BILL ANALYSIS
AB 886

Date of Hearing: April 20, 2015

ASSEMBLY COMMITTEE ON UTILITIES AND COMMERCE
Anthony Rendon, Chair

AB 886 (Chau) - As Amended March 26, 2015

SUBJECT: Transportation service network provider: passenger privacy

SUMMARY: This bill would require transportation service network providers (TSNP) to adopt certain privacy standards pertaining to a passenger's personally identifiable data. Specifically, this bill:

a) Defines a "transportation service network provider," as any corporation, a limited liability company, partnership, sole proprietor, or any other entity operating in California, including any entity that provides taxicab transportation services, that provides prearranged transportation service for compensation using an online-enabled application or platform to connect to passengers.

b) Defines "personally identifiable data," as the following:

   a. Information that identifies, relates to, describes, or is capable of being associated with a particular individual, including, but not limited to, his or her name, signature, social security number, physical characteristics, address, email address, telephone number, bank account number, credit card number, debit card number, or any other financial information.

   b. Information described or concerning the duration of the transportation service provided, the location and route of the service provided, and the monetary exchange associated with the service provided.

   c. Information relating to the mobile device or computer used to arrange transportation related services, including Internet protocol addresses, media access control addresses, device applications, and geo-locational information.

c) Prohibits a TSNP from requesting or requiring any personally identifiable data of a passenger or accountholder unless the information is required to complete a transaction for the transportation service being provided or for the detection, investigation, prevention of fraud, identity or other theft, or other criminal activity.

d) Prohibits a TSNP from disclosing any personally identifiable data collected to any other person, firm, partnership, association, or corporation unless it is required to do so by state or federal law, or is contractually obligated to share the information with a financial entity to complete the transaction, for the detection, investigation, prevention of fraud, identity or other theft, or other criminal activity.

e) Allows a TSNP to request or require a consumer to establish an account, and provide personally identifiable data to maintain and update the account as a condition of using the transportation service, if the information collected is used solely for those purposes.

f) Requires a TSNP to provide an accountholder with an opportunity to cancel or terminate the account and to destroy or dispose of all personally identifiable data in a secure manner, upon cancellation or termination of the account.

g) Requires a TSNP to dispose of all personally identifiable data in a secure manner after the information is no longer needed for purposes as specified.

h) Provides that a TSNP found in violation is subject to a civil penalty not to exceed $250 for the first violation and $1,000 for each subsequent violation.

EXISTING LAW:

1) Directs the California Public Utilities Commission (CPUC) to issue permits or certificates to charter party carriers (CPC), investigate complaints against carriers, and cancel, revoke, or suspend permits and certificates for specific violations.
(Public Utilities Code §5387)

2) Defines "charter-party carrier of passengers" as every person engaged in the transportation of persons by motor vehicle for compensation, whether in common or contract carriage, over any public highway in the state. (Public Utilities Code §5360)

3) Defines a "transportation network company" (TNC) to mean an organization, including, but not limited to, a corporation, limited liability company, partnership, sole proprietor, or any entity operating in California that provides prearranged transportation services for compensation using an online-enabled application or platform to connect passengers with drivers using a personal vehicle. (Public Utilities Code §5431)

4) Prohibits a TNC from disclosing to a third party any personally identifiable information of a TNC passenger unless one of the following applies:

   a. The customer knowingly consents,

   b. Pursuant to a legal obligation, and

   c. The disclosure is to the CPUC in order to investigate a complaint filed against a TNC or a participating driver, and the CPUC treats the information under confidentiality protections. (Public Utilities Code §5437)

5) Prohibits a business, as defined, from sharing, disclosing, or otherwise making accessible to any third party a customer's data without obtaining the express consent of the customer and conspicuously disclosing to whom the disclosure will be made and how the data will be used. (Civil Code §1798.98)

6) Requires a business, as defined, that discloses data with the express consent of the customer, pursuant to a contract with a nonaffiliated third party, maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the data from unauthorized access, destruction, use, modification, or disclosure, as specified.
(Civil Code §1798.98)

7) Requires a business, as defined, to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the data from unauthorized access, destruction, use, modification, or disclosure. (Civil Code §1798.98)

8) Prohibits a business, as defined, from providing an incentive or discount to the customer for accessing the data without the prior consent of the customer. (Civil Code §1798.98)

9) Requires a business, as defined, to take all reasonable steps to dispose, or arrange for the disposal of customer data within its custody or control when the records are no longer to be retained by the business by shredding, erasing, or otherwise modifying the data in those records to make it unreadable or undecipherable through any means. (Civil Code §1798.98)

