New York City is considering a law that could stop cellphone carriers and smartphone app vendors from selling their location data.
The bill would ban anyone from collecting and sharing location data from mobile phones in the city, imposing harsh penalties for violators. It says:
It is unlawful for a mobile application developer or a telecommunications carrier to share a customer’s location data where such location data was collected while the customer’s mobile communications device were physically present in the city.
Anyone violating the law would face fines of up to $1,000 for each user’s data, up to $10,000 per day.
Sales of location data are rife in the US. It comes from at least two sources: apps that gather it from the phone, and wireless carriers who continuously monitor phones’ locations. Both have been found sharing the location information with data aggregation companies who can then make it available to third parties.
In December, the New York Times reported on a database of a million New Yorkers’ phones that updated their location as frequently as every two seconds. At least 75 companies received precise location data from apps whose users enable location services on their phones to get location-specific information like weather reports, it said.
The Times tested 20 popular apps and found that 17 of them shared location data with third parties. Only four of them told users during the permissions process that their data could be used for advertising.
That’s not all such data might be used for. A month later, Motherboard reporter Joseph Cox explained how he had purchased data on a phone’s current location from a shady dealer (with the target’s consent). He reported that some companies selling this data aren’t that worried about who they sell it to or how it’s used.
Another study from Guardian Firewall found dozens of iOS apps that slurped location histories from the phones and sent them to data monetisation firms. In many cases, those apps also sent ongoing location data.
Many of these apps bury detail about their data sharing in lengthy privacy policies or license agreements.
The problem has privacy advocates concerned. Last week, the Electronic Frontier Foundation (EFF) sued AT&T and two data aggregators on behalf of Californian customers to stop them from letting companies access user location data. In a statement responding to New York City’s proposed law, it told us:
We’re glad to see proposals that would give users, not tech companies or app makers, control over who gets to see their location data. Users need strong privacy protection laws at the local, state, and national level to prevent the sharing and sale of their data without consent.
State law that would curb companies’ ability to sell personal data is already underway. The New York Privacy Act, proposed in May by state senator Kevin Thomas, would allow people to personally sue companies who are mishandling their data. However, the law is only a proposal right now, and a similar clause was removed from the California Consumer Protection Act before it reached the governor’s desk.
A spokesperson for New York City Council said that it didn’t want to wait for state legislators:
The bill failed to pass this session and therefore it is not yet law and we have no idea as to when it might become law. We have jurisdiction within the City of New York and so we will proceed with our bill.