Privacy getting taken for a ride

It’s as if they can read your mind: Before customers even ask to be picked up, apps let Uber or Lyft know you’ll need them.

That’s because personal data housed in smart phones tell ride-sharing companies when and where their customers most frequently need rides.

It’s innovated the car-service industry, critics say, at the expense of users’ privacy.

“The stories range from tracking customers in real time and stalking reporters, to data breaches where hackers obtained account records of thousands of TNC (transportation network company) users and offered them for sale on dark websites visited by criminals,” Assemblyman Ed Chau, D-Monterey Park, told the Assembly Utilities and Commerce Committee hearing this week for his bill, AB 886.

Sponsored by the Consumer Federation of California, a non-profit consumer-rights advocacy group, Chau’s bill would set up privacy standards related to “personally identifiable data” that TNCs — like Uber or Lyft — would be required to follow. Those standards don’t exist now, Chau said.

But Chau’s measure stalled in the committee on a four-to-six vote amid a fierce lobbying fight. Chau was given permission to bring the bill back to the committee for another vote, which could be as early as next week.

Supporters of AB 886 said they would be willing to reexamine the scope of the bill’s definition of “personally identifiable data” in order to move it forward.

“I guess you could say, well, protecting some personal data is better than protecting none,” said Richard Holober, executive director of the Consumer Federation. “Right now none is protected. And I don’t believe the flawed argument that Internet-based companies should have greater freedom than the other businesses who collect and share data.”

This was just one of four TNC-related bills heard by the Assembly committee that day – all of the others were approved despite the rides-sharing industry’s opposition to one measure requiring random drug testing of drivers.

But even that bill, AB 24 by Assemblyman Adrin Nazarian, D-Sherman Oaks, is a watered-down version of its former self.

Last year, a similar Nazarian bill also included a requirement that drivers be subjected to Department of Justice criminal background checks – it died in the Transportation Committee.

This time around, the author decided to amend that provision “in order to advance” the bill, Nazarian said at the hearing. Assemblyman Roger Hernandez, D-West Covina, who sits on the committee, said the Justice Department requirement is what made him “excited” about Nazarian’s bill and even asked whether the author would bring it back.

Hernandez said at the hearing, “This is a requirement already in place for all the others paid to drive people in California, why are we cutting corners for people who have cool apps? Is it because it’s hip?”

Maybe. Or maybe it’s because regulating ride-sharing companies is new territory for lawmakers and the industry has a robust lobbying arm.

Advocates of TNC-driver background checks, random drug screenings and guidelines for how these companies’ use personal data are told their antiquated approach doesn’t match the industry’s innovation.

Assemblywoman Autumn Burk, D-Inglewood, who opposed Chau’s personal data privacy bill along with her Republican colleagues on the Utilities and Commerce Committee, argued many companies – not just those providing ride-sharing – use consumer data in a similar way in order to improve their services.

“I think we should treat a brick and mortar company as we would an Internet business, so that would be one of my concerns, that it’s just not fair,” she said.

And TNCs say AB 886’s restrictions on using personal data would put them out of business. Robert Callahan, a lobbyist for the Internet Association, which represents major ride-sharing companies, said Chau’s definition of “personally identifiable data” would render these apps illegal.

“With this extremely broad definition, something as simple as ‘this guy likes the Legislature,’ or ‘this person orders pizza regularly’ – that is not identifiable – would be subject to the exact same and merit the same protections under the law as something like a social security number,” Callahan said.

“At the end of the day, we read the bill as saying if our mobile apps are functioning we are in violation of the law and subject to significant penalties,” he said.

But the backers of Chau’s privacy bill said the core issue was consumer protection.

The Consumer Federation, which wrote AB 886, says these companies would still be able to predict consumer traffic in order to sustain their performance. According to Holober, the bill’s aim is to regulate companies that sell their knowledge of, for example, whether you like pizza to a company that sells pizza.

“Why would that be information the company needs to know?” Holober said, “They don’t, so that’s where we start crossing the line into using this data for marketing purposes.”
—
Ed’s Note: Updates Holober quotes, 8th and final grafs.