From ride-hailing platforms like Lyft and Uber, to sites like Airbnb, FlipKey, or VRBO that enable occupants to rent properties, the so-called sharing or gig economy is expanding and disrupting industries from hotels to taxis. Cities across the U.S.—and the rest of the world—are facing a daunting array of regulatory challenges in responding to their growth.
Earlier this year, a new class of companies prompted controversies by flooding several cities with personal scooters available on a short-term rental basis. Advances in battery technology recently made the business model of companies like Bird and Lime profitable. In the absence of regulation, the companies deployed thousands of scooters to selected cities across the world. A resulting backlash included municipal regulation, a recent class action lawsuit, and even acts of vandalism ranging from burying scooters at sea to lighting them on fire.
The ongoing saga of scooter-sharing services suggests a foreseeable pattern: future advances in various technologies will generate opportunities for innovation. Users will clamor for services that platforms will rush to offer, often without a recognition of the legal or economic externalities seemingly exogenous to their business model. Recognizing how this pattern is poised to recur across contexts, we’re publishing a few suggested guidelines for companies creating the gig economy and the cities increasingly facing pressure to regulate their activities.
Location privacy and user security
Many platforms that enable users to share vehicles, from cars to scooters, collect precise location data when the vehicles are picked up and dropped off, and also continuously during their operation. This data collection carries a series of risks.
The most obvious among them is a threat to user privacy. If a user of a scooter service rides one to a mental health provider, or a reproductive services clinic, collecting their trip data and linking it to their other trip history or even an “anonymous” unique identifier could be personally invasive.
Beyond privacy, overbroad (or overly specific) data collection can also compromise user security, especially to the extent rider trip location data is either disclosed by a company or stolen by malicious actors online. For instance, disclosure of the locations at which a ride-hailing service user is most frequently picked up could conceivably place their life in danger, if they had been the target of domestic violence or private harassment.
Protective policies available to platforms
We recommend that platforms minimize the scope of their data collection, and also seek opportunities to transform data sets from individual data points into aggregate statistics whenever possible.
Limiting the specificity of data that is collected presents a further opportunity. For instance, a ride-hailing company might store only the zip code of the pick-up and destination of a ride once the ride is complete, rather than the precise pick-up address or destination. On the other hand, a data set may be re-identifiable despite attempts at obfuscation, so this is not an effective strategy standing alone.
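The sketch below is an added example, not code from the original article or from any platform it names. It coarsens completed trips to zip-code pairs, releases only aggregate route counts above a threshold, and lists the coarsened records that remain unique and therefore re-identifiable. The field names, the sample trips, and the threshold `k` are assumptions made for illustration.

```python
from collections import Counter


def _trip(rider, pickup_zip, dropoff_zip):
    # Constructed sample record; the coordinates stand in for the precise
    # location fields a platform holds while a ride is in progress.
    return {"rider": rider, "pickup": (37.78, -122.42), "dropoff": (37.76, -122.41),
            "pickup_zip": pickup_zip, "dropoff_zip": dropoff_zip}


# Constructed sample data: three riders share one route, two share another,
# and one rider takes a route nobody else takes.
TRIPS = [
    _trip("r1", "94102", "94110"), _trip("r2", "94102", "94110"),
    _trip("r3", "94102", "94110"), _trip("r4", "94103", "94110"),
    _trip("r5", "94103", "94110"), _trip("r6", "94107", "94158"),
]


def coarsen(trip):
    """Record kept once the ride is complete: zip codes only,
    with the rider identifier and precise coordinates dropped."""
    return (trip["pickup_zip"], trip["dropoff_zip"])


def aggregate(trips, k):
    """Turn individual data points into per-route counts and suppress
    any route with fewer than k trips (k is an assumed policy threshold).
    Returns (released_counts, number_of_suppressed_routes)."""
    counts = Counter(coarsen(t) for t in trips)
    released = {route: n for route, n in counts.items() if n >= k}
    return released, len(counts) - len(released)


def singletons(trips):
    """Coarsened records that occur exactly once. Anyone who knows one
    such trip took place can tie the stored record back to one rider,
    which is why coarsening is not sufficient standing alone."""
    counts = Counter(coarsen(t) for t in trips)
    return sorted(route for route, n in counts.items() if n == 1)


if __name__ == "__main__":
    released, suppressed = aggregate(TRIPS, k=3)
    print("released route counts:", released)
    print("routes suppressed:", suppressed)
    print("still-unique coarsened records:", singletons(TRIPS))
```
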
Beyond limiting what data platforms collect, companies should also work to prevent disclosure, in two predictable dimensions. First, when receiving government requests for information, platforms should protect the rights of their users by insisting upon valid, narrow legal process with an opportunity for judicial review, and by providing notice of disclosure to the subject user whenever possible.
Second, whatever data platforms do collect might be attractive to malicious actors such as hackers, organized crime, and even foreign state intelligence agencies. Accordingly, platforms should also anticipate attacks and potential data breaches by taking affirmative steps to guard their systems against malicious attacks that could place sensitive and revealing user data at risk.
Opportunities for Cities
Some cities, like Los Angeles, are creating proactive regulatory structures to govern the activities of gig economy platforms in their areas, and some companies are emerging to serve their needs in managing data from multiple platforms. Just like private platforms that collect or retain user data, municipal regulators should consult cybersecurity experts to ensure that their systems do not become honey pots that attract malicious actors and eventual data breaches.
Other dimensions along which platforms can protect privacy—or along which cities can insist upon it—include setting time limits beyond which they will not retain user data and specifying parameters governing the purposes for which any particular data may be used. For instance, a ride-hailing company could seek to maximize its revenue by disclosing users’ locations to third-party advertisers for the purposes of serving them advertisements relevant to their precise location at any given moment, or instead decide to use location data only for the purposes of determining which driver may be closest at the time a ride is requested.
Fast and Loose or Slow and Steady?
The history of the Internet is rife with examples of innovations that create opportunities that, in turn, displace established industries. On the one hand, we enthusiastically encourage innovation and eagerly welcome new tools that can empower users. They reflect how code can effectively create law and policy, even absent a government action.
On the other hand, governments—including local and municipal governments—are within their rights to ensure that companies respect the rights of others, including non-users who might share infrastructure with users of gig economy platforms. Where opportunities for technology meet burdens imposed by regulation, we encourage platforms to comply with those regulations and seek their adjustment through formal democratic channels, rather than exploiting their ability to move faster than regulators can respond and risk alienating regulators, policymakers, and residents.
Sometimes those channels can present opportunities for platform users to be engaged as participants in a regulatory process. In San Francisco, Airbnb mobilized hundreds of its user-hosts in 2015 and 2016 to oppose a proposed local regulation that would have capped short-term rentals at 60 days per year. While the controversial measure was ultimately defeated, the resulting policy framework was at least the subject of deliberation and public debate—unlike the effectively lawless regime that prompted New York City to recently regulate Uber & Lyft with caps on the number of riders, as well as new disclosure requirements.
These struggles are bound to proliferate going forward, as more and more cities address more and more externalities created by more and more platforms bringing services to market. By keeping principles like user privacy, user security, and regulatory compliance in mind, companies can ensure that their future innovations generate more opportunity, and less controversy.