Bill Text

Bill Information


Bill PDF |Add To My Favorites | print page

SB-1276 Shared mobility service data.(2021-2022)

SHARE THIS: share this bill in Facebook share this bill in Twitter
Date Published: 04/18/2022 02:00 PM
SB1276:v97#DOCUMENT

Amended  IN  Senate  April 18, 2022
Amended  IN  Senate  March 16, 2022

CALIFORNIA LEGISLATURE— 2021–2022 REGULAR SESSION

Senate Bill
No. 1276

Introduced by Senator Durazo

February 18, 2022

An act to add Chapter 2 (commencing with Section 1798.78.1) to Title 1.8 of Part 4 of Division 3 of the Civil Code, relating to privacy.


LEGISLATIVE COUNSEL'S DIGEST


SB 1276, as amended, Durazo. Shared mobility service data.
Existing law, the California Consumer Privacy Act of 2018, grants a consumer, as defined, various rights with respect to personal information, as defined, that is collected or sold by a business, as defined, including the right to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information.
Existing law, the Electronic Communications Privacy Act (ECPA), generally prohibits a government entity from compelling the production of or access to electronic communication information or electronic device information, as defined, without a search warrant, wiretap order, order for electronic reader records, subpoena, or order for a pen register or trap and trace device, except for emergency situations, as specified.
This bill would authorize a regulating agency, as defined, as a term of a regulation, license, permit, or other authorization, to require a shared mobility service provider over which it has jurisdiction to provide to the regulating agency shared mobility service data, as defined, in a form that facilitates auditing, as prescribed. The bill would prohibit a regulating agency from disclosing deidentified shared mobility service data to another public agency unless certain criteria are met, including the purpose of the disclosure is to assist the recipient public agency with a public purpose. The bill would prohibit a regulating agency or recipient public agency from disclosing shared mobility service data to a local, state, or federal law enforcement agency other than as required by law, as specified. The bill would also prohibit a regulating agency from disclosing shared mobility service data that includes location data to the public unless certain criteria are met, including the location data does not depict a shared mobility device or shared mobility service currently in use by a user of the device or service. The bill would provide that shared mobility service data is not “electronic device information” or “electronic information” as those terms are defined in ECPA.
Existing constitutional provisions require that a statute that limits the right of access to the meetings of public bodies or the writings of public officials and agencies be adopted with findings demonstrating the interest protected by the limitation and the need for protecting that interest.
This bill would make legislative findings to that effect.
Vote: MAJORITY   Appropriation: NO   Fiscal Committee: YES   Local Program: NO  

The people of the State of California do enact as follows:


SECTION 1.

 The Legislature finds and declares all of the following:
(a) California has seen a variety of new shared mobility service providers seek to operate on public roads, and these new modes of transportation have created a variety of challenges for public agencies seeking to understand and respond to their impacts on road safety, the health and safety of communities, equitable access to educational, work, and other opportunities, and efforts to decarbonize the transportation sector.
(b) The public has an interest in ensuring that shared mobility services are equitably available to all interested users, do not create unreasonable risks or hazards for users or other road users, do not create broader unreasonable negative impacts, and that any negative impacts are not unfairly distributed.
(c) The benefits and impacts of shared mobility services can be evaluated only if public agencies have access to reliable shared mobility service data that is capable of being audited.
(d) Numerous state and local agencies need access to data about the use of public rights-of-way by shared mobility service providers in order to carry out their responsibilities to design, plan, maintain, and operate the public rights-of-way for safe and efficient multimodal use and to analyze how changes in regulation and use of shared mobility services may affect equitable access to and use of our public roads, as well as to enforce the permit requirements.
(e) Providers of shared mobility services have access to detailed personal and financial information about their employees and users and have real-time access to information about the location of specific users, as well as about their payment methods and home addresses.
(f) In contrast, public agencies are able to fulfill most responsibilities related to shared mobility providers without any of the personal information maintained by shared mobility service providers. Rather, most data generated by shared mobility services is deidentified and does not contain personal information related to drivers or users. Deidentified data documenting the status and availability for hire of devices or vehicles and supporting user trip planning is essential to the development of multimodal transportation services, equity analysis, and the development of innovative programs and services to support decarbonization of the transportation sector.
(g) Some have asserted that deidentified shared mobility service data could be used by third parties, in combination with other publicly available data, to reidentify particular individuals. This bill requires regulating agencies and other public agencies to adopt policies and practices that minimize the risk of reidentification while affirming regulating agencies’ authority to require submission of data.

