Follow Us

Law.com Subscribers SAVE 30%

Call 855-808-4530 or email GroupSales@alm.com to receive your discount on a new subscription.

Cybersecurity Internet Law Privacy Regulations Social Media Technology Media and Telecom

In Light of Recent FTC Actions, Review Your Privacy Policy

The United States does not have comprehensive legislation addressing the privacy implications of the collection and use of geolocation data. However, the Federal Trade Commission (FTC) has used its enforcement authority under Section 5 of the FTC Act to regulate companies engaged in unfair or deceptive practices involving geolocation data.

Print
X

Thank you for sharing!

Your article was successfully shared with the contacts you provided.

Every day billions of mobile and Internet-enabled computers, smartphones, watches, drones and even coffee machines are collecting vast amounts of geolocation data about their users. Apps such as Foursquare, Tinder and Waze, as well as mobile games such as Pokemon Go and Zombies Run all track and reveal an individual’s physical location through GPS, Wi-Fi and cell-based tracking technologies. This information, in turn, can be used to market products and services, deliver context-specific content, monitor users or employees and enforce location-based access restrictions, providing valuable information to companies that can help them uncover new insights about consumers and their behaviors. While this ubiquitous collection of data can have social and economic benefits, it can also pose significant privacy and security concerns.

FTC Protects Geolocation Data

The United States does not have comprehensive legislation addressing the privacy implications of the collection and use of geolocation data. However, the Federal Trade Commission (FTC) has used its enforcement authority under Section 5 of the FTC Act to regulate companies engaged in unfair or deceptive practices involving geolocation data. Indeed, in the past few years, the FTC has paid particular attention to companies with deceptive privacy policies that fail to disclose adequately — or that affirmatively misrepresent — the extent to which consumers’ geolocation information is being collected or used. While these FTC actions are not binding on all companies, the commission’s enforcement actions related to geolocation data provide guidance for balancing the utility of collecting this data against competing consumer privacy concerns.

For example, in 2014 the provider of the mobile messaging app Snapchat settled an FTC action that included a charge that its statement that it “[does] not ask, for, track or access any location-specific information” was false and misleading. Contrary to this statement in Snapchat’s privacy policy, the Snapchat application on Android transmitted Wi-Fi-based and cell-based location information from users’ mobile devices to its analytics tracking service provider, according to the FTC’s complaint. The decision and order in this action categorized “precise geolocation data of an individual or mobile device, including GPS-based, Wi-Fi based or cell-based location information” as “covered information” subject to prohibitions on future use. Snapchat’s settlement with the FTC included a requirement for biennial comprehensive information security and privacy assessments for 20 years. This action shows that the FTC considers precise geolocation data to be personally identifiable information that is subject to the fair information practice principles of notice and consent.

In another case, the FTC filed a complaint against computer rental franchisor Aaron’s Inc. for knowingly allowing the installation of monitoring technology on its computers, which allowed franchisees to track the physical location of computers, capture images through the computers’ webcams and activate keyloggers that captured users’ login credentials. Among other settlement terms, the company’s consent agreement with the FTC prohibited the installation or use of tracking technology to gather geolocation data without first providing clear and prominent notice to consumers (separate and apart from any privacy policy, terms of service or end user license agreement) and obtaining express consent. The company was also ordered to delete any previously gathered and stored geolocation data and was prohibited from misrepresenting the extent to which the company maintains the privacy, security or confidentiality of users’ information.

The FTC has also pursued enforcement actions against companies based solely on deceptive geolocation data practices. For example, Goldenshores Technologies, the provider of the Brightest Flashlight app, settled with the FTC in 2013 on allegations that the company’s privacy policy inadequately disclosed to consumers that the app transmitted data, including precise geolocation and persistent device identifiers, to third parties. The policy stated that the company collected and used “diagnostic, technical and related information, including but not limited to information about your computer, system and application software, and peripherals.” But it did not mention geolocation data specifically, or indicate that the data would be shared with third parties such as advertising networks.

