Carriers Say Third Parties Can Use Consumer Location Data Without Consent
Wireless carriers can’t completely control how third parties use location and other personal data of consumers, top carriers said. Reps. Ed Markey, D-Mass., and Joe Barton, R-Texas, on Thursday released the carriers’ responses to the lawmakers’ inquiry on customer location tracking (CD March 31 p15). Also Thursday, the Senate Commerce Committee announced a hearing next month on mobile privacy and consumer protection, becoming the second Senate panel to do so. The developments on Capitol Hill came one day after Apple said it would fix an iPhone “bug” that stores users’ location logs (CD April 28 p5).
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
The wireless carriers’ responses left Barton “with a feeling of uneasiness and uncertainty,” he said in a statement. “While I am happy to hear that carriers inform their customers of the risks of using independent third-party applications, third-party developers can access the location of customers anytime they want.” Third parties “shouldn’t have free reign over your location data and personally identifiable information,” he said. “Consumer consent and control are critical to ensure adequate privacy protections,” said Markey. “Personal data should be made unreadable to those without a legitimate need to access it to the greatest extent possible, and the data should not be retained longer than absolutely necessary."
Carriers said they provide notice and consent when providing the location-based service themselves, but have little control over how third parties use customer information. For apps and services provided by third parties without using Verizon Wireless technologies, the carrier “does not and indeed cannot control the collection and use of location information,” but Verizon warns customers about third-party LBS and provides tools to protect them, it said. AT&T cited situations where it “has no role in the provision of LBS to the customer, and therefore, plays no role in providing notice or obtaining consent.” Sprint Nextel’s privacy policy doesn’t cover third-party apps, it said, but Sprint warns consumers in device documentation and on the devices themselves before customers can download and use the apps. T-Mobile can only provide notice and require customer consent when it “directly provides” LBS, it said.
"With the dizzying array of third party applications now available to users which are not provided by carriers at all, it is understandable that consumers may be confused or less informed,” Sprint said. “While new third party applications bring many consumer benefits, there are risks too. And because mobile devices now are an open platform, consumers no longer can look their trusted carrier with whom they have a trusted relationship to answer all of their questions."
All the carriers said they honor Section 222 of the Communications Act. “Sprint does not engage in ’tracking’ its customers,” and it requires customer approval before disclosing Customer Proprietary Network Information (CPNI) to any third party, Sprint said. T-Mobile said its “policy is not to use, disclose, or permit access to its customers’ CPNI except as permitted without customer approval or as otherwise provided in Section 222 or other legal requirements."
None of the four top carriers rent or sell customer information, but they do use it for marketing, they said. Verizon said it “cannot control the extent to which third-party applications and services may collect, use, or sell information that may be collected from the applications or services independently downloaded or used by customers on their devices.”
AT&T keeps customers’ personal information “as long as needed for business, tax or legal purposes, after which we destroy it by making it unreadable or undecipherable,” it said. Location-related information “may be retained for as little as several days … or as long as five years.” Verizon generally retains customer account and billing information for seven years, it said. Sprint usually keeps “basic customer account information … for the life of the account plus 3 years,” it said. Requests for location data, but not the data itself, are “logged and retained in an unreadable format for 2 years,” Sprint said. T-Mobile keeps the data “for only as long as we have a business need, or as applicable laws, regulations, or government orders require."
The Senate also is taking up mobile privacy issues. Commerce Committee Chairman Jay Rockefeller, D-W.Va., announced Thursday that the committee would have a hearing in May. Consumers are “encountering a mobile marketplace that collects and uses a wide range of personal information -- often with inadequate or untimely disclosure,” Rockefeller said. “Reports of mobile devices tracking the location of users is just the latest in a string of concerns raised in the mobile marketplace.” Rockefeller said concentration in the mobile platform market raises further concerns about whether or not competition will drive pro-consumer practices."
The Senate Judiciary Subcommittee on Privacy previously announced a mobile privacy hearing for May 10. Officials from Google and Apple have agreed to testify, full Committee Chairman Patrick Leahy, D-Vt., announced Thursday. The subcommittee has also invited officials from the Department of Justice and the FTC.