Cities must be explicit about their intended use related to planning, analysis, oversight, and enforcement when requiring data from private mobility companies.

NACTO guidance emphasizes how good data management practice begins with being clear about what questions are being asked and what information is necessary to answer those questions.

Date Posted

NACTO Policy 2019: Managing Mobility Data

Summary Information

As the volume of data created on the public right-of-way and exchanged between parties grows, cities and private transportation providers need a common framework for sharing, protecting, and managing data. The National Association of City Transportation Officials (NACTO) and the International Municipal Lawyers Association have set out principles and best practices for city agencies and private sector partners to share, protect, and manage data to meet transportation planning and regulatory goals in a secure and appropriate manner. While this document focuses mainly on the data generated by ride-hail and shared micromobility services, the data management principles can apply more broadly.

While being mindful about the purpose of their data requests, cities have legitimate concerns about the accuracy of data provided by mobility companies. To address this uncertainty, many cities have requested a broad range of data because companies have been unwilling to provide additional data as new relevant queries occur.

Mobility companies and third-party data companies also have the responsibility to be purposeful with the data they collect. In granting permits, contracts, or other regulatory agreements that allow operations in the public right-of-way, cities can ensure that mobility companies have user agreements or privacy policies that are explicit with customers about what data they will collect and how they will use it.

Cities should follow the following best practices to get the right data and to avoid capturing unnecessary data.

  • Be clear about what questions they are trying to answer and use those questions as a basis for data requests. Cities can reduce the likelihood of obtaining sensitive information by limiting what they collect to data that has a defined purpose. This, in turn, may limit liability for the protection, storage, and security of that data and reduce data management burdens.
  • Develop internal capacity to audit the data. Trained staff, capacity for spot checks, and data audit tools, such as verifiable data logs, can help cities ensure that the data they get is accurate and unedited without requesting excess information to verify it. Cities should preserve the right to commission third-party audits if they suspect dishonest or falsified data. When using third-party developed tools, cities should make sure they know their vendor and what their privacy policies are.
  • Ensure that their regulatory scheme and analysis tools allow them to retroactively request data should a new query or purpose develop.
  • Encourage and negotiate with mobility companies to update user agreements and request and receive consent for collecting and using personal information from their customers. For example, the EU's General Data Protection Regulation identifies what genuine consent could look like, including: consent should be opt-in, not default; users should be allowed to accept or reject terms individually; consent agreements should identify third parties who might have access to the data; and companies should not require consent as a precondition for service. Because United States and state law does not have such provisions, it may be beneficial to negotiate with mobility companies to achieve at least some of these goals.