Mobile Edition
Print
Get the Mag
Weekly UpdatesChoice means that consumers can make decisions about their personal information that is collected and must agree to use of that data by third parties. (84) Choice may be difficult in the wireless world since consumers will not likely know all the parties that are receiving personal information. (85) Additionally, privacy disclosures are often not easy to understand, and if they are only provided at the establishment of the service, informed consent may be questioned. (86)
Access requires that the consumer has the opportunity to view and challenge the accuracy of the data collected. (87) This provides accountability in the data collection process. (88) One concern here is that it is often expensive for a company to provide access and authenticate consumers' requests to view their collected location information, (89)
Security refers to the protection of the data against unauthorized access. (90) Although the public generally believes that wireless communication is vulnerable to interception over the airwaves, the greater vulnerability is within the carrier network. (91) The wireless community continues to develop technologies that increase both the protection of the consumer's personal information and the consumer's control over the security of that information. (92)
A related security concern is what is sometimes called the "pot of honey" issue. When valuable information is collected and stored, it becomes an attractive target of hackers. (93) One need only to look to the recent breaches of security of the information storehouses of LexisNexis and ChoicePoint to see that personal information has value and is vulnerable to attack. (94)
Enforcement is the type of regulation governing the violation of the four above principles. (95) This can be self-regulation, government regulation, or even civil and criminal lawsuits. (95) Although the FTC has brought a number of cases against Web sites for failure to enforce their own privacy statements, enforcement has generally been limited to payment of the money made from the illegal activity and renewed enforcement of the privacy agreement. (97)
The FTC privacy principles, although seen in varying forms, are consistently used in privacy regulations. The FTC has used these principles and its authority under Section 5 of the FTC Act to bring actions against Web sites that have breached their own privacy agreements. Without further legislation, it is likely that the FTC and industry self-regulation will be a temporary means for regulating the privacy of personal location information.
IV. PROBLEMS WITH CURRENT REGULATION MECHANISMS
The current regulation mechanisms provide minimal protection for location information. Individuals attempting to prevent a wireless carrier from storing their personal location information have little recourse if their requests are ignored. Individuals do have some statutory protection against further dissemination of that information, but the protection is minimal. (98) By considering each of the current regulation mechanisms, it is clear that there is little people can do to ensure the protection of their location information.
As we have already seen, both the Constitution and common law tort law provide little to no protection for individuals against the collection and use of personal location information by private businesses. (99)
Furthermore, the statutory protection is inadequate. Section 222 limits the use of "proprietary information from another carrier for purposes of providing any telecommunications service ..." but does not clearly limit the use of "proprietary information" by third party service providers. (100) The statute does not limit the collection and storage of location information but only the disclosure of CPNI without consent. (101) Therefore, a wireless carrier that collects and stores individual location information without disclosing it to third parties would not be in violation of the statute. (102)
If a wireless carrier or a third-party service provider disclosed an individual's location information, the individual has no remedy unless the individual can show actual damages. Therefore, the individual must rely on the FCC to take action to fine or penalize the wireless carrier. (103)
Therefore, as the law now stands, protection of location information must be found in a combination of industry self-regulation and FTC enforcement of the wireless carriers' voluntary privacy statements. Self-regulation is based upon the premise that the industry is motivated to protect the privacy of the consumer out of fear of bad publicity or the possibility of a backlash from consumers that are unsatisfied with the privacy protection provided. (104) Advocates of self-regulation often tout the heavy costs and inflexibility of regulatory controls, claiming that they will hinder technological growth and market developments since much of the fundamentals of location services are largely unknown. (105)
However, problems with self-regulation have become apparent with the Internet. (106) Initially, the FTC sought self-regulation of Web sites, relying on industry organizations to adopt enforcement mechanisms for violations of the privacy agreements. (107) When most Web sites failed to implement privacy protection for consumers, the FTC reversed itself and asked Congress for legislation to provide consumer protection. (108)
An example that illustrates the failure of self-regulation on the Internet is evident in the sale of personal information by Gateway Learning Corporation. Despite explicit promises in its privacy statement, Gateway Learning rented personal information to marketers. (109) After collecting personal information from customers, Gateway Learning changed its privacy statement, allowing disclosure of the personal information to third parties without the consumer's consent or notification. (110) The FTC and Gateway Learning settled the lawsuit. (111) Gateway Learning gave up the money that it earned from the sale of the personal information and promised not to retroactively sell consumer personal information without consent in the future. (112)
Most scholars have concluded that self-regulation to protect consumer privacy on the Internet has failed. (113) Furthermore, even if the five principles articulated by the FTC were implemented, the principles do not provide adequate consumer protection for location information. First, notice is often buried in a contract or provided in a complicated form at the commencement of service and consumers are often unaware of its existence, providing ineffective notice. Second, choice in this environment is dubious at best. If all the wireless providers require consent to provide location-based services, then there is really no consumer choice at all. The consumer has no bargaining power against the wireless carrier. The consumer is left with the choice of having the cell phone and giving up rights to location information or not having the cell phone and losing the benefits of the E-911 mandate. (114) This effectively defeats the benefit of increased safety through the E-911 mandate.
The FTC's "access" principle is included in the statute; however, it only appears to apply to telecommunications carriers. (115) Access should apply both to the wireless carrier and all third-party service providers. Therefore, under the FTC privacy principles, access would have to be addressed in the wireless carrier's privacy agreement. Additionally, there is no provision requiring security of the information in the statute, so the security of the information would also fall under the regulation of the privacy policy through the FTC. Since each individual company can determine its own level of security and is only held accountable for breaking promises as stated in the privacy statement, the protection provided by the FTC is inadequate.
Currently the FTC guidelines are also inadequate, in that there is not a sufficient remedy. Enforcement of violations of the Web site's own privacy statements has traditionally required the company to adhere to its stated privacy statement and pay a fine equivalent to the amount the company made by selling the personal information that was promised not to be disclosed. (116) At this point the harm has been done, as the information is now in the marketplace and can be freely distributed. (117) In order to recover damages or penalize the policy violator, the consumer would be required to show a specific injury for the harm suffered due to the illegal disclosure. Since in most cases the harm is annoyance or uneasiness in knowing that very personal information is being processed and made available to others, it is unlikely that the consumer can recover any damages from the wireless carrier or encourage future compliance.
Furthermore, the companies create their own privacy policies. There is no affirmative requirement that a privacy policy be developed. Even if the company does create a privacy policy, there are no requirements as to what must be included. Finally, most people do not read the privacy policy. (118) Therefore a company could create a policy with no privacy protection for the customer.
Despite the failure of self-regulation on the Internet, the wireless industry is at work developing technological solutions to improve the privacy and individual control of location information. (119) Ideas such as digital rights management would allow consumers to determine specifically which parties had access to their data. (120) Others are considering the use of a proxy to create privacy preferences for a user and similar solutions that allow changes to the preferences depending upon the time and the circumstances, which allows the creation of "work," "home," and "anonymous" personas to determine what information is transmitted. (121)
FEED