L.A. Joins the Growing Battle Over Location Data
Los Angeles is taking the Weather Channel to court over its treatment of app users’ location data. Expect that to be one of many such lawsuits in 2019.
At CES on Tuesday, IBM unveiled what it promises will be the future of weather forecasting: a new, hyperlocal model that aims to be the most accurate yet by predicting the weather at a 1.9-mile resolution across the globe, every hour.
While it’s made possible by advancements in artificial intelligence, the data that feeds the model might prove to be a challenge. It comes from devices whose users have downloaded the company’s popular Weather Channel app.
In her keynote address at the event, IBM CEO Ginni Rometty couldn’t ignore the legal battle brewing in the U.S. over the very source of the system’s capabilities: “As we work on these technologies, all that data that we talked about, that ownership, they belong to the user, and with their permission, we use that.”
That was a reference to a lawsuit filed last week by the city of Los Angeles against an IBM subsidiary, TWC Product and Technology, over what the city claims is the improper disclosure of what the company does with users’ personal information. According to several consumer privacy protection experts, this is likely the first of many such lawsuits this year as consumers and policymakers double down on data privacy protection.
“2018 was a watershed year in terms of the cascade of public scandal from companies that have been caught misleading their users,” says Adam Schwartz, senior staff attorney at the digital rights nonprofit Electronic Frontier Foundation. “I would expect the heat is going to continue, and that will generate more [consumer protection] laws and more lawsuits.”
By TWC’s own calculations, the app has roughly 45 million monthly users, though few may have realized the company was sharing their location data with advertisers. It’s not just general information that the app prompts users to share, according to L.A.’s lawsuit, but also their “movements in minute detail,” collected even when the app isn’t in use.
The lawsuit, citing a New York Times’ investigation from December, claims the company has been profiting off users’ geolocation data without disclosing to them that their data were being sold to third parties. And while TWC argued it has been transparent, the lawsuit alleges that, even so, the information is buried deep within a lengthy privacy policy. Without explicit notice, the app gives users no reason to look for it.
“If the price of getting a weather report is going to be the sacrifice of your most personal information about where you spend your time day and night, you sure as heck ought to be told clearly in advance,” L.A. City Attorney Michael Feuer told the Los Angeles Times. The city deems the lack of disclosure to be “fraudulent and deceptive,” and claims it’s in violation of California’s Unfair Competition Law. It’s seeking an injunction against TWC to have them stop the practices, along with a penalty of $2,500 for each violation.
That the defendant is TWC is not accidental. Feuer told the L.A. Times that the app is used by people of all demographics and places, and its seemingly “benign and innocuous” nature has allowed TWC to mislead consumers. “It’s very intuitive to us why a weather app would want our location, and people are very generally okay with that kind data collection,” says Natasha Duarte, policy analyst at the Center for Democracy and Technology. Yet location data collected over time reveal the most intimate details of our lives.
That’s why the issue at the heart of the case is not unique. “It reveals a major disconnect between business practices that are pretty well understood and even widespread within an industry and the actual understanding that people have when they are using their smartphones,” says Stacey Gray, policy counsel at the Future of Privacy Forum.
She adds that its unique for a city to bring on such a high-profile data privacy case; state attorneys general are usually the ones to file such lawsuits. But L.A. doesn’t shy away from taking large corporations to court on behalf of consumers. In the past, for example, the city hasfiled unfair-competition lawsuits against Uber after it failed to conceal a data breach and Wells Fargo after it opened unauthorized accounts.
In the absence of robust federal regulation over consumer data protection, “state enforcers are using existing [unfair and deceptive acts and practices] laws in creative ways,” Gray says. “It just so happens that California’s UDAP law is more robust than many others, in that it allows not just state AG’s to bring lawsuits, but also city attorney and individuals.” It’s worth noting that individuals have an added burden to prove economic loss, which would be a challenge in this case.
Indeed, while the federal government is still playing catch-up with consumer technology, states and cities are filling in the gap. All 50 states, including the District of Columbia, have passed or expanded their own data-breach notification laws, partly in response to Europe’s General Data Protection Regulation, which set a new standard for data privacy last year. And according to the National Conference of State Legislatures, at least 24 states have some sort of data security law—some weaker and more out of date than others.
On the federal level, Senator Ron Wyden, D-Ore. is renewing his call to ban mobile carriers from selling user data after Vice reporters paid a bounty hunter $300 to geolocate a phone, illustrating that companies like AT&T, T-Mobile, and Sprint were selling location data that could then become available on the black market.
It’s not just location data, either. Illinois holds the U.S.’s toughest law on the collection of biometric data—face scans, fingerprints, and the like—and other states are moving to pass similar legislation. New York state is moving on a bill to add biometric data to existing laws that protect consumers from cyberattacks. A separate bill proposed in New York City goes further, requiring businesses to clearly disclose at physical entrances and online if, and how, they are collecting and using such information. (The bill stops short of regulating the public sector, drawing criticism that it doesn’t go far enough.)
One of the most sweeping consumer privacy laws will come from the California Consumer Privacy Act of 2018, which will go into effect in 2020. It will give consumers four basic rights specifically related to the collection and sale of their data: the right to know how their data will be used, to opt out of having their data shared, to have a business delete their information, and to not be discriminated against for exercising those three other rights. That’s making companies nervous, as Californians make up a significant chunk of their consumer base.
Schwartz, at the Electronic Frontier Foundation, welcomes stronger state laws, as well as a “diffusion” of enforcement power. “It’s not enough for one federal agency and one attorney general officer across the 50 states to have the power. We want to diffuse enforcement, as in the case here, to city and county officials,” he says. “What’s even better is the diffusion of enforcement power to individual tech users to bring their own lawsuits.”
That’s not to say a baseline federal regulation is not needed, but Schwartz cautions that it’s somewhat of a double-edged sword. “There are a lot of demands from companies right now who are scared of state law, that Congress ought pass a new law—which of itself is a good thing,” he says. “But the price that is too high for us as privacy advocates is that the federal law would preempt state laws.”
It’s yet to be seen how L.A.’s lawsuit will play out, but Schwart adds that he’s optimistic that as companies get more sophisticated with their technology and consumers become more conscious of their data, new laws will rebalance the relationship between the two.