By Holden Williams
In December, 43 members of Congress called on the Federal Trade Commission (FTC) and the Federal Communications Commission (FCC) to regulate the sale, use, and transfer of location data. According to the letter, app developers are able to collect sensitive user information and sell it to interested parties for a substantial profit. Apps can harvest personal information, such as geolocation and phone identifiers. According to research by the MarkUp, there is a multi-billion dollar market for users’ location data, and, according to The Future of Privacy Forum, the collection and sharing of location data has proven to be “challenging and difficult to define and regulate.”
Location data is particularly sensitive because of the amount of information it reveals about a user, including their hobbies, lifestyle choices, and habits. In its investigations, the IDAC team has regularly come across apps that are inferring location using conventional and workaround ways, as well as failing to appropriately let users know about the collection of this data.
Importantly, the recommendations by Congress could give the FTC and FCC more robust authority and power to regulate the sale, use, and transfer of location data. In their letter, Congress members outlined some immediate steps that the agencies can take to address some of these concerns, including:
- The FTC can use its Section 18 rulemaking authority to define the sale, transfer, use, or purchase of precise location data collected by an app for purposes other than the essential function of the app as an “unfair act or practice,” which would essentially be defining the act as one that likely causes injury to consumers.
- The FCC can use its rulemaking power to reaffirm prohibitions on the “surveillance of location data.” Previously, the FCC issued a declaratory ruling stating certain heightened protections apply to information collected from a mobile device, including “the location of a customer’s use of a telecommunications service.” The FCC has also found that this type of data falls within its enforcement, specifically Section 222 of the Communications Act. The members of Congress urged the FCC to solidify these findings through the Commission’s rulemaking and enforcement actions.
We strongly agree that the FTC and FCC should regulate the sale of location data. When consumers consent to share location data for non-essential purposes, most of them are not aware that this information can be shared or sold to unaccountable third parties.
Platforms have an important role to play in protecting user data, but these efforts must be coupled with regulation and civil law enforcement. While platforms like Google Play prohibit apps from selling location data for purposes not strictly related to the functionality of the app, the sheer number of apps on the store means widespread, uniform enforcement is a significant challenge.
However, if regulators raise the bar, then better self-regulation by platforms will likely follow. For instance, in a recent investigation into more than 150 health apps on the GooglePlay store, the IDAC team identified an app, PsyTests, that appeared to violate Google Play Ads policy because it failed to provide a working privacy policy properly disclosing its collection of location data while we observed multiple transmissions of location data to advertising providers. If the FTC were to adopt the recommendations in this letter, then this app’s actions may constitute an unfair or deceptive practice, and platforms like Google may do more to prevent these kinds of cases in the first place.
Members of Congress also correctly point out that the mislabeling of users’ location data as “anonymous” should constitute a “deceptive practice.” As the letter indicates, stating that location data will be collected anonymously gives users a false sense of security because users can still be tracked with “de-anonymization tactics.” Two femtech apps from our health apps investigation claim to collect users’ location data anonymously. According to their iOS privacy labels, the apps MyDaysX Pregnancy and Pregnancy & Baby Tracker by What to Expect state that the apps do not link the user’s identity to the location data collected. An FTC investigation, if this recommendation is adopted, could find these apps to be engaging in “deceptive practices.”
We are encouraged by the letter and that Members of Congress are calling attention to this issue. IDAC echoes the calls for the FTC and FCC to more strongly regulate and enforce rules regarding the collection and sale of consumers’ data. Platforms, law enforcement, Congress and watchdog groups like IDAC should work together and coordinate efforts and share knowledge in order to fully protect consumers.