Privacy & Information Security Law Blog

On June 4, 2014, the U.S. Government Accountability Office (“GAO”) testified before the U.S. Senate Judiciary Subcommittee on Privacy, Technology and the Law on GAO’s findings regarding (1) companies’ use and sharing of consumer location data, (2) privacy risks associated with the collection of location data, and (3) actions taken by certain companies and federal agencies to protect the privacy of location data. GAO’s testimony relates to its 2012 and 2013 reports that examined the collection of location data by certain mobile industry companies and in-car navigation providers.

In its Testimony, GAO noted that the companies surveyed for the 2012 and 2013 reports “did not consistently or clearly disclose to consumers what the companies do with [location data and other information] or the third parties with which they might share the data, leaving consumers unable to effectively judge whether such uses of their location data might violate their privacy.” GAO noted that the surveyed companies “primarily collect and share location data to provide location services and to improve those services.” GAO also noted that “[l]ocation data can also be used to enhance the functionality of other services that do not need to know the consumer’s location to operate.” In addition, GAO found that the all the surveyed companies had privacy policies or other practices including onscreen notifications “to notify consumers that they collect location data and other personal information. However, some companies have not consistently or clearly disclosed to consumers what they are doing with these data or which third parties they may share them with.” Accordingly, consumers are not always aware that companies share their location data for purposes other than providing services, and they may be unable to judge the risks associated with the sharing of their data.

GAO also noted that “most” of the privacy policies examined did not provide the companies’ retention period for the location data, which could mean that companies retain the data indefinitely. GAO noted that consumers could be at “higher risk of identity theft or threats to personal safety” as a result of such long retention periods and vast amounts of data collected. Finally, GAO highlighted the Federal Trade Commission’s guidance on mobile privacy disclosures and efforts to pass federal data privacy legislation that would provide a minimum level of protection for consumer data, including location data.

Jessica Rich, the Director of the FTC’s Bureau of Consumer Protection, also testified at the Senate’s hearing, discussing the FTC’s ongoing efforts related to the protection of consumers’ location data. In addition, the Director expressed the FTC’s support for the draft Location Privacy Protection Act of 2014 (the “Location Act”), which was introduced in March 2014 by Senator Al Franken (D-MN), and would require companies to obtain individuals’ permission before collecting location data through smartphones, tablets or in-car navigation devices, and before sharing it with others. The Director recommended, however, that the FTC, as the “federal government’s leading privacy enforcement agency” should be granted rulemaking and enforcement authority with regard to the civil provisions of the Location Act, as such provisions would make enforcement easier than under Section 5 of the FTC Act. The Location Act currently gives the Department of Justice sole enforcement and rulemaking authority, in consultation with the FTC.