This week, the Senate Judiciary Subcommittee on Privacy, Technology and the Law held a hearing to discuss the Location Privacy Protection Act of 2014, a bill reintroduced in March by Senator Al Franken (D-MN). Most concerned with the potential for misuse and abuse of location data for purposes of stalking and perpetrating domestic violence, Senator Franken, who chairs the Subcommittee on Privacy, made clear at the hearing his view that, “Stalking apps must be shut down.” Franken clarified, however, that his bill is not only intended to protect victims of stalking, but provides basic privacy safeguards for sensitive location information pertaining to all consumers. Most critically, Senator Franken suggested that because location data lacks sufficient legislative protection, some of the most popular apps used widely by average consumers have been found to disclose users’ precise location to third parties without obtaining user permission. Further, he noted that in light of stalking apps that are deceptively labeled as something else, such as “parental monitoring,” it is necessary to create a law with basic rules for any service that collects location information.
The witnesses representing law enforcement, federal agencies, and consumer-advocacy and anti-domestic violence groups gave testimony sharing Senator Franken’s concerns, and also suggested that industry self-regulation in this area so far has not been consistent or transparent. Jessica Rich, Director of the Federal Trade Commission’s Bureau of Consumer Protection, for example, noted that broadly speaking, while many industry groups and individual companies purport to adopt the opt-in model as a best practice, enforcement has shown that the standard is in fact not complied with on a regular basis.
In response, witnesses representing industry largely rejected the notion that legislation like Senator Franken’s is needed at this time. Expressing particular worry that laws and regulations are inflexible and can quickly become outdated in the face of rapidly evolving technologies, Lou Mastria, Executive Director of the Digital Advertising Association (“DAA”), testified that innovation is better served by self-regulation, which can adapt to new business models because it is more “nimble” than government regulation, as subcommittee ranking member Senator Jeff Flake (R-AZ) phrased it. Mr. Mastria pointed to the DAA’s Self-Regulatory Principles as an effective framework for self-regulation. Sally Greenberg, Executive Director of the National Consumers League, however, contested the usefulness of DAA’s code, calling it weak, “full of holes,” and “late to the game,” especially in the face of her view that there is “monumental evidence that self-regulation is not working.”
Throughout the hearing, Senator Flake was especially focused on the possibility of “static regulations that deal with a dynamic sector of the economy,” and the potential for bills like the Location Privacy Protection Act to stifle innovation. As an example of such crippling effects, he suggested that the proposed law could sweep too broadly, undercutting legitimate apps that might run tracking “imperceptibly” in the background, for instance, but do not make location data available to individuals who could misuse it. Robert Atkinson, President of the Information Technology and Innovation Foundation, agreed that “imperceptible” is a “vague standard” and suggested re-consideration of using that term. Senator Flake also recognized that the loophole identified in Senator Franken’s bill allowing for the sharing of location data with third parties might leave open the potential for abuse, but expressed skepticism that a serious problem exists and that data is actually being misused for criminal purposes. When asked whether such criminal activity has yet been proven, Ms. Rich responded no.
Senator Richard Blumenthal (D-CT) focused on the intersection of cyberstalking and campus sexual assault. He inquired about what additional preventative steps colleges could take to incorporate cyberstalking into messaging around sexual assault, and noted how stalking apps can escalate behaviors that often are precursors to other crimes like sexual assault or even homicide.
If enacted, the Location Privacy Protection Act of 2014 primarily would:
- require companies to obtain consumers’ permission before collecting or disclosing to a third party the geolocation data obtained from consumers’ electronic communications devices;
- require any company collecting the location data of 1,000 or more devices to post online the nature and purpose of the data collected, the parties with whom the data is shared, and how consumers can opt out of the collection and disclosure of such data;
- for companies that initially collect location information in a manner that the company has reason to believe is “imperceptible” to the consumer, require in addition to consent: (1) notice to the consumer that location data is being collected, along with (2) the same information required of companies who collect the data of 1,000 or more devices; and
- ban the development, operation, and sale of “stalking apps,” requiring forfeiture of any proceeds from the use or sale of such a device.
The proposed bill contains exceptions for parents locating or tracking their children, emergencies, and similar circumstances. Finally, the bill would give enforcement authority to the U.S. Attorney General, but also contains a private right of action, with damages capped at $5,000 per violation per day.