New legislation aiming to protect the privacy of internet and phone users could shield not just their browsing and buying habits but their location information as well.
The American Data Dissemination (ADD) Act, introduced by Sen. Marco Rubio on January 16, covers service providers that use the internet and “collect records” — a very broad definition. The Act will also be enforced against common carriers — that is telecommunications companies.
The bill uses as its framework the Privacy Act of 1974, which governs how federal agencies handle and protect records about individuals. Under the 1974 Act the government cannot (with some exceptions) share data about someone without their prior permission and must allow a person to see, get a copy of and correct records about themselves. The government can be sued for violating the Act.
Interestingly, the 1974 Act also requires agencies to give the public notice of their systems of records, according to a Department of Justice synopsis. That is agencies must publish a list of the kind of records they keep in the Federal Register.
“A similar structure would provide consumers with protections against similar unwarranted intrusions from sophisticated actors in the private industry,” Rubio said in a summary of the bill.
“Senator Rubio has put forward a very good proposal to address growing concerns about privacy protection. The federal Privacy Act is also the right starting point,” said Marc Rotenberg, executive director of the Electronic Privacy Information Center in a tweet.
The ADD Act gives the Federal Trade Commission (FTC) 180 days to submit detailed privacy recommendations and then a little more than a year to propose regulations. Two years after the ADD Act is enacted — if a law is not enacted with protections similar to the 1974 Act — then the FTC is to come up with final regulations and “impose such privacy requirements.”
The protection of one’s geolocation, especially when tracked over time, is becoming an increasing concern because of what can be learned, for example, about a person’s politics, associations and health.
In a December New York Times story, reporters described how phone apps record location information — sometimes as often as every 2 seconds — for later sale to location tracking firms. That data is supposed to be anonymous but that veil can still be pierced especially when location is combined with other data. “Your Apps Know Where You Were Last Night,” the headline said, “And They’re Not Keeping It Secret.”
“The Federal Trade Commission (FTC) has already taken the position that certain geolocation data is sensitive data deserving of a greater level of privacy protection, according to a 2013 post by the law firm Hogan Lovells on the International Association of Privacy Professionals’ Tracker Blog.” That year the FTC updated its regulations to address how new developments, including the availability of geolocation information, affected children’s privacy. The FTC underscored the issue in its Privacy & Data Security Update 2017 calling out Uber for the way it handled sensitive consumer information, including geolocation data.