In Light of Recent FTC Actions, Review Your Privacy Policy

Every day, billions of mobile and Internet-enabled computers, smartphones, watches, drones and even coffee machines are collecting vast amounts of geolocation data about their users. Apps such as Foursquare, Tinder and Waze, as well as mobile games such as Pokemon Go and Zombies Run all track and reveal an individual's physical location through GPS, Wi-Fi and cell-based tracking technologies. This information, in turn, can be used to market products and services, deliver context-specific content, monitor users or employees, and enforce location-based access restrictions, providing valuable information to companies that can help them uncover new insights about consumers and their behaviors. While this ubiquitous collection of data can have social and economic benefits, it can also pose significant privacy and security concerns.

FTC Protects Geolocation Data

The United States does not have comprehensive legislation addressing the privacy implications of the collection and use of geolocation data. However, the Federal Trade Commission (FTC) has used its enforcement authority under Section 5 of the FTC Act to regulate companies engaged in unfair or deceptive practices involving geolocation data. Indeed, in the past few years, the FTC has paid particular attention to companies with deceptive privacy policies that fail to disclose adequately — or that affirmatively misrepresent — the extent to which consumers' geolocation information is being collected or used. While these FTC actions are not binding on all companies, the commission's enforcement actions related to geolocation data provide guidance for balancing the utility of collecting this data against competing consumer privacy concerns.

For example, in 2014, the provider of the mobile messaging app Snapchat settled an FTC action that included a charge that its statement “[does] not ask, for, track or access any location-specific information” was false and misleading. Contrary to this statement in Snapchat's privacy policy, the Snapchat application on Android transmitted Wi-Fi-based and cell-based location information from users' mobile devices to its analytics tracking service provider, according to the FTC's complaint. The decision and order in this action categorized “precise geolocation data of an individual or mobile device, including GPS-based, Wi-Fi based or cell-based location information” as “covered information” subject to prohibitions on future use. Snapchat's settlement with the FTC included a requirement for biennial comprehensive information security and privacy assessments for 20 years. This action shows that the FTC considers precise geolocation data to be personally identifiable information that is subject to the fair information practice principles of notice and consent.

In another case, the FTC filed a complaint against computer rental franchisor Aaron's Inc. for knowingly allowing the installation of monitoring technology on its computers, which allowed franchisees to track the physical location of computers, capture images through the computers' webcams and activate keyloggers that captured users' login credentials. Among other settlement terms, the company's consent agreement with the FTC prohibited the installation or use of tracking technology to gather geolocation data without first providing clear and prominent notice to consumers (separate and apart from any privacy policy, terms of service or end user license agreement) and obtaining express consent. The company was also ordered to delete any previously gathered and stored geolocation data and was prohibited from misrepresenting the extent to which the company maintains the privacy, security or confidentiality of users' information.

The FTC has also pursued enforcement actions against companies based solely on deceptive geolocation data practices. For example, Goldenshores Technologies, the provider of the Brightest Flashlight app, settled with the FTC in 2013 on allegations that the company's privacy policy inadequately disclosed to consumers that the app transmitted data, including precise geolocation and persistent device identifiers, to third parties. The policy stated that the company collected and used “diagnostic, technical and related information, including but not limited to information about your computer, system and application software, and peripherals.” But it did not mention geolocation data specifically, or indicate that the data would be shared with third parties such as advertising networks.

The FTC also objected to the company's allegedly false and misleading end-user license agreement (EULA), which presented users with an illusory option of refusing the terms of the EULA, including those related to the collection and use of data. In fact, the FTC alleged in its complaint against Goldenshores Technologies that the app began transmitting geolocation data and persistent identifiers while users viewed the EULA and before they ever accepted or refused its terms. Goldenshores Technologies' settlement with the FTC prohibited the company from misrepresenting the extent to which consumers' information is collected, used, disclosed or shared, and the extent to which users may exercise control over their data. The FTC ordered the company to delete any geolocation data collected prior to settlement, and to provide, immediately prior to the collection or transmission of user data, a clear and prominent disclosure of when, how, why and what geolocation data is being collected.