10) Prohibits an electrical corporation, gas corporation, or local publicly owned electric utility from sharing, disclosing, or otherwise making accessible to any third party a customer's electrical or gas consumption data. (Public Utilities Code §8380 & §8381)

11) Prohibits an electrical corporation or gas corporation from selling a customer's electrical or gas consumption data or any other personally identifiable information for any purpose. (Public Utilities Code §8380 & §8381)

12) Prohibits an electrical corporation, gas corporation, local publicly owned electric utility, or its contractors from providing an incentive or discount to the customer for accessing the customer's electrical or gas consumption data without the prior consent of the customer.
(Public Utilities Code §8380 & §8381)

13) Requires an electrical corporation, gas corporation, or local publicly owned electric utility that utilizes an advanced metering infrastructure that allows a customer to access the customer's electrical and gas consumption data to ensure that the customer has an option to access that data without being required to agree to the sharing of his or her personally identifiable information, including electrical or gas consumption data, with a third party. (Public Utilities Code §8380 & §8381)

14) Requires an electrical corporation or gas corporation to use reasonable security procedures and practices to protect a customer's unencrypted electrical or gas consumption data from unauthorized access, destruction, use, modification, or disclosure. (Public Utilities Code §8380 & §8381)

15) Requires a local publicly owned electric utility to use reasonable security procedures and practices to protect a customer's unencrypted electrical consumption data from unauthorized access, destruction, use, modification, or disclosure, and prohibits the use of the data for a secondary commercial purpose not related to the primary purpose of the contract without the customer's consent. (Public Utilities Code §8381)

FISCAL EFFECT: Unknown.

COMMENTS:

1) Author's Statement: "As smartphone hailing applications have grown in use, more and more personal information, including trip data, is being collected than ever before. This information can include personal profiles created by the passenger, credit card information used to complete a transaction, trip duration data and geo-tracking location data from a personal mobile device. This information is stored and can be used to create a detailed profile of each passenger without the passenger's knowledge or consent. Passenger trip data should only be gathered if it is strictly necessary for the operation of the transportation service being provided.
Any other collection of data for passengers, especially those that use the service on a daily basis, can have serious ramifications on personal privacy."

2) Background: California law regulates different modes of passenger transportation for compensation including taxi services, which are regulated by cities and/or counties; and CPCs and passenger stage companies (PSC), which are regulated by the PUC. Beginning as early as 2009, a new model of transportation service began springing up in cities across the United States. Known as TNCs, these companies work by allowing patrons to prearrange transportation services through an online application on their smartphone or computer. Patrons would request a ride to a predetermined location, and the application would connect them with a TNC driver. Payment is processed through the application so that no physical financial transaction occurs during the trip itself between the patron and the driver. The TNC takes a commission on each trip. The development of TNCs has made transportation for compensation more readily available to the general public.

3) What are Passenger Carriers? The CPUC is in charge of regulating passenger carriers. Passenger carriers include services such as PSCs and CPCs. PSCs are services that provide transportation to the general public on an individual fare basis, such as scheduled bus operators, which are buses that operate on a fixed route and scheduled services, or airport shuttles, which operate on an on-call door-to-door share the ride service. CPCs are services that charter a vehicle, on a prearranged basis, for the exclusive use of an individual or group. Charges are based on the mileage or time of use, or a combination of both. The CPUC does not regulate the level of charges for CPCs. Types of CPCs include limos, tour buses, sightseeing services, and charter and party buses.
The CPUC requires CPCs to meet a number of requirements before an operating permit or certificate is issued. These requirements include providing sufficient proof of financial responsibility, maintaining a preventative maintenance program for all vehicles, possessing a safety education and training program, and regularly checking the driving records of all persons operating vehicles used in transportation for compensation.

4) What are Not Passenger Carriers? Taxis are excluded from the definition of CPCs and are regulated by cities or counties. The key distinction between CPC rides and taxis is that CPC rides must be prearranged, while taxis are allowed to pick up passengers via street hails. Other examples of transportation services that are not considered charter party carriers include transportation services licensed and operating wholly within the limits of a single city or city and county, transportation services contracted to transport school pupils, publicly owned transit systems, passenger vehicles carrying passengers on a noncommercial enterprise basis, vehicles used exclusively to provide medical transportation, among others.

