As everyone is aware, the Pokémon GO craze has taken the world by storm in the past month. Reports estimate there have been over 75 million downloads of the digital game since the program became available on July 6. Apple has not issued any concrete numbers, but has confirmed that it was the most downloaded app ever in its first week of availability.
When the game was first offered, users were required to grant permission not only to use a player’s smartphone camera and location data but also to gain full access to the user’s Google accounts — including email, calendars, photos, stored documents and any other data associated with the login. The game’s creator, Niantic, responded to a public outcry – including a letter from Minnesota Senator Al Franken – stating that the expansive permission requests were “erroneous” and that Pokémon GO did not use anything from players’ accounts other than basic Google profile information. The company has since issued a fix to reduce access only to users’ basic Google account profile information.
As is often the case, remarkable success naturally attracts critics who take aim. In a letter dated July 22, 2016, the Electronic Privacy Information Center (EPIC) wrote to the Federal Trade Commission (FTC) requesting government oversight on Niantic’s data collection practices. EPIC is a non-profit public interest research center in Washington, D.C., focusing public attention on privacy and civil liberties issues.
- Niantic does not explain the scope of information gathered from Google profiles or why this is necessary to the function of the Pokémon GO app.
- With Pokémon GO, Niantic has access to users’ mobile device camera. The Terms of Service for Pokémon GO grant Niantic a “nonexclusive, perpetual, irrevocable, transferable, sublicensable, worldwide, royalty-free license” to “User Content.” The Terms do not define “User Content” or specify whether this includes photos taken through the in-app camera function.
EPIC’s Request to the FTC
Based on the issues highlighted above, EPIC requested that the FTC use its authority to regulate unfair competition under the Federal Trade Commission Act (15 U.S.C. § 45) to prohibit practices by Niantic and other similar apps that fail to conform with FTC’s Fair Information Practices and the principles set forth in The White House 2012 report, “Consumer Data Privacy In A Networked World.”
According to EPIC, Niantic’s unlimited collection and indefinite retention of detailed location data, violates 15 U.S.C. § 45(n) because it is “likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”
EPIC also contends that the unlimited collection and indefinite retention of detailed location data violate the data minimization requirements under the Children’s Online Privacy Protection Act (COPPA), which requires providers to “retain personal information collected online from a child for only as long as is reasonably necessary to fulfill the purpose for which the information was collected.” 16 C.F.R. § 312.10.
Private Lawsuit Filed Against Niantic
The issue of consumer privacy continues to garner significant attention. Whether you are an app developer or any other company that collects and retains personal information, it is time to review your applicable policies and take appropriate steps to ensure that your company is not the subject of government agency inquiry, litigation, or a data breach.
For employers whose employees may be bumping into each other in the hallway while playing the game, consideration should be given to ban or otherwise regulate employee involvement. Certainly a drop in productively is a concern. However, even if accessing the game during work time is barred, employers should be concerned about the potential compromise to proprietary and confidential information that could occur as the result of data breaches or through counterfeit games that are designed to allow hackers access to your protected information.