Geolocation and Children

The collection and use of geolocation data becomes a particularly sensitive issue when it involves children. The Children's Online Privacy Protection Act (COPPA) “prohibits unfair or deceptive acts or practices” in the “collection, use and/or disclosure of personal information” over the Internet about children under age 13. Under COPPA, protected “personal information” includes “geolocation information sufficient to identify street name and name of a city or town.” The FTC has clarified that geolocation data that constitutes “personal information” includes longitudinal and latitudinal coordinates, but excludes more coarse-grained data that might be tantamount to collecting a zip code.

In an FTC enforcement action settled last year, United States v. InMobi PTE, No. 3:16-cv-3474 (N.D. Cal. June 22, 2016), mobile advertising company InMobi PTE Ltd. agreed to pay $950,000 in civil penalties to settle FTC charges that it had deceptively tracked the locations of hundreds of millions of consumers — including children — without their knowledge or parental consent. InMobi's advertising network, which runs in conjunction with thousands of apps, has the ability to targets ads to consumers based on location. InMobi represented in its privacy policy that its ad software would track consumers' locations only when the consumer opted in to such tracking. But the FTC found that even when consumers had affirmatively turned off geolocation services, InMobi would still collect data on the nearest wireless network to infer the physical location of consumers and serve geo-targeted ads to the consumer.

It also misrepresented in its privacy policy that it did not collect information for children under 13. It failed to implement adequate privacy processes, resulting in the collection of children's personal information (including geolocation). The FTC required InMobi to delete all information that it collected from children and implement a comprehensive privacy program, to be monitored by an independent privacy professional, for 20 years. This action reinforced the commission's willingness to follow through on its message that app operators must take steps to comply with COPPA when offering ad-supported apps directed at children, and geolocation data collected through any means (including inference from wireless network connections) is subject to the same notice and consent requirements as other personal information.

Lessons Learned

These recent FTC actions provide some useful practice tips for companies:

1. Tell the truth scrupulously in your privacy policies. While it seems like common sense, companies continue to find themselves in the FTC's crosshairs by including false statements in their privacy policies. Companies are under no obligation to refrain from collecting or sharing consumer geolocation data, but they should not make misrepresentations about these practices and should keep their privacy promises to consumers. Snapchat's privacy policy affirmatively stated that the company did not “ask for, track or access any location-specific information from your device at any time while you are using the Snapchat application.” In reality, the app transmitted Wi-Fi-based and cell-based location information from users' mobile devices to the company's analytics-tracking service provider. As FTC chairwoman Edith Ramirez explained in a press release announcing the Snapchat settlement, “any company that makes misrepresentations to consumers about its privacy and security practices risks FTC action.”

2. Disclose fully. Even without an affirmative misrepresentation, companies risk being the subject of an FTC enforcement action by omitting details about what type of geolocation data they are collecting, how they are collecting it, how they are using it and to whom it is being disclosed. Although Goldenshore's description was not false, the FTC took issue with that company's vague description of the type of data it collected (which omitted any mention of geolocation data) and the company's failure to inform its users that geolocation data would be shared with third parties.

3. Comply with COPPA. Failure to abide by COPPA can subject a mobile app or web service company to significant fines and bad publicity. The FTC authorizes the filing of a complaint when it has “reason to believe” that COPPA has been or is being violated, and the proceeding is in the public interest. It is thus important that any service that may be targeted at children notify and receive verifiable consent from parents before collecting geolocation data from children, including geolocation data obtained from the device the child is using.

4. Provide meaningful control and honor consumer choice. When providing consumers with control of how their geolocation data is collected, used and disclosed, it is prudent to confirm that the technology itself will honor these choices. Although InMobi gave consumers the apparent ability to opt out of the geolocation tracking portion of services through the location services of the operating systems, the actual service continued to use other means to track consumers' locations even when those consumers had affirmatively opted out. Those drafting a privacy policy should communicate with a company's engineering team to ensure that they understand how geolocation data is actually collected and used by the site or service, and how choices about the collection and use of such data will be respected.

In short, when the marketing department of your company says that good business is all about “geolocation, geolocation, geolocation,” remind them that good business should also be about “notice and consent, notice and consent, notice and consent.”

*****
Devika Kornbacher is a Partner based in Vinson & Elkins' Houston office. At the time of this writing, Scott Breedlove was a Partner in the firm's Dallas office. Janice Ta is a senior associate based in the firm's Austin, TX, office, and Aislinn Affinito is an associate. The views herein represent those of the authors and not necessarily their firm or its clients.

