Growing Scrutiny of Mobile Data Collection

Regulators in the U.S. and Europe are stepping up their scrutiny of the mobile technology and marketing space, specifically regarding the collection of location data and other behavioral information.

The U.S. Senate Committee on Commerce, Science, and Transportation held a subcommittee hearing on Thursday titled “consumer privacy and protection in the mobile marketplace,” and invited representatives from Google, Apple, and Facebook to testify alongside David Vladeck, Director of the Bureau of Consumer Protection of the Federal Trade Commission.

Meanwhile in Europe this week, the European Commission’s Article 29 Working Party – a collection of data authorities from across the EU responsible for promoting pan European privacy practices – issued an opinion classifying location data from smartphones as “personal data,” the collection of which it suggested is only legal following consumers’ “prior informed consent.”

During Thursday’s subcommittee hearing, Senator John Rockefeller voiced concerns about the amount of information mobile devices can collect about their owners, thanks largely to their personal nature, and called for stronger controls over how and when that data is shared. 

“As smartphones become more powerful, more personal information is being concentrated in one place. Consumers want to understand and have control of their personal information,” said Rockefeller, who is chairman of the U.S. Senate Committee on Commerce, Science, and Transportation.

Unfortunately, today this expectation is not being met, he said, adding that companies operating in the space should “create better privacy notices and controls that work in the mobile world.”

Vladeck broadly agreed, citing the FTC’s ongoing investigations into the data collection practices of multiple mobile-related companies as evidence of its own increased focus on the space. The Commission refused to comment on those investigations when asked by ClickZ.

In a prepared statement submitted to the committee, the FTC also said its suggested “Do-Not-Track” mechanism should apply to mobile as well as desktop devices. “At least for purposes of web browsing, the issues surrounding implementation of Do Not Track are the same on mobile devices and desktop computers,” the statement read. It went on to note FTC’s staff is examining ways to implement a Do Not Track mechanism for mobile applications.

During her testimony, Apple’s VP of worldwide government affairs, Catherine Novelli, said the company already provides tools that allow consumers to control the collection and use of data on its mobile devices, including data relating to location. “Apple does not track users’ locations – Apple has never done so and has no plans to ever do so,” she said, although the company admitted that it does use location-data to target mobile ads across its iAd network. Apple found itself under fire last month for collecting location-related data even after users opted out of sharing it, a bug that it has since fixed through a software update for iPhone, iPad and iPod Touch devices.

Meanwhile Google’s director of public policy for the Americas, Alan Davidson, simply said his company supports the development of a legal privacy framework that can “ensure broad-based user trust and that will support continued innovation.”

Speaking on behalf of Facebook, Bret Taylor, the company’s Chief Technology Officer, took a stronger stance, warning that heavy-handed regulation could potentially stifle innovation among mobile technology and service providers. “Adopting overly restrictive policies will prevent our social features from functioning in the way that individuals expect and demand,” he said, in reference to Facebook’s collection and use of consumers’ data.

The opinion issued in Europe this week called for tighter control over the use of mobile consumers’ geolocation data.   

The Article 29 working party concluded that “location data sent from smart mobile devices are personal data,” meaning information can only be collected following “prior informed consent,” and that any location services must be switched off by default. Further, it said consent must be given for each specific data use, meaning any profiling or ad targeting uses must be clearly disclosed.

Related reading