BILL ANALYSIS

AB 886 Page 1

Date of Hearing: January 11, 2016

ASSEMBLY COMMITTEE ON UTILITIES AND COMMERCE
Mike Gatto, Chair

AB 886 (Chau) - As Amended January 4, 2016

SUBJECT: Transportation service network provider: passenger privacy

SUMMARY: This bill prohibits a transportation network company (TNC) from disclosing to a third party any personally identifiable information unless the passenger affirmatively consents through an opt-in selection, as specified. Specifically, this bill:

a) Prohibits a TNC from disclosing any personally identifiable information, as defined, to a third party unless the passenger affirmatively consents through an opt-in selection.

b) Specifies that consent shall be distinct from any transaction or service provided and be acquired in a format that is separate from the financial transaction for services.

c) Specifies that consent shall not be required by the TNC as a condition of accepting or processing a transaction, as a condition of creating a user account, if a user account is required by the TNC, or as a condition of downloading or installing a mobile application.

d) Defines "personally identifiable information," to include the following:
   1) Any information about an electronic communication or the use of an electronic communication service, including, but not limited to, the contents, sender, recipients, format, or location of the sender or recipients at any point during the communication, the time or date the communication was created, sent, or received, or any information pertaining to any individual or device participating in the communication, including, but not limited to, an IP address.
   2) Any information stored on or generated through the operation of an electronic device, including the current and prior locations of the device.
   3) The name, street address, telephone number, email address, or similar contact information provided by the subscriber to the provider to establish or maintain an account or communication channel, a subscriber or account number or identifier, the length of service, and the types of services used by a user of or subscriber to a service provider.
   4) The social security number, physical characteristics, or financial information of the passenger.

EXISTING LAW:

1) Declares that all people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy. (California Constitution, Article 1, Section 1)

2) Directs the California Public Utilities Commission (CPUC) to issue permits or certificates to charter party carriers (CPC), investigate complaints against carriers, and cancel, revoke, or suspend permits and certificates for specific violations. (Public Utilities Code Section 5387)

3) Defines "charter-party carrier of passengers" as every person engaged in the transportation of persons by motor vehicle for compensation, whether in common or contract carriage, over any public highway in the state. (Public Utilities Code Section 5360)

4) Defines a "passenger stage corporation" to include every corporation or person engaged as a common carrier, for compensation, in the ownership, control, operation, or management of any passenger stage, as specified. (Public Utilities Code Section 226)

5) Defines a "transportation network company" to mean an organization, including, but not limited to, a corporation, limited liability company, partnership, sole proprietor, or any entity operating in California that provides prearranged transportation services for compensation using an online-enabled application or platform to connect passengers with drivers using a personal vehicle.
(Public Utilities Code Section 5431)

6) Prohibits a TNC from disclosing to a third party any personally identifiable information of a TNC passenger unless one of the following applies:
   a. The customer knowingly consents,
   b. Pursuant to a legal obligation, and
   c. The disclosure is to the CPUC in order to investigate a complaint filed against a TNC or a participating driver, and the CPUC treats the information under confidentiality protections.
   (Public Utilities Code Section 5437)

7) Prohibits a business, as defined, from sharing, disclosing, or otherwise making accessible to any third party a customer's data without obtaining the express consent of the customer and conspicuously disclosing to whom the disclosure will be made and how the data will be used. (Civil Code Section 1798.98)

8) Prohibits an electrical corporation, gas corporation, or local publicly owned electric utility from sharing, disclosing, or otherwise making accessible to any third party a customer's electrical or gas consumption data. (Public Utilities Code Section 8380 and 8381)

9) Defines "electronic communication information" to mean any information about an electronic communication or the use of an electronic communication service, including, but not limited to, the contents, sender, recipients, format, or location of the sender or recipients at any point during the communication, the time or date the communication was created, sent, or received, or any information pertaining to any individual or device participating in the communication, including, but not limited to, an IP address. (Penal Code Section 1546)

10) Defines "electronic device information" to mean any information stored on or generated through the operation of an electronic device, including the current and prior locations of the device.
(Penal Code Section 1546)

11) Defines "subscriber information" to mean the name, street address, telephone number, email address, or similar contact information provided by the subscriber to the provider to establish or maintain an account or communication channel, a subscriber or account number or identifier, the length of service, and the types of services used by a user of or subscriber to a service provider. (Penal Code Section 1546)

FISCAL EFFECT: Unknown.

