Marcel Porras
Chief Sustainability Officer
Los Angeles Department of Transportation
100 S. Main Street, Los Angeles, CA 90012
October 28, 2019
Dear Mr. Porras,
We received your October 25th letter, notifying us of alleged non-compliance with the Los Angeles
Department of Transportation (LADOT) Dockless On-Demand Personal Mobility One-Year Permit
Program, and that LADOT is mandating that we come into compliance on these outstanding matters or
you will suspend our permit to operate in Los Angeles. We urge LADOT to continue to work towards, and
not away from, solutions that both further next generation transportation solutions for the public and
ground themselves firmly in privacy best practice. We believe that best in class data aggregation methods
could deliver LADOT near-real time data - while protecting the identity of Los Angeles residents and our
riders.
As the Dockless On-Demand Personal Mobility One-Year Permit Program has repeatedly been framed by
LADOT as a pilot program, JUMP has consistently shared feedback with LADOT regarding how the
program can better protect the data privacy and security of our riders, while supporting LADOT’s desire to
receive data to manage and enforce dockless mobility operators. For example:
1. LADOT still asserts that geolocation trip data is not personally identifiable: ​According to
LADOT’s current website, “​MDS does not collect personally identifiable data.”1 This is directly
counter to best practice. According to NACTO, “[E]nsuring that geospatial trip data is treated as
personally identifiable information (PII) is an essential part of best practice data management.”2
This data is also defined as personally identifiable in California law in the California Consumer
Privacy Act (CCPA). JUMP repeatedly met with LADOT to ask that you follow global best practice
by identifying and handling this data as personal information. [exhibit ​A​]
2. LADOT did not initially have any rules limiting the sharing of this data: ​When the pilot was
launched, LADOT had not placed any limitations on sharing this data with other city agencies
(including law enforcement), and had not considered how this data set could be accessed in full
via public records requests, etc. After a series of exchanges with JUMP [exhibit ​A​], and in
response to growing concerns from leading privacy experts, LADOT adjusted its policy to place
minimal limitations on how this data can be shared.
3. LADOT did not have public privacy protocols in place before collecting sensitive trip data:
LADOT required the sharing of raw, real-time on-trip data ​before​ developing or publishing privacy
principles about how this data would be used, shared, and stored. It was only after JUMP and
privacy groups expressed concerns about this volume of data transfer in the absence of any
oversight or accountability when LADOT chose to draft and publish public privacy principles.3 And
while we support LA’s drafting and releasing these principles for public comment, they do little to

1

Source: ​https://ladot.io/faq/​ ​“How is LADOT protecting citizen data and citizen privacy?”
Source: ​https://nacto.org/wp-content/uploads/2019/09/NACTO_Shared_Micromobility_Guidelines_Web.pdf
3
​Source​: ​https://cdt.org/insight/comments-to-ladot-on-privacy-security-concerns-for-data-sharing-for-dockless-mobility/
2

 actually protect privacy or educate the public about what data LADOT is collecting and how it
plans to secure the data from breach or misuse. [exhibit ​B​ + ​C​] See pg. 3 for more detail below.
4. LADOT did not take the necessary steps to put guardrails on how the city and its
private-sector contractors use this data beyond policy justifications​: ​LADOT has
repeatedly required all dockless mobility operators to provide access to this raw geolocation data
to venture-backed companies that have expressed intent to monetize this data for additional
commercial purposes. One example of this was LADOT’s permit requirement that operators
provide a token to Remix, despite the fact that Remix was not bound by a contract with LADOT
that placed limitations on how they could use, copy, sell, or monetize personal location data either
in or outside of their work for LADOT. Once JUMP and other operators protested, this
requirement was removed from the permit requirements. [See exhibit ​D​]
These are four examples of the ways we have directly engaged with LADOT to establish basic privacy
and security protections for the responsible use and collection of this data. We are willing to continue
working with LADOT to identify and develop solutions to enable responsible data sharing; as such, we
want to take this moment to address the questions outlined in your Friday letter.
“​In-Trip Telemetry​”
On our October 23rd call, it was clear that LADOT and JUMP disagreed about the definition of telemetry
data. In March 2019, LADOT and JUMP leadership agreed that “in-trip telemetry” data could be provided
at 24-hr latency for the term of the permit. “In-trip telemetry” data was not defined by either JUMP or
LADOT in this meeting. It is also not defined anywhere in the MDS specification or in the LADOT
compliance guidelines.
For LADOT, “in-trip telemetry” is route data only, and does not include trip start or trip stop. As such,
LADOT now says we are out of compliance because we are not providing the trip start and trip stop data
in real-time. For JUMP, “in-trip telemetry” applies to all sensor data collected from a bike or scooter that is
associated with a user’s trip, including the precise geolocation data from the trip start, trip stop, and the
entire route; as such we understood this could all could be provided with latency for the express purpose
of protecting privacy. For LADOT to exclude the start and stop points corresponding to one’s origin and
destination—both of which can be easily reversed to reveal one’s home or work address—not only
conflicts with a standard definition of trip information, but also stands in stark opposition to their original
promise to protect privacy with this revised requirement
On the call, we offered to engage privacy groups and industry experts to sit town with all of us to more
clearly define in-trip telemetry, and provide a neutral ground to hopefully reach consensus, but LADOT
was unwilling to do so. As you are aware, the MDS specification itself currently lacks a “data dictionary”,
which is leading to inconsistencies across cities, operators and aggregators, etc. JUMP has been working
closely with the Society of Automotive Engineers (SAE), who is leading the development of performance
metrics for micromobility, to bring increased definitional clarity to the industry.
LADOT’s Privacy Principles
As noted briefly above, while we were pleased to see LADOT eventually take public and transparent
steps to produce and release privacy principles, we do not see that LADOT ​meaningfully​ incorporated
feedback from privacy experts on how to take these principles beyond aspirational statements.There
remain a number of outstanding concerns, including:

 ●

●

●

●

●

Only two changes were made to the Privacy Principles based on all public comments from
industry ​and ​independent privacy experts. LADOT did not share who reviewed and decided which
changes were incorporated and why.
LADOT has yet to share a timeline for when these Privacy Principles will be fully implemented
(published March 22, 2019). Right now they are a statement of intent, and have not been codified
in any way. In the meantime, LADOT continues to collect this sensitive consumer location data.
The privacy principles do not state that LADOT will not monetize this data. There is also nothing
that prevents either LADOT or third parties from monetizing outputs of the raw data -- so even if
direct access to the data is not granted, these principles do not prevent third parties from selling
products produced from this data. This is not only inconsistent with the expectations of our
customers, but it is also the kind of practice that the global community has shed light on as an
invasion of consumer trust.
LADOT did not make any changes to the MDS specification that accounted for or reflected the
Data Protection Principles they published. For example: data minimization, retention, or
aggregation processes or SLAs were not added to the Github.
LADOT did not share their methodology for how these commitments would be carried out, and
there are not clear enforcement mechanisms or repercussions for failing to do so in the current
version of the Privacy Principles. For example, as it relates to data minimization:
“​Data minimization​: LADOT will mandate data sets solely to meet the specific operational and
safety needs of LADOT objectives in furtherance of its responsibilities and protection of the public
right of way. a. Aggregation, obfuscation, de-identification, and destruction: Where possible,
LADOT will aggregate, de-identify, obfuscate, or destroy raw data where we do not need single
vehicle data or where we no longer need it for the management of the public right-of-way. b.
Methodologies for aggregation, de-identification, and obfuscation of trip data will rely on industry
best practices and will evolve over time as new methodologies emerge.”
This section does not clearly address:
1. What LADOT’s “specific operational and safety needs of LADOT objectives” are; it is
impossible to evaluate if they are minimizing data without clear use cases;
2. The use of “where possible” should be more clearly defined so that it is not utilized as a
‘catch-all’;
3. Methodologies that will be used.

