How difficult is it to access location data in the US? After the recent Supreme Court ruling you may need a warrant to do so. With data privacy issues taking centre stage globally, especially with the GDPR drawing so much attention, the US needs to revamp its data privacy laws quickly.
With an exponential increase in smartphone users, tracking your location has become child’s play. With people increasingly sharing their location data with map and navigation apps, weather services and the like, there is an incredible amount of data that can be tapped and used for innovative business decisions. However, tracking of your personal location data without prior permission or a warrant can certainly make you very uncomfortable.
Along these lines, the US Supreme Court ruled on June 22, 2018 that the government needs a warrant to access a person’s cellphone location history.
This decision came while hearing the case of Carpenter v. United States. The American Civil Liberties Union represented a man who had months of his cellphone location information turned over to law enforcement without a warrant. Investigators received the cell tower records with a court order that requires a lower standard than the “probable cause” needed to obtain a warrant.
The court found that obtaining such information is a search under the Fourth Amendment and that a warrant from a judge, based on probable cause, is required.
This decision comes at a time when US privacy law has needed an update for many years, and it finally brings the law closer in line with the realities of modern life.
US data protection law
As of now the US does not have a comprehensive, centralized, formal legislation regulating the collection and use of personal data. But it does ensure the privacy and protection of data through the United States Privacy Act, the Safe Harbor Act and the Health Insurance Portability and Accountability Act.
According to Thomson Reuters Practical Law, there is already a panoply of federal privacy-related laws that regulate the collection and use of personal data. Some apply to particular categories of information, such as financial or health information, or electronic communications. Others apply to activities that use personal information, such as telemarketing and commercial e-mail. In addition, there are broad consumer protection laws that are not privacy laws per se, but have been used to prohibit unfair or deceptive practices involving the disclosure of, and security procedures for protecting, personal information.
Some of the most prominent federal privacy laws include:
The Federal Trade Commission Act (15 U.S.C. §§41-58) (FTC Act) is a federal consumer protection law that prohibits unfair or deceptive practices and has been applied to offline and online privacy and data security policies. The FTC has brought many enforcement actions against companies failing to comply with posted privacy policies and for the unauthorised disclosure of personal data. The FTC is also the primary enforcer of the Children’s Online Privacy Protection Act (COPPA) (15 U.S.C. §§6501-6506), which applies to the online collection of information from children, and the Self-Regulatory Principles for Behavioural Advertising.
The Financial Services Modernization Act (Gramm-Leach-Bliley Act (GLB)) (15 U.S.C. §§6801-6827) regulates the collection, use and disclosure of financial information. It can apply broadly to financial institutions such as banks, securities firms and insurance companies, and to other businesses that provide financial services and products. GLB limits the disclosure of non-public personal information, and in some cases requires financial institutions to provide notice of their privacy practices and an opportunity for data subjects to opt out of having their information shared. In addition, there are several Privacy Rules promulgated by national banking agencies and the Safeguards Rule, Disposal Rule, and Red Flags Rule issued by the FTC that relate to the protection and disposal of financial data.
The Health Insurance Portability and Accountability Act (HIPAA) (42 U.S.C. §1301 et seq.) regulates medical information. It can apply broadly to health care providers, data processors, pharmacies and other entities that come into contact with medical information. The Standards for Privacy of Individually Identifiable Health Information (HIPAA Privacy Rule) (45 C.F.R. Parts 160 and 164) apply to the collection and use of protected health information (PHI). The Security Standards for the Protection of Electronic Protected Health Information (HIPAA Security Rule) (45 C.F.R. Parts 160 and 164) provide standards for protecting medical data. The Standards for Electronic Transactions (HIPAA Transactions Rule) (45 C.F.R. Parts 160 and 162) apply to the electronic transmission of medical data. These HIPAA rules were revised in early 2013 under the HIPAA “Omnibus Rule”.
The HIPAA Omnibus Rule also revised the Security Breach Notification Rule (45 C.F.R. Part 164) which requires covered entities to provide notice of a breach of protected health information. Under the revised rule, a covered entity must provide notice of acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule, unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised.
The Fair Credit Reporting Act (15 U.S.C. §1681) (and the Fair and Accurate Credit Transactions Act (Pub. L. No. 108-159), which amended the Fair Credit Reporting Act) applies to consumer reporting agencies, those who use consumer reports (such as a lender) and those who provide consumer-reporting information (such as a credit card company). A consumer report is any communication issued by a consumer reporting agency that relates to a consumer’s creditworthiness, credit history, credit capacity, character, and general reputation and that is used to evaluate a consumer’s eligibility for credit or insurance.
The Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act) (15 U.S.C. §§7701-7713 and 18 U.S.C. §1037) and the Telephone Consumer Protection Act (47 U.S.C. §227 et seq.) regulate the collection and use of e-mail addresses and telephone numbers, respectively.
The Electronic Communications Privacy Act (18 U.S.C. §2510) and the Computer Fraud and Abuse Act (18 U.S.C. §1030) regulate the interception of electronic communications and computer tampering, respectively. A class action complaint filed in late 2008 alleged that internet service providers (ISPs) and a targeted advertising company violated these statutes by intercepting data sent between individuals’ computers and ISP servers (known as deep packet inspection). This is the same practice engaged in by Phorm in the UK and several UK telecommunications companies that resulted in an investigation by the European Commission.
In 2016, Congress enacted the Judicial Redress Act, giving citizens of certain ally nations (notably, EU member states) the right to seek redress in US courts for privacy violations when their personal information is shared with law enforcement agencies.
On 3 April 2017, President Donald Trump signed into law a bill that repealed a set of privacy and data security regulations for broadband internet service providers adopted by the Federal Communications Commission (FCC) in the last months of the Obama administration. The FCC adopted the Privacy Rule for broadband ISPs at the end of October 2016, after acknowledging that “the current federal privacy regime, including the important leadership of the Federal Trade Commission (FTC) and the Administration efforts to protect consumer privacy, does not now comprehensively apply the traditional principles of privacy protection to these 21st Century telecommunications services provided by broadband networks.”
The FCC Privacy Rule (which would have taken effect later in 2017) established a framework of customer consent, calibrated to the sensitivity of the information, that ISPs would have needed before using and sharing their customers’ personal information. The rules would have controversially classified browsing history and app usage as sensitive information, requiring opt-in consent. They also would have included data security and breach notification requirements. The Federal Trade Commission (FTC), which oversees consumer privacy compliance for other companies, does not currently treat consumer browsing history or app usage as sensitive data.