I. Introduction

A. Overview.

The relationship between geolocation data as intellectual property and the limitations that privacy laws have on said data is both complex and developing. This presentation will address some of the key issues regarding the collection and use of geolocation data, and provide some practical advice on practices that will help mitigate many of the privacy issues surrounding the use of geolocation data.

B. What is Geolocation Data?

Geolocation data is the information collected through tracking technologies or other means regarding an individual's location in the world. Geolocation data is collected through numerous means, as discussed below, and can be used for endless purposes, including: providing travel directions, unlocking vehicle doors, avoiding traffic congestion, directly marketing products and services, locating employees, assisting in an emergency, monitoring children or family members with memory deficiencies, locating gas stations, and monitoring sex offenders and other criminals. Despite these legitimate, and in some instances invaluable, uses, the collection of geolocation data also presents individuals, businesses and governments with serious privacy concerns and responsibilities. For example, as individuals, do we impliedly give up our right to privacy when we knowingly carry a device with tracking capabilities? What are the entities who collect this data doing with it and with whom are they sharing it? Are there other forms of data (financial or otherwise) that indirectly include geolocational information? And finally, is there legislation in place that could balance the privacy concerns of individuals with the valid intellectual property rights of geolocation data collectors?

C. Ways Geolocation Data is Collected and Who is Collecting It?

Geolocation data is collected in a variety of ways, including, but not limited to: global positioning system ("GPS") devices, web browsing via IP addresses, mobile telephones, credit/debit card transactions, highway toll-paying devices, recharging connection for electric automobiles (via Smart Grid technology), geotags in photos, and posts on Facebook and other social networking sites. As this information is collected, it is becoming increasingly easy for the companies providing these services – and/or those with whom they share it – to monitor an individual's routines and transactions and to accurately predict an individual's future course of action. With these predictions, businesses are able to target customers on a time and location specific basis, making geolocation data a valuable component of intellectual property for any business.

The entities collecting geolocation data are numerous, especially when, as discussed below, one considers the number of businesses that collect geolocation data supplemental to other data being collected (for example, credit card companies obtain geolocation data every time an individual uses their credit card; however, the collection of geolocation data is supplemental to the primary purposes for collecting the underlying transactional information – items purchased, amount of the purchase, avoiding fraud, etc.). Geolocation data collecting entities include mobile phone providers, cable providers, internet providers, financial institutions, GPS providers, state toll way agencies, law enforcement agencies, advertisers, and so on.

Notably, and as discussed below, there are few restrictions on how these entities can use the geolocation data collected, how long they can store it for, and/or who they can share it with.

II. Geolocation data as intellectual property

A. Ownership of Geolocation Data.

Geolocation data is valuable intellectual property that is typically owned by the entity collecting the data, unless transferred or sold to another entity. Therefore, the entity collecting geolocation data – whether purposely or supplemental to other information being collected – is responsible for the use, maintenance, security and disposal of such data.

B. Geolocation Data as Supplemental Information.

In addition, as noted above, many businesses collect geolocation data supplemental to other information. For example, when you use your electronic toll-paying device, the state tollway authority knows where you are and each time you go through a toll. As this data is aggregated, patterns may begin to develop. If you go through the same toll Monday through Friday at the same times, the tollway authority not only knows you paid a toll, but it knows approximately what time you go to work every day and what time you come home (and by what route). Although this information may not necessarily be valuable to the tollway authority, other businesses may have a use for such information. Moreover, geolocation data combined with other personal information on file with the state tollway authority may be valuable to criminals and other unauthorized individuals.

As this example points out, many businesses that monitor individuals collect geolocation data – even when it is supplemental to some other business purpose.