To our knowledge, LADOT has taken no actions to aggregate, destroy, or otherwise protect sensitive raw
data as recommended in their Principles document.
--JUMP is committed to providing transformative micromobility options to our customers and city partners.
But doing so at the expense of consumer privacy should not be a pilot program permit demand. JUMP
has shared robust and comprehensive data sets with LADOT as our regulator. We would continue to do
so if this can be done in a way that ​also​ protects consumer privacy and data security. Our concerns were
further validated by the California’s Legislative Counsel Bureau’s August 1st opinion that LADOT cannot
require real-time location data as a condition of our permit and doing so violates California Electronic
Communications Privacy Act (CalECPA).

 Given that we seem to have exhausted all other avenues to find a compromise solution, tomorrow we will
file a lawsuit and seek a temporary restraining order in the Los Angeles Superior Court, so that a judge
will hear these concerns and prevent the Los Angeles Department of Transportation from suspending our
permit to operate.
We sincerely hope to arrive at a compromise solution that allows us to work constructively with the City of
Los Angeles while protecting the data privacy and security of our riders.
Colin Tooze

CC:
Mayor Eric Garcetti
City Attorney Mike Feuer
Councilmember Gilberto Cedillo
Councilmember Paul Krekorian
Councilmember Bob Blumenfield
Councilmember David Ryu
Councilmember Paul Koretz
Councilmember Nury Martinez
Councilmember Monica Rodriguez
Councilmember Marqueece Harris- Dawson
Councilmember Curren Price
Councilmember Herb Wesson
Councilmember Mike Bonin
Councilmember John Lee
Councilmember Mitch O'Farrell
Councilmember Jose Huizar
Councilmember Joe Buscaino

 Exhibit A
To: Los Angeles Department of Transportation
Re: Privacy Disclosure for the Provider API
From: JUMP Team
Thank you for the opportunity to discuss the the guidelines surrounding data sharing. We have
appreciated engaging in a dialogue with you on these important and ever-developing topics.
As you know, the Los Angeles Department of Transportation (LADOT) is requiring implementation of
the Provider API of Mobility Data Specification (MDS) for the Dockless On-Demand Personal Mobility
Conditional Use Permit (CUP). The MDS requires production of certain categories of location data that
may unintentionally endanger rider privacy without specifying how that data will be secured, stored, and
used by LADOT.
Rider location data, including precise GPS, timestamp, and route information (collectively, “Trip Data”),
may create significant re-identification risk when combined with other publicly available information
unless it is properly obfuscated. With very little analysis needed, patterns emerge that can reveal a user’s
home, work, and travel, putting their privacy at risk. California’s recently passed Consumer Privacy Act
addressed this issue directly by adopting a definition of Personal Data that almost certainly includes Trip
Data.
Uber is prepared to implement the Provider API in compliance with the MDS. However, we are
concerned that, to date, we do not yet have a formal policy from LADOT explaining how Trip Data will
be secured, used, and stored. Given the speed at which the MDS is being implemented, it will be critical
to resolve these issues in the short term to protect the privacy of our riders. While we are in full support of
standardization across cities, there is a wide range of actions that all cities must pursue to fully protect this
data from bad actors, including hiring staff and setting up adequate processes, policies, and safeguards.
In the coming months, Uber is ready to work with the LADOT and others to examine the MDS in more
detail and find opportunities to better protect trip-related data while promoting wide standardization and
establish industry best practices for data collected by bikes and scooters. In the interim, we trust that as a
responsible data steward, LADOT will abide by the following data protection principles.

1. Security of Trip Data must be maintained by LADOT
Any government authority requiring production of Trip Data through the Provider API should
secure Trip Data in accordance with standards applicable to Personal Information. To do this, the
recipient must implement administrative, physical, and technical safeguards that are no less
rigorous than accepted industry practices related to the protection of Personal Information, and
shall ensure that all such safeguards, including the manner in which Trip Data is collected,
accessed, used, stored, processed, disposed of, and disclosed, comply with applicable data
protection and privacy laws. In addition, we trust that LADOT will restrict access to Trip Data to
specific individuals within the city’s internal teams who have been granted the appropriate
authorization and access rights.

  
 

2. Uses of Trip Data should be limited and communicated to riders
In light of the potential for abuse, the receiving government authority should limit its use of Trip
Data to clearly specified objectives that are in line with its mission and statutory authority. For
example, LADOT has stated that it intends to use the data for permit enforcement,
communication of events, parking restrictions, and city planning. These are all sensible uses of
Trip Data. However, Trip Data data may be easily combined with other government data sets for
uses the public may find less acceptable. By committing to a set of objectives or data use
guidelines beforehand, the government authority can demonstrate that it intends to be a
responsible steward of this information. To ensure transparency, Uber may notify riders that their
Trip Data will be shared with LADOT.

3. Trip Data should be obfuscated when stored at rest
The receiving government authority should commit to obfuscate user Trip Data when stored at
rest in its network. In practice, this is the act of masking or scrambling personally-identifiable or
sensitive data in order to control how the data appears in the output of a database query. This
simple but powerful step would significantly diminish the risk of user re-identification if Trip
Data is ever publicly disclosed via a hacking or government records request. More importantly,
precise Trip Data is not required for the vast majority of use cases cited by LADOT. City
planning uses cases, for example, are actually better served with data that has been aggregated to
uncover behavior patterns.

4. Additional data sharing must be restricted
Data privacy is in the cultural spotlight, and users are afraid they have ​lost control of their
personal data​. Yet, in the discussion on github regarding authentication, it has already been
suggested that cities will be able to ​clone auth tokens​ to share with other agencies and vendors.
We would like to reaffirm that the receiving government authority will resist sharing any data
shared by the Provider API to any other public or private bodies in the absence of a formal
agreement. Without understanding the safety measures or commitments of these third parties,
Uber cannot measure and mitigate the safety risks associated with sharing data outside of this
agreement.
Last, we recognize that LADOT is required to comply with the California Public Records Act
(CPRA). We request that LADOT propose a plan to ensure that the CPRA is not used to share
unmasked Trip Data with the the general public.
In the coming weeks, Uber looks forward to working with LADOT and others on an industry standard for
sharing bike and scooter data that will be acceptable to all parties. With participation from all, we are

  
 
confident in our ability to develop a forward-thinking standard that meets the needs of cities while
safeguarding the privacy of riders.
Regards,
JUMP Team

