Federal Trade Commission gives evidence before a United States Senate Committee on Geolocation Privacy
June 5, 2014
The US Federal Trade Commission (the “FTC”) gave evidence on geolocation privacy to the Senate’s Subcommittee for Privacy, Technology and the Law of the Committee on the Judiciary on 4 June 2014. It is a very interesting statement which effectively describes the privacy implications of the use of geolocation apps and software. The lack of transparency in the marketing and delivery of those apps and software is a significant concern. As the FTC makes clear, the data that can be collected is often sensitive. It can also be an effective tracking, if not stalking, device. The management, use and disclosure of that data can have significant consequences for individuals. Apart from the obvious breach of privacy, the data can be used for predictive analytics.
The FTC media statement provides:
The Federal Trade Commission testified before Congress on the Commission’s efforts to address the privacy concerns raised by the tracking of information about consumers’ location, as well as proposed legislation to protect the privacy of geolocation data.
Delivering testimony before the Senate Judiciary Committee’s Subcommittee for Privacy, Technology and the Law, Jessica Rich, Director of the FTC Bureau of Consumer Protection, outlined the FTC’s ongoing efforts to protect the privacy of consumers’ geolocation information through enforcement, policymaking, and consumer and business education.
Precise geolocation data is sensitive personal information increasingly used in consumer products and services, the testimony states. These products and services make consumers’ lives easier and more efficient, but the use of geolocation information can raise concerns because it can reveal a consumer’s movements in real time and provide a detailed record of a consumer’s movements over time.
“Geolocation information can divulge intimately personal details about an individual. Did you visit an AIDS clinic last Tuesday? What place of worship do you attend? Were you at a psychiatrist’s office last week? Did you meet with a prospective business customer?” the testimony states.
Geolocation information may be sold to companies to help build profiles about consumers without their knowledge or consent, or it could be accessed by cybercriminals, hackers or through surreptitious means such as “stalking apps.”
The FTC has used its enforcement authority under Section 5 of the FTC Act to take action against companies engaged in unfair or deceptive practices involving geolocation information. Last month, for example, the Commission entered into a settlement with the mobile messaging app Snapchat, resolving FTC allegations that Snapchat made multiple misrepresentations to consumers about the disappearing nature of messages sent through its service, as well as its transmission of users’ geolocation information. The FTC has raised similar allegations involving undisclosed collection and transmission of location data as part of privacy complaints against a popular flashlight app, as well as a national rent-to-own retailer and one of its software vendors, the testimony states.
In addition to its enforcement activities involving geolocation information, the Commission has conducted studies, held workshops, and issued reports on mobile privacy disclosures, mobile apps directed to kids, and other topics that elucidate best practices for companies collecting, using, and sharing geolocation information, the testimony says.
The testimony also notes the FTC’s ongoing efforts to educate consumers and businesses about protecting the privacy of geolocation information. For instance, the Commission recently released an updated version of “Net Cetera: Chatting with Kids About Being Online,” and it has released guidance directed to businesses operating in the mobile arena to help educate them on best practices to handle sensitive information, such as geolocation information.
The testimony also provides the Commission’s initial views on the Location Privacy Protection Act of 2014, proposed legislation that seeks to improve the transparency of geolocation services and give consumers greater control over the collection of their geolocation information. The FTC supports the goals of the LPPA, and believes it is an important step forward in protecting consumers’ sensitive geolocation information, the testimony states.
In particular, the testimony highlights three important LPPA provisions that are consistent with the Commission’s views:
- The bill defines “geolocation information” as information that is “sufficient to identify the street name and name of the city or town” in which a device is located. This definition is consistent in many respects with the definition of “geolocation information” in the Commission’s COPPA Rule.
- The LPPA requires that an entity collecting consumer geolocation information disclose its collection of such information. The Commission has recommended that companies make their data collection practices more transparent to consumers.
- The LPPA requires affirmative express consent from consumers before a covered entity may knowingly collect or disclose geolocation information, and the Commission supports that approach.
In addition, the testimony notes that the LPPA gives the Department of Justice sole enforcement authority and rulemaking authority, in consultation with the FTC. As the federal government’s leading privacy enforcement agency, the testimony recommends that the Commission have rulemaking and enforcement authority with regard to the civil provisions of the LPPA, and that DOJ have enforcement authority for the criminal provisions.
The Commission vote approving the testimony and its inclusion in the formal record was 5-0.