III. Privacy Issues affecting geolocation data

A. Overlap of IP and Individual Privacy Concerns.

As should be obvious by now, geolocation data can be valuable intellectual property to businesses and advertisers. Geolocation data can tell businesses a lot about an individual's behaviors and habits, allowing businesses to predict an individual's actions and target them in unprecedented ways. This increasing ability to combine data from many sources with an individual's geolocation data means not only that individuals can be tracked with respect to their physical movements, but also with respect to their other activities, like buying habits and typical routes to work. Moreover, even if an entity has no direct use for the geolocation data it is collecting, advertisers and similar businesses are more than willing to purchase the data for their own specific needs – making geolocation data valuable to its owner, even when the owner has no direct use for the data.

However, it goes without saying that most consumers do not want advertisers and business to know their every movement and to target them at any time (just think for a moment how annoying telemarketing calls at dinner time were – now imagine being targeted at any time on your mobile phone, etc.). Instead, most individuals expect – when they know that their geolocation data is being collected -- that the data is being used for a specific and limited purpose. If the tollway authority is collecting geolocation data, then consumers likely expect that the data is being collected for the limited purpose of monitoring toll payments. If a financial institution is keeping records of a consumer's credit card transactions, then the consumer likely expects that the geolocation data is being used to prevent fraud and to monitor purchases. If a consumer's GPS device information is being collected, consumers likely expect that the information is being used solely for providing directions and avoiding traffic.

Privacy concerns arise when geolocation data collectors use the data for purposes other than what the consumer reasonably expects. However, the temptation to use geolocation data for other purposes can be tempting, especially when geolocation data is combined with other consumer information (e.g., name, address, etc.). This combination allows businesses to send individualized and targeted advertisements to consumers or to monitor an individual's every movement – acts that many consider to be an invasion of privacy arising from individual profiling resulting from the aggregation of previously disparate and unconnected bits of personal data.

Accordingly, it is easy to see how the collection of geolocation data can collide with consumer privacy concerns. The more difficult analysis is determining when a business goes beyond the valid use of geolocation data and encroaches on consumer privacy expectations. Unfortunately, there is little legislation or guidance on this issue.

B. Collecting, Using and Maintaining Geolocation Data.

1. Existing Legislation and Policies.

Statutes and regulations regarding the collection, maintenance, and use of geolocation data alone are still limited at both the state and federal levels. However, when geolocation data is combined with other information that allows an entity to identify a specific individual and/or a specific industry or category of information that is itself regulated (e.g., financial records, health information, mobile carriers, etc.), the data can be considered personally identifiable information ("PII") and expose an entity to additional laws and regulations. For example, Title II of the Communications Act imposes various obligations on telecommunications entities regarding the handling of customer information, which includes geolocation data, and requires customer consent before such information can be shared.1 Further, the Cable Communications Policy Act of 1984 (added to the Communications Act of 1934), which applies to cable operators who may collect geolocation data through internet services or other means, imposes various obligations on cable operators that involve PII.2

In the area of online advertising, where advertisers use geolocation data to determine an individual's behavior for marketing purposes, the Federal Trade Commission ("FTC") issued a report in 2009 containing self-regulatory guidelines for the online advertising industry.3 In addition, numerous online advertising industry groups released similar self-regulatory guidelines for industry actors.4 In its report, the FTC recommends, in part, that entities provide notice on their websites that data is being collected,5 that individuals have the ability to opt-out of the collection,6 that individuals are made aware of any changes in an entity's privacy policy and must provide consent before previously-collected data is used in a way not originally stated in the privacy policy,7 and mandatory "opt-in" for the handling of sensitive information.8 However, these recommendations are not binding and only serve as a guide to online advertisers collecting relevant data, except where FTC law explicitly states otherwise.

