December 06, 2017 Articles

The Legal Landscape for Geolocation Data: Where Are We Going?

The law may be evolving through the courts to recognizing the invasive nature of geolocation data and extending greater privacy protection to this data.

By Hanley Chew

In today’s society, the proliferation of GPS technology in automobiles, cell phones, and Internet of Things devices has led to the creation of geolocation data for billions of individuals. This constant generation of geolocation data can reveal a great deal about an individual’s activities and associations. Despite these technological advances, the state of the law has not kept pace. There is considerable uncertainty over the level of privacy protection afforded to geolocation data. The current legal landscape is piecemeal at best. However, the law may be evolving through the courts to recognizing the invasive nature of geolocation data and extending greater privacy protection to this data.

Current Legal Landscape
There is not an overarching federal statute that expressly governs geolocation data. However, four federal statutes have typically been applied to the collection, use and disclosure of geolocation data.

The first federal statute is the Electronic Communications Privacy Act (ECPA) which governs the disclosure of electronic communications and any related records, such as subscriber information and transactional information about a subscriber’s account. ECPA governs the disclosure of geolocation data that is collected by communications services, such as phone companies and communication apps. Under ECPA, service providers may disclose this information either “with the lawful consent of the customer or subscriber;” “as may be necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of that service;” or in response to lawful process from governmental entities. See 18 U.S.C. § 2702(c). ECPA, however, does not specify what type of legal process is required for governmental entities to obtain geolocation data. For example, it is universally accepted that subpoenas and court orders pursuant to 18 U.S.C. § 2703(d) are sufficient to obtain subscriber information. But, it is uncertain whether a warrant is required for law enforcement to obtain geolocation data, such as cell site location information.

In the absence of a controlling federal statute, many states have stepped in and enacted legislation regulating the disclosure of geolocation data to governmental entities. This patchwork of laws, however, has led to different states having different requirements for the same type of data. California, Maine, Minnesota, Montana, New Hampshire, Rhode Island, Utah and Vermont all require warrants for all geolocation data. In contrast, Illinois, Indiana and New Jersey require warrants for real-time geolocation data only.

The second federal statute is the Federal Trade Commission (FTC) Act which gives the FTC a broad mandate to prevent “unfair methods of competition” and “unfair or deceptive acts or practices in or affecting commerce[.]” See 15 U.S.C. § 45(a)(1), (a)(2). However, the FTC “shall have no authority . . . to declare unlawful an act or practice on the grounds that such act or practice is unfair unless the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or competition.” 15 U.S.C. § 45(n). Also, the FTC lacks enforcement authority over common carriers when they are providing common carrier services. See 15 U.S.C § 45(a)(2). The FTC may seek to bring enforcement actions for violations of the FTC Act either in a United States district court or in an administrative complaint before an administrative law judge.

The FTC has brought enforcement actions against companies that have failed to disclose publicly the type of geolocation data they were collecting, and how they were going to use that data. See United States v. InMobi Pte Ltd., No. 16-cv-3474; In the Matter of Goldenshores Techs., LLC, No. 132 3087. The FTC has also brought enforcement actions against companies that, despite having made public statements that consumers could opt out of having their geolocation data collected, still collected, used, and shared that information. See id. Companies that collect and use geolocation data should consider examining their public statements, either in their terms of use, privacy policy, website, or press releases, to determine that their statements concerning the type of geolocation data they collect, the manner that this data is collected, the uses of this data, and the options available to their customers concerning this data are accurate.

The third federal statute is the Children’s Online Privacy Protection Act (COPPA), which governs the collection, use, and disclosure of personal information, including geolocation data, from children under the age of 13. Under COPPA, companies that want to collect and use the geolocation data of children need to notify and obtain the written consent of parents or guardians prior to collection, use, or disclosure. COPPA does not require companies to verify the age of its customers. However, if a company does know or discover that one of its customers is under the age of 13, the company will be required to comply with COPPA.

The fourth federal statute is the Communications Act, which governs the collection and use of information by any communications-related companies.  The Communications Act requires telecommunications carriers to protect the confidentiality of the proprietary information of its customers, such as geolocation data. See 47 U.S.C. § 222. It also defines the term “telecommunications carrier” broadly to include “any provider of telecommunications services.” See 47 U.S.C. § 153(51). If the Communication Act is applicable, the Federal Communications Commission requires that customers be provided with notice concerning what personal information, such as geolocation data, is being collected from a customer; how that information is being collected; and how that information is being used/shared. As with complying with the FTC Act, companies should consider reviewing their public statements concerning data collection and usage/sharing to ensure the accuracy of those statements.  