5) What are Transportation Network Companies? In September 2013, a CPUC decision put TNCs under the purview of the CPUC, allowing it to exercise and enforce regulatory and safety requirements against TNCs. The CPUC defined TNCs as an "organization, including, but not limited to, a corporation, limited liability company, partnership, sole proprietor, or any entity, operating in California that provides prearranged transportation services for compensation using an online-enabled application or platform to connect passengers with drivers using a personal vehicle."
The CPUC decision requires TNCs to obtain a permit from the CPUC, conduct criminal background checks of drivers, establish a driver training program, implement a zero-tolerance policy on drugs and alcohol, conduct vehicle inspections, and obtain authorization from airports before conducting any operations on or into airport property. Subsequently, the legislature passed AB 2293 (Bonilla) Chapter 389, Statutes of 2014, which codified the CPUC's definition of TNCs and imposed certain liability and other insurance coverage for TNCs and their participating drivers. The bill defines when personal and commercial auto insurance come into effect, and at what levels, when the driver logs onto the application until the driver accepts a ride request, and for when a ride request is accepted until the passenger exits the vehicle. The bill sought to make a clear distinction between when a vehicle is being used for TNC business activities and must require commercial insurance, and when a vehicle is not being used for TNC business activities at which time the driver's personal auto insurance is in effect.

6) Transportation Network Companies vs. Transportation Service Network Providers: Although TNCs do not neatly fall into the conventional definition of either taxis or limousines, the PUC does believe that TNCs are currently providing passengers' transportation for compensation, and reasonably concludes that TNCs are CPCs, therefore, falling under the PUC's existing jurisdiction over these services. This bill expands on the concept of TNCs to include TSNPs, which it defines as any corporation, a limited liability company, partnership, sole proprietor, or any other entity operating in California, including any entity that provides taxicab transportation services, that provides prearranged transportation service for compensation using an online-enabled application or platform to connect to passengers.
The bill seeks to encompass not just TNCs, but all future transportation services, including taxis, which may someday adopt online-enabled applications or platforms to connect passengers and collect customer personally identifiable data in the process.

7) "God-View:" In October 2014, news reports surfaced regarding a feature on Uber's platform known as "God View." According to reports, when enabled "God View" allows the user to see the location of all Uber drivers in a city, as well as pending passengers who were waiting for rides. In addition, "God View" allowed the user to track in real time the movements of Uber users. Subsequently, additional news reports have surfaced regarding other incidents in which Uber employees were tracking its users, which included journalists.

8) Enforcement: Current law directs the CPUC to issue permits or certificates to CPCs and TNCs, investigate complaints against carriers, and cancel, revoke, or suspend permits and certificates for specific violations. Although the CPUC requires TNCs to undergo certain training and safety requirements as a condition of being issued an operating permit, it does not regulate how TNCs collect, use, or maintain a consumer's personally identifiable data. Instead, this bill would allow any aggrieved person, the Attorney General, or a district or city attorney to bring a civil suit against a TSNP for any violation of the provisions set forth in the bill, not to exceed $250 for the first violation and $1,000 for each subsequent violation. The bill would also allow the prevailing party to recover full costs, including attorney's fees.

9) Data Use and Privacy: California's Constitution expressly guarantees a right of privacy against both private and public actors.
In 2010, the legislature passed SB 1476 (Padilla) Chapter 497, Statutes of 2010, which prohibits public and investor owned utilities from sharing a customer's electrical and gas consumption data received from advanced metering infrastructure devices with a third party. The purpose of the bill was to ensure that as new technology develops, added diligence is given to the protection of a customer's personally identifiable information, including electrical and gas consumption data. Subsequently, in 2013, the legislature passed AB 1274 (Bradford) Chapter 597, Statutes of 2013, which extended many of the same prohibitions that applied to gas and electrical utilities to other third party businesses, including, but not limited to, the customers' Internet service provider that handles a customer's usage data.

Furthermore, the CPUC's Privacy Rules are based on Fair Information Practice (FIP) Principles, which are a set of standards governing the collection and use of personal data adopted throughout the world. FIP Principles include: (1) transparency, (2) individual participation, (3) purpose specification, (4) data minimization, (5) use limitation, (6) data quality and integrity, (7) data security, (8) accountability and auditing. The goal of the CPUC privacy rules is to protect customer privacy, while also enabling customers to access their energy usage data and share that data with authorized third parties to promote future conservation and grid management activities. This bill seeks to protect TSNP customer data consistent with FIP principles by limiting its collection, use, and sharing to only purposes necessary to complete a transaction, investigate criminal activities, and maintain a user's account.

