Hogan Lovells and its team of 60-plus lawyers from the Privacy and Information Management Group are proud to be contributors to the International Association of Privacy Professionals’ Tracker Blog. In our monthly contributions, we will be focusing on U.S. and international legislative and policy developments impacting privacy and data security. For our initial contribution, we take a look at recent U.S. legislative developments regarding geolocation information.
Over the course of the last year, the Federal Trade Commission (FTC) has taken the position that certain geolocation data is sensitive data deserving of a greater level of privacy protection. And we recently learned that geolocation histories are surprisingly unique. In a study released in March, researchers analyzed the coarse location histories recorded to the nearest hour of 1.5 million mobile phone users. The researchers found that knowing which 23-block area a device was in during four distinct 60-minute periods was enough to uniquely identify 95 percent of location histories in the dataset. As the unique and potentially sensitive nature of certain geolocation information becomes more apparent, U.S. lawmakers on both sides of the aisle are increasingly pushing legislation intended to address the privacy issues attendant to the collection, use, and disclosure of geolocation information. We have already seen two bills from the 112th Congress reintroduced this session, and a third bill, sponsored by Sen. Al Franken (D-MN), is expected to be reintroduced in the near term.
In March, a bipartisan group of lawmakers reintroduced companion legislation in the House and Senate that would require businesses to obtain consent from individuals before collecting and sharing their geolocation information. The Geolocation Privacy and Surveillance (GPS) Act would criminalize the surreptitious tracking of individuals and require the government to obtain a warrant prior to collecting geolocation information. The bill’s warrant requirement has been well-received by privacy advocates. As written, however, the bill defines “geolocation information” as information derived from a device that is not the content of a communication and “could be used to determine or infer information regarding the location of the person.” This definition is arguably broad enough to include IP addresses. Though consent plays a central role in the bill, the GPS Act does not specify what kind of consent is required. With a private right of action and minimum statutory damages clause of $10,000 per violation, the GPS Act would almost certainly encourage a spate of class action suits testing the scope of geolocation information and the adequacy of consent.
Also in March, a separate bipartisan group of House lawmakers reintroduced the Online Communications and Geolocation Protection Act. This bill contains a similarly broad definition of “geolocation information.” Unlike the GPS Act, the bill does not address commercial collection, use, and sharing of geolocation information. It instead focuses on ensuring that geolocation information and electronic communications receive Fourth-Amendment-style protections against government access.
A third geolocation bill is likely to be introduced in coming months. Senator Al Franken (D-MN) recently made headlines when he sent a letter to Euclid Analytics in March requesting that the company provide information about how it collects, uses, and protects personal information, specifically geolocation information, collected from consumers’ mobile devices. Euclid is a company that works with retailers to track the movements of consumers as they walk by and through retail stores. Senator Franken felt that the company’s response indicated that Euclid has a “sincere desire to protect consumer privacy.” But he believes that opt-out policies, like Euclid’s, are not sufficient and “underscore the need for Congressional action to protect consumer location privacy.”
Sen. Franken is expected to reintroduce the Location Privacy Protection Act of 2012 during the 113th Congress. This bill, which was previously introduced in 2011 and was approved by the Senate Judiciary Committee in December 2012, would prohibit businesses from collecting, receiving, recording, obtaining, or disclosing geolocation information from an “electronic communications device” (e.g., smartphone) without the express consent (i.e., opt-in consent) of the individual using the device.
Although geolocation legislation is likely not at the top of the Congressional agenda, more and more lawmakers are showing a keen interest in providing protections for geolocation data. Because geolocation information can be collected and used in so many different contexts and so many types of data (from GPS-based location, to Wi-Fi signal strength, to IP addresses) convey location information, a broad range of companies and organizations would be affected by geolocation legislation.
For these reasons, entities collecting geolocation information should be especially thoughtful about that practice. Most geolocation data, if collected as a result of “pinging” a smart phone or other such device, is not immediately identifiable as belonging to a particular individual. One way to minimize privacy-related risk is to keep it that way. If there is a need to link location information to particular individuals, that information should be secured using safeguards appropriate for other kinds of sensitive information, like health and financial information. When possible, affirmative opt-in consent should be sought before collecting or sharing geolocation information. There will, of course, be circumstances where an opt-in is not a viable option. For example, an owner of a fleet of vehicles transporting hazardous materials should be allowed to track vehicle positions for safety purposes without having to obtain opt-in consents from the drivers. In those cases, though, robust notice mechanisms should be used to inform drivers of the practice, and there should be thoughtful limits placed on subsequent use of the data.