Future Treatment of Geolocation Data
Although Congress has not yet enacted comprehensive legislation regulating geolocation data, the courts have begun to recognize and acknowledge the intrusive nature of geolocation data and the need to extend privacy protection to it. In United States v. Jones, the United States Supreme Court held that the attachment of a GPS tracking device to an individual’s vehicle and the subsequent use of that device to monitor the vehicle’s movements on public streets constitutes a search or seizure within the meaning of the Fourth Amendment. Although the majority based its decision on the theory that the placing the of the device constituted a trespass, Justices Sotomayor and Alito acknowledged that the use of GPS devices was so potentially invasive as to warrant recognition of a reasonable expectation of privacy in an individual’s public movements. Justice Sotomayor noted, “The net result is that GPS monitoring—by making available at a relatively low cost such a substantial quantum of intimate information about any person whom the Government, in its unfettered discretion, chooses to track—may ‘alter the relationship between citizen and government in a way that is inimical to democratic society.’” Justice Alito stated, “[T]he use of longer term GPS monitoring in investigations of most offenses impinges on expectations of privacy.”            

The Supreme Court continued to consider the impact of modern technology, such as cell phones with their GPS tracking functions, on privacy in Riley v. California. In Riley, the Court held that the search incident to arrest exception to the Fourth Amendment’s warrant requirement did not apply to modern cell phones and that the government could not search the cell phone of an individual it had just arrested, absent obtaining a warrant for that phone. In reaching its conclusion, the Court cited the fact that the modern cell phones have an exceedingly large storage capacity and likely contain numerous intimate details of an individual’s life, including historical location information, that directly impinges on the privacy interests of that individual.

The latest case pending before the Supreme Court in its current session concerning the privacy protection afforded to geolocation data is Carpenter v. United States. Currently, three of the four circuits that have addressed the issue of what is required for the government to obtain historical cell site location information (CSLI), including the Sixth Circuit in Carpenter, have found that a warrant is not required. See United States v. Carpenter, 819 F.2d 880 (6th Cir. 2016); United States v. Davis, 785 F.3d 498 (11th Cir. 2014); In re Application of the United States for Historical Cell Site Data, 724 F.3d 600 (5th Cir. 2013). CSLI refers to the information collected as a cell phone identifies its location to nearby cell towers (i.e., antennas that provide cellular service). This information can be used to approximate the location of a cell phone from within several blocks to several miles. The Fifth, Sixth and Eleventh Circuit have found that there is no reasonable expectation of privacy in historical CSLI. Only the Fourth Circuit has held that a warrant is required for the government to obtain historical cell site local information. See United States v. Graham, 796 F.3d 332 (4th Cir. 2015).

In Carpenter, the government prosecuted the defendant for nine armed robberies in violation of the Hobbs Act. At trial, the government used CSLI for the defendant’s cell phone that it had obtained with a court order pursuant to 18 U.S.C. § 2703(d) to establish that defendant was at or near the site of the robberies. The defendant unsuccessfully moved to suppress the CSLI on Fourth Amendment grounds, arguing that the information could only be obtained with a warrant supported by probable cause. The Sixth Circuit affirmed the denial of the defendant’s suppression motion, basing its decision on Smith v. Maryland, 442 U.S. 735 (1979), where the Supreme Court held that individuals had no reasonable expectation of privacy in information, such as dialed telephone numbers, that they voluntarily conveyed to a third party, which then collected the information in the ordinary course of business.

Given that Smith was decided in 1979, long before the technological advances in the succeeding decades, the Supreme Court could not have foreseen the tremendous amount of data that individuals generate and convey to third parties on a daily basis today. In light of these changing realities, it will be extremely interesting to see how the current Supreme Court addresses the question of what privacy protection should be afforded to geolocation data. If Justice Sotomayor, who noted that “the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties” is “ill-suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks” in the Jones case is any indication, the Supreme Court may be ready to acknowledge that disclosure of geolocation data may severely impinge on privacy of individuals and place greater limitations on the government that more closely align with current expectations of privacy.

Hanley Chew – December 6, 2017