The Location Privacy Protection Act of 2014 was introduced by Senator Al Franken (D-MN) on March 27, 2014 and co-sponsored by Senators Chris Coons (D-DE) and Elizabeth Warren (D-MA). It had been created to address what’s known as “stalking apps,” those apps that are designed to maliciously track individuals without their knowledge. The legislation essentially requires all companies to obtain user permission prior to collecting and sharing location data from smartphones, tablets and in-car navigation devices.
More on the LPPA of 2014
In order to get consent, entities subject to the law (if it’s passed) will have to provide “clear, prominent, and accurate notice” that conveys to the user that his/her geolocation will be collected. The notice must also identify the categories of entities to which the geolocation information may be disclosed, as well as provide a link or some other easy method for users to access publicly available information regarding the geolocation data to be collected.
The bill includes several exceptions to the consent requirement, allowing for the collection or use of geolocation data without the requisite notice and consent for purposes such as allowing parents to locate children and enabling the provision of emergency services.
Under the proposed legislation, companies collecting geolocation data from over 1,000 devices per year will be required to maintain a public website that describes the nature of the geolocation information that is being collected, the purposes for which the data is used and disclosed, the specific entities to which the information is being disclosed, and how a user would be able to revoke consent to such collection and disclosure of their information. The Location Privacy Protection Act, if passed, would authorize the Attorney General, in consultation with the Federal Trade Commission, to issue implementing regulations and contemplates both civil actions brought by the Attorney General and private rights of action.
Additionally, the bill bans the development and distribution of GPS “stalking apps” and criminalizes the knowing and willful disclosure of geolocation data in aid of interstate domestic violence or stalking.
Why is this important?
Geolocation information can be highly sensitive. Currently, under the Electronic Communications Privacy Act (ECPA), the companies that obtain this data from users are free to give or sell it to third parties. This oversight can be misused by many companies and abused by stalkers.
Consider the following:
- At least 25,000 adults are victims of GPS stalking annually. So-called “stalking apps” are readily available online and are openly marketed as such to stalkers.
- Half of the top apps (including apps directed to children and dating apps, such as Tinder), top mobile OS, and top device makers have all been found to collect or share user geolocation data without users’ consent.
- Top car companies have disclosed their users’ movement to third parties without consent, or announced plans to collect the data without consent.
- Separate GAO investigations have found that app companies and in-car navigation companies gave users insufficient information about how their location information would be used or shared.
In response, the ad industry has argued that mandates such as those outlined in Senator Franken’s bill would stifle small businesses and the advertising environment in general. The Digital Advertising Alliance (DAA) points out that location-based ads enable small businesses to more accurately target their audience without having to resort to large marketing campaigns.
According to the DAA’s Executive Director Lou Mastria:
“The DAA is concerned that laws and regulations are inflexible and can quickly become outdated in the face of extraordinarily rapidly-evolving technologies. When this occurs, legislation thwarts innovation and hinders economic growth. Companies are increasingly offering consumers new privacy features and tools such as sophisticated preference managers, persistent opt outs, universal choice mechanisms and shortened data retention policies.”
However, Franken, along with others, have openly questioned whether industry self-regulation would be sufficient to protect sensitive geolocation data.
In support of the bill, AdAge has commented that “because the bill aims to stop technologies that have assisted violent criminals, this particular legislation could have a better chance of passing than some of the more sprawling privacy bills,” which have been introduced in recent years.
Location-based services have been known to collect and share users’ geolocation data, often without their consent. In March 2014, Senator Al Franken (D-MN) introduced the Location Privacy Protection Act of 2014. This article takes a closer look at the bill and why it’s necessary in this environment.
CIPP Exam Preparation
In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:
- Location-based services – GPS (VI.C.a.)