New York City is considering a law that could stop cellphone carriers and smartphone app vendors from selling their location data.
The bill would ban anyone from collecting and sharing location data from mobile phones in the city, imposing harsh penalties for violators. It says:
It is unlawful for a mobile application developer or a telecommunications carrier to share a customer’s location data where such location data was collected while the customer’s mobile communications device were physically present in the city.
Anyone violating the law would face fines of up to $1,000 for each user’s data, up to $10,000 per day.
Sales of location data are rife in the US. It comes from at least two sources: apps that gather it from the phone, and wireless carriers who continuously monitor phones’ locations. Both have been found sharing the location information with data aggregation companies who can then make it available to third parties.
In December, the New York Times reported on a database of a million New Yorkers’ phones that updated their location as frequently as every two seconds. At least 75 companies received precise location data from apps whose users enable location services on their phones to get location-specific information like weather reports, it said.
The Times tested 20 popular apps and found that 17 of them shared location data with third parties. Only four of them told users during the permissions process that their data could be used for advertising.
That’s not all such data might be used for. A month later, Motherboard reporter Joseph Cox explained how he had purchased data on a phone’s current location from a shady dealer (with the target’s consent). He reported that some companies selling this data aren’t that worried about who they sell it to or how it’s used.
Another study from Guardian Firewall found dozens of iOS apps that slurped location histories from the phones and sent them to data monetisation firms. In many cases, those apps also sent ongoing location data.
Many of these apps bury detail about their data sharing in lengthy privacy policies or license agreements.
The problem has privacy advocates concerned. Last week, the Electronic Frontier Foundation (EFF) sued AT&T and two data aggregators on behalf of Californian customers to stop them from letting companies access user location data. In a statement responding to New York City’s proposed law, it told us:
We’re glad to see proposals that would give users, not tech companies or app makers, control over who gets to see their location data. Users need strong privacy protection laws at the local, state, and national level to prevent the sharing and sale of their data without consent.
State law that would curb companies’ ability to sell personal data is already underway. The New York Privacy Act, proposed in May by state senator Kevin Thomas, would allow people to personally sue companies who are mishandling their data. However, the law is only a proposal right now, and a similar clause was removed from the California Consumer Protection Act before it reached the governor’s desk.
A spokesperson for New York City Council said that it didn’t want to wait for state legislators:
The bill failed to pass this session and therefore it is not yet law and we have no idea as to when it might become law. We have jurisdiction within the City of New York and so we will proceed with our bill.
Anonymous
$10k/day isn’t really that harsh a penalty by cellphone carrier standards.
Mahhn
Your right, it’s just a tax so the city can profit from it too.
Eddie
Yeah that f all for a carrier, but 10k per user per day that would stop it.
Anon
App developers will just identify users located in NYC and brick them from using their app at all. Problems for them solved.
Dave
As long as this is limited to a single city, I can understand the intent. But, on a larger scale, what about things like credit card transactions done through the phone via on-line shopping or NFC or other? Don’t the financial systems track location to help against fraud? Perhaps they just determine a transaction from a particular Smart Phone is secure regardless of location? I don’t know. I suppose the location could be gathered from the vendor in the case of NFC, but what about on-line shopping?