 Exhibit B

February 13, 2019
Seleta Reynolds, General Manager
City of Los Angeles Department of Transportation
100 S. Main Street, 10th Floor
Los Angeles, CA 90012
Cc: Members, Los Angeles City Council; Mayor Eric Garcetti; City Attorney Mike Feuer
Dear Seleta Reynolds:
We write to express our strong objection to the Los Angeles Department of
Transportation’s (LADOT) plan to require operators to implement the Agency-API portion of the
Mobility Data Specification (MDS) as a condition of receiving a permit to operate in Los Angeles.
JUMP fully supports a responsible data sharing program that helps LADOT improve the
transportation landscape in Los Angeles, and has been actively engaged with LADOT since the
rollout of the MDS to this end. We pledge to continue to work with LADOT to create a framework
that advances the City’s planning goals and streamlines regulatory reporting, while complying with
all applicable laws and regulations and protecting user privacy.
Unfortunately, the current MDS (Provider + Agency) continues to present a serious risk to
our users’ personal privacy and civil liberties. Experts like the Center for Democracy and
Technology (CDT) have expressed grave concerns about the Provider-API portion of the MDS,
many of which were included in JUMP’s October 2018 Letter to LADOT. Despite these concerns,
the current Provider-API still lacks many of the appropriate mechanisms for protecting sensitive
user data. To fix these issues, JUMP has been working diligently with industry, public interest
groups, and cities to develop a version of the MDS, called MDS+, that provides the functionality
desired by the City while protecting user privacy.
The newly-proposed Agency-API would exponentially increase the threat to riders, allowing
LADOT to surveil riders in real time, and granting them unprecedented authority over personal
travel. Do LA residents understand their Department of Transportation will be tracking every one of
their dockless scooter and bike trips? Do they understand the City’s expressed intent to manage
the routing of these trips, and all commercial delivery and transportation trips in the City in the
future? These are significant changes to conventional municipal regulation, and deserve citizen
participation and public discourse that is not possible on GitHub (a developer platform).
Given these sincere concerns, we respectfully ask that LADOT suspend the
requirement to implement the Agency-API until a transparent and public discourse can
take place, including stakeholder engagement from leading U.S. privacy organizations.

 Surveillance of Riders
The Agency-API requires a real time push of the precise location of bikes and scooters
every 5 seconds while riders are actively on a trip. It also requires operators to receive and ingest
data and commands from LADOT and dynamically adjust operations in response to those
commands. This amounts to an unprecedented level of surveillance, oversight, and control that
LADOT would wield over private companies and individual citizens.
Importantly, LADOT has not given a compelling reason to justify the invasion of riders’
privacy. The reasons given to date, such as parking enforcement, event management, and
infrastructure improvement, can be addressed without resorting to real time surveillance. JUMP
accepts and appreciates that LADOT must be able to ask for information pursuant to legitimate
regulatory and policy objectives. But if LADOT cannot explain the necessity and relevance of the
specific information it is asking for (especially where JUMP is willing to work with LADOT to find a
less invasive alternative to meet LADOT’s needs), then this raises concerns about LADOT’s ask for
this expansive access to sensitive information. Here, the Provider MDS—which provides access to
route data after trips have been completed—is more than sufficient to meet LADOT’s articulated
city planning needs. The Agency MDS does not provide any meaningful improvements or
additions to meet this objective, and thus does not justify the corresponding risk to user privacy
and security that this API presents.1
Procedural shortcomings
The LADOT Strategic Implementation Plan, of which MDS is a part, states that as the City
“lays out a new paradigm for the City as a physical and virtual platform,” that LADOT “will be
diligently soliciting and digesting input on this future from the stakeholders ranging from city council
members to community-based organizations, to individual citizens in their communities.” To the
best of our knowledge, LADOT has not publicly solicited or digested input from citizens or thirdparty privacy and civil liberties organizations about either the Agency or Provider API, and the
changing role the City aims to play in their transportation data, routing, and beyond.
Operators have also not been granted significant time to digest and respond to
components of the MDS. For example, the first time operators were given a detailed briefing on
the Agency API was Thursday, February 7th, 2019 when LADOT held a singular webinar for
operators. On this webinar, LADOT failed to adequately address questions on their process for
retaining, deleting, storing, and protecting the data they intend to collect. Since that time, LADOT
has removed public access to these questions and the concerns of industry that were raised
during the webinar, and there is no mechanism for these privacy concerns to be resurfaced to the
1

See Patel v. City of Los Angeles, 738 F.3d 1058, 1064 (9th Cir en banc 2013) (“The government may
ordinarily compel the inspection of business records only through an inspection demand ‘sufficiently
limited in scope, relevant in purpose, and specific in directive so that compliance will not be
unreasonably burdensome.’”).

 Council or to the public. This is not an acceptable process by which to make significant and longlasting policy changes that will impact how the city collects, utilizes, and controls their citizens’
movement.
We believe this expanded Agency API is a monumental policy shift regarding how
governments collect and manage personal data. We call on LADOT to follow through on their
promise to engage the public and key stakeholders in answering and addressing the following
concerns:
1. How will LADOT use the data collected from users? Is there any intention to share this
data with other government agencies or third parties?
2. Does LADOT have an acceptable security framework in light of the sensitivity of this data?
3. Has LADOT confirmed with their legal staff that this program is compliant with the digital
rights afforded to California residents under the California Constitution and forthcoming
CCPA, and is this legal analysis available for review?
4. Does LADOT plan to conduct a vendor security assessment (VSA) for the
companies/developers they have hired to build this platform, and will the results of those
audits be available to service providers?
5. Does LADOT plan to pursue compliance with any industry standards or certifications for
information security, and will the results of these audits be publicly available?
6. Does LADOT have in place a privacy officer or data officer to ensure accountability in the
case of unauthorized access to trip data or a data breach? Is there a process in place to
notify users and provide them with remediation options where appropriate?
Provider API Privacy Risks
Today, JUMP continues to have concerns around the collection of data on individual trips,
which both the Provider API and Agency API enable. Despite vocal concerns from industry and
public interest groups like CDT, LADOT has not modified their data specification to account for the
risks associated with sharing and storing precise trip data. Rider location data, including precise
GPS, timestamp, and route information (collectively, “Trip Data”), may create significant reidentification risk when combined with other publicly available information unless it is properly
obfuscated. With very little analysis needed, patterns emerge that can reveal a user’s home, work,
and travel, putting their privacy at risk. California’s recently-passed Consumer Privacy Act
addressed this issue directly by adopting a definition of Personal Data that certainly includes Trip

 Data.2 The data is even more sensitive when it is “real time,” as riders can be followed or
intercepted while on trip.
In response to these concerns, LADOT issued limited guidelines governing the handling of
data. The guidelines are a step in the right direction, but still insufficient to protect the privacy and
safety of riders.3
Reciprocal Data Exchange and Implied Control Over Users
LADOT proposes to exert an unprecedented amount of control over the minute-to-minute
operations of JUMP and the individual transportation choices of its users. This approach runs
counter to the general principle that regulators will not stand in place of management in handling
the day-to-day (let alone the minute-to-minute) operations of a company.4 LADOT can set
requirements that it expects JUMP and its competitors to meet. But it need not and should not
require control over JUMP’s operations in order to ensure that JUMP meets those requirements.
Doing so would stifle innovation and competition.
***
Given these sincere concerns, we respectfully ask that LADOT suspend the requirement to
implement the Agency-API until a transparent and public discourse can take place, including
stakeholder engagement from leading U.S. privacy organizations. We sincerely appreciate your
consideration of these concerns, and welcome an opportunity to discuss these issues at your
convenience.
Sincerely,
Colin Tooze
Director of New Mobility Public Policy
JUMP

2

The California Consumer Privacy Act includes “geolocation data” in its definition of personal
information. Ca Civ. Code 1798.135(G).
3
The guidelines provide little detail on data handling, retention, and deletion protocols. Nor do they
mention applicable security certifications, audit practices, or best practices for protecting data in transit
or at rest. And perhaps most concerning, LADOT has not stated how the data will be used, giving it
unlimited right to use data in way riders may not expect. This does not comply with the most basic
tenant of privacy law, which requires limited collection of data for a specific purpose.
4
See, e.g., In the Matter of the Joint Application of GTE Corporation and Contel Corporation, D. 94-04083, 1994 Cal. PUC LEXIS 342 (Cal. Pub. Util. Comm’n Sept. 14, 1990) (Declining to adopt training
requirements in lieu of quality of service standards, stating “[a]s regulators we do not prefer as a policy
to stand in place of management in handling the day-to-day operations of the company”).

