Smartphones, smartphone apps, websites, and other connected devices (e.g.,“wearables”) increasingly request that consumers provide their geo-location information. Geo-location information can refer to general information about a consumer’s location, such as his or her city, state, zip code, or precise information that pinpoints the consumer’s location to within a few feet, such as his or her GPS coordinates.
Organizations request geo-location information for a variety of reasons. For example, many apps – such as transportation or delivery services – require geo-location in order to provide services that are requested by the consumer. Other apps – such as mapping programs, coupon programs, or weather programs – require geo-location information in order to provide consumers with useful information. Because such information has become intertwined, in many cases, with products and services, some organizations require the user to “Accept” or ‘“Agree”’ to the collection of geo-location information as a condition to using a device, application, or website.
Although there is currently no federal statute that expressly regulates the use, collection, or sharing of geo-location data, the FTC has taken the position that precise geo-location information is a form of “sensitive” personal information and has suggested that a failure to reasonably secure such information, or a failure to adequately disclose the collection or sharing of such information, may violate the FTCA’s general prohibition against unfair or deceptive practices.1 In addition, Congress and state legislatures have considered several proposals that would expressly regulate the data.
What to consider if your organization collects geo-location information:
- What is the purpose for which geo-location information is being collected?
- Are you collecting the least granular (most general) location information possible in order to effectively provide a product or a service to the consumer?
- How often do you need to collect geo-location information?
- Is the user aware that geo-location information is being collected?
- Does the user have the ability to disable the collection of geo-location information?
- Does the user have the ability to control how long that information is maintained, how it is used, when it is shared, and whether it is associated with their name?
- Will the geo-location information be shared with third parties such as advertisers? If yes, how much and how often will you share the information?
- Is the geo-location information encrypted in transmission from the consumer and/or at rest within your organization?