My Troutman Sanders colleagues have written before on the continuing judicial wrangling over whether GPS tracking devices, as well as location data maintained by wireless telecom providers, require a warrant before search and seizure by the government. Last July, a New York state court ruled that a government employer did not need a warrant to attach a GPS device to an employee’s car and monitor his movements continuously for a month, contradicting an earlier decision by the New Jersey Supreme Court. More recently, the U.S. Court of Appeals for the Third Circuit held — after a thorough review of precedent dating all the way back to 1981 — that law enforcement agents must indeed first obtain a warrant based on probable cause to attach a GPS device to a criminal suspect’s vehicle.
Cases dealing with this issue merit watching because they represent the “front lines” of the intersection between personal privacy and technological capability. The Supreme Court in United States v. Jones, 131 S. Ct. 3064 (2011), decided that GPS tracking generally requires a warrant, but left open the more important question whether warrantless use of GPS devices would be “reasonable — and thus lawful — under the Fourth Amendment where officers have reasonable suspicion, and indeed probable cause,” to execute such searches. Meanwhile, a divided Fifth Circuit Court ruled in 2013 that the government may compel a wireless company to turn over 60-days worth of cell phone location data without establishing probable cause, while just last week the Massachusetts Supreme Judicial Court held that people have a reasonable expectation of privacy in their phones and thus, under the state constitution, law enforcement needs a warrant before obtaining location data from a suspect’s wireless provider.
So what does all this mean for the business community? Although law enforcement and the rather esoteric realm of constitutional law has been at the front lines of GPS privacy, there are a number of developments indicating that location privacy is also an important business issue:
First, the Federal Trade Commission — which functions as the de facto privacy regulator in the United States — has launched an inquiry into GPS tracking with a seminar convened on February 19 in Washington, D.C. This followed an FTC staff report last year, titled Mobile Privacy Disclosures: Building Trust Through Transparency, which “recommended” that companies consider offering a Do Not Track (DNT) mechanism for smartphone users among other measures to protect location privacy. Since the FTC has authority over unfair trade practices, including privacy, in almost every industry other than telecommunications, this initiative portends a risk of administrative sanction for private businesses not offering consumer choice as part of location-based services.
Second, HTC and Samsung smartphones come pre-loaded with software from the company Carrier IQ. More than 100 lawsuits filed since 2011 in federal court claim the phones unlawfully track the keystrokes of text messages and Internet searches. While the company maintains that the data are collected for customer support and to help troubleshoot network problems, it has become embroiled in litigation despite serving only as a technology vendor to other, far larger firms. (Not to leave them out, both Microsoft and Apple have also been sued over the location tracking features of their phones.) The lesson of Carrier IQ is that businesses are at risk in the GPS space even where they are not consumer-facing enterprises.
Third, a number of start-ups (Turnstyle, RetailNext, Nomi, shopkick, etc.) offer brick-and-mortar retailers the ability to use indoor location sensors and security video feeds to track movements of shoppers, recreating in the retail realm the same in-depth data on customer behavior that online merchants have long collected. Some of these firms follow best-practices by obtaining explicit opt-in for location information sharing. But the potential for adverse consumer reaction, and class action litigation, remains high ever since Nordstroms was caught in a PR whirlwind in July and unilaterally discontinued its in-store location program after notifying shoppers they were being tracked.
Fourth, it matters not whether a company is actually in the business of commercializing GPS data. In December, the FTC settled with the makers of an Android flashlight app after the agency claimed the company’s privacy policy was deceiving users into sharing their location and personal information with third-party advertisers. So there is still legal exposure for location information collection even if a firm operates in a completely different space.
Legal maneuvering can, at least for now, offset some of these risks. Under the current rules governing consumer class actions, several courts have decreed that privacy injury is insufficiently direct and substantial economically to support standing or to qualify for class action certification in federal court. For instance, in a case challenging a mobile app’s collection of geo-location data without consent, Goodman v. HTC America, Inc., the Western District of Washington held that the putative class members had not sufficiently plead injury to have standing. The court accepted as cognizable injuries overpayment for phones (because the plaintiffs would have paid less if they knew their location was to be collected as alleged) and diminution in value of the phones because of reduced battery life caused by the collection of geo-location data. Still, the court concluded that the “assertion that defendants misappropriated their personal information is not a sufficiently particularized injury to support [plaintiffs’] standing.” Yet since this opinion, and others from similar cases, holds out the possibility that identity theft or other financial harm may in the future result from insecure information collection, the standing defense appears to be time-limited.
The 4th Amendment protects people only from overreaching by the government. That may have led some in the business community to conclude prematurely that GPS and location tracking are issues only of concern to hackers and criminal enterprises. As these four developments show, however, location privacy is a serious business issue too.
Note: Originally written for and reposted with permission of my law firm’s Information Intersection blog.