. . . then we’d know where in the world she was thanks to geolocation information.

Many apps on mobile devices collect information about their users’ whereabouts and movements. This information can make apps more useful (such as navigation apps that provide directions) or more fun (such as social networking apps that tell users when friends are nearby). Sometimes, though not always, app users might choose to post geolocation information about themselves, such a Facebook status update that tags the location of a night out with friends, a child’s graduation, or a family vacation. This geolocation data, however, can reveal private information about individual consumers and, worries the Federal Trade Commission (FTC), could be misused without a user’s knowledge or consent.

On June 4, 2014, the Senate Judiciary Committee’s Subcommittee for Privacy, Technology and the Law held a hearing to discuss the recently-proposed Location Privacy Protection Act, S. 2171, sponsored by Senators Al Franken (D. Minn.), Chris Coons (D.-Del.), Elizabeth Warren (D.-MA), Richard Blumenthal (D.-CT), Richard Durbin (D-IL), and Dianne Feinstein (D.-CA). This legislation would generally prohibit mobile apps from collecting, storing, or sharing users’ geolocation information without a user’s informed consent. The witnesses included Jessica Rich, the Director of the FTC’s Bureau of Consumer Protection, who testified about the FTC’s ongoing efforts to protect consumers’ privacy in this area.  

In her testimony, Director Rich praised the Location Privacy Protection Act as “an important step forward” in the protection of consumers’ private data. She laid out the three main benefits of the proposed Act: 1) providing a definition of “geolocation information” that is consistent with other online privacy rules; 2) requiring entities to disclose the fact that they collect geolocation information from consumers in advance; and 3) requiring certain companies to gain affirmative consent from consumers before collecting geolocation data or disclosing geolocation data to third parties.

She emphasized the highly personal nature of geolocation information, noting that it could reveal many aspects of a person’s private life, such as whether they visited an AIDS clinic, a psychiatrist’s office, or a place of worship. Director Rich testified that in the “wrong hands” this information could be ripe for abuse. For example, some businesses might collect consumers’ information and sell it to third party advertisers. In other cases, even if a business has its customers’ consent to collect and store geolocational data, if the business’ files are vulnerable to data-breaches, the consumers’ private data might be at risk.

Director Rich also discussed a few of the FTC’s recent enforcement actions focusing on the misuse of geolocation data, such as the agency’s recent settlement with Snapchat. In addition to several other privacy issues (we discussed the matter here), the FTC alleged that Snapchat transmitted its users’ geolocational data in violation of its stated privacy policy. In the settlement, Snapchat agreed no longer misrepresent its privacy and security policies and to implement a comprehensive privacy program. Finally, Director Rich highlighted the Commission’s outreach efforts, workshops, and reports aimed at educating businesses and consumers about geolocation data. We have written about these efforts here and here.

The proposed Location Privacy Protection Act and Director Rich’s testimony should serve as a reminder that government enforcers and privacy advocates remain focused on protecting consumers’ privacy. Businesses -- in particular mobile app developers -- should review their privacy policies and ensure that they are adequately protecting their customers’ geolocation information.