location « LexDigerati

Four Reasons Location Privacy Is A Business Issue

My Troutman Sanders colleagues have written before on the continuing judicial wrangling over whether GPS tracking devices, as well as location data maintained by wireless telecom providers, require a warrant before search and seizure by the government. Last July, a New York state court ruled that a government employer did not need a warrant to attach a GPS device to an employee’s car and monitor his movements continuously for a month, contradicting an earlier decision by the New Jersey Supreme Court. More recently, the U.S. Court of Appeals for the Third Circuit held — after a thorough review of precedent dating all the way back to 1981 — that law enforcement agents must indeed first obtain a warrant based on probable cause to attach a GPS device to a criminal suspect’s vehicle.

Cases dealing with this issue merit watching because they represent the “front lines” of the intersection between personal privacy and technological capability. The Supreme Court in United States v. Jones, 131 S. Ct. 3064 (2011), decided that GPS tracking generally requires a warrant, but left open the more important question whether warrantless use of GPS devices would be “reasonable — and thus lawful — under the Fourth Amendment where officers have reasonable suspicion, and indeed probable cause,” to execute such searches. Meanwhile, a divided Fifth Circuit Court ruled in 2013 that the government may compel a wireless company to turn over 60-days worth of cell phone location data without establishing probable cause, while just last week the Massachusetts Supreme Judicial Court held that people have a reasonable expectation of privacy in their phones and thus, under the state constitution, law enforcement needs a warrant before obtaining location data from a suspect’s wireless provider.

So what does all this mean for the business community? Although law enforcement and the rather esoteric realm of constitutional law has been at the front lines of GPS privacy, there are a number of developments indicating that location privacy is also an important business issue:

First, the Federal Trade Commission — which functions as the de facto privacy regulator in the United States — has launched an inquiry into GPS tracking with a seminar convened on February 19 in Washington, D.C. This followed an FTC staff report last year, titled Mobile Privacy Disclosures: Building Trust Through Transparency, which “recommended” that companies consider offering a Do Not Track (DNT) mechanism for smartphone users among other measures to protect location privacy. Since the FTC has authority over unfair trade practices, including privacy, in almost every industry other than telecommunications, this initiative portends a risk of administrative sanction for private businesses not offering consumer choice as part of location-based services.

Second, HTC and Samsung smartphones come pre-loaded with software from the company Carrier IQ. More than 100 lawsuits filed since 2011 in federal court claim the phones unlawfully track the keystrokes of text messages and Internet searches. While the company maintains that the data are collected for customer support and to help troubleshoot network problems, it has become embroiled in litigation despite serving only as a technology vendor to other, far larger firms. (Not to leave them out, both Microsoft and Apple have also been sued over the location tracking features of their phones.) The lesson of Carrier IQ is that businesses are at risk in the GPS space even where they are not consumer-facing enterprises.

Third, a number of start-ups (Turnstyle, RetailNext, Nomi, shopkick, etc.) offer brick-and-mortar retailers the ability to use indoor location sensors and security video feeds to track movements of shoppers, recreating in the retail realm the same in-depth data on customer behavior that online merchants have long collected. Some of these firms follow best-practices by obtaining explicit opt-in for location information sharing. But the potential for adverse consumer reaction, and class action litigation, remains high ever since Nordstroms was caught in a PR whirlwind in July and unilaterally discontinued its in-store location program after notifying shoppers they were being tracked.

Fourth, it matters not whether a company is actually in the business of commercializing GPS data. In December, the FTC settled with the makers of an Android flashlight app after the agency claimed the company’s privacy policy was deceiving users into sharing their location and personal information with third-party advertisers. So there is still legal exposure for location information collection even if a firm operates in a completely different space.

Legal maneuvering can, at least for now, offset some of these risks. Under the current rules governing consumer class actions, several courts have decreed that privacy injury is insufficiently direct and substantial economically to support standing or to qualify for class action certification in federal court. For instance, in a case challenging a mobile app’s collection of geo-location data without consent, Goodman v. HTC America, Inc., the Western District of Washington held that the putative class members had not sufficiently plead injury to have standing. The court accepted as cognizable injuries overpayment for phones (because the plaintiffs would have paid less if they knew their location was to be collected as alleged) and diminution in value of the phones because of reduced battery life caused by the collection of geo-location data. Still, the court concluded that the “assertion that defendants misappropriated their personal information is not a sufficiently particularized injury to support [plaintiffs’] standing.” Yet since this opinion, and others from similar cases, holds out the possibility that identity theft or other financial harm may in the future result from insecure information collection, the standing defense appears to be time-limited.

The 4th Amendment protects people only from overreaching by the government. That may have led some in the business community to conclude prematurely that GPS and location tracking are issues only of concern to hackers and criminal enterprises. As these four developments show, however, location privacy is a serious business issue too.

Note: Originally written for and reposted with permission of my law firm’s Information Intersection blog.

Retailers Battle Back Against Technological Disruption

Despite the failures in recent years of such well-known retail chains as Circuit City, Borders and the like, it is way too soon to declare that the Internet will replace brick-and-mortar retailing. In part that is because consumer research suggests that in some segments, such as clothing, feeling and touching merchandise is an important part of the buying experience. Of interest to students of technological disruption, retailers are beginning in earnest to deploy technologies marrying the best aspects of online retailing with shopping malls and physical stores.

