Privacy Policy for location data

Privacy Policy for location data

In February of 2015, the Federal Trade Commission (FTC) expanded their guidelines for mobile app developers who create apps that collect user data, specifically user location data.

This expansion builds upon the original guidance published by the FTC in February of 2013 in their report "Mobile Privacy Disclosures: Building Trust Through Transparency".

A recently settled lawsuit initiated by the FTC shows that these guidelines should not be disregarded by app developers without the risk of being charged with deceptive practices. The lawsuit will be discussed further in this article.

Guidance from the FTC

Guidance from 2013

Key points for mobile app developers from the 2013 report include:

  • Mobile apps should include a Privacy Policy that is easily accessible to people before downloading the app.

    Here's what a user sees on the Apple App Store when looking to download the Facebook app:

    Privacy Policy of Facebook Linking from App Store

    Facebook links directly to its Privacy Policy page from the App Store profile page.

    The same link can be placed on the profile page of the app, but when users are looking from the App Store webpages and not from their iOS devices:

  • iOS Privacy Policy Link in the App Store

  • Before any personal information is collected and shared by the app with the necessary third parties, the collecting and sharing of information should be disclosed to the user and express consent must be obtained.

    Here's an example of consent from users agreeing to a new updated Terms and Conditions agreement from Airbnb iOS app:

  • AirBnb iOS: I agree to updated Terms checkbox

Guidance from 2015

The 2015 update addresses mobile apps that collect the location data of a user when the app is not being actively used.

The FTC states that this collection of data, while the app is not in use:

  • Should be disclosed very clearly
  • The user should be given the chance to not allow the continual location tracking

This is especially important for apps that a user would not assume would be collecting location data when not actively in use.

For example, someone using a navigation app to get turn-by-turn driving directions will be aware that the app is actively collecting location data during the drive.

However, if that navigation app continues to collect location data after the user arrives at the location and exits out of the app, this should be disclosed and consent obtained because it's not intuitive that the app would do this.

Foursquare Location Data in Privacy Policy

Foursquare constantly tracks the location of users, but makes this very clear in their Privacy Policy seen above by stating that:

If you have 'background location' turned on, the Foursquare app will, from time to time, tell us about your device's location even if you are not directly interacting with the application.

This language lets the user know that the tracking is continual regardless of active interaction with the app, but also provides the user with a way to avoid the tracking: by turning "background location" off.

While some operating systems, such as iOS8, have a measure in place that requires all mobile apps to require express consent before location data is allowed to be collected when an app is not in use, other operating systems do not.

Because of this, mobile app developers should work to add the appropriate disclosures and consent requirements into each mobile app developed. It's legally risky to not do this.

FTC v Goldenshores Technologies

In December 2013, the FTC filed a formal complaint against Goldenshores Technologies alleging unfair or deceptive acts or practices.

Goldenshores developed and provided a mobile app called Brightest Flashlight Free.

The Privacy Policy for the Brightest Flashlight Free app didn't alert users that personal data, including location data, was being collected, and a deceiving choice on whether to share such data was presented to the users.

The case was settled and Goldenshores was required to comply with a number of requirements. The most notably are the following:

  • A just-in-time disclosure must be provided to users that fully informs them of when, how, and why their location data is being collected, used, and shared
  • Affirmative express consent must be obtained by users before location data can be collected.

How to stay compliant

As a mobile app developer, there are a few easy steps you can take to make sure your app is compliant with FTC guidelines while collecting location data:

Update Privacy Policy

Make sure that your mobile app's Privacy Policy agreement includes a section about location data collection. "Location Data" is common clause found in this legal agreement.

Be very clear on the following:

  1. When you collect, use and share location data.

    If your mobile app collects location data constantly, whether the app is being actively used or not, let your users know this.

    If location data is only collected when the app is being used, make this clear as well.

    Let your users know when that collected data will be used, and when you share it with any third parties.

  2. How you collect, use and share location data.

    Let users know what technologies your mobile app uses to collect location data.

    Be clear about what the app uses the data for, as well as how exactly the data is shared with any third parties.

    A portion of the Privacy Policy of Google outlines the technologies used to collect location data:

    Google Location Data in Privacy Policy

    By telling the user that "various technologies [are used to] determine location, including IP address, GPS, and other sensors" a user is able to better control when and if location data is to be collected from his devices.

  3. Why you collect, use and share location data.

    Be completely transparent about why you need or choose to collect location data.

    Facebook Location Data In Privacy Policy

    The Privacy Policy of Facebook makes it clear what location information is used for by stating that:

    When we have location information, we use it to tailor our Services for you and others, like helping you to check-in and find local events or offers in your area or tell your friends that you are nearby.

Use notifications

When a user first opens your app, use a dialogue box to include a notification about when location data will be collected:

iOS Notification On Allow Current Location

Require the user to have an option to either consent to this data collection or disallow it.

You can also integrate pop-up reminders that an app requires location tracking to be enabled in order to work, which gives users a choice as to whether to allow location data to be collected at that moment.

The Google Maps app informs users if their location data settings are disabled:

Google Maps Informs About Current Location

These pop-up messages are great ways to ensure a user is aware of location data being used and require the user to consent or choose not to continue.

By having a clear Privacy Policy agreement that tells a user when, how and why you're recording location data and requiring active consent before obtaining this data, your mobile app will remain compliant with FTC guidelines.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.