By Kelsey Finch
IAPP Westin Research Fellow
Location tracking has become a hot button issue with implications for government surveillance, employee monitoring and consumer tracking online and in-store. Hundreds of millions of users carry a smartphone with them every step of the day, and as these devices send and receive electronic signals they silently map their user’s movements. More and more organizations are seeking to utilize this data, and while the industry for location tracking analytics is becoming more sophisticated, so too is the range of interested parties – including regulators.
The most familiar technology traditionally used for tracking the physical location of individuals or objects is GPS, which operates by timing signals sent from orbiting satellites to compute the precise location of a device. With the advent of internet-capable mobile devices, location tracking has become easier, cheaper and more pervasive; there is now a broad range of tracking technologies and embedded tools available to facilitate location-based applications. Additionally, because smartphones constantly send and receive electronic signals to establish connections with cell towers and wireless networks, system operators can recognize and trace the MAC addresses of WiFi- and Bluetooth-enabled devices as they come into the range of their networks. Given the rapidly growing distribution of connection points, network operators can track a device holder’s movements on an increasingly granular scale, including following movements within a building, office or house, something that’s largely not possible with GPS.
How Government Approaches Location Data
In January last year, the U.S. Supreme Court handed down U.S. v. Jones, a significant privacy decision that addressed location tracking by the government. Jones specifically established that when the police attached a GPS device to a suspect’s car for 28 days without a warrant and used the device to monitor the vehicle’s movements it conducted an unreasonable search and seizure under the Fourth Amendment. However, the 5-4 majority opinion was narrowly tailored to the so-called physical intrusion involved in the act of attaching a GPS tracker to the suspect’s car. In addition, under what has been called the “mosaic” theory, a five-Justice plurality held that whether government conduct constitutes a search is measured not by analyzing any discreet act but rather the collective sum of different acts over time. It thus left open important questions concerning location-tracking practices, which do not imply a physical intrusion or persistent and long-term observation.
Last week, in U.S. v. Katzin, the Third Circuit Court of Appeals became the first federal appellate court to address some of the Jones questions after the Supreme Court. One question was whether the installation of a GPS device on a suspect’s vehicle is authorized by “probable cause” even without an actual warrant. The Court resoundingly held it had “no hesitation in holding that the police must obtain a warrant prior to attaching a GPS device on a vehicle, thereby undertaking a search that the Supreme Court has compared to ‘a constable’s concealing himself in the target’s coach to track its movements.’” Strengthening privacy protections for location data, the Court rejected the government’s arguments in favor of a “good faith” exception to the warrant requirement. While Katzin did not expressly address the contours of the mosaic theory, it required a warrant even though the tracking “yielded the results [police] were after within several days.”
How Retailers Approach Location Data
Outside of the government context, one of the most heated arenas of the location privacy debate involves consumer rights. Retailers are increasingly taking advantage of their networked spaces to track consumer devices as they move within stores. These technologies track and analyze how consumers move through stores in order to determine “when stores are busiest, when queues are longest and how the positioning of products and promotional displays affects sales . . . It also means returning customers can be spotted without the need for facial recognition, by looking out for known device IDs.” Yaron Dori of Covington & Burling, LLP, recently discussed the legal implications of emerging privacy technologies in the U.S. retail settings at the IAPP Privacy Academy.
Last week, the Future of Privacy Forum (FPF) teamed up with Senator Charles Schumer (NY) and seven leading analytics companies to release a “Mobile Location Analytics Code of Conduct.” This is a pivotal step in the promotion of “consumer privacy and responsible data use for retail location analytics,” setting forth enforceable, self-regulatory standards for mobile location analytics (MLA) in retail spaces.
Specifically, the code requires MLA companies to adhere to notice principles, providing consumers with both physical and web-based “privacy notices that are clear, short, and standardized to enable comprehension and comparison of privacy practices” regarding tracking of personally identifiable information. Notice requirements may further necessitate conspicuous signage in stores where mobile device tracking is present. Further, the code not only requires that personal data be de-identified, but also that companies explain in privacy policies what steps have been taken to anonymize it. The code precludes MLA companies from “collecting personal information or unique device identification information, unless it is promptly de-identified or de-personalized, or unless the consumer has provided affirmative consent.”
Any combination of MLA data with third-party data in a user’s profile must be disclosed in a privacy notice. Similarly, the code requires that companies establish and publish internal policies for limited data retention and deletion; preclude the collection or use of personal data for adverse employment, credit, health care or insurance purposes; and in the case of any onward data transfer, require that third parties contractually agree to act consistently with the code.
Most importantly, the code establishes a two-part consent scheme: MLA companies should (a) provide consumers a link to a central industry opt-out website for the collection of general device data; and (b) obtain opt-in consent in order to link personal data to a mobile device identifier or contact a consumer based on MLA information. Strengthening the value of these consumer choice options, the code’s final principle promotes consumer education through the establishment of a central industry site, standardized symbols and continued efforts to inform consumers about retail tracking.
The key outcome of the code – adoption of which is, of course, voluntary – is increased transparency for consumers. At the same time, the code accounts for four practical exclusions: It does not restrict the use of data necessary for operation of a network; for security; or for employment purposes; nor any data collection to which a consumer has affirmatively consented.
How Employers Approach Location Data
There are currently no federal laws restricting the use of GPS or mobile-device tracking by employers. And although in recent years Senator Al Franken (MN) has repeatedly proposed a “Location Privacy Protection Act,” it has yet to survive committee.
The few state laws relevant to mobile device tracking practices require only minimal disclosure of electronic monitoring. With “Bring Your Own Device” (BYOD) programs increasingly common, employers have more opportunities than ever to track their employees. A 2012 report indicated that 37 percent of companies tracked the device location of employees.
Even in the absence of strong statutory or regulatory requirements, most employers deploy a measure of notice-and-choice to gain their employees’ affirmative consent to tracking. This is usually achieved through employee handbooks, acceptable use policies or other agreements. Generally, employees possess little or no rights or expectations of privacy in employer-provided devices; further, these rights are highly dependent on the terms laid out in employer-specific policy guides. Continued use by an employee of a device that she knows has tracking capabilities generally constitutes “implied consent” to an employer’s collection and use of the device’s location data. Some employers simply advise workers to “turn off their work phones at night” if they do not want their whereabouts known.
Stronger employee protection has been accorded with regard to event data recorders (EDRs), the “black boxes” that car manufacturers install inside consumer vehicles for accident reporting purposes. While fourteen states have laws regulating EDRs, some permitting data use only with a vehicle owner’s consent, the majority of employees operate company-owned vehicles, and thus are exempted from the scope of individual privacy protection.
For employers operating outside of the U.S., however, the standards for employee privacy can be dramatically different. The EU, in particular, privileges individual privacy rights over employer interests in many circumstances, and takes a dim view with respect to an employee’s ability to consent to tracking activities in light of the inherent power imbalance between employers and employees.
Mobile devices and tracking tools are silently broadcasting individuals’ location on the job, in stores and as they drive around town. Different legal standard apply to the collection of location information by government agents, retailers and employers. Given the rapid pace with which mobile location analytics are progressing, and in light of significant new developments in the government and retail landscapes, it is more important than ever for consumers to understand and exercise their privacy rights over their personal location data.