(h)In some cases, public agencies need personal information identifying drivers or users in order to investigate complaints, collect fees, fines, or fares, establish entitlement to discounted services, enforce safety regulations governing the safe use and operation of shared mobility devices or motor vehicles, or fulfill other public purposes. California law and public agency practices governing the privacy interests raised by that personal information are well established.

SEC. 2.

 Chapter 2 (commencing with Section 1798.78.1) is added to Title 1.8 of Part 4 of Division 3 of the Civil Code, to read:
CHAPTER  2. Shared Mobility Service Data

1798.78.1.
 As used in this chapter:
(a) “Contractor” means a business or person that is not an employee of a regulating agency that performs work under contract with a regulating agency.
(b) “Deidentified shared mobility service data” means shared mobility service data that does not include personal information, as defined in Section 1798.3, about a driver or user.
(c) “Regulating agency” means a state, county, regional, or local government agency that issues a license, permit, or other authorization to a shared mobility service provider to operate within the governmental agency’s jurisdiction or that otherwise regulates the shared mobility service provider.
(d) “Shared mobility device” means a motor vehicle, bicycle, electric bicycle, electric scooter, or other device or vehicle offered for use on a shared mobility service provider platform by which a person or goods can be propelled, moved, or drawn in the public right-of-way.
(e) “Shared mobility service” means a service that uses an online enabled application or platform to do either of the following:
(1) Display, offer, or make available in the public right-of-way for rent or use a shared mobility device.
(2) Provide for ordering and delivery of goods using a shared mobility device in the public right-of-way.
(f) “Shared mobility service data” means any of the following:
(1) Information documenting the location, characteristics, event, or operational status or change in status of a shared mobility device or shared mobility service, including locked, unlocked, accessible to people with disabilities, available for use, unavailable for use, internal combustion engine, zero-emission vehicle, and other similar characteristics or operational status.
(2) Information about trips requested or completed using a shared mobility device or shared mobility service, including, but not limited to, start and end time, duration, point of origin, route, and point of conclusion.
(3) Notifications of information described in this subdivision provided to a regulating agency by a shared mobility service provider.
(g) (1) “Shared mobility service provider” means a person, corporation, partnership, association, joint venture, or other private entity that offers, provides, or makes available to the public a shared mobility service, including, but not limited to, a transportation network company, as defined by Section 5431 of the Public Utilities Code, and a food delivery platform, as defined by Section 22598 of the Business and Professions Code.
(2) “Shared mobility service provider” does not include any of the following:
(A) A public agency or its contractors or agents acting on behalf of the public agency.
(B) A motor carrier of property, as defined in Section 34601 of the Vehicle Code.
(C) An automobile rental business.
(h) “User” includes, but is not limited to, a driver, rider, passenger, customer, or accountholder of a shared mobility service provider.

1798.78.2.
 (a) (1) Notwithstanding any other law, a regulating agency may, as a term of a regulation, license, permit, or other authorization, require a shared mobility service provider over which it has jurisdiction to provide to the regulating agency shared mobility service data in a form that facilitates auditing.
(2) The regulating agency may prescribe use of a particular data specification to govern submissions and may specify the time and frequency for reporting, including, if necessary to support a public purpose, requiring submission of contemporaneous notifications about the location and operational status of shared mobility devices and services.
(b) A regulating agency imposing a requirement pursuant to this section shall do both of the following:
(1) Provide the shared mobility service provider reasonable notice of the data specification and reporting requirements.
(2) Protect the privacy of users by implementing all of the following policies and procedures:
(A) Limiting access to shared mobility service data to employees, contractors, or agents who have an operational or regulatory need to access the data.
(B) Prohibiting employees, contractors, or agents of the regulating agency from making private use of the data.
(C) Employing technical safeguards that prevent unauthorized access to, or inadvertent release of, shared mobility service data.
(D) Adopting data minimization and retention schedules under which shared mobility service data is retained only for so long as it is needed to support a public purpose.
(E) Prohibiting an employee, contractor, or agent who has access to the shared mobility service data from using or disclosing the data for a commercial purpose and terminating a contractor or agent’s access to shared mobility service data upon completion of work required by a contract.