 Exhibit C

April 3, 2019
Ms. Seleta Reynolds, General Manager
Los Angeles Department of Transportation
100 S. Main Street, 10th Floor, Los Angeles, CA 90012
Re: JUMP comments to Los Angeles Department of Transportation Re: ​Data Protection Principles
Dear General Manager Reynolds,
On behalf of our JUMP mobility business, Uber would like to commend LADOT for drafting its Data
Protection Principles (“Principles”) to accompany the Mobility Data Specification (“MDS”) within its
dockless program. We believe this is a necessary step towards ensuring the privacy and data security of
Angelenos for whom micro-mobility options offer a valuable mode of electric transportation around the
City. We respectfully submit the following public comment on these Principles, which we hope will be
considered alongside comments from residents, privacy advocates, and Mobility Operators (“Operators”)
and addressed publicly prior to the City’s continued collection of data required by the MDS.
I. The City Should Resolve Important Ambiguities in the Principles Prior to Requiring Compliance
LADOT’s draft Data Protection Principles are a step towards responsible data use; however, these
Principles lack important details required to thoroughly assess their efficacy and protect consumer
privacy. At present, LADOT has stated their plan to further expand the scope of the MDS by requiring the
Agency API on April 15th. The City should delay the April 15 deadline until it resolves important
questions about the Principles, including: a clear definition of personal data, the scope of use and security
of the data, and a clear timeline for implementing these Principles.
(a) The Principles must be updated to clearly state that Trip Data is Personal Information
The current draft of the Principles do not classify location data collected while a user is on trip
(“Trip Data”) as personal information. The California Consumer Privacy Act defines personal
information as “information that identifies, relates to, describes, is capable of being associated
with, or could reasonably be linked, directly or indirectly, with a particular consumer or
household...personal information includes, but is not limited to...geolocation data.”1 The CCPA
does not distinguish between GPS data collected from a bike or scooter and GPS data collected
from a user’s phone—data is defined as personal information if it can be associated with a user.
Indeed, the City is aware that Trip Data can be used to re-identify an individual, since JUMP and
other advocates provided LADOT with multiple studies demonstrating that Trip Data that can
1

Cal. Civ. Code § 1798.140(o)(1)

 reveal a user’s home, work, and travel behavior with very little analysis needed.2,3 Despite this, in
its Technology Action Plan the City states that “MDS does not specify or collect any personally
identifiable data” without citing any legal or technical basis for this statement. The City cannot
credibly claim to care about privacy if it chooses to neglect the risks associated with the
collection of Trip Data.
(b) The Principles must describe how the City intends to use the data it collects
The Principles pay homage to data minimization but, upon closer inspection, it is clear that
LADOT has not incorporated this concept into their practices. Data minimization is the practice
of limiting the collection of information to that which is directly relevant and necessary to
accomplish a specified purpose. As an initial matter, LADOT has not restricted the scope of its
Principles to data collected by bikes and scooters, which makes the determination of which data is
strictly necessary for a given purpose impossible. LADOT states that it is only collecting data to
support its “operational and safety needs” but fails to provide ​any ​detail on the “how” or define
which data is strictly necessary for a given purpose. Even its previously-stated use cases—public
safety, congestion relief, equity, and sustainability—are broad categories that tell users nothing
about how LADOT will use the stockpile of data collected from their rides.
The MDS amounts to a massive ​overcollection o​ f data about the movements of bike and scooter
users. Each of the stated use cases can be accomplished without trip-level data, and certainly
without the near real-time surveillance of riders. Some requirements in the MDS also do not seem
to relate to bikes and scooters. As an example, the MDS requires operators to share vehicle
telemetry data that includes altitude and the number of GPS satellites. Without understanding the
city’s specific policy objectives, the inclusion of these data fields appear arbitrary. As we have
stated before, JUMP is not opposed to sharing data about bike and scooter usage with City. In
fact, we welcome the sharing of aggregated data and feel that the use cases described by the City
could be achieved with aggregated trip data which, when done correctly, inherently protects
individual privacy.
(c) LADOT should adopt and disclose a specific aggregation standard
JUMP is pleased to see the City is willing to use techniques to de-risk trip information through
“aggregation, obfuscation, de-identification, and destruction​.​” We request more detail on the
City’s policies to understand how they plan to do this—given that without additional detail, it is
not possible to assess whether these techniques will be effective. For example: Which types of
data are covered? What aggregation and obfuscation methods will be used? At what point in the
data life cycle will they be applied? How long will the City retain data before deletion? Without
these details, it is impossible to assess whether these Principles protect user privacy.

2

De Montjoye, Yves-Alexandre, et al. "Unique in the crowd: The privacy bounds of human mobility." Scientific
reports 3 (2013): 1376.
3
​Gonzalez, Marta C., Cesar A. Hidalgo, and Albert-Laszlo Barabasi. "Understanding individual human mobility
patterns." ​nature​ 453.7196 (2008): 779.

 If LADOT is serious about aggregation, it should adopt a third party aggregation tool such as the
SharedStreets Micro-mobility Connector. This solution transforms sensitive movement data into
useful insights that can be safely stored and, in many cases, publicly displayed. We urge the City
to adopt this technique or provide more details on an alternative solution, which is critical to the
protection of data at rest.
II.

The City Must Implement Data Security Controls and Data Breach Protocols

Data security is fundamental to any data protection standard. We appreciate the City’s commitment to
strong security controls and would only request specificity on which information security controls are
being proposed or are already in place.
Given the volume and sensitivity of data the City intends to collect, it is crucial to have not only the
proper security controls, but also a clear and reliable escalation process for the unauthorized use or breach
of data. To ensure this, we strongly urge LADOT to designate a Chief Privacy Officer to ensure
accountability and establish proper reporting processes should this data be accessed through unlawful or
unauthorized means. This is not only to protect the data of bike and scooter users—it will also be critical
for Operators to halt the flow of data while the issue is investigated and confirm the security of their own
data systems.
III.

LADOT must uphold its promise to strictly limit sharing with law enforcement and third parties
such as Remix

The City’s failure to consider the role of third parties has become a flashpoint in this debate. We
commend the City for addressing this issue in its Principles, which require any third party that receives
Trip Data to agree to use the data solely to provide services to LADOT. In practice, however, we have
not seen any signal that the City intends to implement this Principle. Operators are required to integrate
with Remix, Inc., a data aggregator that is not directly bound by a contract with the City, not obligated to
protect the data it receives from JUMP or use that data for the exclusive benefit of the City, and has
refused to enter separate agreements with Operators. It is irresponsible and potentially unlawful for the
City to use this permit process to force Operators to transfer data to Remix.
The City must also be precise about how it will share data with law enforcement. The Principles leave
open the possibility of using subpoenas or “other legal process” as the basis for sharing this data. We
believe the standard for disclosure of Trip Data must be a warrant. There is ample support for this concept
in the CalECPA, which requires a warrant before the government can obtain information from an
electronic device.4 We urge the City to follow suit and explicitly state under which circumstances it will
share data with law enforcement and publish those criteria for public review.