10) Arguments in Support: According to the Consumer Federation of California, the sponsor of the bill, "the taxi and passenger transportation industry have been revolutionized by the prevalence of smartphones and ride-hailing mobile applications. ...
The use of smartphones to request a ride, and their continued use in the course of travel has resulted in the collection of a significant amount of personal information and data on each user. This data details where consumers live and work, where they go and when, as well as how much the trip cost and how it was paid for. This detailed information provides new and intrusive opportunities for corporate surveillance and for unwelcome marketing purposes. Recent reports and a growing number of headlines have detailed the potential for misuse of this data. ... Privacy protections have not kept pace with the rapid rise of TNCs. Consumers should not have to abandon their right to privacy just to use a ride-hailing service. Californians who utilize these services should be assured that their personal information is not collected, stored or shared, except to the extent necessary to complete consumer-initiated transactions, or to prevent fraud or other crimes."

11) Arguments in Opposition: According to the opposition, "AB 886 states that this information can only be accessed if it is necessary to "complete the transaction" or for the "detection, investigation, or prevention of fraud," which will be narrowly interpreted to mean that only the information that is necessary to process the payment securely can be accessed by the app. Unfortunately, the end result is a measure that would make the basic functioning of ridesharing apps both a civil wrong and a crime in the State of California and unavailable to the scores of consumers that desire to use them. ... This regrettable posture against one of the State's premier and growing industries -- which has already delivered immense benefits to California in terms of transportation choice, safety, environmental protection, economic growth, and more -- is unjustified and also sends a concerning and inaccurate signal to the broader mobile app economy about California's stance towards technology and innovation.
Ultimately, consumers will be left frustrated with the degradation of their mobile app experience and California more generally will suffer when the companies that Californians love are spending less time innovating and more time defending themselves in court from unnecessary litigation."

12) Related Legislation:

AB 24 (Nazarian) 2015: This bill would require charter-party carriers and transportation network companies to participate in the Department of Motor Vehicles Employer Pull Notice System and submit all drivers to a Department of Justice criminal background check.

AB 828 (Low) 2015: This bill would exclude from the definition of "commercial vehicle," for purposes of the Vehicle Code, any motor vehicle operated in connection with a transportation network company.

AB 1360 (Ting) 2015: This bill would exempt a rideshare program operated by a transportation network company that arranges a ride among multiple passengers who share the ride in whole or in part from computing transportation charges based on a vehicle mileage or time of use, provided that the fare for each passenger is less than the fare that would be charged to a single passenger traveling alone.

AB 1422 (Cooper) 2015: This bill authorizes TNCs to participate in the Department of Motor Vehicle Employer Pull Notice System.

13) Prior Legislation:

AB 612 (Nazarian) 2014: Requires charter-party carriers to participate in the Department of Motor Vehicles Employer Pull Notice system and submit all drivers to a Department of Justice criminal background check. Held in the Assembly Committee on Transportation.

AB 2293 (Bonilla) 2014: Establishes guidelines for insurance coverage for TNCs to ensure personal and financial safety of consumers. Chaptered by the Secretary of State - Chapter 389, Statutes of 2014.

AB 1274 (Bradford) 2013: Prohibits a business, as defined, from sharing, disclosing, selling, or otherwise making a customer's electrical and gas consumption data accessible to a third party, except as specified. Chaptered by the Secretary of State - Chapter 597, Statutes of 2013.

SB 1476 (Padilla) 2010: Prohibits a publicly owned utility and investor owned utility from sharing with a third party a customer's electrical and gas consumption data received from an advanced metering infrastructure device with certain exceptions. This bill imposes certain provisions that a utility must comply with as it relates to the privacy of the customer's consumption data. Chaptered by the Secretary of State - Chapter 497, Statutes of 2010.

14) Double Referred: This bill is double referred to the Assembly Committee on Privacy and Consumer Protection.

REGISTERED SUPPORT / OPPOSITION:

Support

Consumer Federation of California (Sponsor)
American Civil Liberties Union of California (ACLU)
California Conference Board of the Amalgamated Transit Union
California Conference of Machinists
California National Organization for Women
California Teamsters Public Affairs Council
Consumer Action
Consumer Federation of America
Consumer Watchdog
Engineers & Scientists of California
International Longshore & Warehouse Union
Privacy Rights Clearinghouse
Professional & Technical Engineers
UNITE-HERE, AFL-CIO
The Utility Reform Network (TURN)
Utility Workers Union of America

Opposition

California Chamber of Commerce
Direct Marketing Association
The Internet Association
State Privacy and Security Coalition, Inc.
TechNet

Analysis Prepared by: Edmond Cheung / U. & C. / (916) 319-2083