Every day, billions of mobile and Internet-enabled computers, smartphones, watches, drones and even coffee machines are collecting vast amounts of geolocation data about their users. Apps such as Foursquare, Tinder and Waze, as well as mobile games such as Pokemon Go and Zombies Run all track and reveal an individual's physical location through GPS, Wi-Fi and cell-based tracking technologies. This information, in turn, can be used to market products and services, deliver context-specific content, monitor users or employees, and enforce location-based access restrictions, providing valuable information to companies that can help them uncover new insights about consumers and their behaviors. While this ubiquitous collection of data can have social and economic benefits, it can also pose significant privacy and security concerns.

FTC Protects Geolocation Data

The United States does not have comprehensive legislation addressing the privacy implications of the collection and use of geolocation data. However, the Federal Trade Commission (FTC) has used its enforcement authority under Section 5 of the FTC Act to regulate companies engaged in unfair or deceptive practices involving geolocation data. Indeed, in the past few years, the FTC has paid particular attention to companies with deceptive privacy policies that fail to disclose adequately — or that affirmatively misrepresent — the extent to which consumers' geolocation information is being collected or used. While these FTC actions are not binding on all companies, the commission's enforcement actions related to geolocation data provide guidance for balancing the utility of collecting this data against competing consumer privacy concerns.

For example, in 2014, the provider of the mobile messaging app Snapchat settled an FTC action that included a charge that its statement “[does] not ask, for, track or access any location-specific information” was false and misleading. Contrary to this statement in Snapchat's privacy policy, the Snapchat application on Android transmitted Wi-Fi-based and cell-based location information from users' mobile devices to its analytics tracking service provider, according to the FTC's complaint. The decision and order in this action categorized “precise geolocation data of an individual or mobile device, including GPS-based, Wi-Fi based or cell-based location information” as “covered information” subject to prohibitions on future use. Snapchat's settlement with the FTC included a requirement for biennial comprehensive information security and privacy assessments for 20 years. This action shows that the FTC considers precise geolocation data to be personally identifiable information that is subject to the fair information practice principles of notice and consent.

In another case, the FTC filed a complaint against computer rental franchisor Aaron's Inc. for knowingly allowing the installation of monitoring technology on its computers, which allowed franchisees to track the physical location of computers, capture images through the computers' webcams and activate keyloggers that captured users' login credentials. Among other settlement terms, the company's consent agreement with the FTC prohibited the installation or use of tracking technology to gather geolocation data without first providing clear and prominent notice to consumers (separate and apart from any privacy policy, terms of service or end user license agreement) and obtaining express consent. The company was also ordered to delete any previously gathered and stored geolocation data and was prohibited from misrepresenting the extent to which the company maintains the privacy, security or confidentiality of users' information.

The FTC has also pursued enforcement actions against companies based solely on deceptive geolocation data practices. For example, Goldenshores Technologies, the provider of the Brightest Flashlight app, settled with the FTC in 2013 on allegations that the company's privacy policy inadequately disclosed to consumers that the app transmitted data, including precise geolocation and persistent device identifiers, to third parties. The policy stated that the company collected and used “diagnostic, technical and related information, including but not limited to information about your computer, system and application software, and peripherals.” But it did not mention geolocation data specifically, or indicate that the data would be shared with third parties such as advertising networks.

The FTC also objected to the company's allegedly false and misleading end-user license agreement (EULA), which presented users with an illusory option of refusing the terms of the EULA, including those related to the collection and use of data. In fact, the FTC alleged in its complaint against Goldenshores Technologies that the app began transmitting geolocation data and persistent identifiers while users viewed the EULA and before they ever accepted or refused its terms. Goldenshores Technologies' settlement with the FTC prohibited the company from misrepresenting the extent to which consumers' information is collected, used, disclosed or shared, and the extent to which users may exercise control over their data. The FTC ordered the company to delete any geolocation data collected prior to settlement, and to provide, immediately prior to the collection or transmission of user data, a clear and prominent disclosure of when, how, why and what geolocation data is being collected.

