The Pokémon GO craze has taken the world by storm, with estimated downloads of the digital game topping more than 75 million since the program became available on July 6. Apple has confirmed that it was the most downloaded app ever in its first week of availability.

When first offered, the game required users to grant permission not only to use a player’s smartphone camera and location data, but also to gain full access to the user’s Google accounts — including email, calendars, photos, stored documents and any other data associated with the login. Responding to a public outcry (including a letter from Minnesota Senator Al Franken), the game’s creator, Niantic, stated that the permission requests were “erroneous” and that Pokémon GO did not use anything from players’ accounts other than basic Google profile information. The company has since issued a fix to reduce access only to users’ basic Google account profile information. However, that has not prevented a call for Federal Trade Commission (FTC) oversight of Niantic’s data collection practices or a lawsuit against the company over its terms of service and privacy policy.

In a letter dated July 22, 2016, the Electronic Privacy Information Center (EPIC) wrote to the FTC requesting government oversight of Niantic’s data collection practices. EPIC is a non-profit public interest research center focusing public attention on privacy and civil liberties issues.

EPIC highlighted the following issues with Niantic’s privacy policy:

  1. Niantic does not explain the scope of information gathered from Google profiles or why this is necessary to the function of the Pokémon GO app.
  2. Niantic collects users’ precise location information through “cell/mobile tower triangulation, wifi triangulation, and/or GPS.” The Company’s Privacy Policy states Niantic will “store” location information and “some of that location information, along with your … user name, may be shared through the App.” The Privacy Policy does not indicate any limitations on how long Niantic will retain location data or explain how indefinite retention of location data is necessary to the functionality of the Pokémon GO app.
  3. With Pokémon GO, Niantic has access to users’ mobile device camera. The Terms of Service for Pokémon GO grant Niantic a “nonexclusive, perpetual, irrevocable, transferable, sublicensable, worldwide, royalty-free license” to “User Content.” The Terms do not define “User Content” or specify whether this includes photos taken through the in-app camera function.
  4. The Privacy Policy grants Niantic wide latitude to disclose user data to “third-party service providers,” “third parties,” and “to government or law enforcement officials or private parties as [Niantic], in [its] sole discretion, believe necessary or appropriate.” Niantic also deems user data, including personally identifiable information, to be a “business asset” that it can transfer to a third party in the event the company is sold. This issue has been identified as a particular concern to another non-profit organization – Common Sense Media, an independent organization focusing on children and technology. According to Common Sense Media, location information and history of children should not be considered a “business asset.”

EPIC requested that the FTC exercise its authority to regulate unfair competition under the Federal Trade Commission Act (15 U.S.C. § 45) to prohibit practices by Niantic and other similar app companies that fail to conform with the FTC’s Fair Information Practices and the principles in the White House 2012 report, “Consumer Data Privacy In A Networked World.”

According to EPIC, Niantic’s unlimited collection and indefinite retention of detailed location data violate 15 U.S.C. § 45(n) because they are “likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”

EPIC also contends the unlimited collection and indefinite retention of detailed location data violate the data minimization requirements under the Children’s Online Privacy Protection Act (COPPA), which requires providers to “retain personal information collected online from a child for only as long as is reasonably necessary to fulfill the purpose for which the information was collected.” 16 C.F.R. § 312.10.

A Pokémon GO user has filed suit in Florida state court alleging that Niantic’s terms of service and privacy policy are deceptive and unfair and violate the Florida Deceptive and Unfair Trade Practices Act. Beckman v. Niantic Inc., No. 50-2016-CA-008330, Fifteenth Judicial Circuit for Palm Beach County, Florida.

The issue of consumer privacy continues to garner significant attention, and companies and app developers that collect and retain personal information should ensure they are in compliance with the relevant statutes.

In addition, employers whose employees play the game while at work may consider banning or otherwise regulating such activities. Employers also should consider potential compromises to proprietary and confidential information that could occur from data breaches or through counterfeit games designed to allow hackers access to company-protected information.