With the ever-increasing availability and utilization of smartphones and GPS technology, location has become a vehicle through which marketing and social information can be transmitted. "Geo-location" technology has been in existence since 1999 and is well known from applications ("apps") like Google Maps, which enable a user to search for physical places (i.e. hotels, restaurants, stores, tourist attractions) relative to a computer or phone's location. These apps are now becoming more advanced and creative which has led both Congress and the FTC to examine how businesses and the government (should) regulate location-based information.
Geo-location apps, such as Foursquare and Loopt, allow friends to share their location and post comments about places they frequent or visit. The more places one visits and shares with friends, the more points and "badges" that person receives which can be redeemed for discounts and rewards. For example, on May 22nd, Pepsi released "Pepsi Loot" for the iPhone and iPad. This location-based app directs users to restaurants serving Pepsi products, known as "Pop Spots." As visits to these establishments accumulate, a user can obtain rewards, such as free downloads of exclusive music or free Pepsi with an entree purchase.
From a legal standpoint, the use of location-based information produces privacy and data security concerns. The FTC, after holding a town hall on the mobile marketplace in 2008, issued recommendations ("Self Regulatory Principles for Online Behavioral Advertising") for companies seeking to advertise based on a consumer's online activity over time. The FTC recommended that industry self-regulation consist of a requirement of "affirmative express consent" for "material retroactive changes to privacy promises" and for use of "sensitive" data, which should include "precise geographic location information." Companies need to be certain any notice they provide for location-based apps is consistent with their privacy policy; otherwise, they may be subject to privacy violations for "deceptive" notice under Section 5 of the FTC Act.
Location-based apps may trigger a string of laws concerned with protecting personal information, such as:
- the Children's Online Privacy Protection Rule (for online services aimed at children under 13),
- HIPAA and the FTC Health Breach Rule (for covered entities under HIPAA or their "business associates"),
- FACTA and the FTC Red Flag Rules (for financial institutions with data subject to identity theft),and
- Section 222 of the Federal Communications Act (for telecom providers with customer proprietary network information), and various state data security laws.
In Congress, meanwhile, Representative Rick Boucher (D-Va) and Representative Cliff Stearns (R-Fla) have sponsored an online consumer privacy protection bill, released May 4th, which would require that consumers opt-in before companies collect, use, or disclose "sensitive" data, such as "precise geographical location." More generally, Apple is looking to control third-party targeted advertising, as the most recent iPhone Developer Agreement mandates that third parties get Apple's permission before collecting user data, which would include location-based data, to advertise. The FTC, however, is reported to be investigating potential antitrust issues with this policy.
The bottom line is this: regulators seem to be in agreement that companies should obtain affirmative consent from online consumers before collecting, using, and disclosing their precise geographic location data. How mandatory any requirements might be, how extensive their reach, and where they might come from is still uncertain. Anyone involved in this growing market should watch to see if the legal parameters are clarified in the near future.
UPDATE (6/29/2010): On June 21, the Los Angeles Times reported that Apple had made an update to its privacy policy allowing the company to collect "precise," "real-time geographic location" data for users of its iPhone and iPad. Apple has apparently been collecting this information since 2008 notifying users via an End User License Agreement for each individual device. Now though, with notice in the privacy policy, by simply using the iPhone or iPad, “users are implicitly giving Apple their consent to collect the data.” The data may then be used by Apple and unspecified "partners and licensees" for targeted advertising and other services. Apple, for its part, says the data is “anonymous and does not personally identify users.” Users can prevent third-party applications from using this data through the Location Services setting on their devices; however,the LA Times reports that “there’s nothing to indicate that these settings prevent Apple itself from gathering and storing location data from Apple devices.” It should be noted that Google apparently collects location-based data from its Android Phones as well.
Meanwhile, the issue has caught the attention of certain lawmakers in Washington, concerned about how Apple is collecting and utilizing location-based information and with whom specifically it shares the information. On June 24, the Washington Post reported that Reps. Ed Markey (D-Mass.) and Joe Barton (R-Tx.), co-chairs of the House Bi-Partisan Privacy Caucus, had sent a letter to Apple CEO Steve Jobs expressing their unease regarding Apple’s new privacy changes. The lawmakers were specifically concerned about Apple’s opt-out policy for the collection of location-based information, stating that because of “the limited ability of Apple users to opt out of the revised policy and still be able to take advantage of features of their Apple products, we are concerned about the impact the collection of such data could have on the privacy of Apple’s customers.”
Reps. Markey and Barton also asked Jobs to respond to nine questions focused on some of the following topics:
- Which Apple products are being used to collect location-based information
- How many consumers are subject to this collection of data
- How long Apple holds onto this dat
- Who exactly the “partners and licensees” are with whom Apple shares this information
- What steps Apple is taking to ensure the location data is kept “anonymously” and “in a form that does not personally identify” users
- How Apple is complying with Section 222 of the Communications Act, “which mandates that no consumer location information be shared without the explicit prior consent of the consumer”
The congressmen have asked Jobs to reply by July 12th.
- Randy Shaheen and John Eason
