The following is drawn from a white paper issued by the Centre for Spatial Law and Policy
There has been a great deal of attention paid recently to the privacy issues associated with the collection, use and distribution of personal information by technology companies. For example, Facebook has come under increased scrutiny for the complexity of its privacy settings and for its policies for sharing customer information with third parties. Google has been scrutinized over its Street View collection and also is currently involved in civil litigation on the matter. In addition, Twitter recently entered into a comprehensive and broad-based consent order with the Federal Trade Commission (FTC) regarding its information security practices. The Wall Street Journal covered these and other issues in a week-long series found here. (See here for the article in the series on "cyberstalking").
The privacy associated with location data has been part of this broad discussion. For example, in February the House of Representative held hearings specifically on location privacy as part of a broader review of internet privacy. These hearings resulted in Representative Rick Boucher (D-VA) and Representative Bobby Rush (D-IL) each drafting proposed legislation to protect consumer personal data. Both of these bills defined “precise geolocation information” as sensitive information that is subject to greater regulation with regards collection and use. In addition, Senator John Kerry (D-MA) recently announced that he was preparing legislation to protect consumer privacy
However even in the absence of definitive legislation, companies that collect, use or distribute consumer location data should expect increased scrutiny from the Federal Trade Commission (FTC). Section 5 of the Federal Trade Commission Act grants the FTC broad enforcement authority to protect consumers from unfair trade practices. The FTC appears to have expanded its enforcement actions to protect customer data other than traditionally sensitive information such as credit card information or social security numbers. For example, in a recent enforcement action against Twitter, the FTC found that Twitter failed to provide “reasonable safeguards to protect user information from unauthorized users”. This information included passwords to send messages (“tweets”) but not sensitive personal information. The FTC is apparently trying to warn businesses that even non-sensitive data must be protected if it is stored in a non-public place. (It is also important to note that some of the breaches occurred when Twitter was in its start-up phase)
Given the recent media attention on privacy concerns associated with location data and recent efforts in Congress, it is fair to assume that the FTC is scrutinizing what authority it has with respect to location data. As a result, companies that collect or use location data should begin to closely monitor FTC enforcement actions related to the protection of personal data. In addition, they should consider developing an information security program with respect to such data. Such a program may not only be required by the FTC in the future, but is also good business practice in today’s environment.