The FTC also objected to the company’s allegedly false and misleading end user license agreement (EULA), which presented users with an illusory option of refusing the terms of the EULA, including those related to the collection and use of data. In fact, the FTC alleged in its complaint against Goldenshores Technologies that the app began transmitting geolocation data and persistent identifiers while users viewed the EULA and before they ever accepted or refused its terms. Goldenshores Technologies’ settlement with the FTC prohibited the company from misrepresenting the extent to which consumers’ information is collected, used, disclosed or shared, and the extent to which users may exercise control over their data. The FTC ordered the company to delete any geolocation data collected prior to settlement, and to provide, immediately prior to the collection or transmission of user data, a clear and prominent disclosure of when, how, why and what geolocation data is being collected.

Geolocation and Children

The collection and use of geolocation data becomes a particularly sensitive issue when it involves children. The Children’s Online Privacy Protection Act (COPPA) “prohibits unfair or deceptive acts or practices” in the “collection, use and/or disclosure of personal information” over the internet about children under age 13. Under COPPA, protected “personal information” includes “geolocation information sufficient to identify street name and name of a city or town.” The FTC has clarified that geolocation data that constitutes “personal information” includes longitudinal and latitudinal coordinates, but excludes more coarse-grained data that might be tantamount to collecting a zip code.

In an FTC enforcement action settled earlier this year, United States v. InMobi PTE, No. 3:16-cv-3474 (N.D. Cal. June 22, 2016), mobile advertising company InMobi PTE Ltd. agreed to pay $950,000 in civil penalties to settle FTC charges that it had deceptively tracked the locations of hundreds of millions of consumers — including children — without their knowledge or parental consent. InMobi’s advertising network, which runs in conjunction with thousands of apps, has the ability to targets ads to consumers based on location. InMobi represented in its privacy policy that its ad software would track consumers’ locations only when the consumer opted in to such tracking. But the FTC found that even when consumers had affirmatively turned off geolocation services, InMobi would still collect data on the nearest wireless network to infer the physical location of consumers and serve geo-targeted ads to the consumer.

It also misrepresented in its privacy policy that it did not collect information for children under 13. it failed to implement adequate privacy processes, resulting in the collection of children’s personal information (including geolocation). The FTC required InMobi to delete all information that it collected from children and implement a comprehensive privacy program, to be monitored by an independent privacy professional, for 20 years. This action reinforced the commission’s willingness to follow through on its message that app operators must take steps to comply with COPPA when offering ad-supported apps directed at children, and geolocation data collected through any means (including inference from wireless network connections) is subject to the same notice and consent requirements as other personal information.

Lessons Learned

These recent FTC actions provide some useful practice tips for companies:

In short, when the marketing department of your company says that good business is all about “geolocation, geolocation, geolocation,” remind them that good business should also be about “notice and consent, notice and consent, notice and consent.”

*****
Devika Kornbacher
is a Partner based in Vinson & Elkins’ Houston office. Her practice focuses on obtaining, licensing and enforcing intellectual property rights, with a particular emphasis on technology law in the context of mergers, acquisitions, joint ventures and other business transactions. Scott Breedlove is a Partner based in the firm’s Dallas office. His practice focuses on intellectual property litigation and counseling. He is a patent litigator with experience representing clients in trial courts across the country. Janice Ta is a senior associate based in the firm’s Austin office. Her principal area of practice is intellectual property law. Aislinn Affinito is an associate based in the firm’s Washington, DC, office. Her principal area of practice is complex commercial litigation, with a focus on white-collar civil litigation, government investigations and FCPA compliance. This article is intended for educational and informational purposes only and does not constitute legal advice. The views represent those of the authors and not necessarily their firm or clients.

 

 

The views expressed in the article are those of the authors and not necessarily the views of their clients or other attorneys in their firm.

Read These Next