Delivery is one area where online retailers remain at a disadvantage. Amazon counters with its Prime membership for free two-day delivery, Amazon Lockers for local pick-up and its experimental foray into drone deliveries. Startups like Deliv (described as “a crowdsourced same-day delivery service for large national multichannel retailers”) are now providing equivalently fast store or home delivery for both online and in-person purchases.

Four of the nation’s largest mall operators are turning their properties into mini-distribution centers for rapid delivery, meaning shoppers can ditch their bags and keep spending. The service promises set delivery times for purchases consumers make at the mall or online from mall tenants, facilitated by a Silicon Valley start-up, Deliv Inc….The move highlights how delivery has become a key battleground in the war between physical and online retailers.

Startup Offers Same-Day Delivery at Shopping Malls | WSJ.com.

That in itself is remarkable. It shows that disruption is not a one-way street for legacy retailers. Yes, theirs is a challenging business environment, but technology is beginning to supply features for physical stores that meet and in some cases can beat online shopping providers. Home Depot, for instance, offers a smartphone app that allows consumers to check store inventory and aisle location, scan QR and UPC codes to get more information about products and order online with in-store delivery, overcoming some of the chain’s long-standing weaknesses: confusing layouts, out-of-stock merchandise and resulting abandoned visits.

Perhaps the most controversial realm is that of in-store consumer tracking and special offer distribution. This made news just last week when Apple Inc. turned on its iOS7 “iBeacon” service at its own retail stores. Macy’s has activated a shopkick-powered service through which simply walking into a Macy’s location will automatically send specialized offers to customers depending on where they are in the store. As Wired observed:

That’s just the beginning, though. Retailers are already talking about things like in-store navigation and dynamic pricing, all made possible by beacon-enhanced retail locations. For independent shops, iBeacon is a chance to jump into the smartphone era with one fell swoop. A $100 beacon is all it takes for even the mustiest book store to track customers, make recommendations, and offer discounts to customers’ pockets.

The risk, however, is that consumers may reject secret tracking technologies that retailers use internally, absent notice and consent. Over the last two years, retailers such as Nordstrom have hired software firms that gather Wi-Fi and Bluetooth signals emitted from smartphones to monitor shoppers’ movements around stores. They use the data to study things like wait times at the check-out line and how many people who browse actually make a purchase. At the prompting of Sen. Charles Schumer (D-NY) and the Washington, DC-based advocacy group Future of Privacy Forum, several location-tracking firms agreed in October to a code of conduct under which they will ask retailers to post signs in “conspicuous” spots in stores which inform consumers that their movements are being monitored and direct them to a website where they can opt-out. As Kashmir Hill noted in Forbes:

As with many novel and unexpected uses of technology, people have tended to be creeped out by the practice when they learn about it. Ask Path, which was tracking shoppers in malls (in 2011). Or Nordstrom, which came under fire earlier this year for tracking its shoppers without clear notice. Or London, which was using trash bins to collect info from passerbys’ mobile devices.

The flip side is that by offering recommendations and deals with an opt-in policy, retailers could dramatically bridge the divide between the online and brick-and-mortar experiences, making the latter still more like the former. Few consumers react negatively to Amazon or Netflix offering recommended products based on their past purchases. By doing the same thing in real-time, when a shopper passes the relevant store aisle or section, physical retailers would be in a position to offer something no e-commerce site can match: customized shopping with the ability to see, feel and take home impulse purchases enabled by technology.

There remain a slew of legal questions about whether the data collected by location-technology providers and retailers qualifies as personally identifiable data subject to the European Union Privacy Directive and the corresponding EU Safe Harbor in the U.S. In this country, it seems likely that the unique phone IDs associated with wireless devices — which are only linked to subscribers in the carrier’s switching and billing systems — would not be considered personal data by the Federal Trade Commission. In Europe, countries like the Netherlands and France have already articulated a more expansive view which could encompass device information in addition to name, address, phone numbers and the like. But even in the more liberal America, some have questioned whether retailers will be forced, whether by consumers or regulators, to dial-back autonomous tracking and adopt more transparent location practices.

All of this brings back memories for me personally. Nearly 15 years ago, I represented a start-up that was developing GPS chips for smartphones. While they are now ubiquitous (the start-up was sold to Qualcomm in March 2000), the challenges in making GPS work without a dedicated, external antenna were substantial. So like any good disruptor, my client went to the Federal Communications Commission to advocate cell phone location rules for E911 service that could give it a competitive advantage in the marketplace. The anecdote we used in our lobbying was that McDonald’s could message your phone, when passing one of its outlets, asking “Have you had your break today?” (That certainly dates the message, of course).

Technology has evolved so much that shopping is now almost at that place. Location tracking platform providers and their retail clients are offering a degree of interactivity never before available at retail. Whether it is compelling or creepy to consumers, of course, remains to be determined.

Note: The author has represented shopkick Inc., but not in connection with the company’s privacy policies and practices. Originally prepared for and reposted with permission of the Disruptive Competition Project.