Finally, geolocation data is a hot topic as it relates to the Fourth Amendment and law enforcement surveillance.9 Although not of significant relevance to this audience, it is important to note that there is still debate as to whether an individual has a reasonable privacy interest in their own movement (i.e., geolocation data). Currently, federal case law generally allows the installation and use of GPS devices by the government to track a suspect's vehicle without a warrant for a limited time.10

C. How You Should Use Geolocation Data In a Way to Mitigate Privacy Issues.

There are multiple options to consider in attempting to mitigate privacy issues when handling an individual's geolocation data. In addition, the FTC and other related organizations and industry groups offer ample suggestions to entities keeping sensitive information, including, but not limited to, geolocation data. However, each collecting entity is different and uses geolocation data for different purposes. Regardless, here are some things to consider that can help mitigate any privacy concerns:

  • Know what geolocation data you are collecting, how you are collecting it, how you are using it, and how long you keep it for. Without an understanding of what information you are collecting and why you are collecting it, it is impossible to narrowly tailor your collection and use of geolocation data in a way that mitigates privacy issues while at the same time, allows you to benefit from your valuable intellectual property.
  • If you do retain geolocation data, keep only what is necessary to successfully manage your business and/or achieve your specified purpose in collecting the data – nothing more.
  • Ensure that the geolocation data you retain is secure. If someone is able to access geolocation data without permission or authorization – in combination with other sensitive data – you expose yourself to state breach notification laws and potential litigation from affected individuals.
  • Retain geolocation data for only as long as you need it and ensure that you properly dispose of what you no longer need.
  • Avoid merging geolocation data with personally identifiable information (full name, social security number, driver's license number, financial account information, health information, birthday, etc.). Once you combine this information, you may open yourself up to additional laws and regulations.
  • Provide clear notice to individuals of the geolocation data collected, how it is collected and why it is collected. Moreover, whenever possible, give individuals the ability to "opt-in" or, at the very least, "op-out" of the data collection.
  • Whenever possible, do not share geolocation data with other businesses.
  • Create an internal plan to respond to security breaches and monitor state data breach notification laws to ensure that you comply with relevant statutes in the case of a breach of geolocation data.

Depending on your business and your purpose for collecting geolocation data, it may be impossible to implement all of these suggestions. However, the more you are able to limit your collection, use and retention of geolocation data, the more successful you will be in mitigating individual privacy concerns.

IV. Conclusion

Geolocation capabilities are rapidly expanding both qualitatively and in breadth, and as usual, the technology is well ahead of the law. Legislators need to focus on the current status of these developing capabilities and implement a flexible framework by which to protect individuals from unexpected intrusions into their privacy, while at the same time responding to the always-changing face of technology. As with the areas of social networking and behavioral advertising, action is becoming more urgent. Given the national scope of this dilemma, Congress needs to join with the Federal Trade Commission now to devote the resources necessary to address these issues and to keep pace with the accelerating technology sector.

Foonotes

* This article was authored by Kenneth K. Dort and Jeremiah J. Posedel of Drinker Biddle & Reath LLP. Mr. Dort is a partner, and Mr. Posedel is an associate, in the firm's Intellectual Property Practice Group, focusing on information technology implementation disputes, intellectual property protection, data security and privacy matters out of the firm's Chicago office.

1. 47 U.S.C. §§ 222.

2. 47 U.S.C. §§ 551.

3. Federal Trade Commission Staff Report, Self-Regulatory Principles For Online Behavioral Advertising: Behavioral Advertising Tracking, Targeting & Technology (Feb. 2009), available at http:// www.ftc.gov/opa/2009/02/behavad.shtm ("Staff Report").

4. Practising Law Institute, Online Behavior Advertising: Industry's Current Self-Regulatory Framework is Necessary, but Still Insufficient On Its Own To Protect Consumers, 994 PLI/Pat 797 , 804 (West 2010).

5. Staff Report at 35-36.

6. Staff Report at 46.

7. Staff Report at 47.

8. Staff Report at 43-44. Although the FTC has not specifically defined "sensitive data", precise geographic location is provided as an example of "sensitive data."

9. "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized." U.S. Constitution, 4th Amendment.

10. See, e.g., United States v. Moran, 349 F. Supp. 2d 425, 432 (N.D.N.Y 2005); but see United States v. Maynard, 615 F.3d 544, 558 (D.C. Cir. 2010) cert. denied, 131 S. Ct. 671, 178 L. Ed. 2d 500 (U.S. 2010) (warrantless use of global positioning system (GPS) device on defendant's vehicle for a month was a search).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.