On November 15, 2013, the U.S. Government Accountability Office (“GAO”) released a report it had previously delivered to the U.S. Senate Committee on Commerce, Science and Transportation (“Committee”) that focuses on identifying gaps in U.S. privacy laws and approaches for improving information privacy, particularly related to the use of mobile applications. The GAO report responds to a request by the Committee to examine privacy issues that are emerging with the wave of new technologies. The GAO report follows recent Congressional efforts to enact new privacy laws, such as the Do-Not-Track Online Act introduced by Committee Chairman Rockefeller and the Geolocational Privacy and Surveillance Act introduced by Senator Wyden, signaling concern among legislators about the growth in the collection and reselling of consumer information.
The report examines privacy issues related to consumer information “used for marketing and for individual reference services,” and explicitly excludes information used for other purposes, such as fraud prevention or underwriting credit. Emphasizing the need to regulate the use of consumer information by information aggregators and resellers using new technologies, such as social media platforms and mobile phone applications, the GAO recommends that Congress consider strengthening "the consumer privacy framework to reflect the effects of changes in technology and the increased market for consumer information.”
FOCUS ON ONLINE TRACKING, MOBILE DEVICES AND MOBILE PAYMENTS
The report provides extensive coverage of the use of “new technologies,” particularly social media, Web tracking tools, mobile applications and location tracking. The GAO’s concern about new technologies stems from the increasingly expansive use of consumers’ online data for tracking and marketing purposes, as well as the growth in consumer use of mobile devices and applications.
The GAO found that existing laws and enforcement actions are limited in their ability to adequately regulate the large amount of consumer data generated from online activity and use of mobile phone applications. The GAO partially attributes this limitation to a lack of privacy laws that focus primarily on issues raised by new technologies, as discussed below. Moreover, the GAO specifically discusses mobile payments as an area in which privacy issues have arisen. According to the report, while mobile payments offer convenience, they raise privacy concerns because of the number of companies involved in "the mobile payment marketplace and the large amount of detailed personal and purchase information collected and consolidated in the process."
CONCERNS ABOUT EXISTING LAWS GOVERNING PRIVACY
To determine the adequacy of existing privacy laws, the GAO relied on the Fair Information Practice Principles (“FIPPs”) framework to guide its study. In assessing the existing federal laws governing privacy, the GAO notes that there is no “comprehensive federal privacy law” governing the “collection, use, and sale of personal information by private-sector companies.” According to the report, existing laws present several limitations. Specifically, the GAO notes that existing laws are: (1) narrowly tailored toward a particular entity, sector or purpose; (2) not designed specifically to address products sold and information maintained by information resellers; and (3) limited in scope with respect to addressing the use of consumer information for marketing purposes.
In addition to the compliance requirements associated with each of the current sector-specific federal laws, the GAO recommends that Congress consider imposing other requirements regarding the general collection and use of consumer information. This suggests that existing providers of products and services, particularly those employing social media platforms and mobile devices, may draw increased regulatory interest.
MOVING FORWARD ON A UNIFORM PRIVACY REGIME
Moving forward, while the GAO recommends strengthening the privacy framework in a manner that “reflects the changes in technology” and the increasing demand for consumer information, the GAO also recognizes the importance of providing appropriate privacy protection without unduly inhibiting commerce or innovation given the need to balance consumer and business interests.