Companies that obtain location information about their customers and employees, whether through smartphone apps, vehicle transmitters or otherwise, should heed the very recent settlement agreement between the New York Attorney General and Uber. Among other things, the agreement requires that such data be encrypted and password protected, with access on a need-to-know basis. It also requires regular assessments and updates, as needed, of data security and privacy practices.
Many companies today use such data for marketing purposes – e.g. sending someone’s phone a coupon for a retail establishment when they are in the vicinity of the establishment – or employee monitoring purposes – e.g. tracking truck driver speed and proximity to authorized locations.
While many laws already govern such activity, such as the federal Telephone Consumer Protection Act, which requires an opt-in to text message marketing, and various state laws which restrict the use and/or require consent to the gathering of such data in employee disciplinary proceedings, the dictates of the new settlement augment these requirements.
To be clear, the settlement is directly applicable only to Uber and is not to be considered law in the traditional sense. However, as is the case with so many seemingly “informal” pronouncements in this area, companies wishing to avoid entanglement in expensive formal proceedings usually do well to heed them.
Those companies collecting GPS data, whether with respect to customer or employee movements, should seriously consider the steps noted in the first paragraph, both for their direct operations and for any contracts with third-party vendors. They should also adopt data purge policies reflecting actual business necessity. Involvement of counsel in both initial steps and ongoing assessments is usually prudent and may in itself be helpful if and when formal proceedings do occur.