Every day, billions of mobile and Internet-enabled computers, smartphones, watches, drones and even coffee machines are collecting vast amounts of geolocation data about their users. Apps such as Foursquare, Tinder and Waze, as well as mobile games such as Pokemon Go and Zombies Run all track and reveal an individual’s physical location through GPS, Wi-Fi and cell-based tracking technologies. This information, in turn, can be used to market products and services, deliver context-specific content, monitor users or employees, and enforce location-based access restrictions, providing valuable information to companies that can help them uncover new insights about consumers and their behaviors. While this ubiquitous collection of data can have social and economic benefits, it can also pose significant privacy and security concerns.
FTC Protects Geolocation Data
The United States does not have comprehensive legislation addressing the privacy implications of the collection and use of geolocation data. However, the Federal Trade Commission (FTC) has used its enforcement authority under Section 5 of the FTC Act to regulate companies engaged in unfair or deceptive practices involving geolocation data. Indeed, in the past few years, the FTC has paid particular attention to companies with deceptive privacy policies that fail to disclose adequately — or that affirmatively misrepresent — the extent to which consumers’ geolocation information is being collected or used. While these FTC actions are not binding on all companies, the commission’s enforcement actions related to geolocation data provide guidance for balancing the utility of collecting this data against competing consumer privacy concerns.
The FTC also objected to the company’s allegedly false and misleading end-user license agreement (EULA), which presented users with an illusory option of refusing the terms of the EULA, including those related to the collection and use of data. In fact, the FTC alleged in its complaint against Goldenshores Technologies that the app began transmitting geolocation data and persistent identifiers while users viewed the EULA and before they ever accepted or refused its terms. Goldenshores Technologies’ settlement with the FTC prohibited the company from misrepresenting the extent to which consumers’ information is collected, used, disclosed or shared, and the extent to which users may exercise control over their data. The FTC ordered the company to delete any geolocation data collected prior to settlement, and to provide, immediately prior to the collection or transmission of user data, a clear and prominent disclosure of when, how, why and what geolocation data is being collected.
Geolocation and Children
The collection and use of geolocation data becomes a particularly sensitive issue when it involves children. The Children’s Online Privacy Protection Act (COPPA) “prohibits unfair or deceptive acts or practices” in the “collection, use and/or disclosure of personal information” over the Internet about children under age 13. Under COPPA, protected “personal information” includes “geolocation information sufficient to identify street name and name of a city or town.” The FTC has clarified that geolocation data that constitutes “personal information” includes longitudinal and latitudinal coordinates, but excludes more coarse-grained data that might be tantamount to collecting a zip code.
These recent FTC actions provide some useful practice tips for companies:
2. Disclose fully. Even without an affirmative misrepresentation, companies risk being the subject of an FTC enforcement action by omitting details about what type of geolocation data they are collecting, how they are collecting it, how they are using it and to whom it is being disclosed. Although Goldenshore’s description was not false, the FTC took issue with that company’s vague description of the type of data it collected (which omitted any mention of geolocation data) and the company’s failure to inform its users that geolocation data would be shared with third parties.
3. Comply with COPPA. Failure to abide by COPPA can subject a mobile app or web service company to significant fines and bad publicity. The FTC authorizes the filing of a complaint when it has “reason to believe” that COPPA has been or is being violated, and the proceeding is in the public interest. It is thus important that any service that may be targeted at children notify and receive verifiable consent from parents before collecting geolocation data from children, including geolocation data obtained from the device the child is using.
In short, when the marketing department of your company says that good business is all about “geolocation, geolocation, geolocation,” remind them that good business should also be about “notice and consent, notice and consent, notice and consent.”
Devika Kornbacher is a Partner based in Vinson & Elkins’ Houston office. At the time of this writing, Scott Breedlove was a Partner in the firm’s Dallas office. Janice Ta is a senior associate based in the firm’s Austin, TX, office, and Aislinn Affinito is an associate. The views herein represent those of the authors and not necessarily their firm or its clients.
The views expressed in the article are those of the authors and not necessarily the views of their clients or other attorneys in their firm.