1798.78.3.
 (a) Subject to Section 1798.78.4, a regulating agency shall not disclose deidentified shared mobility service data to another public agency unless all of the following are true:
(1) The purpose of the disclosure is to assist the recipient public agency with any of the following:
(A) Regulation of the public right-of-way to protect public health, safety, or welfare.
(B) Transportation planning.
(C) The design, maintenance, and operation of multimodal transportation infrastructure and services.
(D) Any other public purpose, including, but not limited to, an audit of a regulating agency or a shared mobility service provider.
(2) The disclosure is pursuant to an agreement through which the receiving public agency agrees that it will comply with the data security requirements in subdivision (b) of Section 1798.78.2 and will comply with Section 1798.78.4.
(3) The regulating agency discloses the deidentified shared mobility service data at least 24 hours after the latest event or status notification included in the shared mobility data.
(b) This section does not authorize a A regulating agency or recipient public agency to shall not disclose shared mobility service data with to a local, state, or federal law enforcement agency other than as required by law pursuant to a warrant issued under Chapter 3 (commencing with Section 1523) of Title 12 of Part 2 of the Penal Code or through a court order, subpoena, or other legal process.

1798.78.4.
 (a) Notwithstanding any other law, including the California Public Records Act, Act (Division 10 (commencing with Section 7920.000) of Title 1 of the Government Code), in order to protect individual privacy and to minimize risk of reidentification of users, a regulating agency or public agency shall not disclose shared mobility service data that includes location data to the public unless all of the following criteria are met:
(1) At least 24 hours have passed since the latest event or status notification included in the deidentified shared mobility service data.
(2) Any location field has been redacted or the precision of data in a location field has been reduced by using any of the following methods of aggregation, obfuscation, or anonymization:
(A) Aggregation of records sharing a common geography, time of day, or date range to generate a sum, average, minimum, maximum, or other summary value.
(B) Replacing precise latitude and longitude data with census blocks or other common geography.
(C) Using any other method reflected in an adopted industry standard or used, endorsed, or recommended by the United States Census Bureau or the National Institute of Standards and Technology.
(3) The location data does not depict a shared mobility device or shared mobility service currently in use by a user of the device or service.
(b) This section does not prohibit a public agency from disclosing to the public contemporaneous data that identifies the location of shared mobility devices or shared mobility services that are currently available for public use to facilitate multimodal user access, trip planning, or trip payment.

1798.78.5.
 (a) Shared mobility service data is not electronic device information or electronic information, as defined in Section 1546 of the Penal Code.
(b) This chapter does not affect the authority of the California Public Utilities Commission (CPUC) to disclose information received from CPUC permittees to the public, including, but not limited to, as authorized in Decision No. 20-03-014 as modified by Decision No. 21-06-023 in Rulemaking 12-12-011 and as ordered by Administrative Law Judge Rulings issued on December 21, 2020, and November 24, 2021, in response to motions for confidential treatment filed by transportation network companies or future similar decisions or rulings addressing public disclosure of data submitted to the CPUC by its permittees.

SEC. 3.

 The additions by this act of subdivision (a) of Section 1798.78.2 and subdivision (a) of Section 1798.78.5 to the Civil Code do not constitute a change in, but are declaratory of, existing law.

SEC. 4.

 The Legislature finds and declares that Section 2 of this act, which adds Section 1798.78.4 to the Civil Code, imposes a limitation on the public’s right of access to the meetings of public bodies or the writings of public officials and agencies within the meaning of Section 3 of Article I of the California Constitution. Pursuant to that constitutional provision, the Legislature makes the following findings to demonstrate the interest protected by this limitation and the need for protecting that interest:
This act balances the right of the public to access relevant information, that does not contain personal information, about services offered by shared mobility service providers operating in the public right-of-way while protecting the privacy interests of users of shared mobility services from improper reidentification by third parties.