The Bottom Line
- Mobile location data is recognized by the industry and regulators as sensitive personal data.
- Therefore, app providers and others in the mobile ecosystem need to be aware of industry best practices and new laws targeting such data, including the recently proposed bill by the New York City Council that would make it unlawful for telecommunications and mobile app providers to share a customer’s location data that was collected while the customer’s mobile device was present in New York City.
A bill has been introduced in the New York City Council that, if enacted, would make it unlawful for a mobile application developer or a telecommunications carrier to share a customer’s location data with third parties without the customer’s consent if the data was collected while the customer’s mobile communications device was physically present in New York City.
The bill prohibits the sharing of a mobile application or telecommunications customer’s location data (broadly defined to mean “information related to the physical or geographical location of a person or the person’s mobile communications device, regardless of the particular technological method used to obtain this information”) collected while the person or the person’s mobile communications device is located in New York City. It also bars a person who receives location data in violation of the bill from sharing it with any other person.
There are several exceptions to the sharing prohibition, the most significant being that it does not prevent individuals from providing, and telecommunications and mobile application providers from receiving, location data for the sole and exclusive purpose of providing a service explicitly requested by the individual, so long as such data is not collected, shared, stored or otherwise used by a third party (e.g., a subcontractor of the provider) for any purpose other than in connection with the provision of the requested service.
Other exceptions include the disclosure of information:
- To a law enforcement agency in response to a lawful process;
- To an emergency service agency responding to a 911 communication or any other communication reporting an imminent threat to life or property; or
- As otherwise required to be provided by federal, state or local law.
Private Right of Action
The bill creates a private right of action in favor of customers whose location data has been shared in violation of the bill’s prohibitions. Moreover, if a court finds a violation, the customer is entitled to recover actual damages, computed at a rate of $1,000 per violation (up to a maximum of $10,000 per day), plus the customer’s reasonable attorneys’ fees and costs of the action.
Irrespective of whether the New York City bill is ultimately passed, other steps are already being taken to protect customers’ location data from being improperly used.
For one, the Network Advertising Initiative’s (NAI) Code of Conduct requires that member companies obtain opt-in consent to use “precise location data” for interest-based advertising, and the NAI’s mobile application code has the same requirement for cross-app advertising. The NAI defines location data as “information that describes the precise geographic location of a device derived through any technology that is capable of determining with reasonable specificity the actual physical location of a person or device, such as GPS level latitude-longitude coordinates or location based Wi-Fi triangulation.” It does not include data that is or will be altered so that NAI member companies cannot determine the actual physical location of a person or device. The NAI definition is quite a bit clearer and more focused than the broad definition of location data in the New York City bill.
In addition, most mobile platform providers already require consumers to opt in before sharing their location data.
Lack of Clarity on Location Data
The governor of Hawaii recently vetoed legislation similar in intent to the New York City bill, citing a lack of sufficient clarity to ensure consistency in compliance and enforcement. The New York City bill, which lacks specificity on a number of subjects, such as the nature of uses included within “authorized use,” the scope of permitted disclosures to third parties and the extent of liability of recipients of unlawfully obtained data, may be due for the clarifications called for in Hawaii.