Skip to Content

Cybersecurity & Standards, Government Surveillance

Airbnb and HomeAway Challenge NYC’s Mandatory Data Sharing Law

Earlier this year New York City adopted a new ordinance that will require online home-sharing services, like Airbnb and HomeAway, to regularly provide the City with identifying data about their hosts and their hosts’ homes, and information about the rental of those properties by third parties. Local Law No. 146 of 2018, A Local Law to amend the administrative code of the city of New York, in relation to the regulation of short-term residential rentals, (Law No. 146), goes into effect February 2, 2019. The purpose of Law No. 146 is to crack down on housing regulation violations facilitated by online platforms.

Law No. 146 places two requirements on platforms. For every instance in which a New York City residence is rented on a short-term basis using a platform, the platform must—for the foreseeable future—provide to the City’s enforcement agency on a monthly basis:  

  • The full address of the residence being rented out;
  • The full legal name, address, phone number and email address of the host;
  • The individualized name and number and the URL of such advertisement or listing;
  • A statement as to whether such short-term rental transactions involved the rental of the whole home or part of the home;
  • The total number of days that the residence was rented;
  • Fees collected by the platform from the transaction;
  • Host bank account information

As discussed below, not all of this information is made publically available via platforms. No identifiable data about those who stay in a home-sharing host’s property is required to be provided. The second requirement in the new ordinance is that home-sharing platforms must solicit consent from their users to the platform turning this data over to the City.

In August Airbnb and HomeAway (Plaintiffs) sued to stop the City from enforcing Law No. 146 citing Fourth and First Amendment concerns, as well as a violation of the Stored Communications Act (SCA). Our friends at EFF filed an amicus brief supporting this suit, arguing that the ordinance violates the Fourth Amendment and the Stored Communications Act (SCA). The lawsuits, Airbnb, Inc. v. City of New York and, Inc. v. City of New York, are proceeding in the Southern District of New York.

We review the Fourth Amendment and SCA claims below.

The Fourth Amendment Challenges

Plaintiffs argue that their Fourth Amendment rights are violated because the government is permitted to warrantlessly search their business records without any opportunity for pre-compliance review. The information sought under Law No. 146 they argue is highly sensitive and contains proprietary commercial and personal data for which Airbnb has a reasonable expectation of privacy.

EFF focused on the rights of hosts, arguing that the data sharing regime constitutes an impermissible warrantless Fourth Amendment search of host data, because the data sought is not publicly available via the platform, and are of a sensitive nature for which there is a reasonable expectation of privacy. The search would be executed by the platform acting as an agent of the government. And indeed, the information sought includes contact information for hosts, bank account information, and can reveal when individuals are home, and when they have paying guests. In short, the data sharing would provide the government the ability to spy on thousands of New Yorkers absent individualized suspicion.

The hosts whose data would have to be reported under Law No. 146 are usually not operating as commercial entities. Rather they are overwhelmingly individuals who have chosen to provide lodging to tourists, and travelers, and in that process are supplementing their income. Indeed, a report commissioned by the Hotel Trades Council determined that 12% of all hosts in New York City are operating Airbnb units as commercial entities (based on their methodology this number may be under-representative), accounting for 28% of revenue.

The home is a traditional bedrock of Fourth Amendment protections, which lends some support for this challenge. In Kyllo v. United States, government agents used a thermal-imaging device to scan a home for heat signatures consistent with heat lamps for growing marijuana. A lower court rejected Kyllo’s attempts to suppress the evidence from this search finding that “there was no objectively reasonable expectation of privacy because the thermal imager did not expose any intimate details of Kyllo’s life, only amorphous hot spots on his home’s exterior.” Writing for the Supreme Court, Justice Scalia rejected this argument outright stating that, “[i]n the home, our cases show, all details are intimate details, because the entire area is held safe from prying government eyes.”