The statement to the subcommittee, absent footnotes and found here, provides:
I. Introduction
Chairman Franken, Ranking Member Flake, and members of the Subcommittee, my name is Jessica Rich, and I am the Director of the Bureau of Consumer Protection at the Federal Trade Commission (“FTC” or “Commission”). I appreciate this opportunity to appear before you today to discuss the Commission’s efforts to protect the privacy of consumers’ geolocation information and to offer initial views on the draft Location Privacy Protection Act of 2014 (“LPPA”).
The LPPA addresses an important issue for the Commission, as reflected in its enforcement, policymaking, and consumer and business education efforts over a number of years: protecting the privacy of consumers’ geolocation information.
This testimony first broadly discusses why precise location information is sensitive personal information and how geolocation data is used increasingly in products and services offered to consumers. Second, it highlights the Commission’s recent law enforcement actions involving geolocation information. Third, it discusses the Commission’s studies, workshops, and reports addressing geolocation privacy on mobile devices. Next, it describes the Commission’s efforts to educate both businesses and consumers about the importance of reasonable privacy controls and protections for geolocation information. It concludes by providing some specific comments on the LPPA.
II. The Sensitivity of Geolocation Information
The mobile marketplace has experienced remarkable growth, with new products and services offered every day, many of which rely on consumers’ geolocation information.
Products and services that use geolocation information make consumers’ lives easier and more efficient. For example, consumers can get turn-by-turn directions to their destinations, find the closest bank when they are far from home, and host impromptu gatherings with friends who have “checked-in” at a certain restaurant or bar.
At the same time, because geolocation information can reveal a consumer’s movements in real time, as well as provide a detailed, comprehensive record of a consumer’s movements over time, use of this sensitive information can raise privacy concerns. Geolocation information can divulge intimately personal details about an individual. Did you visit an AIDS clinic last Tuesday? What place of worship do you attend? Were you at a psychiatrist’s office last week? Did you meet with a prospective business customer? Businesses can use consumers’ geolocation information to build profiles of a customer’s activities over time and may put the information to unanticipated uses.
Sensitive geolocation information could end up in the wrong hands in a number of ways, including by being sold to companies who then use it to build profiles with other sensitive information, such as medical conditions or religious affiliation, without consumers’ knowledge or consent, by being accessed by hackers, or by being collected through surreptitious means such as “stalking apps.” Given that geolocation information reveals personal information – such as where individuals live, work, or attend school – a cybercriminal could use geolocation information to facilitate social engineering or install malware or key loggers to steal a user’s identity or mine credit card numbers or Social Security numbers. Moreover, after obtaining an individual’s geolocation information, criminals could use it to identify the individual’s present or future location, thus enabling them to cause harm to an individual or his or her property, ranging from burglary and theft, to stalking, kidnapping, and domestic violence.
In 2012, the Government Accountability Office (“GAO”), in a report on mobile location data, discussed consumer benefits that come with use of geolocation information – such as services that provide local weather forecasts, navigation, and retail locations – but also warned that allowing companies to access and use consumers’ geolocation data exposes consumers to privacy risks, including disclosing data to unknown third parties for unspecified uses, consumer tracking, identity theft, threats to personal safety, and surveillance. Likewise, many consumers are concerned about the privacy of their location data. For example, one recent study found that nearly three quarters of consumers surveyed were reluctant to enable location tracking on their phones due to privacy concerns.
III. Enforcement
The FTC is first and foremost a civil law enforcement agency. Absent specific laws that protect geolocation information, the FTC has used its core consumer protection authority – Section 5 of the FTC Act – to enforce against unfair or deceptive practices. A company acts deceptively if it makes materially misleading statements or omissions. A company engages in unfair acts or practices if its practices cause or are likely to cause substantial injury to consumers that is neither reasonably avoidable by consumers nor outweighed by countervailing benefits to consumers or to competition. The Commission has used its enforcement authority under Section 5 to take action against companies engaged in unfair or deceptive practices involving geolocation information.
Last month, Snapchat, the developer of a popular mobile messaging app, entered into a settlement with the Commission. According to the Commission’s complaint, Snapchat made multiple misrepresentations to consumers about the fundamental features of its app, including the privacy features for which it was known. The FTC alleged that Snapchat deceived consumers by promising that photo and video messages sent through the service would disappear, misrepresenting the amount of personal data it collected, and misrepresenting the security measures taken to protect that data from misuse and unauthorized disclosure. Among other things, the Commission’s complaint alleged that Snapchat transmitted geolocation information from users of its Android app, even though its privacy policy claimed that it did not track users or access such information. The Commission’s proposed consent order prohibits Snapchat from misrepresenting the extent to which it maintains the privacy, security, or confidentiality of users’ information. In addition, the proposed order requires the company to implement a comprehensive privacy program that will be monitored by an independent privacy professional for the next 20 years.
