As cities regulate and license new mobility services, access to anonymized data is an essential tool to manage public space, create a safe and equitable transportation system, and to ensure accountability for private companies operating on public streets.
The Civic Analytics Network, a group of Chief Data Officers from 14 cities across the US, recently wrote about the importance of “using data to understand when and where these [micromobility] devices are being used — and if they are benefiting residents and visitors from all walks of life.” The National Organization of City Transportation Officials says, “data created on city streets must be available to cities in an accessible format in order to support sustainable, accessible, and affordable transportation.”
But data licensing is complex, and there are important issues related to security, privacy, and disclosure that should be considered. We offer this guide to aid cities as they craft their data sharing rules and negotiate with mobility providers. We welcome feedback and suggestions.
Part 1. Asking for the data
Below are six key areas to focus on when creating program rules and data licenses:
1. Type of data license
Mobility providers may ask cities to negotiate and sign separate data licenses, in addition to whatever data sharing requirements are present in the providers’ permits. As managers of the public right of way, cities are entitled to data they need to do their job. Data licenses must preserve this right and make data sharing a fundamental condition of operation.
- Recommendation: Embed data license terms in the permit issued to providers. Alternatively, use the permit to reference a separate, city-developed license agreement that must be entered into as a condition of operation.
- Avoid: Entering into license agreements that vary from one provider to the next, or negotiating separate license agreements that may undermine city’s data rights in the provider’s permit.
2. Rights of use
From planning to permit enforcement to public engagement, mobility data has many potential uses. Cities should insist on broad use rights for any data received from mobility providers. Because uses for mobility data are still emerging, maximizing data rights upfront allows for future flexibility and reduces the risk of needing to renegotiate a license agreement.
- Recommendation: Seek language that allows cities to use data “for planning, program management, public engagement, and any other municipal purpose” or a similarly broad grant of rights. While cities should reserve broad data use rights in agreements with providers, they may want to restrict themselves to more narrowly defined uses when creating internal policies and publishing public transparency and privacy policies.
- Avoid: Overly restrictive or specific lists of allowed uses or prohibitions on uses that might interfere with the city’s ability to use data to fulfill its public obligations (such as restrictions on “reverse engineering” of provider business practices or use of data in ways that may be harmful to the provider’s business).
3. Raw/precise data
Mobility providers are sometimes reluctant to share data about trips that contains precise GPS locations, frequently citing privacy concerns. Some cities have been pressured to accept lower precision data or data that has been pre-aggregated by the provider. While low-precision data may be useful for high level reporting and analysis, it may not give sufficient detail for enforcing permit rules, for example no parking zones or vehicle caps.
- Recommendation: Ensure that the city has the right to raw/precise data as part of its license to data. The city may chose to store data in a less precise format to avoid privacy concerns, but should have the option of accessing raw data without renegotiating its data license.
- Avoid: Allowing providers to deliver pre-aggregated data, which may severely limit the city’s ability to ensure data quality or to use data to enforce rules against providers.
4. Sharing with other agencies
Urban transportation planning and management frequently involves many stakeholders. City DOTs often engage and share data with transit agencies, state DOTs, MPOs, and other governmental or quasi-governmental organizations. Data licenses which prohibit such sharing will make it difficult to get full public value from mobility data.
- Recommendation: Seek the explicit right to share data with other governmental entities with which the city engages in planning, right-of-way management, and service coordination. Cities may need to list specific agencies and/or agree to require them to abide by any restrictions to which the city is held under its data license. Many cities may want to exclude sharing with law enforcement agencies (absent a court order) to avoid civil liberties concerns.
- Avoid: Provisions which require prior approval from providers before data can be shared or requirements that other agencies seek their own licenses directly with providers.
5. Third-party management software
While some cities may analyze raw mobility data themselves, many will want to employ third-party software and services (such as Remix) to help them get value from data and ensure provider compliance. The city should not need special permission to use a third-party service, nor should they be forced to chose from a list of tools deemed acceptable by the provider.