Furthermore, in Florida v. Jardines, a case about the warrantless use of a trained detection dog on a defendant’s porch, Scalia writing for the Court again observed that the home is sacrosanct:

“But when it comes to the Fourth Amendment, the home is first among equals. At the Amendment’s “very core” stands “the right of a man to retreat into his own home and there be free from unreasonable governmental in-trusion.” Silverman v. United States, 365 U. S. 505, 511 (1961). This right would be of little practical value if the State’s agents could stand in a home’s porch or side garden and trawl for evidence with impunity; the right to retreat would be significantly diminished if the police could enter a man’s property to observe his repose from just outside the front window.” (emphasis added)

Activity in a home is increasingly generating data that governmental entities seek.  As a result, it is increasingly important to establish privacy-protective rules on government access to data generated by “internet of things” devices increasingly adopted into the home. Recently, in Naperville Smart Meter Awareness v. City of Naperville, the 7th Circuit reviewed the protections that should be afforded smart meter data. The Court observed that “the energy-consumption data collected at fifteen-minute intervals reveals when people are home, when people are away, when people sleep and eat, what types of appliances are in the home, and when those appliances are used” and that residents have a reasonable expectation of privacy in this data. Just as in that case, the data collected in this suit would reveal “when people are home, when people are away” and when they have guests.

Third Party Doctrine

This case implicates the third party doctrine or the legal theory that an individual has a reduced expectation of privacy in information knowingly shared with another. In other words, do hosts retain a reasonable expectation of privacy in the data sought by the government when the host has shared that data with a platform?

In Carpenter v. United States, in which the Supreme Court determined that a warrant is needed to access more than 7 days worth of cell-site location information. Carpenter was a blow to the third party doctrine. The reasoning in Carpenter provides some support to the Fourth Amendment claims in the case at hand. The Carpenter court noted that the foundational third party doctrine cases “did not rely solely on the act of sharing. Instead, they considered ‘the nature of the particular documents sought’ to determine whether ‘there is a legitimate expectation of privacy’ concerning their contents.” In Carpenter, the fact that the data sharing between a cell phone and a provider “made possible the tracking of not only Carpenter’s location but also everyone else’s, not for a short period but for years and years” was influential to the outcome. While the data implicated by this lawsuit is not of the nature in Carpenter, it is far more revealing than the data upon which the third party doctrine is based—numbers dialed on a telephone and bank checks. The information that must be shared with the government in this case reflects how individuals choose to spend time in their home, and how they choose to open it up to paying guests.

The Administrative Search Doctrine

The administrative search doctrine may pose a hurdle to the Fourth Amendment challenge that the plaintiffs brought. It holds that there is an exception to the Fourth Amendment warrant requirement that allows for warrantless searches for the purpose of advancing a pervasive regulatory scheme. This doctrine has been used to justify a number of different searches including, for example, at employee work sites, the nation’s borders, and auto junkyards.

Plaintiffs relied on City of Los Angeles v. Patel, in the which the Supreme Court struck down a city ordinance requiring hotels to allow police officers to inspect their guest registries even absent a warrant. The Court found that there was no pervasive regulatory scheme of hotels and motels in Los Angeles. Indeed the Court observed that “nothing inherent in the operation of hotels poses a clear and significant risk to the public welfare” compared to other industries, like firearms dealing, to which the administrative search doctrine applies. Furthermore, the Court pointed to the regulations requiring hotels to, among other things, maintain a license, collect taxes, post their rates and meet certain sanitary standards and observed that such regulations did not “establish a comprehensive scheme of regulation that distinguishes hotels from numerous other business.” Plaintiffs argue that as in Patel, here too there is not a pervasive regulatory scheme sufficient to support an administrative search exception to the warrant requirement of the Fourth Amendment.

The Stored Communications Act

Perhaps the strongest challenge raised by Plaintiffs and EFF is that Law No. 146 would prompt platforms to violate the SCA. The SCA provides that “a provider of remote computing service or electronic communication service to the public shall not knowingly divulge a record or other information pertaining to a subscriber or to a customer of such service…to any government entity,” without a subpoena or other legal process, unless one of several exceptions applies, including consent. The Government concedes the application of the SCA to Plaintiffs. Airbnb acts as an electronic communication service in allowing hosts and renters to communicate about listings, and acts as a remote computing service by allowing hosts to create listings and store data like photographs, documents, and correspondence.

Plaintiffs argue persuasively that the consent they would be forced to solicit from their users would not cure the SCA violation. Specifically, they argue that the statutory consent required must be obtained by the government, and not by a third party. They further argue that the consent given here would be coerced, not voluntary, as required by the SCA.


Airbnb, Inc. v. City of New York and, Inc. v City of New York raises important issues about the continued vitality of the Fourth Amendment in protecting the privacy of activity in the home, and about the scope of the privacy protections in the Stored Communications Act. It also has significant implications for the privacy of granular data reflecting our activity in our homes will be available to law enforcement via the exploitation of data generated by IoT devices.