. Dep’t of Consumer & Regulatory Affairs, 115 Daily Washington Legal Rptr. 2281 (D.C. Super. Ct. 1987) (holding that records created by the National Association of Insurance Commissioners and used by the Department of Consumer & Regulatory Affairs were covered by the D.C. Act because the documents were in the agency’s physical and legal control, and used by the agency to regulate insurers).
410 Forsham v. Harris, 445 U.S. 169, 100 S. Ct. 977, 63 L. Ed. 2d 293 (1980); N. L. R. B. v. Sears, Roebuck & Co., 421 U.S. 132, 95 S. Ct. 1504 (1975).
411 TEX. GOV’T CODE ANN. § 552.002(a).
412 See Hoffman v. Bay City School Dist., 137 Mich. App. 333, 357 N.W.2d 686, 21 Ed. Law Rep. 317 (1984) (“the fact that the attorney was paid by a governmental body, the school board, and conducted his investigation at its request, does not transform his report into a record subject to disclosure under the FOIA”).
413 ILL. COMP. STAT. 140/7(2).
3. Exemptions for Personal Information and Unwarranted Invasions of Personal Privacy
State freedom of information laws typically exempt disclosure of records that would constitute an unwarranted invasion of personal privacy. More than half of the states have general prohibitions on disclosing PII in public agency records. For example, in New York, records are exempt if disclosure “would constitute an unwarranted invasion of personal privacy.”414 The most frequently discussed exemption in the Michigan Freedom of Information Act provides exemption for: “[i]nformation of a personal nature where the public disclosure of the information would constitute a clearly unwarranted invasion of an individual’s privacy.”415
In California, electronically collected personal information is exempt from requests made pursuant to the California Public Records Act.416 The law defines “electronically collected personal information” as:417
[A]ny information that is maintained by an agency that identifies or describes an individual user, including, but not limited to, his or her name, social security number, physical description, home address, home telephone number, education, financial matters, medical or employment history, password, electronic mail address, and information that reveals any network location or identity, but excludes any information manually submitted to a state agency by a user, whether electronically or in written form, and information on or relating to individuals who are users serving in a business capacity, including, but not limited to, business owners, officers, or principals of that business.
Some state open records laws allow PII to be disclosed only with written consent. For example, Washington law allows access to “an individually identifiable personal record for research purposes if informed written consent for the disclosure” has been obtained.418
Public agencies should be able to avoid disclosure of sensitive information contained in data using the exemption for PII. Those that wish to disclose PII collected from new and emerging technologies for research purposes may be able to do so by first obtaining written consent for such disclosure.
4. Exemptions for Trade Secrets and Privileged or Confidential Information
Many states model their public disclosure laws after the FOIA and protect trade secrets and privileged or confidential information from public disclosure.419 These exemptions and their applications to specific types of information vary by state. For example, New York has an exemption for information and data that “are trade secrets or are submitted to an agency by a commercial enterprise or derived from information obtained from a commercial enterprise and which if disclosed would cause substantial injury to the competitive position of the subject enterprise.”420 New York’s General Specifications for government procurement further allow properly-marked materials to be maintained confidentially and exempt from disclosure under the state FOIL.421
Montana law provides that “[a]ny records, materials, or other information furnished pursuant to the Act or these rules are a matter of public record and are open to public inspection, unless they are entitled to protection under the Uniform Trade Secrets Act, Title 30, chapter 14, part 4, MCA.”422 UTSA is a model law that codifies the basic principles of common law trade secret protection.423 All of the states (except New York), the District of Columbia, and the U.S. Virgin Islands have adopted the UTSA in modified or unmodified form. Some states use the same definition of “trade secret” that in the UTSA for the purposes of the state’s open government law. Under UTSA, a “trade secret” is defined as:
[I]nformation, including a formula, pattern, compilation, program, device, method, technique, or process that:
- derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use, and
- is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.
In Washington, records containing trade secrets are not categorically excluded from public disclosure under the Washington Public Records Act (PRA).424 Under the PRA, public records may be withheld only if the record falls within a specific PRA exemption or “other statute which exempts or prohibits disclosure of specific information or records.”425 The “other statutes” exemption “incorporates into the Act other statutes which exempt or prohibit disclosure of specific information or records. In other words, if such other statutes mesh with the Act, they operate to supplement it.”426 If there is a conflict between the
___________________
414 See, e.g., N.Y. PUB. OFF. LAW § 86(4).
415 MICH. FREEDOM OF INFORMATION ACT § 13(1)(a); MICH. COMP. LAWS ANN. § 15.243(1)(a).
416 CAL. GOV’T CODE § 11015.5(a)(7).
417 CAL. GOV’T CODE § 11015.5(d)(1).
418 REV. CODE WASH. (ARCW) § 42.48.020.
419 See e.g., TEX. GOV’T CODE § 552.110 (exempting information “if it is demonstrated based on specific factual evidence that the information is a trade secret” or “that disclosure would cause substantial competitive harm to the person from whom the information was obtained”).
420 N.Y. PUB. OFF. LAW §§ 84–90.
421 See N.Y. OFFICE OF GENERAL SERVICES, PROCUREMENT GUIDELINES, APPENDIX B—GENERAL SPECIFICATIONS, ¶ 15 (July 2006), www.ogs.state.ny.us/purchase/BidTemplate/AppendixB.doc.
422 MONT. ADMIN. R. 17.20.302.
423 Uniform Law Commission, Uniform Trade Secrets Act with 1985 Amendments, THE NATIONAL CONFERENCE OF COMMISSIONERS ON UNIFORM STATE LAWS (approved Feb. 11, 1986), https://www.uniformlaws.org/HigherLogic/System/DownloadDocumentFile.ashx?DocumentFileKey=e19b2528-e0b1-0054-23c4-8069701a4b62&forceDialog=0.
424 See Lyft, Inc. v. City of Seattle, 190 Wash. 2d 769, 780, 418 P.3d 102, 104 (2018) (“It is undisputed that no provision of the PRA exempts trade secrets from disclosure, so any exemption would need to be pursuant to an ‘other statute.’”).
425 See WASH. REV. CODE ANN. § 42.56.070.
426 See Progressive Animal Welfare Soc’y v. Univ. of Wash., 125 Wash.2d 243, 261-62, 884 P.2d 592 (1994) (plurality opinion).