Geolocation and Children

The collection and use of geolocation data becomes a particularly sensitive issue when it involves children. The Children's Online Privacy Protection Act (COPPA) “prohibits unfair or deceptive acts or practices” in the “collection, use and/or disclosure of personal information” over the Internet about children under age 13. Under COPPA, protected “personal information” includes “geolocation information sufficient to identify street name and name of a city or town.” The FTC has clarified that geolocation data that constitutes “personal information” includes longitudinal and latitudinal coordinates, but excludes more coarse-grained data that might be tantamount to collecting a zip code.

In an FTC enforcement action settled last year, United States v. InMobi PTE, No. 3:16-cv-3474 (N.D. Cal. June 22, 2016), mobile advertising company InMobi PTE Ltd. agreed to pay $950,000 in civil penalties to settle FTC charges that it had deceptively tracked the locations of hundreds of millions of consumers — including children — without their knowledge or parental consent. InMobi's advertising network, which runs in conjunction with thousands of apps, has the ability to targets ads to consumers based on location. InMobi represented in its privacy policy that its ad software would track consumers' locations only when the consumer opted in to such tracking. But the FTC found that even when consumers had affirmatively turned off geolocation services, InMobi would still collect data on the nearest wireless network to infer the physical location of consumers and serve geo-targeted ads to the consumer.

It also misrepresented in its privacy policy that it did not collect information for children under 13. It failed to implement adequate privacy processes, resulting in the collection of children's personal information (including geolocation). The FTC required InMobi to delete all information that it collected from children and implement a comprehensive privacy program, to be monitored by an independent privacy professional, for 20 years. This action reinforced the commission's willingness to follow through on its message that app operators must take steps to comply with COPPA when offering ad-supported apps directed at children, and geolocation data collected through any means (including inference from wireless network connections) is subject to the same notice and consent requirements as other personal information.

Lessons Learned

These recent FTC actions provide some useful practice tips for companies:

1. Tell the truth scrupulously in your privacy policies. While it seems like common sense, companies continue to find themselves in the FTC's crosshairs by including false statements in their privacy policies. Companies are under no obligation to refrain from collecting or sharing consumer geolocation data, but they should not make misrepresentations about these practices and should keep their privacy promises to consumers. Snapchat's privacy policy affirmatively stated that the company did not “ask for, track or access any location-specific information from your device at any time while you are using the Snapchat application.” In reality, the app transmitted Wi-Fi-based and cell-based location information from users' mobile devices to the company's analytics-tracking service provider. As FTC chairwoman Edith Ramirez explained in a press release announcing the Snapchat settlement, “any company that makes misrepresentations to consumers about its privacy and security practices risks FTC action.”

2. Disclose fully. Even without an affirmative misrepresentation, companies risk being the subject of an FTC enforcement action by omitting details about what type of geolocation data they are collecting, how they are collecting it, how they are using it and to whom it is being disclosed. Although Goldenshore's description was not false, the FTC took issue with that company's vague description of the type of data it collected (which omitted any mention of geolocation data) and the company's failure to inform its users that geolocation data would be shared with third parties.

3. Comply with COPPA. Failure to abide by COPPA can subject a mobile app or web service company to significant fines and bad publicity. The FTC authorizes the filing of a complaint when it has “reason to believe” that COPPA has been or is being violated, and the proceeding is in the public interest. It is thus important that any service that may be targeted at children notify and receive verifiable consent from parents before collecting geolocation data from children, including geolocation data obtained from the device the child is using.

4. Provide meaningful control and honor consumer choice. When providing consumers with control of how their geolocation data is collected, used and disclosed, it is prudent to confirm that the technology itself will honor these choices. Although InMobi gave consumers the apparent ability to opt out of the geolocation tracking portion of services through the location services of the operating systems, the actual service continued to use other means to track consumers' locations even when those consumers had affirmatively opted out. Those drafting a privacy policy should communicate with a company's engineering team to ensure that they understand how geolocation data is actually collected and used by the site or service, and how choices about the collection and use of such data will be respected.

In short, when the marketing department of your company says that good business is all about “geolocation, geolocation, geolocation,” remind them that good business should also be about “notice and consent, notice and consent, notice and consent.”

*****
Devika Kornbacher is a Partner based in Vinson & Elkins' Houston office. At the time of this writing, Scott Breedlove was a Partner in the firm's Dallas office. Janice Ta is a senior associate based in the firm's Austin, TX, office, and Aislinn Affinito is an associate. The views herein represent those of the authors and not necessarily their firm or its clients.