Uber and Los Angeles are headed for a showdown over the city's controversial data-sharing demands. If Uber loses, the company's dockless electric scooters and bikes could disappear from city streets.
Jump, a dockless mobility company acquired by Uber last year, has a permit to rent out those scooters and bikes for use on city streets. But last week the Los Angeles Department of Transportation (LADOT) threatened to suspend the permit over the company's failure to provide the city with data on the riders' realtime locations.
Uber has argued, with the support of several privacy organizations, that this requirement violates both its customers' privacy and California law. Rather than submit to LADOT's demands, the company promises to sue.
"Jump riders in Los Angeles have a reasonable expectation of privacy in the trip data created from riding on our bikes and scooters," an Uber spokesperson told Reason. "Therefore, we had no choice but to pursue a legal challenge."
LADOT argues that its data-sharing rules are needed to enforce the city's scooter regulations and that Uber is an outlier in refusing to comply with them.
"Every other company that is permitted in Los Angeles is following the rules," an LADOT spokesperson told the Los Angeles Times. "We look forward to being able to work with Uber on getting them into compliance."
For now, Jump scooters and bikes are still available for hire on L.A. streets. The company has until Friday to appeal LADOT's decision.
The origins of this dispute go back to late 2018, when Los Angeles unveiled a pilot permitting program for dockless mobility companies. To obtain one of these permits, companies were required to obtain insurance for their vehicles, to ensure their vehicles were properly parked, and to develop an equity plan for low-income riders.
Scooter providers were also required to submit realtime data on rides, including time-stamped location data and start and end points, to the city.
At the time, LADOT promised to treat the data as confidential. It also argued that its data-sharing requirements respected users' privacy because the city was not demanding personally identifiable information.
Privacy groups were unimpressed. In a November letter to Seleta Reynolds, LADOT's general manager, the Center for Democracy and Technology (CDT) argued that the department did not sufficiently specify how it would prevent the theft or abuse of the data.
The CDT also argued that the data could easily be used to identify individual users, noting that "when persistent identifiers are connected to historical location information, individuals can be personally identified with reasonable ease."
To allay these concerns, LADOT published a list of data protection principles in March, promising to collect only the data necessary for its mission of protecting public rights-of-way, to limit third-party and law enforcement access to that data, and to adopt stringent security safeguards.
In an April blog post, Nathan Sheard of the Electronic Frontier Foundation (EFF) declared LADOT's data protection principles a "list of aspirations and buzz words" that are "a far cry from the transparent, actionable, and enforceable data privacy policies we would expect of any city agency demanding this level of sensitive information about Los Angeles residents."
Both the EFF and CDT argue that collecting realtime, individualized data on the companies' customers amounts to government surveillance that with minimal effort could reveal reams of sensitive information about an individual user. As EFF pointed out in an April letter to the city, the data collection system "could reveal trips to Planned Parenthood, specific places of prayer, and gay-friendly neighborhoods or bars. Patterns in the data could reveal social relationships, and potentially even extramarital affairs, as well as personal habits, such as when people typically leave for work, go to the gym, or run errands, how often they go out on evenings and weekends, and where they like to go."
LADOT's data requirements could also violate the California Electronic Communications Privacy Act (CalECPA), which requires government entities to obtain a warrant before accessing electronic user information.
In August, the state legislature's Legislative Counsel—a government body that drafts state bills and provides legal advice to legislators—issued an opinion finding that CalECPA prohibits local government departments from "imposing a real time data sharing requirement on a dockless mobility provider as a condition of granting a permit."
Reynolds has challenged that opinion, arguing that CalECPA was intended to restrict law enforcement agencies trying to access electronic communications, not regulatory bodies trying to keep the sidewalks clear.
The question of how much CalECPA ties L.A.'s hands will now probably be hashed out in court. Uber has yet to file a lawsuit, but it is likely do so in the near future.