In another case involving a mobile app developer, the FTC alleged that the developer of a flashlight app – one of the most popular apps for the Android platform, downloaded tens of millions of times – deceptively failed to disclose that the app transmitted the device’s location, device ID, and other device data to third parties, including mobile advertising networks (“ad networks”). The company’s privacy policy stated that it would collect “diagnostic, technical, and related” information about consumers’ devices for such internal purposes as product support and software updates. The policy, however, failed to mention that the company would collect the devices’ precise geolocation and persistent identifier and send them to third parties, such as ad networks. In addition, the complaint alleged that the company deceived consumers by presenting them with an option not to have their data collected or used, but nevertheless collected and shared the data automatically, thus rendering the option meaningless. The company and its manager agreed to an order that prohibits them from misrepresenting how consumers’ information is collected and shared and how much control consumers have over the way their information is used. The respondents are also required to provide a just-in-time disclosure that fully informs consumers when, how, and why their geolocation information is being collected, used, and shared, and the respondents must obtain consumers’ affirmative express consent before doing so.
Finally, in a series of settlements with national rent-to-own retailer Aaron’s, a company that leased software to Aaron’s, and seven of Aaron’s franchisees, the FTC alleged that the companies’ installation and use of software on rental computers that secretly monitored and tracked consumers ran afoul of Section 5. The software could log key strokes, capture screen shots, and take photographs using a computer’s webcam, all unbeknownst to users. The FTC alleged that the information collected by the software revealed private and confidential details about computer users, such as user names and passwords for email accounts, social media websites, and financial institutions; Social Security numbers; medical records; private emails to doctors; bank and credit card statements; and webcam pictures of children, partially undressed individuals, and intimate activities at home. In its complaints against the companies, the FTC alleged that gathering and disclosing personal information about renters was unfair and violated the FTC Act. With respect to geolocation information, the FTC alleged that installing location tracking software on rented computers without consent from the computers’ renters, tracking the geolocation of computers without notice to the computer users, and disclosing that location information to rent-to-own store licensees, caused or was likely to cause substantial injury to consumers that could not be reasonably avoided and was not outweighed by countervailing benefits to consumers or competition. Among other things, the settlement orders prohibit the companies from using monitoring software and prohibit the use of geolocation tracking without consumer consent and notice, except in cases where the device has been stolen.
IV. Policy Initiatives
In addition to the Commission’s enforcement activities involving geolocation information, the Commission has conducted studies, held workshops, and issued reports on mobile privacy disclosures, mobile apps directed to kids, and other topics that elucidate best practices for companies collecting, using, and sharing information such as geolocation information.
FTC staff issued two reports about the disclosures provided in mobile apps for children: Mobile Apps for Kids: Current Privacy Disclosures are Disappointing, published in February 2012, and Mobile Apps for Kids: Disclosures Still Not Making the Grade, published in December 2012. The reports discussed what data is collected by children’s apps and how it is shared, and urged industry to take steps to provide parents easier access to information about the data apps are collecting and sharing. In the February 2012 report, FTC staff surveyed the types of apps offered to children in the Apple App Store and the Android Market, and evaluated the disclosures provided to users, interactive features such as connectivity with social media, and the ratings and parental controls offered for such apps. The report noted that mobile apps can capture a broad range of user information from a mobile device automatically, including the user’s precise geolocation, phone number, list of contacts, call logs, unique identifiers, and other information stored on the device. After examining the disclosures of 400 apps, FTC staff concluded that there was a lack of information available to parents prior to downloading mobile apps for their children. This was particularly problematic given the breadth of and sensitivity of the personal information apps can capture. The report called on industry to provide greater transparency about their data practices.
In December 2012, FTC staff released the results of a follow-up survey that examined whether app disclosures had improved, and whether and how apps were sharing certain types of data with third parties. The survey results showed, in many instances, that apps still failed to give parents basic information about the privacy practices and interactive features of mobile apps aimed at kids. The staff found that many apps failed to provide any information about the data collected through the app, let alone the types of data collected, the purpose of the collection, and who could access the data. Even more troubling, the results showed that many of the apps shared certain information – such as device ID, geolocation, or phone number – with third parties without disclosing that fact to parents. The report urged all entities in the mobile app industry to accelerate efforts to ensure that parents have the key information they need to make decisions about the apps they download for their children.