- Recommendation: Seek the right to use any third-party software or service for mobility management, provided that the city ensures that the third-party abides by any restrictions or limitations to which the city has agreed. Ensure that any API access or data feeds may be accessed directly by the third-party operating on behalf of the city.
- Avoid: Requirement for pre-approval for use of third-party management software, need for the third-party to sign their own license agreement directly with providers, or limitations on access to data feeds and APIs by authorized third-parties.
6. Combining data sources
Cities may want to look at data from individual providers or at data from across all providers in a city. Combined views of data will be especially valuable for planning and public communication purposes. Cities may also want to bring other related datasets into their analyses (census, public transit, demand modeling, etc.).
- Recommendation: Seek the right to combine and analyze provider data alone or in conjunction with data from other providers or sources.
- Avoid: Rules which overly restrict the ways multisource reports or analysis may be used. For example, a city should not be barred for sharing data about mobility services as part of a larger transportation equity analysis or planning exercise.
7. Duration of data access
While cities may or may not want to retain mobility data indefinitely, they should make sure that their licenses allow them access to these data for as long as they might reasonably need data to perform their public responsibilities. Local rules for records retention may dictate a minimum period for which data must be retained.
- Recommendation: All data use rights are maintained for at least three years after the date when a provider ceases operation in a city. The provider agrees to maintain feeds and API access for historical data for at least one year, even after the provider ceases operations or is no longer permitted to operate.
- Avoid: Rights to data which terminate when a provider ceases operation or when the provider’s license is expired or revoked. In an adversarial situation with a noncompliant provider, it will be especially important for cities to maintain access to data which may be critical to demonstrating noncompliance.
Part 2. Limitations on cities
Mobility providers may attempt to place additional limitations, requirements, or restrictions on cities. Below are four key areas to consider:
1. Protection of data
Cities may reasonably be required to protect data from loss, theft, or disclosure as part of a data license, and to assume liability for certain types of data loss. Each city will need to consider these requirements relative to its intended use cases, IT security rules, and risk tolerance.
- Recommendation: Consult with city IT personnel early to develop a data protection strategy that aligns with the requirements of the data license. Make sure restrictions that limit access to data to specific city personnel are aligned with the city’s real-world business processes. Using third-party management software like Remix can reduce IT security complexity considerably.
- Avoid: Liability for data disclosure which results from non-negligent actions or which is necessary in order to comply with legal processes such as court orders or FOIA requests. Restrictions on disclosure that would limit the city’s ability to enforce permit rules or communicate to the public about an enforcement action (for example: releasing data that showed a provider violated an equity provision in their permit).
2. Reidentification of users
Although most mobility data is anonymous, it is sometimes possible to reidentify individual people in large datasets by combining anonymized mobility data with other information sources (such as a records of home and work addresses). Data licenses may forbid cities from attempting to reidentify individual users within the data set.
- Recommendation: Restrictions on reidentification are not unreasonable and may provide useful reassurance to the public about the city’s use of data.
- Avoid: Requiring providers to share personally identifiable information to cities without a court order. Such rules are likely to trigger concerns about civil liberties and individual privacy, and may force providers to violate their end user agreements to comply with data requests. Also, avoid requesting unique, anonymous user identifiers as this greatly decreases the difficulty of reidentification.
3. Open data/public sharing
Some cities may wish to publish mobility data on an open data website. Because it may be possible to reidentify users in an anonymous data set, cities should carefully weigh the risk and benefit of publishing records about individual trips. Aggregated data that does not show individual trips usually has a very low risk of reidentification.
- Recommendation: If cities choose to retain the right to release individual trip records, they should work with data experts to minimize the risk of reidentification using techniques such as the reduction precision in location and time, and the removal of unique vehicle IDs. Cities should always retain the right to release reports, maps, and data created by aggregating records from multiple trips together.
