Although not a new practice, the application of geofencing continues to increase in sophistication and expand into personal space on an unprecedented scale, jumping beyond commercial retail advertising schemes and diving into the depths of employment, health care, law enforcement, and politics. As the growth of these applications prompt privacy and security concerns, including government surveillance concerns, regulations lag and may be further delayed considering lawmakers’ very use of geofencing to win a governing seat.
Geofencing is the practice of using wireless internet, cellular data, global positioning system (GPS) or radio-frequency identification (RFID), or a combination of such technologies, to create a virtual boundary around a particular geographic area. When a smart-phone, tablet, or other targeted device crosses over the geofence perimeter, it triggers a response from the geofence software. So-called “active” geofencing technology powers things like home applications or “apps” that automatically adjust ambient temperature and lighting when a person enters their house. “Passive” geofencing technology is used to both (1) push advertising and other information to consumers through social media apps and other channels and (2) monitor or pull information about a consumer’s habits.
Geofencing for advocacy purposes is specifically a silent threat to personal privacy and security. For instance, earlier this year it was reported that the campaign for Tony Evers, then a gubernatorial candidate in Wisconsin, placed an electronic fence around those attending a political event. “[B]ecause the technology pulled the unique identification numbers off the phones, a data broker could also use the digital signatures to follow the devices home. Once there, the campaign could use so-called cross-device tracking technology to find associated laptops, desktops and other devices to push even more ads.” Therefore, in attending a political event whether for support or information, a community meeting, or other fenced event, “chances are good your movements are being tracked with unnerving accuracy by data vendors on the payroll of campaigns…[and such] information gathering can quickly invade even the most private of moments.”
In late 2017, the Massachusetts Attorney General reached a settlement under the Massachusetts Consumer Protection Act with an advertising firm related to geofencing. The firm used geofencing around reproductive clinics in New York, Ohio, Virginia, Missouri, and Pennsylvania to target individuals with adoption and anti-abortion advertisements sponsored by a religious organization. Under the terms of the settlement agreement, the firm was enjoined from using geofencing technology at or near Massachusetts health care facilities to infer the health status, medical condition, or medical treatment of any individual.
In April of 2018, the U.S. Federal Trade Commission (FTC) issued letters to two foreign manufacturers of electronic devices and apps that appear to have been collecting geolocation data from children warning the companies that they may be in violation of the Children’s Online Privacy Protection Act (COPPA). Copies of these letters were also sent to the Apple App Store and the Google Play Store, which offer the downloadable apps to consumers. COPPA requires companies that collect personal information from children under the age of 13 to post clear privacy policies and to notify, and obtain the consent, of parents before collecting, using, or sharing personal information from a child. Monetary penalties under COPPA can be significant, as experienced by an advertising network, which settled a case with the FTC in 2016 for $4 million after allegedly tracking young consumers. The full amount due was since suspended; however, the company was required to “delete all the location information it collected, and to honor consumers’ privacy settings. It [was also] required to implement a privacy program that will be subject to a 20-year oversight by the FTC.”
The recently enacted California Consumer Privacy Act (CCPA) will likely give consumers and regulators in that state additional legal tools to rein in the use of geofencing. The CCPA is scheduled to go into effect January 1, 2020 and gives consumers broad new rights and protections with respect to consumers’ personal information and the disclosure, use, and sale to third parties. Rulemaking under the act is on-going, but the use of geofencing in California should be approached with care to ensure compliance with the CCPA beginning in 2020.
Due to the nature of internet business, CCPA will likely affect companies nationwide whether or not other states pass similar privacy laws. This was evidenced when the U.S. Senate Judiciary Committee convened a hearing in March of 2019 to examine the CCPA and the European Union’s General Data Protection Regulation (GDPR) amidst calls for a federal privacy law similar to the CCPA and GDPR to ensure uniform privacy regulation across U.S. jurisdictions. In 2017, federal legislation regarding the “internet of things” was proposed, but failed to pass and, in March of this year, the “IoT Cybersecurity Improvement Act of 2019” was introduced in the U.S. House of Representatives. While the form and substance of a federal privacy law is far from certain, privacy advocates will surely work to include provisions that impact the use of geofencing technology.
As novel uses of geofencing proliferate, those seeking to make use of this powerful tool should tread carefully, especially when individuals are targeted based on inferences about sensitive personal information such as their health status or their location, including information from entities and sites protected under the law, such as polling stations and health care facilities. While regulators are showing willingness to address existing consumer protection and data privacy laws in the context of geofencing, it is paramount that consumers stay vigilant, understanding that some of the very leaders entrusted to protect consumers are the most serious threats to their privacy.