a tracking device in my car …. she is now my ex-true love….

A year ago, privacy and data security issues in the media were all about credit cards and identity theft.  Concerns about privacy related to location data were, at least among the general public and Congress, somewhere in a galaxy far far away.  Users of mobile devices had relatively few complaints about the scraping , aggregation and sale of location data, if they were even aware that it was occurring.

What a difference a year makes.

Highlighted by disclosures concerning the use of customer location data by social networking applications, the owners of such applications made changes to privacy policies to more specifically identify their intent to collect and use location data. Facebook, for example, clarified in its policy that it will collect and use the locations of its users.

Facebook’s Privacy Policy now states that “We collect information from or about the computers, phones, or other devices where you install or access our Services,” including geographic “device locations, including specific geographic locations, such as through GPS, Bluetooth, or Wi-Fi signals.’

Late in the year, Uber sustained several self-inflicted injuries to its reputation, highlighted by disclosures of its comprehensive tracking and matching of the travel of its customers and its casual approach to protecting the privacy and security of that data.  It also stumbled when a senior executive threatened to use such data to embarrass reporters who wrote uncomplimentary articles about the company.

At the same time, U.S. Supreme Court cases limiting the right of law enforcement to collect location data in investigations without a warrant illustrated the extensive use of location data collected from mobile devices and the accuracy with which that data can locate an individual at specific date and time.

Several state supreme court cases also considered police use of mobile device location data, and highlighted the fact that once collected, there is virtually no limit on how long it can be retained, shared with other law enforcement agencies, and combined with other personally identifiable information.

For example, the Massachusetts Supreme Judicial Court ruled that an individual has a reasonable expectation of privacy in cell phone location records held by a company. The court held that obtaining two weeks of phone location records was a search, requiring a warrant. The New Jersey Supreme Court held that that “cell-phone location information, which users must provide to receive service, can reveal a great deal of personal information about an individual” and that customers had a constitutional right under the state constitution to the privacy of such data.

In 2015, it is likely that the regulatory agenda of the executive agencies will consider the privacy issues inherent in the collection and use of location data from a variety of different sources.

  1. In-Car Data Collection:  In August 2014, for example, the National Highway Traffic Safety Administration initiated a rulemaking to require passenger cars and light trucks to contain technology that allows vehicles to communicate their locations and speed and other data to other vehicles in the vicinity.  The NHTSA claims that this technology, if widely implemented, would reduce traffic accidents.  Privacy advocates acknowledge that such technologies can potentially reduce accidents, but highlight concerns about what other uses may be made of the location data.   Questions about what data may be collected, by whom, how it would be stored and how it would be communicated to third parties were not initially part of the agency’s rulemaking.  It is clear now that the any rulemaking on vehicle to vehicle technology in 2015 is going to include an assessment of the privacy issues inherent in the technology and regulations about the collection, communication, storage and permissible uses of the vehicle data.
  2. Auto ‘Black box ” Data:  Automobile data privacy also received some attention from Congress in 2014, and it is likely to  be considered again in 2015.  The legislation would regulate the use of “black box” data recorders installed in automobiles that record speed and location data of the vehicles.  Under the 2014 version of the bill, the data could only be obtained with the owner’s written consent, under a court order, or to speed an emergency response.  De-identified data could be obtained for other limited purposes such as traffic safety research.
  3. FCC – Enhanced 9-1-1.  In 2015, also expect to see the Federal Communications Commission complete action on so-called enhanced 9-1-1 regulations, which currently include a provision that wireless providers have the capability to identify the altitude of a user’s handset, in addition to more closely identifying the user’s locations.  Comments in the rulemaking to date indicate that the agency is going to be faced with significant opposition to requiring more detailed location data from wireless handsets unless the privacy issues inherent in adoption of technology also are addressed.
  4. FTC — Look to Snapchat.  The FTC has not announced its agenda with respect to location data privacy,  but its 20-year consent order with Snapchat after finding that the company was collecting location information contrary to its stated policy gives a strong indication.  Further, the FTC’s Jessica Rich testified that in the agency’s view, location data is “sensitive information” that is subject to the same kinds of privacy concerns as other personally identifiable information.  The agency’s approach to location data is inseparable from its other concerns over the burgeoning internet of things, and misuse of location data will be a focus for enforcement actions 2015.

Finally, making predictions about how Congress will address user concerns over collection, aggregation and use of location data is an exercise in futility.  There are many new faces, and the new majority members are going to have to resolve their anti-regulatory leanings with their civil libertarian bent.  What is clear is that it is unlikely that Congress is going to be showing any more leadership on the issue than it has shown in trying to resolve other data privacy issues.  There are plenty other matters for the leadership to give greater priority, so it is fair to expect that the action will continue to be in the courts and executive agencies.