Expanding on prior work regarding mobile disclosures, in February 2013, FTC staff issued Mobile Privacy Disclosures: Building Trust Through Transparency. This staff report made recommendations for all players in the mobile marketplace – platforms, app developers, ad networks and analytics companies, and trade associations – to ensure that consumers get timely, easy-to-understand disclosures about what data companies collect and how that data is used. The report specifically discussed the need for just-in-time disclosures to consumers and obtaining affirmative express consent before allowing access to sensitive information like geolocation.
The FTC continually assesses new developments and emerging trends and threats in the privacy area. Earlier this year, the FTC hosted a “Spring Privacy Series” to examine the privacy implications of a number of new technologies in the marketplace. The first seminar, held in February, included a panel of industry, technical experts, and privacy advocates and examined the privacy and security implications of mobile device tracking, where retailers and other companies use technology that can reveal information about consumers’ visits to and movements within a location. The seminar examined how mobile device tracking technologies work and how they are used; potential benefits to consumers, including improving customer flow through a store and efficient shopping and checkout; and privacy concerns, such as the lack of transparency of data collection, inability to opt-out, and potential profiling of customers’ buying habits and geolocation information. FTC staff solicited public comments after the seminar, and a report summarizing the findings is forthcoming.
V. Consumer Education and Business Guidance
The Commission has long viewed consumer education and business guidance as an essential part of its consumer protection mission. In addition to our enforcement and policy work, the Commission educates consumers and businesses about protecting the privacy of consumers’ geolocation information. The Commission has distributed millions of copies of educational materials for consumers and businesses to address ongoing threats to security and privacy and makes its guidance materials available online. The FTC recently released an updated version of “Net Cetera: Chatting with Kids About Being Online,” our guide to help parents and other adults talk to kids about being safe, secure, and responsible online. This new version deals with such topics as mobile apps and privacy, public Wi-Fi security, text message spam, and updated guidance on the Commission’s COPPA Rule. Likewise, the FTC’s Consumer Information website contains numerous guides on privacy and security topics salient to consumers, including a guide on understanding mobile apps and what information they collect from consumers.
The Commission also has released guidance directed to businesses operating in the mobile arena to help educate them on best practices to handle sensitive information, such as geolocation information. The FTC published a guide, “Marketing Your Mobile App: Get It Right from the Start,” to help mobile app developers observe truth-in-advertising and basic privacy principles when marketing new apps. Likewise, because mobile apps and devices often rely on sensitive consumer data, the FTC has developed specific guidance for mobile app developers as they create, release, and monitor their apps.
In addition to issuing written materials, FTC staff also has actively worked to educate mobile companies directly. For example, staff members have spoken at numerous meetings of mobile app developers to urge them to move forward on their efforts to improve transparency and address consumer privacy issues. The Commission’s hope is that these tools provide guidance to companies, large and small, on how to prioritize the privacy and security of consumer information as they develop new products and services.
VI. The Location Privacy Protection Act of 2014
The Commission supports the goals of the LPPA, which chiefly seeks to improve the transparency of geolocation services and give consumers greater control over the collection of their geolocation information. Currently, in the commercial sphere, there are various laws that protect other types of sensitive information, for example: the Gramm-Leach-Bliley Act protects financial information; the Fair Credit Reporting Act protects information used for consumer reporting purposes; and the Health Insurance Portability and Accountability Act protects personal health information. The LPPA represents an important step forward in protecting consumers’ sensitive geolocation information.
In particular, this testimony highlights three important LPPA provisions that are consistent with the Commission’s views. First, the bill defines “geolocation information” as information that is “sufficient to identify the street name and name of the city or town” in which a device is located. This definition is consistent in many respects with the Commission’s COPPA Rule. The COPPA Rule requires parental consent for the collection of children’s “geolocation information” that is “sufficient to identify street name and name of city or town.” The Commission supports the use of a consistent definition in the LPPA. Second, the LPPA requires that an entity collecting consumer geolocation information disclose its collection of such information. The Commission has recommended that companies make their data collection practices more transparent to consumers. The disclosure mechanism outlined in the LPPA is an important step forward on transparency concerning the collection of geolocation information. Third, the LPPA requires affirmative express consent from consumers before a covered entity may knowingly collect or disclose geolocation information, and the Commission supports that approach.
The LPPA gives the Department of Justice rulemaking authority, in consultation with the FTC, as well as sole enforcement authority. As the federal government’s leading privacy enforcement agency, we recommend that the Commission be given rulemaking and enforcement authority with regard to the civil provisions of the LPPA, with DOJ exercising enforcement authority for the criminal provisions.
VII. Conclusion
Thank you for the opportunity to provide the Commission’s views on privacy and geolocation information. The Commission is committed to protecting the privacy of consumers’ geolocation information and we look forward to continuing to work with the Committee and Congress on this critical issue.