Changes to Short-Term Rental Laws Must Include Privacy and Free Speech Protections

This week, the California Senate and the City of San Francisco are contemplating changes to the laws governing short-term rentals, which allow for individuals to host guests in their homes, using platforms like Airbnb and VRBO. While such services have a lot of fans (like me) who’ve booked accommodations from Portland to Montreal, they also have raised scrutiny from regulators. In San Francisco, the city has enacted legislation governing how tenants can list their homes on short-term rentals, but legislators are currently offering proposals to modify the existing law; at the state level, proposed legislation would allow cities to mandate the transmission of consumer data to the government on a quarterly basis.

We have serious concerns about the implications of these proposals. However, as a fundamental point, it is clear that governmental agencies have an important role to play in protecting citizens and ensuring that businesses are operating legally. In this case, the concerns we have are not with the proposals’ existence, but rather with some of their implications — specifically, how they will affect individual privacy, security, and free speech.

We have concerns about default mandates to collect this kind of data, given the sensitivity, in particular, of location data.

The California Senate legislation, which would require quarterly transmission of address, occupancy, and rate data from service providers, opts in all cities and counties by default (they can, however, affirmatively choose to not require submission of this data by renters). In general, we have concerns about default mandates to collect this kind of data, given the sensitivity, in particular, of location data. Moreover, the legislation does not prescribe security standards for the transmission of data; de-identification procedures for when the data is stored by an agency; or how an agency should respond to a FOIA or open data request. While, in theory, all agencies should already prescribe such procedures and standards, it is unlikely that all of them within California will have done so, or will have revisited those policies to update them for current privacy and security standards. If the government mandates data transmissions on an opt-in basis, at the very least it should also mandate that cities and counties implement technologically robust privacy and security standards as well.

In San Francisco, multiple City Supervisors and Mayor Ed Lee have proposed amendments to the existing law that would change how short term rentals are regulated. While the various proposals differ in their provisions, some of the proposals create privacy and security issues for both companies and individuals. As with the California legislation, there would be mandated transmission of data from service providers to the government, but with no discussion of security standards for how the data should be transmitted. On the positive side, two proposals — Mayor Lee’s and Supervisor David Campos’ — provide for redacting names and addresses in the public database of short-term renters, so that open government requests don’t reveal private information unnecessarily. As we have seen in other jurisdictions, the privacy consequences of inadequately redacting information can be significant.

One element of Supervisor Campos’ proposal raises serious issues with the current state of intermediary liability protection under Section 230 of the federal Communications Decency Act. Under current San Francisco law, a “hosting platform” is defined as “a person or entity that provides a means through which an Owner may offer a Residential Unit for Tourist or Transient Use.” However, this definition isn’t limited to sites like Airbnb or VRBO, but could, for example, include social networks like Facebook or Twitter, which could theoretically be used to offer a residential unit for short-term use. Under Supervisor Campos’ proposal, hosting platforms would have to pre-review any listings, verifying that the listing was part of the city’s centralized database and that it hasn’t been rented for more than sixty days within the calendar year. But if I post a public Tweet asking for short-term renters to stay at my apartment in the Mission and don’t list the address, Twitter, which has no way of verifying any information before I post that tweet, would be in violation of the law, despite the fact that the service wasn’t designed to facilitate such short term rentals.

Such a violation would impose a form of intermediary liability under local law, which is expressly precluded by the preemption provisions of Section 230, which preempts similar state and local laws governing intermediary liability. While this may seem like an overly technical point, it demonstrates both the need to ensure that regulation of technology is done carefully, and the need to protect intermediaries from legal violations that they have no way of realistically preemptively screening.

We hope that, as these proposals are debated, that legislators will address these crucial issues. While there is a clear need to protect individual citizens even as new technologies upend the existing paradigms of housing and lodging, such regulations must be crafted in a way that promote the privacy and free speech rights of individuals.