- Avoid: Broad restrictions on sharing data with the public or blanket declarations of confidentiality on mobility data and derivative reports or analysis.
4. Competitive disclosure
Because of the intensely competitive nature of the mobility market, providers are concerned that detailed data about their services might fall into the hands of competitors.
- Recommendation: It is OK to agree to restrictions on data use and disclosure that protect competitively sensitive information, provided they do not interfere with the city’s legitimate uses of data.
- Avoid: Language that may be incompatible with public records laws or which gives providers power to veto data uses with which they disagree.
Part 3. Other considerations
Below are five other key areas to consider:
1. Data formats
Data licenses should specify how data is to be shared with cities. Using standardized, open formats that provide detailed trip and vehicle information gives cities maximum flexibility in how they use data. It also makes it easy to use third-party management software and open source tools for analysis and reporting.
- Recommendation: Require that providers give data using two open source data standards: MDS Provider and GBFS (see our blog post explaining these formats). These formats are rapidly becoming industry standards. Because the formats are evolving, cities should require that providers stay up-to-date with new versions of MDS Provider and GBFS as they are released. Cities may also want to require providers to give additional usage information, including safety issues, customer surveys, or aggregated summaries.
- Avoid: Custom data formats or non-standard APIs that will require cities to develop bespoke tools for data analysis or require providers to create custom data reporting.
2. Public transparency
While mobility data is important to the management of the public right of way, it is also potentially sensitive from a privacy perspective. Cities should develop clear internal policies and a thoughtful public transparency strategy.
- Recommendation: Write internal rules for mobility data and publish a plain language public statement about mobility data that addresses:
- what data is collected
- for what purposes data will be used (and not used, ex: enforcement actions against individuals)
- with whom it may be shared (including with third-party management software vendors, other agencies, and/or law enforcement)
- how long it will be retained
- the ways in which it will be stored and handled to reduce any privacy risk
In the absence of a clear statement of intent and a demonstration of a serious approach to privacy, it is easy for constituents to become concerned about a city’s use of mobility data. This potential concern also opens the door for providers to resist sharing in the first place.
- Avoid: Relying solely on IT security policies or general statements about privacy when communicating with the public.
Each state has its own “freedom of information” laws and requirements (commonly known as sunshine, public records, FOIA, or FOIL). Providers will typically seek to exempt data they give to cities from disclosure under FOIA, citing competitive or privacy concerns. They may also seek to compel cities to participate in the defense of a refusal to release data under FOIA.
- Recommendation: Work with your legal team to determine what, if any, legal exemptions may exist that would allow the city to refuse a FOIA request for data. If possible, state those exemptions clearly in the data license and define the city’s posture in the event a court or other legal authority deems those exemptions inapplicable. It is reasonable for cities to agree to notify the provider in the event they receive a FOIA request for their data, provided the city has an appropriate business process to make such a notification.
- Avoid: Open-ended agreements to defend against FOIA requests, especially those which may result in significant legal costs or liability for the city.
Law around liability for data disclosure is complex and may vary from state to state based on local privacy laws. Rules such as the California Consumer Privacy Act may impact how a city handles data and the requirements they should impose on any third-party with which they contract to work with data on the city’s behalf. Cities should work with legal counsel to understand how to best address these issues in data licenses and vendor contracts.
5. Ownership versus license
Given that cities receive a sufficiently broad license, it is not strictly necessary for cities to “own” the data being shared by providers. However, careful review of license terms is necessary to ensure city rights are protected, especially in a scenario where the relationship with the provider becomes contentious.
Legal counsel note: This document is intended to aid cities in their consideration of the issues surrounding data licensing. It does not constitute legal advice nor does it address a number of topics that will be important in any licensing agreement. Cities should work with their in-house legal team and, where necessary, seek specialized legal support for the more complex aspects of data licensing.
Drafted for Remix — updated as of 2019–03–28
Do you have comments that you would like to share with Remix? Please send your comments to firstname.lastname@example.org