This post discusses some of the contractual requirements imposed by Apple and Google regarding the collection and sharing of locational information. What consents, if any, do Apple and Google require that app publishers obtain before collecting and using locational information? This is a question that is being asked with increasing frequency. In fact, a regular beat of media coverage on the issue (see, e.g., here or here), has reached crescendo levels with a much-discussed article this past week in the New York Times. Coincidentally (or maybe not?), the NYT article was published the day before Google CEO Sundar Pichai testified before the House Judiciary Committee on Google’s privacy and data collection practices, among other things.So what are Apple’s and Google’s contractual requirements for app developers with respect to consent to locational tracking today?
Apple, in Section 5.1.5 (“Location Services”) of its App Store Review Guidelines states the following:
“Use Location services in your app only when it is directly relevant to the features and services provided by the app….Ensure that you notify and obtain consent before collecting, transmitting, or using location data.”
The Apple Human Interface Guidelines goes into greater detail, specifying that users must grant permission for an app to access locational information:
Once collected, can locational information be shared with third parties?
Apple in Section 5.1.2[i] (“Data Use and Sharing”) of the App Store Review Guidelines states: “Data collected from apps may only be shared with third parties to improve the app or serve advertising.” This provision does not address onward sharing by those third parties.
Google provides in its “Privacy, Security and Deception” section of the Google Play Developer Policy Center that a developer must be “transparent in how you handle user data (e.g., information collected from or about a user, including device information). That means disclosing the collection, use, and sharing of the data, and limiting the use of the data to the purposes disclosed, and the consent provided by the user.”
The section provides additional requirements for the collection and use of “Personal and Sensitive Information.” Personal and Sensitive Information, the section states, “includes, but isn’t limited to personally identifiable information, financial and payment information, authentication information, phonebook, contacts SMS and call related data, microphone and camera sensor data, and sensitive device or usage data.” The disclosure requirements for personal and sensitive information are more detailed, and the section provides that in cases where users may not expect that their personal or sensitive user data will be required to provide or improve the features of the app, additional requirements, including obtaining a user’s express in-app consent, are needed.
Locational information is not expressly included in Google’s identification of personal and sensitive information. Does location data fall under the “personal and sensitive information” catchall? Some regulators may take the position that location information is sensitive information (e.g., the FTC’s 2012 final consumer privacy report, which considers precise geolocation data as sensitive information). The federal Children’s Online Privacy Protection Rule (COPPA Rule) states that a child’s location information “sufficient to identify street name and name of a city or town” is personal information subject to COPPA. And notably, in the testimony of Google’s own CEO, Sundar Pichai before the House Judiciary Committee, when asked by Rep. Karen Handel whether he agreed with the FTC’s general policy that precise geolocation information is considered sensitive information and that consumers must opt-in to the sharing of such data, Mr. Pichai stated that he did.
Further, Google’s Developers documentation provides a list of so-called “dangerous permissions” (as opposed to “normal” permissions) which the Android user must expressly agree to grant via a system dialog box. As shown below, “dangerous permissions” include permissions for the collection of both “fine” and “coarse” geolocation data.
This post is not a substitute for your own review of the relevant platform terms and conditions, as the post could quickly become out of date. While legislative or regulatory changes take time to roll out, the contractual requirements of Apple and Google can be changed with the click of a mouse. In fact, both have made a series of changes to their requirements over the last few months. So, it is very possible that they may impose new and stricter requirements on their app publisher communities to address some of the comments generated by the recent media coverage and, in the process, seek to discourage extensive regulatory or legislative involvement.
Is legislation likely? It is unclear whether Congress will pass a federal privacy law that addresses these mobile privacy issues. Maybe such issues will be enacted at the individual state level instead (e.g., the California Consumer Privacy Act).
In this evolving landscape, app developers and users of mobile-gathered locational data should be sure to stay current on platform contractual requirements and legislative developments. Also everyone should be aware that, depending on the facts and circumstances of a particular situation, there may be other federal or state laws, or self-regulatory industry guidelines that apply to cases where locational information is collected and used by app developers and other third parties.