4

Cal. Penal Code § 1546.1(a)(2)

 IV.

The City did not engage the public in meaningful debate about the MDS

The MDS is an unprecedented effort by the City to compel every Operator to write specific code into their
proprietary code bases that empowers the City to capture their business records and electronically surveil
their users in near real-time. In the City’s own words, the City seeks to “actively manage” Operators'
businesses as part of a “radical, significant, and daunting” effort to affect a “significant cultural
transformation.”5 These efforts would, in the Department’s own words, “​change the dynamic of the
relationship between the public and private sector,”​ and by extension fundamentally change the nature of
the relationships between Operators, their customers, and the government.
Despite these lofty goals, the City has not provided in-depth and clear opportunities for the public to
understand the MDS and the extent to which the City intends to collect individual mobility data and
regulate commercial transportation options. MDS policy discussions were redirected to the Github, a
software development platform designed for developing computer code. Assuming they have heard of it
at all, the average citizen, reporter, and elected official finds Github difficult to navigate and understand
making it unfit for public consumption and an ineffective forum for a policy debate of this magnitude.
Indeed, the City did not even begin to solicit public feedback until after Operators were granted a
one-year permit and required to share data through MDS.
The City has kept detailed discussions about the MDS out of public view. Major changes to policy are
adopted as “code changes” with no public or transparent explanation or policy position underlying the
change. Even the City’s decision to write these Principles was secretive: the draft Principles are not
accessible from LADOT’s official website, and there was no public announcement of their existence, nor
that LADOT sought public comment on them. Furthermore, LADOT has not agreed to make written
submissions to their feedback form available for the public to ​actually read​. This is simply unacceptable.
As a result, Angelenos are almost entirely unaware of the City’s intent to implement this level of control
over their personal movement via the MDS. For example, the public should know about the City’s plans
to use this data for enforcement purposes—every bike and scooter user should know whether their trip
history will be the basis for fines or penalties. The City has an obligation to hold meaningful public debate
on the creation of a significant policy like the MDS under the California Constitution and Government
Code Section 54950 (the Ralph M. Brown Act (“Brown Act”)).6 The Brown Act requires a public
process by local legislative bodies that seek to create important policies like the MDS, specifically such
that “actions be taken openly and that their deliberations be conducted openly.”7 The public must be
provided with a meaningful opportunity to participate, and LADOT has so far failed to deliver on this
basic principle.

5

Ellis and Associates Inc., LADOT Strategic Implementation Plan LADOT Strategic Implementation Plan 10.
California Constitution Article I, § 3(b)(1) (“The people have the right of access to information concerning the
conduct of the people’s business, and, therefore, the meetings of public bodies and the writings of public officials
and agencies shall be open to public scrutiny.”); ​ ​Cal. Gov. Code § 54950.
7
​Cal. Gov. Code § 54950.
6

 JUMP will continue to do its part to educate users about their choices when providing their personal data
to us; we urge the City to do the same and fulfill its stated commitment to “share certain information with
the public to increase transparency, accountability, and customer service and to empower companies”
through a meaningful public comment period that deeply considers and integrates public feedback into its
dockless program.

We appreciate the time taken to carefully review these comments and look forward to hearing the City’s
response to our concerns.
Best,
Colin Tooze,
Director of Public Policy, New Mobility for Uber

 Email to LA City Council + Mayor’s Office:
April 3, 2019
TO:
FROM:

LA City Council, Mayor’s Office, City Attorney
Davis White

On behalf of our JUMP mobility business, Uber would like to commend LADOT for drafting Data
Protection Principles (“Principles”) to accompany the Mobility Data Specification (“MDS”) within its
dockless program. We believe this is a necessary step towards ensuring the privacy and data security of
Angelenos for whom micro-mobility options offer a valuable mode of electric transportation around the
City. We respectfully submitted public comment on these Principles on April 3, 2019, which we hope will
be considered alongside comments from residents, privacy advocates, and Mobility Operators
(“Operators”) and addressed publicly prior to the City’s continued collection of data required by the
MDS.
We appreciate your time to read our complete letter. I am extracting some of the key points here for you:
Important Privacy Ambiguities Still Exist: ​There are significant ambiguities in LADOT’s Data
Protection Principles, making it impossible to fully assess their proposed approach. LADOT should
commit to addressing these issues ​before​ the MDS is further expanded. For example: (a) The Principles
do not clearly state Trip Data is Personal Information; (b) The Principles do not describe how the city
intends to use the data it collects; and (c) LADOT should adopt and disclose an aggregation standard.
LADOT Must Implement Data Security Controls and Data Breach Protocols: ​Given the volume and
sensitivity of data the City intends to collect, it is crucial to have not only the proper security controls, but
also a clear and reliable escalation process for the unauthorized use or breach of data. To ensure this, we
strongly urge LADOT to designate a Chief Privacy Officer to ensure accountability and establish proper
reporting processes should this data be accessed through unlawful or unauthorized means.
LADOT Must Limit Sharing Personal Information with Third Parties: ​While LADOT states in its
Principles that they will require any third party that receives Trip Data to agree to use the data solely to
provide services to LADOT, in practice, this has not been the case. Operators are required to integrate
with Remix, Inc., a private company that is not directly bound by a contract with the City, not obligated to
protect the data it receives from JUMP or use that data for the exclusive benefit of the City, and has
refused to enter separate agreements with Operators. LADOT must also be precise about how it will share
data with law enforcement in the Principles.
LADOT Did Not ​Meaningfully​ ​Engage​ The Public: ​The City has not provided in-depth and clear
opportunities for the public to understand the MDS, and the extent to which the City intends to collect
individual mobility data and regulate commercial transportation options. MDS policy discussions were
redirected to the Github, a software development platform designed for developing computer code. Major
changes to policy are adopted as “code changes” with no public or transparent explanation or policy

 position underlying the change. As a result, Angelenos are almost entirely unaware of the City’s intent to
implement this level of control over their personal movement via the MDS.

LADOT should commit to a transparent process through which they will refine and execute these Data
Protection Principles, including but not limited to: (A) Post all comments from this process publicly so
that the public, City Council, and policymakers can all see the feedback received via this solicitation
process; (2) Disclose who will be reviewing feedback and making the final decisions on what is
incorporated; (3) Publish a detailed timeline for when these changes will be rectified; (4) Engage privacy
experts in the ongoing process to refine these Principles and develop LADOT’s methodologies; (5)
Incorporate these Privacy Principles directly into the MDS code-base, ensuring that the MDS truly
becomes a privacy-centric mobility data standard.
Thank you for your time and attention to this important matter.
Best,
Colin Tooze
Director of Public Policy, New Mobility for Uber

 Key points (draft)
●

●

Introduction
○ Scope. ​This data protection document is not limited in scope to bikes and scooters. The
city should clearly state whether this document will be used for the collection of data
outside the dockless program.
○

Classification. ​The data LADOT collects is sensitive because it includes personal
information; this should be stated to properly justify the specific data protection measures
being implemented. The reference to existing data security standards is not sufficient to
ensure that trip data is considered PI.