COMMENTS:

1) Author's Statement: "As smartphone hailing applications have grown in use, more personal information, including trip data, is being collected than ever before. This information can include personal profiles created by the passenger, credit card information used to complete a transaction, trip duration data and geo-tracking location data from a personal mobile device. This information is stored and can be used to create a detailed profile of each passenger without the passenger's knowledge or consent. Passenger trip data should only be gathered if it is strictly necessary for the operation of the transportation service being provided. Any other collection of data for passengers, especially those that use the service on a daily basis, can have serious ramifications on personal privacy."

2) Background: The CPUC is in charge of regulating passenger carriers such as Passenger Stage Corporations (PSC) and CPCs. PSCs are services that provide transportation to the general public on an individual fare basis, such as scheduled bus operators, which are buses that operate on a fixed route and scheduled services, or airport shuttles, which operate on an on-call door-to-door share the ride service. CPCs are services that charter a vehicle, on a prearranged basis, for the exclusive use of an individual or group. Charges are based on the mileage or time of use, or a combination of both. The CPUC does not regulate the level of charges for CPCs.
Types of CPCs include limousines, tour buses, sightseeing services, and charter and party buses. Taxis are excluded from the definition of CPCs and are regulated by cities or counties.

3) What are Transportation Network Companies? In September 2013, a CPUC decision placed TNCs under the purview of the CPUC, allowing it to exercise and enforce regulatory and safety requirements against TNCs. Although TNCs do not neatly fall into the conventional definition of either taxis or limousines, the CPUC does believe that TNCs are currently providing transportation for compensation and concludes that TNCs are CPCs, which fall under the CPUC's existing jurisdiction.

TNCs work by allowing passengers to prearrange transportation services through an online application on their smartphone or computer. The CPUC decision requires TNCs to obtain a permit from the CPUC, conduct criminal background checks of drivers, establish a driver training program, implement a zero-tolerance policy on drugs and alcohol, conduct vehicle inspections, and obtain authorization from airports before conducting any operations on or into airport property.

4) Data Use and Privacy: California's Constitution expressly guarantees a right of privacy against both private and public actors. In 2010, the Legislature passed SB 1476 (Padilla, Chapter 497, Statutes of 2010) which prohibits public and investor owned utilities from sharing a customer's electrical and gas consumption data received from advanced metering infrastructure devices with a third party. The purpose of the bill was to ensure that as new technologies develop, added diligence is given to the protection of a customer's personally identifiable information, including electrical and gas consumption data. Subsequently, the Legislature passed AB 1274 (Bradford, Chapter 597, Statutes of 2013) which extended many of the same prohibitions that applied to gas and electrical utilities to other third party businesses.
Furthermore, the CPUC's Privacy Rules are based on Fair Information Practice (FIP) Principles, which are a set of standards governing the collection and use of personal data adopted throughout the world. FIP Principles include: (1) transparency, (2) individual participation, (3) purpose specification, (4) data minimization, (5) use limitation, (6) data quality and integrity, (7) data security, and (8) accountability and auditing.

1) Knowing Consent vs. Affirmative Consent: In 2014, the Legislature passed AB 2293 (Bonilla, Chapter 389, Statutes of 2014) which, among other things, prohibited a TNC from disclosing any personally identifiable information of a TNC passenger to a third party unless the customer knowingly consents. The topic of what is considered "knowing consent" is up for debate. Arguably, in situations surrounding the use of online services, including TNCs, consent is given by a customer as a condition of using the service or application. In most cases, passengers are asked to agree to a privacy policy or terms of service before they are able to download or use an application. However, whether or not consumers are actually aware of what they are agreeing to or if they actually read the privacy policies or terms of service before they agree is questionable.

This bill seeks to establish what is considered consent by prohibiting a TNC from disclosing any personally identifiable information to a third party unless the passenger affirmatively consents through an opt-in selection. This bill does not prevent TNCs from collecting personally identifiable information, nor does it prevent TNCs from sharing the information to prevent criminal activities, but it does prevent it from sharing the information with third parties for any other purpose without the customer opting in.
This minimizes the amount of personal consumer data that is shared with third parties for consumers who may choose not to have their personally identifiable information shared or used outside its intended purpose of establishing, maintaining, and updating their accounts with a TNC.

