On May 25, 2012, the Federal Communications Commission (FCC) released a report with the opaque title “Location-Based Services: An Overview of Opportunities and Other Considerations.” The report outlines the growing use of location-based services (LBS) in navigation, tracking, social networking, gaming, retail, real estate, advertising, news, weather, device management, and public safety applications, and government and industry efforts to address the privacy issues surrounding such services. It stemmed from a June 28, 2011 workshop that the FCC hosted on the subject.
“As of May 2011,” according to the report, “28 percent of adult Americans used mobile LBS of some type. LBS are expected to deliver $700 billion in value to consumers and business users over the next decade.” Yet “LBS industry players face challenges as they attempt to provide consumers with appropriate notice and choice with respect to the use of the data generated by LBS and the devices and networks that host them.”
The FCC is not the only governmental agency focused on these issues. The report reflects that “the Federal Trade Commission and the Department of Commerce … also have been assessing mobile privacy issues, raising consumer awareness, and encouraging proactive industry involvement to address challenges and concerns. In addition, Congress conducted several hearings that addressed location data privacy.” But the FCC’s role is rooted in the Communications Act of 1934, as amended (the “Act”), which charges the FCC with implementing a number of privacy protection provisions. for example, the FCC has adopted rules implementing Section 222 of the Act, which requires telecommunications carriers and interconnected Voice over Internet Protocol providers to secure customer proprietary network information (“CPNI”). Sections 338(i) and 631 establish requirements for satellite and cable television providers, respectively, for the treatment of their subscribers’ personally identifiable information (“PII”).
The FCC declined to adopt any regulations or best practices, but stated it would “continue to monitor industry compliance with applicable statutory requirements and evolving industry best practices.”
The FCC identified several privacy issues implicated by location-based services, specifically:
- Notice and transparency. The report stressed the principles of notice and transparency as core privacy values, and recognized various industry efforts by CTIA, the Mobile Marketing Association, the Direct Marketing Association, and private companies to provide users with notice of how LBS information is used. But the FCC cited several indications that many apps still lack basic privacy policies.
- Meaningful consumer choice. The FCC believes that consumers should have an opportunity to “opt in” to programs that use LBS data, and to be able to decide what a company can and cannot do with their information. But the report also acknowledges that challenges arise between real-time meaningful choice and user experience.
- Third party access to personal information. Noting that various people and groups may have access to LBS information, the FCC called out developers in particular as possibly not having adequate privacy standards in place. The report noted that entities like the Future of Privacy Forum and TRUSTe are recommending app developers adopt privacy practices, and that mobile operating systems and carriers are requiring apps seek permission before using location-based services.
- Data security and minimization. The FCC noted that because location data is considered particularly sensitive information, the industry should adopt heightened security requirements. It further suggested that as little data should be stored for a short a period as possible to lessen security breaches, although there is a tension because law enforcement would find location data valuable suggesting longer storage times would be valuable.
“While industry is taking steps to minimize these threats,” the report concluded, “the degree of responsiveness varies, new issues continue to emerge, and LBS industry players face challenges as they attempt to provide consumers with appropriate notice and choice. Nonetheless, there is room for additional steps to be taken, particularly with respect to less established LBS providers, to ensure growing concerns are addressed as quickly and as comprehensively as possible.” Issues that the FCC sees as worthy of consideration include:
- Consideration of Privacy Issues at Earliest Stages of Product Development. What are the most effective means to ensure privacy considerations become an integral part of the product design and development process for all players in the LBS industry? What should consumers be told?
- Security of data. What are the rights, duties, and obligations of the parties that generate, aggregate, or hold LBS-related data to secure such data from unauthorized disclosure or access? Do they vary as a result of a party’s relationship with the customer?
- Timing and sufficiency of notice. How much information should be pushed to consumers at different points in their interaction with an LBS, mobile, application or other provider and how should it be presented? Must the information be provided each time an application or service is used? Should there always be an opt out?
- Data Minimization. Should parties be encouraged to collect the minimal amount of data technically required to provide a location-based service and retain that data for the minimum amount of time necessary?
The FCC ended its report with a note of warning. It will “continue to monitor industry compliance with applicable statutory requirements and evolving industry best practices,” it said, and “additional steps may be necessary if privacy issues are not met as effectively and comprehensively as possible or within reasonable time frames.”