○

Timeline. ​LADOT should implement this data protection protocol ​prior​ to receiving and
storing this data to ensure user privacy and data security is maintained throughout the
duration of this pilot. The current deadline for Operator compliance (April 15) does not
allow sufficient time to ensure the necessary measures outlined in this document—data
minimization, security, and transparency to the public—will be in place prior to the
City’s receipt of trip data. Therefore, we strongly recommend that the City push back its
deadline for compliance while it meaningfully engages the key public, private, and
community stakeholders that are essential to the safe and successful execution of the
dockless program.

Data minimization
○ General​. This section should be under a broader section on “data collection and use.”
○

Data minimization. ​To understand LADOT’s determination that the MDS collects data
solely for specific enforcement or operational needs, those needs must be enumerated in
such a way that it clearly justifies the data being requested. The use cases stated
previously—public safety, congestion relief, equity, and sustainability—are not specific
enough to justify the collection of trip-level data at near real-time. They also do not
necessarily relate to bikes and scooters. As an example, the MDS requires operators to
share vehicle telemetry data that includes altitude and the number of GPS satellites.
Without understanding the city’s specific policy objectives, the inclusion of these data
fields appear arbitrary.

○

Aggregation, obfuscation, de-identification, and destruction. ​ We would appreciate
seeing the city’s specific policy for which data types these methods apply to, when they
will be applied, and the specific methods used, given the volume of raw trip data the city
will be ingesting on an hourly basis.

 ●

Access limitations
○ Law enforcement​. We request the city clarify or further restrict its policy for sharing data
with law enforcement to specific standards. We were separately informed the city would
only share location data in response to a warrant, but the city’s policy leaves open the
possibility of using subpoenas or “other legal processes” as the basis for sharing this data.
○ Third parties. T
​ he City should confirm that any third parties will be subject to the same
data protection requirements as outlined by this document and that they will not use the
data for their own benefit.

●

Data categorization:
○ General. ​We support the city’s use of the heightened “Confidential” security standard for
handling trip information. We strongly believe this should be paired with the
acknowledgment that this data is personal information, either within this section or in the
introduction of this document.

●

Security
○ General. ​We appreciate the City’s commitment to strong security controls and would
only request additional specificity on which information security controls are being
proposed or already in place to the extent that the City can make this information publicly
available.
○

●

Breach reporting. ​The City should designate a Privacy or Information Officer to ensure
accountability in the case of a data breach. The City should also include detail on their
reporting obligations if trip data is subject to a breach—this includes notifying Operators
and all individuals affected.

Transparency
○ The City must ensure a reasonable period of time for the public to understand and weigh
in on the data components of this program with assurances that their feedback will be
considered and where appropriate, integrated into the program design. This includes
clearly stating the scope of data collection, the City’s intended use of the data, and the
process by which the City will change or expand this program during or after the pilot
period.
○

Any public disclosure should include the city’s intent to use this data for enforcement
activities; those activities should be enumerated if individual face any potential penalty
for certain behaviors.

 Exhibit D

CONTRACT SUMMARY SHEET
TO:

THE OFFICE OF THE CITY CLERK,
COUNCIL/PUBLIC SERVICES DIVISION
ROOM 395, CITY HALL

DATE:

Ianuarv3 2017
y
1'

(PLEASE DO NOT STAPLE THE CONTRACT FOR THE CLERK’S FILE)
FORM MUST BE TYPEWRITTEN

TOTAL AMOUNT:

PURPOSE OF CONTRACT:
Provide Transit Marketing and Customer Outreach and Support Services for Proposition A and C
funded public transit services and projects.

NOTE: CONTRACTS ARE PUBLIC RECORDS - SCANNED AND UPLOADED TO THE INTERNET

 AGREEMENT BETWEEN
THE CITY OF LOS ANGELES
AND
ILIUM ASSOCIATES INC.
FOR
TRANSIT MARKETING
CUSTOMER OUTREACH AND SUPPORT SERVICES

 AGREEMENT
BETWEEN THE
CITY OF LOS ANGELES
AND
ILIUM ASSOCIATES INC.

THIS AGREEMENT is made and entered into, by and between the City of Los Angeles, a Municipal
Corporation (hereinafter referred to as "City") and Ilium Associates, Inc. (hereinafter referred to as the
"Contractor").
WITNESSETH
WHEREAS, the City desires to engage the service of the Contractor to provide transit marketing
and customer outreach and support services for its Proposition A and C funded public transit services and
projects; and
WHEREAS, the City issued a Request for Proposal ("RFP") on August 9, 2016 for companies
interested in conducting Transit Marketing Customer Outreach and Support Services, which RFP is on file
with the City and is incorporated herein by reference; and
WHEREAS, the Contractor submitted a Proposal in response to the RFP which is dated September
20, 2016 and is incorporated herein by reference (collectively the "Proposal"); and
WHEREAS, the Contractor has the management, expertise and financial viability necessary to
function as the Transit Marketing Customer Outreach and Support Services provider; and
WHEREAS, the Contractor has agreed to provide the services requested in the time and manner
set forth in the RFP, Addenda and Proposal incorporated into this Agreement; and
WHEREAS, the Mayor and City Council concurred with the selection of the Contractor on
December 13, 2016 (CF 11-1225-SI) and the said Proposal was the most responsive and cost-effective
Proposal received by the City for said services.
NOW, THEREFORE, the parties hereto agree as follows:
SECTION I. INTRODUCTION AND CONDITIONS PRECEDENT

A.

Parties to this Agreement
1.

The City of Los Angeles, A Municipal Corporation, having its principal offices at 200 North
Main Street, Los Angeles, California 90012

2

 2.

B.

The Contractor, known as Ilium Associates, Inc., located at 600 108th Avenue NE, Suite
660, Bellevue, Washington 98004.
Representatives of the Parties and Service of Notices

1. The representatives of the respective parties who are authorized to administer this
Agreement and to whom formal notices, demands and communications shall be given are as
follows:
a)

The representative of the City shall be, unless otherwise stated in the Agreement:
Corinne Ralph, Chief of Transit Programs
Bureau of Transit Services, LADOT
City of Los Angeles
Department of Transportation
100 S. Main Street, 10th Floor
Los Angeles, CA 90012

b) The representative of the Contractor shall be:
Carolyn Perez Andersen
President
Ilium Associates, Inc.
600 108th Avenue NE, Suite 660
Bellevue, WA 98004

C.

1)

Notices. Formal notices, demands and communications to be given by either party
shall be made in writing and may be effected by personal delivery or by mail. A
notice of Breach of Agreement will be sent via certified mail.

2)

Changes. If the name of the person designated to receive the notices, demands or
communications or the address of such person is changed, written notice shall be
given, in accordance with this Section, within five (5) working days of said change.

Contract Modifications
This Agreement fully expresses all understanding of the parties concerning all matters covered
and shall, with the Request for Proposal (RFP), the Addenda to the RFP, and the Contractor's
Proposal, constitute the total Agreement. Except as may otherwise be provided herein, no
addition to or alteration hereto shall be valid unless made in the form of a written amendment,
which must be formally approved by Mayor and/or Council and executed by the parties. No
modification or addition to this Agreement shall have any effect whatsoever unless set forth in
writing, approved by Mayor and/or Council, and signed by both parties.

3

 D.

Conditions Precedents
1.

Required Facilities. The Contractor shall, prior to the commencement of service, have all
facilities required for all necessary functions in place for the creation, production,
administration and support of service.

2.

Staff/Hourly Staff Rates. As per the Contractor's Proposal, the listing of all relevant
personnel and a discussion of the type of work that will be performed by the personnel
shall remain in effect for the term of this contract. The hourly staff rates for each staff
member for each year of this contract are included in the contractor's proposal and shall
be incorporated into this Agreement. If there are changes in the status of the staff
(including retirement, transfers, promotions, etc.) the City shall be notified in writing
within 30 days of the change.

