January 17, 2020 Feature

No Place to Hide: Privacy Implications of Geolocation Tracking and Geofencing

By Ashley Thomas

In 2017, Strava, a fitness tracking mobile app, released a heat map showing the physical movements of its users from around the world as a result of the app accessing the user’s mobile phone GPS to track when and where a user was exercising.1 The app enables users to check their fitness performances and compare them with others. As a result of the release of this heat map, it was revealed that this information made it very easy to ascertain the locations of military bases and routines of military personnel. While U.S. military bases around the world are relatively well known, the routines and patterns of military personnel generally are not known, nor does the U.S. military, for obvious reasons, want that information to be made public. By analyzing this heat map, one could easily discover commonly used exercise routes or patrolled roads from military bases in combat zones in Afghanistan, Iraq, and Syria. Not long after this story made news headlines, the Department of Defense released a new policy prohibiting the use of GPS functions in deployed locations.2

Remember the global phenomenon of Pokémon Go? In 2016, it seemed that everyone was preoccupied with the location-based augmented reality app that became the first mobile app to gross over $100 million in the first twenty days after release.3 Pokémon Go relies on users’ locations and camera access to operate the game. It remains a top grossing mobile app.

The proliferation of mobile devices and apps, along with rapid developments in tracking technologies, has made a wide range of uses and efficiencies possible for tailoring content and services to users in a particular location. Geolocation technology uses data acquired from an individual’s mobile device to identify or describe the user’s physical location. Companies desire geolocation data because it reveals a wealth of information about their customers, such as where they live and work, how often they travel, and restaurants they frequent. Geolocation information has the potential to increase financial value for companies, and many companies wish to share this information with third parties, including advertisers and data brokers. For consumers, companies that offer products and services that use geolocation information claim that such information makes consumers’ lives easier and more efficient.

However, geolocation information can also reveal sensitive information about an individual’s work tendencies, travel habits, and physical location at any time, raising certain privacy concerns. Companies could be aggregating this information into a comprehensive profile of an individual and using this information to the companies’ advantage and possibly to the individual’s detriment. Jessica Rich, Director of the Bureau of Consumer Protection at the Federal Trade Commission (FTC), testified before the U.S. Senate Judiciary Committee in 2014 regarding location data privacy issues and stated in prepared testimony that such information could reveal answers to the following questions: “Did you visit an AIDS clinic last Tuesday? What place of worship do you attend? Were you at a psychiatrist’s office last week? Did you meet with a prospective business customer?”4

In a report discussing geolocation data, the Government Accountability Office (GAO) expressed concern that while there may be consumer benefits to tracking location information through services that provide weather forecasts and retail discounts, there are also privacy concerns that consumers should be aware of such as data being disclosed to unknown third parties for unspecified uses, consumer tracking, identity theft, threats to personal safety, and surveillance.5 In its report, the GAO noted that companies did not consistently or clearly disclose to consumers what they were doing with consumers’ location data, leaving consumers unable to effectively judge and assess the privacy risks associated with sharing their location data.

Geofencing

As a byproduct of geolocation tracking, the concept of “geofencing” has emerged, which allows companies to market and advertise to customers within a specific geographic radius. Geofencing uses GPS or radio frequency identification to establish a geographic boundary (or “virtual fence”) around a certain physical location. Once a virtual fence has been created, companies or advertisers will attempt to interact and send information to devices within that geographic area.

During the 2018 midterm elections, it was reported that Tony Evers, candidate for Wisconsin governor (who ended up winning the election), used geofencing during his campaign to push ads to potential voters in a crowded primary field.6 At a Wisconsin state Democratic Party meeting, Evers’ team created a digital fence around everyone attending the state dinner and pushed ads to individuals’ mobile devices. The technology used for geofencing also pulled the unique identification numbers of the devices, which a data broker used to follow the devices home. Through this cross-device tracking technology, the campaign was able to find associated laptops and desktops to send more campaign ads.

Geofencing has been deployed in the healthcare setting, raising obvious privacy and ethical concerns. It was reported by National Public Radio that personal injury law firms have been pushing mobile ads to patients in healthcare facilities, reasoning that some people who seek out healthcare services may require the future services of a personal injury attorney.7 While this could be viewed as an inventive way of obtaining new clients, it would also be considered an invasion of personal privacy. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), which is the primary federal healthcare privacy law, would not necessarily apply in this context. HIPAA has national standards to protect individuals’ medical information and applies to covered entities (i.e., healthcare providers, healthcare clearinghouses, and health plans) that conduct healthcare transactions electronically. Lawyers are not considered covered entities and, as a result, HIPAA would not necessarily protect patient privacy in this situation. However, companies using geofencing technology should be mindful of federal and state consumer protection laws.

