GAO Study Gives Low Marks to Companies Regarding Transparency to Consumers of Use of Location Data
The Government Accountability Office (“GAO”) released a study in September, 2012 analyzing the collection, use and disclosure practices of fourteen companies operating in the mobile field regarding location data collected from consumers. In the absence of laws or regulations regarding the collection of location data specifically, the GAO compared the policies of the fourteen companies to best practices regarding the collection and use of personal information generally, aggregated from federal agencies such as the Federal Trade Commission (“FTC”) and Federal Communications Commission (“FCC”) and from self-regulatory bodies such as the CTIA – The Wireless Association. The study found that the companies’ practices included several departures from established best practices. The agency also determined that inconsistencies in what the policies say companies will do with location data and what the companies actually do with that data are exposing consumers to serious privacy risks.
The fourteen companies the GAO reviewed included mobile carriers AT&T, Sprint-Nextel, T-Mobile, and Verizon; operating system developers Apple, Google, and Research in Motion; smartphone manufacturers Apple, HTC, Motorola, Research in Motion and Samsung; and application developers Facebook, Google, Pandora, Rovio Entertainment Ltd., and Yahoo!. The privacy policies of all of the companies, and the data use policies of the mobile carriers, were reviewed for the purposes of comparing company policy to best practices. Note that companies such as Apple that are listed multiple times are large companies that run independent units for mobile app development and mobile device manufacturing with separate policies regarding the collection and use of location data.
---------------------------------------------------------------------------------------------------------------------------------
Table 1: GAO Comparison of Aggregated Best Practices with Fair Information Practice Principles (FIPs)
| Recommended Location Data Privacy Practices | Examples of specific practices | Alignment with FIPs |
| Disclosures to users about data collection, use, and sharing |
|
Purpose specification, openness, collection limitation, use limitation |
| Use controls over location data |
|
Collection limitation, use limitation, individual participation |
| Data retention and safeguards |
|
Purpose specification, security safeguards, use limitation |
| Accountability |
|
Accountability |
---------------------------------------------------------------------------------------------------------------------------------
Disclosures to Users
According to the GAO’s compilation of best practices, companies that collect personal information from consumers should include the following in their privacy policies: 1) state the reasons companies collect and share data; 2) state specifically that collection of personal information is limited to specified needs; and 3) explain that data are not used for a purpose other than what has been disclosed to users without further notice and user consent. The GAO found that all fourteen companies revealed to consumers that their products are collecting their personal information and adequately explained their collection and use practices as described above, but none of the companies adequately explain how location data is used and with which third parties location data is shared.
The GAO found that of the 11 privacy policies reviewed, 10 explicitly mentioned location data, but there were broad inconsistencies in whether location data is considered personal information. The GAO’s stance is that location data should be included under any definition of personal information, in consideration of recent FTC concerns regarding the ability to identify an individual and track their movements using location data. If location data is not considered personal information, it is unclear what protections companies give to such data, such as aggregation and anonymization. Further, the companies were inconsistent in their disclosure of which third parties had access to the location data, and to what level third parties were required to protect location data. In particular, the GAO is concerned about the fact that many of the companies share location data with third party applications to be protected under the provisions of the third party’s privacy policy, but there is no recourse if those applications do not have readily available privacy policies for consumer review.
User Controls
Best practices dictate that companies should afford consumers control over the personal information collected about them by: 1) obtaining users’ consent before collecting their personal information; and 2) providing users the ability to opt out of data collection to which they have previously consented. The GAO found that of the companies studied, all of them relied on the option built directly into mobile devices to give users control over the collection of their location data. For instance, Apple’s iOS operating system asks a consumer on initial set up if he or she would like to enable location based services, and offers an option in the device’s settings to toggle location-based services on or off during regular use.
When the privacy policies of particular applications were reviewed, however, the GAO found little to no information regarding the way users may control or correct their location based information after it has been collected and transmitted to the app developer. Additionally, the mobile carriers indicated that as location data is critical to the operation of basic mobile services, users have no option to turn off the transmission of location data to the companies.
Retention and Safeguards
In order to allow users the ability to accurately track which companies are in possession of their personal information, companies should: 1) state a specific time frame for retaining user data; and 2) protect the data with reasonable security safeguards against risks such as loss or unauthorized access. However, due to the inconsistent uses, and definitions, of location data, few companies indicated how long location data is maintained and what types of protections the companies are using to secure location data.
According to the GAO, inconsistencies in the definition of location data attributes to most of the failures by the companies to adhere to best practices. Particularly, mobile carriers are apt to view location data as necessary data to conduct mobile services, an idea reinforced by Section 222 of the Communications Act, which allows carriers to collect, use and disclose location data, with user consent, in the same way as other Customer Proprietary Network Information (“CPNI”).
The Communications Act was amended in 1999 by Congress to explicitly include location data gathered from mobile device users under the definition of CPNI. According to the law, CPNI may not be disclosed to third parties without explicit customer consent, unless the disclosure is one of several enumerated exceptions, including reasons such as “to market services such as … but not limited to, call monitoring, call tracing, call blocking,” etc. The FCC, the agency tasked with creating rules to enforce the Communications Act, found the language to be vague and declined to impose rules on the industry until the definitions, and exceptions, were clarified.
Additionally, many companies either explicitly do not include location data within the definition of personal information, or are vague about whether location data qualifies as personal information. Therefore, while all of the privacy policies listed explicit protections for personal information, the inability to decipher whether personal information includes location data leaves consumers, and the GAO, in doubt over whether those protections apply to location data.
Accountability
While not specific regarding the achievability of accountability, all of the best practices reviewed by the GAO agree that companies should be responsible for protecting users’ data. Unfortunately, lack of guidance, and correspondingly the lack of enforcement by the government or industry regulators has resulted in very little, if any, accountability of companies regarding the protection of consumers’ personal information, including location data.
Five of the eleven privacy policies reviewed nebulously stated that employees were responsible for following the practices outlined in the privacy policy, and some carriers and developers state that they are subject to accountability measures from self-regulators such as the CTIA and Trust E. However, the GAO could find no evidence of accountability or enforcement of failures to abide by company policy save one notable exception: Apple’s 2011 action to reject apps from their App Store that do not explicitly require user consent before collecting location data. Google, on the other hand, claims no responsibility in “controlling the behavior of third-party applications.”
By directly comparing the practices of mobile service providers to best practices, the GAO exposed the shortcomings of those companies in the protection of location data collected from consumers. The GAO insists that either Federal legislation or agency rulemaking is required to bring consistency to the use, collection and disclosure of location data, and explains that the current state of affairs may have lasting impact on user privacy. Particularly, the GAO cautions that the inability of users to adequately determine to which third parties their location data is being disclosed may result in myriad unintentional and unconsidered uses of consumer location data.
All companies operating in the mobile space should be wary of the results of the GAO’s study, especially as the FTC has recently produced its own report on location data, and has also indicated that they are willing to consider rulemaking on the issue if companies do not begin to take the privacy and security of consumer location data seriously.