3.

Travel Costs. The Contractor may be required to travel, on behalf of the City, to perform
the duties specified in the RFP and required under this Agreement. All records and
receipts for transportation (rental car, taxi, bus, gas, parking, mileage), excluding airfare,
must be retained and submitted with invoices for work performed per this contract as
set forth by the City and will be reviewed by the City for appropriateness before
payment. All transportation expenses, excluding airfare, will be reimbursed by the City,
provided they are in compliance with the standards established under the City's Travel
Policies prescribed by the City Controller. Since the Contractor's headquarters is located
outside the City, the City will pay for Contractor's transportation expenses to and from
the City while performing work under this Contract, but will not pay for airfare, hotel
accommodations or meals.

4.

Insurance Requirements. The Contractor shall comply at all times with all of the
insurance requirements under this Agreement and all Insurance verification must be
produced on City Insurance Endorsement forms. Appendix A (Standard Provisions for
City Contracts (Rev. 3-09) of the RFP describes in detail the insurance coverage and
amounts required by this Agreement.

5.

Contract Assignment. This Agreement is not to be assigned to a
substitute contractor, a successor in interest or a purchaser of the current Contractor
without the permission of the City. This Agreement will be terminated if the City does
not approve or grant permission to a subsequent contractor to assume the services.

SECTION II. TERMS OF CONTRACT

A.

Contract Period
1.

This Agreement shall be in effect for five years from January 1, 2017 through
December 31, 2021.

4

 2.

City obligations under this contract are contingent upon the City's ability to obtain
the funds from funding agencies and the availability of City funds in this and
subsequent fiscal year budgets to finance the cost of this Agreement.

3.

Contractor shall perform service hereinafter indicated strictly in accordance with the
terms and conditions of this Agreement.

4.

The City shall reserve the right to enter into other contracts with other firms for
similar services during the term of this Agreement.

SECTION III. CONTRACTOR DUTIES AND SCOPE OF WORK

A.

B.

Appointment
1.

The City hereby contracts with the Contractor to conduct, in a competent and
professional manner, all of the Transit Marketing Customer Outreach and Support
Services upon the terms and conditions as set forth in the RFP, Addenda, the
Proposal and this Agreement (collectively the "Agreement") and as directed by
LADOT on a task basis.

2.

The Contractor will render services as fully described and set forth in the RFP,
Addenda, the Proposal and this Agreement, unless otherwise modified by this
Agreement. All work performed by the Contractor shall be on a task assignment
basis based on verbal or written direction from LADOT. Assigned tasks will fall
broadly into the categories of transit marketing, customer support and miscellaneous
assistance to the LADOT Transit Bureau and LADOT.

Independent Contractor/Status of Contractor
1.

In rendering service hereunder, the Contractor shall be and remain an independent
Contractor. It is expressly understood and acknowledged by the parties hereto that any
amount payable hereunder shall be paid in gross amount, without reduction for any
federal or state withholding or other payroll taxes, or any other governmental taxes or
charges. The Contractor is responsible for assuming and remitting any applicable
federal or state withholding taxes, estimated tax payments, social security payments,
unemployment compensation payments, or any other fees or expenses whatsoever.

2.

The Contractor shall refrain from any action that would create or tend to create
obligations, expressed or implied, on behalf of the City, it being understood that the
Contractor is not and shall not be the legal representative or agent of the City and that
the Contractor shall not be authorized to make any promises, warranty or
representation except as specifically provided for in this Agreement or as otherwise
agreed to in writing between the parties.

5

 3.

The City shall have no liability to any subcontractor(s) for payment for service under
this Agreement or other work performed for the Contractor and any subcontractor
entered into by the Contractor pursuant to the conduct of service under this
Agreement. It shall be duly noted that the responsibility for payment for technical
services or any other work performed shall be the sole responsibility of the Contractor.

4.

All real property, purchased directly by the City or through the Contractor for this
contract shall become the property of the City and shall be returned to the City upon
termination of this Agreement, except as provided otherwise.

SECTION IV. COMPENSATION
A.

The Contractor agrees to provide all personnel, facilities, effort, materials and equipment
required to complete, to the full satisfaction of the City, all the work described in the RFP,
Addenda, the Proposal and this Agreement; and the City agrees to pay as full compensation
for said service, including all allowable expenses incurred and incident thereto, an estimated
amount not to exceed a ceiling price of $14 million over the five year term of the Agreement.

B.

The amount above includes all cost related to the creation, production and design of art
work, placement in media, public relations and promotions, kick-off events, distribution of
materials and all other activities related to marketing and supplying customer support for the
City's transit programs. For performance of this Agreement, the City shall pay the Contractor
upon submission of monthly invoices for all labor and other costs incurred. At the beginning
of each fiscal year covered by the Contract, the City shall notify the Contractor of the amount
budgeted for transit marketing in the City's adopted budget and that amount shall constitute
a not-to-exceed budget for that fiscal year.

C.

Invoices for payment of the service shall document all charges and fees collected, and be
prepared in such a form and supported by such copies of original invoices, payrolls and other
documents as may be required by the City to establish that the charges are allowable. The
City shall pay the Contractor upon submission of approved monthly request for payment.
The City agrees to pay the Contractor amounts billed, less disputed costs, if any, within 30
days following receipt.

SECTION V. PROJECT MANAGEMENT
A.

Carolyn Perez Andersen and John Gobis, the respective Project Co-Managers designated by
the Contractor, shall assume ultimate responsibility for, and participate in, all marketing and
customer support activities. Ms. Perez Andersen and Mr. Gobis shall oversee all staff
assigned to the project and all products produced by Ilium. The Contractor shall not replace
Ms. Perez Andersen, Mr. Gobis or other key proposed staff without written approval in
advance to the City.

6

 SECTION VI. PROJECT FINDINGS AND OWNERSHIP OF DOCUMENTS
A.

Any reports, data, or other information given to, prepared, or assembled by the Contractor
under the Agreement shall, if requested by the City, be kept confidential and shall not be
published or made available to any individual or organization by the Contractor without prior
written approval by the City.

B.

All finished or unfinished documents, data, surveys, studies, drawings, maps, brochures,
photographs, and reports prepared by the Contractor shall become the City's property.

SECTION VII. DOCUMENTS, RECORDS AND AUDIT

A.

Audits and Inspections
1.

At any time during normal business hours and as often as the City may deem necessary, the
Contractor shall make available to the City for examination, all of its records with respect to
all matters covered by this Agreement. The City shall have the authority to audit, examine
and make excerpts or transcripts from records, including all contracts, invoices, materials,
payrolls, records of personnel, conditions of employment and other statistical data relating
to all matters covered by this Agreement.

2.

The City reserves the right to dispatch auditors of its choosing to any site where any phase of
the project is being conducted. The City auditors shall be provided adequate and
appropriate work space in order to conduct audits and shall be allowed to interview any
employees of the Contractor.

3.

The City shall have the authority to make physical inspections and to require such physical
safeguarding devices as locks, alarms, safes, etc., to safeguard property and/or equipment
authorized by this Agreement. In the event the City requires equipment to be purchased
beyond what was originally proposed, the Contractor has the right to renegotiate the hourly
rate to reflect the cost of the equipment.

4.