The Massachusetts attorney general settled with a digital advertising company, Copley Advertising LLC, over Copley’s use of geolocation technology that “geofenced” reproductive healthcare facilities and sent targeted advertisements to the mobile devices of women who entered these facilities.8 Copley tagged the consumer’s device and sent advertisements to the consumer’s device for up to 30 days. The targeted ads contained texts stating, “Pregnancy Help,” “You Have Choices,” and “You’re Not Alone,” and linked to websites that offered information on alternatives to abortion. Copley set up geofences near reproductive healthcare centers and methadone clinics in Ohio, New York, Pennsylvania, Virginia, and Missouri, and had not yet engaged in a geofencing campaign in Massachusetts, although it had the ability to do so. As a proactive measure, the attorney general obtained an assurance of discontinuance that Copley’s practices would violate Massachusetts consumer protection laws and then reached a settlement that assures that Copley will not use geofencing technology at or near Massachusetts healthcare facilities that could reveal or infer a health status or medical condition.

Federal Privacy Enforcement

Currently, there is no federal law directly regulating geolocation tracking; however, Congress has contemplated federal privacy legislation concerning location information. Congress proposed the Geolocation Privacy and Surveillance (GPS) Act, which would seek to create a legal framework that provides government agencies, commercial entities, and private citizens guidelines for when and how geolocation information can be accessed and used.9 The GPS Act would prohibit businesses from sharing location data about their customers with third parties without first obtaining a customer’s permission. The GPS Act was originally introduced in Congress in 2011 and has been reintroduced in subsequent congressional sessions, including the 115th Congress, but has not yet been adopted.10

The FTC has been the chief federal agency on privacy policy and enforcement. The FTC has monitored developments in geolocation tracking, and in 2013 released a report emphasizing that consumers need to receive disclosures about what data the companies collect and how those companies are using that data.11 The report highlighted the importance of providing just-in-time disclosures to consumers and obtaining affirmative express consent before collecting and retaining sensitive information such as a user’s location data.

The FTC has settled with a number of companies and issued warning letters about geolocation tracking collection practices.

  • In 2013, the FTC settled with a mobile app developer, Goldenshores Technologies LLC, following allegations that its Brightest Flashlight Free app deceived consumers regarding how the app collected information, including geolocation information, and how the company was sharing that information with advertising networks and other third parties.12 According to the FTC, the app started collecting and sending information to third parties before a user even had a chance to accept the terms and conditions under Goldenshores’ end user license agreement.
  • In 2016, InMobi, a Singapore-based mobile advertising company, settled with the FTC over allegations that InMobi deceptively tracked consumers’ location, including children’s, without their knowledge and consent.13 The FTC alleged that InMobi tracked location regardless of the consumer’s location settings. As part of the settlement, InMobi paid $950,000 in civil penalties.
  • In 2018, the FTC sent warning letters to Gator Group Co. Ltd. and Tinitell Inc. over their practices of tracking children’s geolocation.14

State and City Action on Geolocation Tracking

Some states have attempted to specifically legislate on geolocation tracking, but few have been successful in enacting such legislation. In July 2019, the Hawaii governor vetoed a bill that would have amended Hawaii’s unfair and deceptive practices statute to prohibit the sale of location data without the explicit consent of the primary user of a smart device. The governor stated that the bill lacked clarity as currently drafted and its passage would lead to ambiguity, confusion, and unintended consequences if it became law.15

Oregon contemplated privacy legislation under House Bill 2866 that would have prohibited the collection and sale of geolocation information or audiovisual data about Oregon residents without first obtaining express consent and making certain disclosures. A violation would have been classified as an unlawful business practice under Oregon law, which included a private right of action.

In July 2019, the New York City Council introduced an amendment to the New York City administrative code that would prohibit telecommunications carriers and mobile applications from sharing an individual’s location information with third parties if the location information is gathered from a device within New York City.16 Penalties for violating the law would be set at $1,000 per violation, and the amendment would create a private right of action against companies that violate it.

The much-anticipated California Consumer Privacy Act (CCPA), effective January 1, 2020, includes geolocation information under the definition of personal information.17 The CCPA, similar to the European Union’s General Data Protection Regulation (GDPR), grants California residents a broad range of rights with respect to their personal information. Under the CCPA, California residents have the right to know the location information that companies are collecting about them and how it is used. In addition, California residents can opt out of their location information being sold to third parties and also request that location information be deleted.

Conclusion

At the beginning of 2019, there was widespread sentiment that a comprehensive federal privacy law would pass sometime during this current session of Congress. However, such efforts have gained little traction in moving forward. In an effort to compensate for the federal government’s lack of action, some states have stepped forward attempting to legislate on privacy. It is important for companies and organizations to monitor state privacy law developments as states contemplate placing restrictions on how geolocation information may be used and disclosed. Even if the current Congress does not pass privacy legislation prior to the 2020 general election, companies should be mindful that the FTC is actively monitoring data collection practices and will initiate action against deceptive misuse of geolocation information.

