HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in Consumer Privacy

GAO Calls for Additional Federal Action in Mobile Privacy Report

On October 11, 2012, the U.S. Government Accountability Office (GAO) issued a report titled “Mobile Device Location Data: Additional Federal Actions Could Help Protect Consumer Privacy.” Requested by Sen. Al Franken (D-MN), the Report recognizes the efforts of Federal agencies to protect consumer privacy when using mobile devices but calls for additional action.

Building on several other recent efforts to examine mobile device privacy and security issues, the Report examines three questions:


(1)  How mobile companies in the mobile wireless ecosystem collect location data, why they share these data, and how this affects consumers;

(2)  The types of actions that private sector entities have taken to protect consumers’ privacy and ensure the security of location data; and

(3)  The actions that Federal agencies have taken to protect consumer privacy and what additional Federal efforts, if any, are needed.


The Report emphasizes that the collection, use, and sharing of location data carry both benefits and risks. Benefits can include providing improved services, facilitating compliance with legal requirements (such as enhanced 911 regulations), and targeted advertising. Risks can include the unexpected sharing of data with third parties, identity theft, threats to personal safety, and surveillance.


The Report also evaluated the policies of fourteen companies from the mobile wireless ecosystem in the following categories: (1) disclosures to users about data collection, use, and sharing; (2) user controls over location data; (3) data retention and safeguards; and (4) accountability.  It found that companies disagree on whether location data is personal information. Apple, for example, classifies location data as “nonpersonal information,” T-Mobile considers location data to be “personally identifiable information,” and four companies indicated that whether location data constitutes personal information depends on factors such as “how precise the data are and whether they are combined with other information about the user.” 


Companies also differ in how much they inform users about how location data will be shared with third parties. The Report notes that some companies ensure that third parties comply with the company’s privacy practices, whereas one company expressly disclaimed liability for any third party’s failure to adequately protect shared data. Moreover, it is not always clear how companies gain users’ consent to sharing their location data. The Report notes that this raises concerns about whether consumers are providing consent without complete knowledge of how their data will be used.


According to the Report, data retention policies also vary widely.  Some companies keep data for only a few days, others retain data for a few years, and at least three companies keep location data indefinitely.


The Report also highlights recent contributions from other Federal agencies, including the Federal Communications Commission (FCC), Federal Trade Commission (FTC), Department of Justice, and the National Telecommunications and Information Association (NTIA), and concludes with two recommendations for executive action:


1.    NTIA should provide specific information regarding its procedures, deliverables, and time frames for its multistakeholder process.  Additionally, NTIA should include a mechanism for enforcing adoption of and compliance with the principles that ultimately emerge from its process.

2.    The FTC should publish comprehensive industry guidance on its views of appropriate actions by mobile companies with regard to privacy.


This Report is the latest in a series of recent efforts to examine mobile device privacy and security issues. In September 2012, the GAO issued a related report on mobile device security titled “Information Security: Better Implementation of Controls for Mobile Devices Should Be Encouraged.”  Also in September 2012, the FTC issued a set of truth-in-advertising and privacy guidelines for mobile device application developers titled “Marketing Your Mobile App: Get It Right from the Start” (which we previously covered here). And in March 2012, the FTC issued its report on “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers” (which we previously covered here). In that report, the FTC called on “entities involved in the mobile ecosystem to work together to establish standards that address data collection, transfer, use, and disposal, particularly for location data.”


*A special thank-you to Paul Otto in the Hogan Lovells Washington, D.C. office for his assistance in preparing this entry.