Companies today can learn almost everything about everyone, especially where there are at any particular time, or where they’ve been over a period of time. That’s because people holding smartphones carry transmitters of their geolocation data.
At least one lawmaker would like to see individuals’ location-based data protected, and during recent testimony before a Senate subcommittee, a top Federal Trade Commission official expressed her support for pending legislation designed to protect consumers in how their geolocation data are used.
Testifying before the Senate Committee on the Judiciary Subcommittee for Privacy, Technology and the Law, Jessica Rich, director of the agency’s Bureau of Consumer Protection, noted that the draft Location Privacy Protection Act of 2014 addresses issues of importance to the commission. U.S. Sen. Al Franken (D-Minn.) is the bill’s sponsor.
The act seeks to improve the transparency of geolocation services and give consumers greater control over the collection of their geolocation information. If approved by Congress and signed into law, the legislation would require the user’s consent before companies could collect or disclose geolocation information from electronic communications devices.
Companies also couldn’t collect location data in secret, and those that collect location data of 1,000 or more devices would have to post online the types of data they collect, how they share and use it, and how people can opt out of such data. The development, operation, and sale of GPS stalking apps would be banned, and the legislation would require the federal government to gather more information about and facilitate reporting of GPS stalking.
Geolocation services already have made their way into the payments space. MasterCard, for example, through a new partnership with Syniverse, is using geolocation services to enable holders of its cards to opt in to a mobile-payment program activated when they enter a predetermined geographic location outside of their normal service area. AT&T is working to offer a similar product for use in helping international travelers secure card authorizations when traveling. Both are opt-in services.
The mobile marketplace, Rich said in prepared testimony, has experienced remarkable growth, with new products and services offered every day, many of which rely on consumers’ geolocation information. And while products and services that use the information can make consumers’ lives easier and more efficient, such data also can reveal consumers’ movements in real time and provide a detailed, comprehensive record of their movements over time.
As such, use of this sensitive information can raise privacy concerns, she said.
Geolocation information can divulge intimately personal details about an individual, and answer such sensitive questions as, Did you visit an AIDS clinic last Tuesday? What place of worship do you attend? Were you at a psychiatrist’s office last week? Did you meet with a prospective business customer? Rich said.
Businesses could use consumers’ geolocation information to build profiles of a customer’s activities over time and potentially put the information to unanticipated uses, Rich said in her testimony. “Sensitive geolocation information could end up in the wrong hands in a number of ways, including by being sold to companies who then use it to build profiles with other sensitive information, such as medical conditions or religious affiliation, without consumers’ knowledge or consent, by being accessed by hackers, or by being collected through surreptitious means such as ‘stalking apps,’” she said.
Moreover, after obtaining an individual’s geolocation information, criminals could use it to identify the individual’s present or future location, thus enabling them to cause harm to an individual or his or her property, ranging from burglary and theft, to stalking, kidnapping, and domestic violence, she said.
Rich cited three provisions in the act that are consistent with the commission’s views. First, the bill defines geolocation information as data that is “sufficient to identify the street name and name of the city or town” in which a device is located. The definition, she said, is consistent in many respects with the commission’s Children’s Online Privacy Protection Act Rule, which requires parental consent for the collection of children’s “geolocation information” that is “sufficient to identify street name and name of city or town.”
Second, the Location Privacy Protection Act also requires that an entity collecting consumer geolocation information disclose its collection of such information, and the commission has recommended that companies make their data-collection practices more transparent to consumers, Rich said. “The disclosure mechanism outlined in the act is an important step forward on transparency concerning the collection of geolocation information,” she said.
And third, the act requires affirmative express consent from consumers before a covered entity may knowingly collect or disclose geolocation information, an approach the commission also supports, Rich said.
The commission, however, would like some minor changes in the draft, Rich testified. For one, the act gives the U.S. Department of Justice rulemaking authority, in consultation with the FTC, and sole enforcement authority. The FTC is recommending that it be given rulemaking and enforcement authority with regard to the act’s civil provisions, with the DOJ exercising enforcement authority for the criminal provisions, Rich said in her testimony.