Endnotes

1. Fitness App Strava Lights Up Staff at Military Bases, BBC News (Jan. 29, 2018), https://www.bbc.com/news/technology-42853072.

2. Jim Garamone, New Policy Prohibits GPS Tracking in Deployed Settings, U.S. Dep’t Def. (Aug. 6, 2018), https://www.defense.gov/Newsroom/News/Article/Article/1594486/new-dod-policy-prohibits-gps-enabled-devices-in-deployed-settings.

3. Emily Clark, How Location Tracking Affects Mobile Apps: Pokémon Go, a Case Study, Manifest (Dec. 3, 2018), https://themanifest.com/app-development/how-location-tracking-affects-mobile-apps-pokemon-go-game.

4. The Location Privacy Protection Act of 2014: Hearing on S. 2171 before the Subcomm. for Privacy, Tech. & the Law of the S. Comm. on the Judiciary, 113th Cong. (2014) (statement of Jessica Rich, Director, Bureau of Consumer Protection), https://www.ftc.gov/system/files/documents/public_statements/313671/140604locationprivacyact.pdf; see also Andrew J. Blumberg & Peter Eckersley, On Locational Privacy, and How to Avoid Losing It Forever, Electronic Frontier Found. (Aug. 3, 2009), https://www.eff.org/wp/locational-privacy.

5. U.S. Gov’t Accountability Office, GAO-12-903, Mobile Device Location Data: Additional Federal Actions Could Help Protect Consumer Privacy (2012), http://www.gao.gov/assets/650/648044.pdf.

6. Evan Halper, Your Phone and TV Are Tracking You, and Political Campaigns Are Listening In, L.A. Times (Feb. 20, 2019), https://www.latimes.com/politics/la-na-pol-campaign-tech-privacy-20190220-story.html.

7. Digital Ambulance Chasers? Law Firms Send Ads to Patients’ Phones Inside ERs, Nat’l Pub. Radio (May 25, 2018), https://www.npr.org/sections/health-shots/2018/05/25/613127311/digital-ambulance-chasers-law-firms-send-ads-to-patients-phones-inside-ers.

8. Press Release, Mass. Attorney Gen., AG Reaches Settlement with Advertising Company Prohibiting “Geofencing” around Massachusetts Healthcare Facilities (Apr. 4, 2017), https://www.mass.gov/news/ag-reaches-settlement-with-advertising-company-prohibiting-geofencing-around-massachusetts.

9. Geolocation Privacy and Surveillance Act, H.R. 1062, 115th Cong. (2018), https://www.gps.gov/policy/legislation/gps-act.

10. As of the submission of this article, the GPS Act or any similar federal geolocation privacy law has not been enacted.

11. U.S. Fed. Trade Comm’n, Mobile Privacy Disclosures: Building Trust through Transparency (2013), http://www.ftc.gov/sites/default/files/documents/reports/mobile-privacy-disclosures-building-trust-through-transparency-federal-trade-commission-staff-report/130201mobileprivacyreport.pdf.

12. Press Release, U.S. Fed. Trade Comm’n, Android Flashlight App Developer Settles FTC Charges It Deceived Consumers (Dec. 5, 2013), https://www.ftc.gov/news-events/press-releases/2013/12/android-flashlight-app-developer-settles-ftc-charges-it-deceived.

13. Press Release, U.S. Fed. Trade Comm’n, Mobile Advertising Network InMobi Settles FTC Charges It Tracked Hundreds of Millions of Consumers’ Locations without Permission (June 22, 2016), https://www.ftc.gov/news-events/press-releases/2016/06/mobile-advertising-network-inmobi-settles-ftc-charges-it-tracked.

14. Press Release, U.S. Fed. Trade Comm’n, Where in the World? Warning Letters Address Geolocation and COPPA Coverage (Apr. 27, 2018), https://www.ftc.gov/news-events/blogs/business-blog/2018/04/where-world-warning-letters-address-geolocation-coppa.

15. Haw. Governor Message No. 1376 (July 9, 2019), https://www.capitol.hawaii.gov/session2019/bills/GM1376_.PDF.

16. N.Y.C. Council, Int. 1632-2019 (July 23, 2019), https://legistar.council.nyc.gov/LegislationDetail.aspx?ID=4069480&GUID=6FA8018C-84A4-4E71-93CE-D467AD53E9EA&Options=ID%7cText.

17. Cal. Civ. Code §§ 1798.100–.199 (effective Jan. 1, 2020).


Ashley Thomas, CIPP/US, CIPP/E, is an associate attorney in the Washington, D.C., office of Morris, Manning & Martin. Her primary areas of concentration include cyber and data risk management, breach preparedness and response, and global data privacy compliance. She currently serves as the Young Lawyers Division Liaison to the ABA Science and Technology Section.