If a fiscal or special audit determines that the Contractor has billed the City for inaccurate or
unsubstantiated work hours in its billings to the City, the Contractor shall be notified and
given the opportunity to justify the inaccurate billings. The City shall determine the amount
to be paid to the Contractor during the period of audit. If the Contractor fails to respond
within fifteen (15) days from the notice date, the City shall make the final determination of
disallowed billed work hours and the findings will be incorporated in the final audit report.
Over-billings shall be reimbursed by deducting the amount deemed over-billed from the
Contractor's current or future invoices.

 SECTION VIII. STANDARD CONTRACT PROVISIONS
A.

The provisions of the Standard Provisions for City Contracts (Rev. 3-09), found in Appendix A
of the RFP, are hereby incorporated by reference into this Contract. The Contractor shall
abide by the City's Standard Provisions for City Contracts. In the case of any variation
between the contract and the Standard Provisions for City Contracts or other standard City
policy or requirement, standard City policy shall prevail.
1.

Equal Benefits Ordinance

Contracts awarded pursuant to this procurement process shall be subject to the applicable
provisions of Los Angeles Administrative Code Section 10.8.2.1, Equal Benefits Ordinance
(EBO).
Contractors shall complete and submit to the contracting department the Equal Benefits
Ordinance Affidavit (two (2) pages) for a City contract valued at $5,000. The Equal Benefits
Ordinance Affidavit shall be effective for a period of twelve months for the date submitted to
the City. Contractors do not need to submit supporting documentation. However, the City
may request supporting documentation to verify that the benefits are provided equally as
specified on the Equal Benefits Ordinance Affidavit.
Contractors seeking a waiver from the requirements of the EBO shall visit the Bureau of
Contract Administration's web site at www.bca.lacitv.org and download the form. The EBO
Waiver Request Form hardcopy must be returned to the contracting department.
2.

Nondiscrimination, Equal Employment Practice and Affirmative Action Program (Non­
Construction)

Contracts awarded pursuant to this procurement process shall be subject to the applicable
provisions of Los Angeles Administrative Code Section 10.8.2., Non-discrimination Clause.
Non-construction services to or for the City for which the consideration is $1,000 or more
shall comply with the provisions of Los Angeles Administrative Code Section 10.8.3., Equal
Employment Practices Provisions. Contractor shall complete the Non-Discrimination/Equal
Employment Practices Affidavit (two (2) pages) and submit the completed form to the
contracting department. Non-construction services to or for the City for which the
consideration is $100,000 or more shall comply with the provisions of Los Angeles
Administrative Code Section 10.8.4., Affirmative Action Program Provisions. Contractor must
complete and submit to the contracting department the Affirmative Action Plan (four (4)
pages).
3.

Slavery Disclosure Ordinance

Unless otherwise exempt, in accordance with the provisions of the Slavery Disclosure
Ordinance, any contract awarded pursuantto this RFB/RFP/RFQwill be subject to the Slavery

8

 Disclosure Ordinance, Section 10.41 of the Los Angeles Administrative Code.
Contractor shall complete and submit to the contracting department the Slavery Disclosure
Ordinance Affidavit (one (1) page).
Contractor seeking a waiver from the requirements of the SDO shall visit the Bureau of
Contract Administration's web site atwww.bca.lacity.org and download the form. Hardcopy
of the SDO Exemption Form (OCC/SDO-2) must be returned submitted to the contracting
department.
SECTION IX

TERMINATION OF CONTRACT

A.

The City may terminate this Agreement without cause, in whole or in part, at any time by
written notice to the Contractor. The Contractor shall be paid its reasonable costs, including
contract closeout costs, and profit on work performed up to the time of termination. The
Contractor shall promptly submit its termination claim for payment to the City. If the
Contractor has any property in its possession belonging to the City, the Contractor shall
account for the same, and dispose of it in the manner the City directs.

B.

Upon receiving notice of Agreement termination the Contractor will begin transition of service
and equipment back to the City and the City's designated replacement contractor in an
amount of time to be determined by the City.

C.

If the City determines that the Contractor has not materially complied with the terms of the
contract, the City shall notify the Contractor of such non-compliance and reserves the right to
terminate this Agreement. Reasons for such termination may include, but shall not be limited
to the failure to provide service within agreed performance standards as evidence by City
inspection, through surveys, or by communications from users of a service. Termination shall
be effected by giving a notice of termination to the Contractor setting forth the manner in
which the Contractor is in default. In the event of termination for default of Contractor, the
Contractor shall only be paid the contract price for services delivered and accepted, and for
services performed in accordance with the manner of performance set forth in this Agreement.

D.

In the event of contract termination due to noncompliance, the Contractor may request a delay
in such termination in order to present an appeal to City Council.

E.

In case of default by Contractor, the City reserves the right to procure the articles or services
from other sources and to hold the Contractor responsible for any excess costs incurred by the
City.

SECTION X. MISCELLANEOUS
A.

Neither party assumes any liability for failure to fulfill the terms and conditions of this
Agreement caused by events beyond the reasonable control of such party. Such events may
include, but are not limited to the following: natural disaster, acts of the government in either

9

 its sovereign or contracted capacity, a failure or shortage of fuel, water, fuel oil or other utility
or services, strikes, riots, fires, floods, epidemics, war, insurrection or other national or local
emergency, freight embargo, impasse of routes due to construction, and unusually severe
weather but in every case the failure to perform must be beyond the control and without the
fault or negligence of either party or the Contractor's subcontractor(s).
B.

This Agreement and all its exhibits, the RFP, all Addenda to the RFP, and the Proposal contain
the entire understanding between the Contractor and City. No modification or addition to this
Agreement shall have any effect whatsoever unless set forth in writing and signed by both
parties hereto.

C.

Any item of work contained in either the RFP or the Proposal shall be performed by Contractor
as though it appeared in this Agreement. In the event of any conflict, the terms of this
Agreement, its exhibits and the RFP shall govern over the Proposal unless specifically stated
otherwise.

D.

Disputes regarding the interpretation or application of any provisions shall, to the extent
reasonably feasible, be resolved through good faith negotiations between the parties. The City
shall make every effort to limit the negotiating period for a time not to exceed 30 days. Failure
to come to a negotiated settlement will allow the aggrieved party to seek recourse in the
courts of law (Refer to the Standard Provisions for City Personal Services Contract, Appendix B,
Section PSC-8 of the RFP).

E.

The failure of the City to insist upon strict performance by Contractor of any provision
hereunder in every one or more instances shall not constitute a waiver of such provision by
City, nor shall, as a result, City relinquish any rights that it may have under this Agreement.

F.

This Agreement shall be binding on and insures to the benefit of the heirs, executors,
administrators and assigns of the parties hereto.

REMAINDER OF PAGE INTENTIONALLY LEFT BLANK
SIGNATURE PAGE FOLLOWS

10

 IN WITNESS WHEREOF, the City of Los Angeles and the Contractor have caused this
agreement to be executed by their duly authorized representatives.

Executed for:

Executed for:

The City of Los Angeles

Ilium Associates, Inc.

Seieia J. Reynolds
General Manager
Department of Transportation

Date:

President and CEO
Ilium Associates, Inc.

»• ?• n

Date

Approved as to Form and Legality:

ATTEST:

Mike Feuer, City Attorney

Holly L. Wolcott, City Clerk

Council File Number: 11-1225-SI
Contract Number:

- V'T-S'V't'Z—

Date of City Council Approval of original Contract: 12/13/2016

11