This bill requires that consent be distinct from any transaction or service provided and be in a format that is separate from the financial transaction for services. The bill prohibits TNCs from requiring consent as a condition of accepting or processing a transaction, as a condition of creating a user account if a user account is required, or as a condition of downloading or installing a mobile application. Again, it is unclear whether or not prescribing an additional separate disclosure agreement will achieve the desired effect of creating a more educated consumer or simply create one additional step that consumers agree to automatically. It is also unclear whether the request will be made only once or each time a consumer uses the mobile application.

2) Personally Identifiable Information: This bill defines "personally identifiable information (PII)" to include the definitions of electronic communication information, electronic device information, and subscriber information, as well as the social security number, physical characteristics, or financial information of the passenger. The bill's definition captures information that may also be collected from a consumer's electronic device, including location information, internet protocol addresses, account numbers, etc.

3) Arguments in Support: According to the Consumer Federation of California, the sponsor of the bill, "while consumers have become comfortable with the use of smartphones to request a ride, there is a growing discomfort with the collection of sensitive information they are unknowingly releasing each time they use the application.
These applications have been discovered to collect detailed data on where consumers live and work, where they travel to and when, how much they spend on the requested trip and how it was paid for. This detailed information provides new and intrusive opportunities for corporate surveillance and unwelcome marketing ... The need for AB 886 is clear. Privacy protections have not kept pace with the rapid rise of technology, specifically TNCs. While the California Public Utilities Commission has adopted some modest regulations for TNCs, those regulations do not address privacy concerns. Consumers should not have to abandon their right to privacy as a condition of using a ride-hailing service. Californians who utilize these services should be assured that their personal information will not be shared, except with their consent."

4) Arguments in Opposition: According to Uber Technologies, Inc., "California already has some of the strongest privacy and consumer protection laws in the United States that regulate the collection and use of true PII without unnecessarily stifling innovation. The legislation's burdensome opt-in consent requirements would reduce, and even prohibit, the basic functionality of TNC apps and the service consumers rely on, without providing any additional meaningful protection of true PII ... This new "optional opt-in requirement" for disclosure of PII, regardless of whether it is information required to complete the transaction, would render a TNC service unworkable. A TNC would simultaneously be required to offer the service to those passengers who don't consent, but be prohibited from sharing the information needed to provide the service."

5) Related Legislation:
AB 24 (Nazarian) 2015: This bill would require CPCs and TNCs to participate in the Department of Motor Vehicles Employer Pull Notice System and submit all drivers to a Department of Justice criminal background check. Currently pending in the Assembly Committee on Appropriations.
AB 828 (Low) 2015: This bill would exclude from the definition of "commercial vehicle," for purposes of the California Vehicle Code, any motor vehicle operated in connection with a transportation network company. Currently pending in the Senate Committee on Energy, Utilities, and Communications.
AB 1360 (Ting) 2015: This bill would exempt a rideshare program operated by a TNC that arranges a ride among multiple passengers who share the ride in whole or in part from computing transportation charges based on a vehicle mileage or time of use, provided that the fare for each passenger is less than the fare that would be charged to a single passenger traveling alone. Currently pending in the Senate Committee on Energy, Utilities, and Communications.

6) Prior Legislation:
AB 1422 (Cooper) 2015: Required TNCs to participate in the Department of Motor Vehicles Employer Pull Notice System. Chapter 791, Statutes of 2015.
AB 2293 (Bonilla) 2014: Established guidelines for insurance coverage for TNCs to ensure personal and financial safety of consumers. Chapter 389, Statutes of 2014.
AB 1274 (Bradford) 2013: Prohibited a business, as defined, from sharing, disclosing, selling, or otherwise making a customer's electrical and gas consumption data accessible to a third party, except as specified. Chapter 597, Statutes of 2013.
SB 1476 (Padilla) 2010: Prohibited a publicly owned utility and investor owned utility from sharing with a third party a customer's electrical and gas consumption data received from an advanced metering infrastructure device with certain exceptions. This bill imposed certain provisions that a utility must comply with as it relates to the privacy of the customer's consumption data. Chapter 497, Statutes of 2010.

7) Double Referred: This bill is double referred to the Assembly Committee on Privacy and Consumer Protection.

REGISTERED SUPPORT / OPPOSITION:

Support

Consumer Federation of California (Sponsor)
CALPIRG
Privacy Rights Clearinghouse
The Utility Reform Network

Opposition

CalChamber
The Internet Association
Uber Technologies, Inc.

Analysis Prepared by: Edmond Cheung / U. & C. / (916) 319-2083