The collection, use and disclosure of geolocation information obtained from customers' mobile devices has become commonplace among mobile phone providers and third party application developers. Geolocation information identifies the location of the individual using the device and is often used to provide location based information, advertisements and services to consumers. Current federal law allows companies to collect and share this information with third parties without the need to obtain consent from their customers.1 This practice has garnered significant media attention in recent months, and has raised privacy concerns among consumers.
In response to these privacy concerns, two federal bills, the Location Privacy Protection Act ("LPPA")2 and the Geolocational Privacy and Surveillance Act ("GPS Act")3, were recently introduced. If enacted, this legislation would restrict the collection and use by non-governmental entities (and, in the case of the LPPA only, governmental entities including law enforcement agencies) of geolocation information collected by mobile devices without consumer consent. The LPPA was introduced by Senators Al Franken (D-Minn.) and Richard Blumenthal (D-Conn.) on June 16, 2011, while the GPS Act was introduced by Senator Ron Wyden (D-Ore.) and Representative Jason Chaffetz (R-Utah) on June 15, 2011.
Location Privacy Protection Act
Under the LPPA, non-governmental individuals or entities, involved in the business of providing a service to electronic communication devices, would not be allowed to knowingly collect, receive, record, obtain or disclose to other non-governmental individuals or entities, the geolocation information from "electronic communication devices" without the express authorization of the individual using the device.4 The LPPA defines "electronic communication device" broadly to include any device that enables access to an electronic communication or geolocation information system or service that is designed or intended to be carried by the individual or travel with the individual (including a vehicle driven by the individual).5 This definition would cover any mobile device such as mobile phones, smart phones, Wi-Fi equipped laptops, gps navigation units or other mobile devices that provide information regarding the location of the device. The LPPA provides exceptions for collection and use of geolocation information in emergencies or when required by statute, regulation or appropriate judicial process.6
The LPPA also authorizes the United States Attorney General, State Attorney Generals and private individuals to bring a cause of action against entities that violate the LPPA, although simultaneous causes of action are not permitted.13 For example, if the U.S. Attorney General brings an action, this would preclude the State Attorney General and individuals from filing claims for the same violation during the pendency of the federal cause of action. Similar mechanisms, giving the federal government priority for enforcement, have been proposed in other pending privacy legislation, such as the Commercial Privacy Bill of Rights legislation introduced by Senators John Kerry and John McCain, which was discussed in our previous privacy law developments posting.14 An action by the State Attorney General similarly precludes individuals from bringing a cause of action.15 Under the LPPA, courts are authorized to award actual damages of not less than $2,500, punitive damages and reasonable attorneys' fees for violations of the LPPA.16
Geolocation Privacy and Surveillance Act
The GPS Act similarly prohibits the use, disclosure or interception of the geolocation information of another person without the individual's consent.17 However, unlike, the LPPA, the GPS Act applies to both governmental and non-governmental entities, and contains no provisions regarding how consent may be obtained from individuals.18 As its proposed application is broader than the LPPA's, the GPS Act makes several exceptions for: (1) access, use and disclosure of geolocation information by providers of geolocation services in the normal course of business, as long as the provider does not engage in random monitoring other than for mechanical or service quality control checks; (2) interception of geolocation information of a minor by a parent or legal guardian (or by another person authorized by the parent or legal guardian to do so); (3) interception or access of geolocation information by law enforcement or emergency responders where it is used to assist the individual or in emergency situations; (4) electronic surveillance as authorized by the Foreign Surveillance Act (50 U.S.C. 1801 et seq.); (5) access of geolocation information of another person through any system that is configured so that the information is readily accessible to the general public; and (6) interception of geolocation information by governmental entities that have obtained a warrant.19
Violators under the GPS Act may be fined and/or imprisoned for up to five (5) years.20 Furthermore, geolocation information obtained or disclosed in violation of the GPS Act may not be used as evidence in any trial, hearing, or other proceeding in court, legislative committee, administrative agency or any other federal, state or local authority.21 This interesting evidentiary provision is not included in other pending privacy legislation.22 The GPS Act also creates a private cause of action against entities, other than the United States, who have illegally obtained, used or disclosed geolocation information in violation of the Act. Individuals whose geolocation information was unlawfully used may be awarded, in addition to punitive damages, the greater of the sum of the actual damages suffered and any profits made by the violator as a result of the violation, or statutory damages of the greater of $100 a day for each day of violation or $10,000.23
Given the bi-partisan support for the proposed restrictions on the use of geolocation information and the general concerns of the public with respect to consumer privacy, companies would be well advised to start reviewing their policies regarding consumer geolocation information, specifically their collection and use protocols. As is the case with other privacy related policies, companies should start now, if they have not already, developing procedures to provide clear and prominent consent mechanisms to consumers, in order for companies to quickly comply with any new legislation or regulation on this issue. The trend in all of the pending privacy legislation is to require companies to obtain specific consents. Therefore, regardless of the type of personal consumer information being collected or used, companies need to be evaluating how they notify consumers and obtain informed consent.