The use of location-based services by consumers, such as for the provision of directions, traffic information, or mapping to locate nearby stores, should be subject to terms and conditions that address the quality of the service and the reliability of the data. In addition, the contract should address the privacy concerns of the customer. The collection, use and sharing of location information might raise more concerns than that of other data, such as the customer's name, phone number or the duration of a call. Thus, special attention should be given to the protection of the location data.
For the service to occur, the service provider needs the ability to locate the client. The cell phone or GPS transponder must be active. Nevertheless, at other times, when customers do not need the service, they may wish to have the ability to turn off the location capability. Cellular phones can easily be turned off. In a car or other machine equipped with a GPS, the user may wish to have the ability to deactivate the GPS transponder without shutting down the engine, so that it cannot record movements. The same issue arises for RFID tags, such as those that come with EzPass or FastTrak. Is there an off/on switch? Or does the device, once attached to a car windshield, keep transmitting its radio frequencies at all times?
Privacy and the use of personal data are of great concern to many individuals. To address privacy concerns, the service provider should use a privacy statement to notify users that the devices or service may be collecting information. In the United States, this may be a “Best Practice” since most US laws do not require privacy statements. Elsewhere, providing a notice of privacy practices may be required by law, for example under the European Union data protection laws.
In the Privacy Statement, the company would disclose what type of personal data will be needed and collected (e.g., identity, phone number, location), and the purposes for which the data will be used (e.g., searches, tracking).
Individuals might wish to be informed, as well, when information about their location is generated, and how this information is generated. Since location information appears to be more sensitive than other types of personal information, the contract (and the related technology) may provide for ways that the customer would give her consent to the collection of location information, and ways to turn off the transponder.
The user may also be offered choices regarding management and use of information. This would include, as well, providing the ability to access and edit permissions. The customer could define which disclosures are permitted, and when the company may share data with third parties.
The protection of the collected data is of equal importance. How long will the data be retained? The 2002 European Union Directive on Privacy and Electronic Communication, to be implemented by the EU member states, for example, requires that location data be retained only for a limited time. In addition, the 2006 European Union Data Retention Directive requires networks and service providers to retain traffic and location data generated in conjunction with electronic communications services for a minimum amount of time (6 to 24 months) to be specified by the national law of each European Union Member State.
When data are retained, what security will be used to ensure that the data is not exposed to unwanted disclosure, access, or modification?
The privacy statement or terms of service should also address marketing issues. There should be a clear description of the possibility that data (traffic data, location data, non-contact information such as prior searches) might be disclosed to third parties for marketing purposes. The customer should be given the choice to prevent, or agree to, these disclosures.
TRUSTe has worked with the telecommunications industry to outline the content of a privacy statement that would conform to the Fair Information Practices that have been recommended by the Federal Trade Commission or other organizations such as the California Privacy Office. The proposed content of a Privacy Statement in the context of wireless services would include:
- Name of organization
- What information the wireless service provider collects
  - Personally identifiable information
  - Unique mobile device identifier
  - Location information
- What information is collected by or through a third party
- How the Wireless Service Provider uses the information
  - Secondary uses of the personal information
  - Secondary uses of the location information
- With whom the information is shared
  - Sharing the location information with the Location Based Service provider
  - Sharing personal information or location information with third parties for secondary uses
- What choices are available to the consumer regarding the collection, use, and distribution of the personal information collected by the Wireless Service Provider
  - Method for editing privacy preferences
- What types of security measures are in place to protect from the loss, misuse, or alteration of personal information collected by the Wireless Service Provider
- How the consumer may access the information, and correct any inaccuracy
- Whether location information is retained beyond the time period reasonably needed to complete the transaction requested by the customer.
There are practical obstacles to the use of comprehensive privacy statements. One cannot post a full-length privacy statement on an RFID chip, or a telephone screen. Companies have been scratching their heads to find appropriate ways to deliver privacy notices and options adapted to wireless devices. Typical handheld devices are tiny and use small screens. They may also have limited power.
It is not possible to deliver privacy information in the ways traditionally used with a desktop or laptop computer. Alternatives would include providing a full privacy statement in locations where individuals can access it easily, for example, at a store, or online, or by delivery through the mails. A summary notice of the privacy statement, with a cross-reference to a URL or brochure, might be able to address the size and other constraints.
If the transaction is conducted on a wireless device, the company may opt to deliver a short privacy notice that informs customers of the existence of the Privacy Statement, and directs them to another location where the full-length Privacy Statement may be available for review in its entirety. The company should deliver the full Privacy Statement as soon as practical, in an appropriate medium, for example through postal mail or email. For those devices that are equipped with viewing technology that is based on optimized protocols using a proxy server between the device and the content source (e.g. WAP technology), it may be possible to add a “privacy” option, and link the “privacy” button to the URL of the statement.
If the transaction is conducted online, but not on a wireless device, the service provider may provide a link to the site where the full privacy statement is located. If the transaction is conducted offline, the service provider could deliver the full privacy statement separately; or include it in the service contract; or include a clear and conspicuous statement in the product or service brochure that the full privacy statement is available by asking an associate.
Mobile Marketing Association
The Mobile Marketing Association (MMA) has defined six fundamental elements to a positive consumer experience. These elements include:
- Choice. The consumer must “opt-in” to a mobile marketing program. Consumers have a right to privacy and marketers must therefore gain approval from consumers before content is sent, and include clear directions on how to unsubscribe from communication should it become unwanted.
- Control. Consumers should have control of when and how they receive marketing messaging on the mobile phone and must be allowed to easily terminate or “opt-out” of an unwanted program.
- Customization. Data supplied by the consumer for marketing purposes should be used to tailor such marketing to the interests of the consumer (e.g. restricting communications to those categories specifically requested by the consumer). Targeting user consumer data made available to the marketer helps to eliminate spam, making content as relevant and useful to the consumer as possible.
- Consideration. The consumer must receive or be offered something of perceived value in return for receiving the communication (product and service enhancements, entry into competitions etc.).
- Constraint. The marketer must effectively manage and limit mobile messaging programs to a reasonable number of programs.
- Confidentiality. Commitment to not sharing consumer information with non-affiliated third parties.
The MMA has also published a Global Code of Conduct for mobile marketers that choose to use user information in order to market their products and services to these users through mobile devices. This Code of Conduct has five elements: Notice; Choice and Consent (requires an opt-in); Customization and Constraints; Security; and Enforcement and Accountability.
Location Information in Commercial Contracts
Commercial contracts related to the provision of location-based services are likely to have complex structures because numerous entities might be involved. These entities could include, for example: (a) Telco (ATT, Verizon); (b) Advertising networks; (c) Support (maps); (d) Information provider (e.g. traffic information, weather forecast); (e) Optimization technology service (mapping technology, fleet management technology); and (f) Search engines.
Handling Personal Information
Most location-based services directed to consumers deal with the use of a person’s location to provide the service requested by that person. Protection of privacy is one of the major concerns of most individuals in connection with location-based services and the use of location information. Laws, regulations, and industry practices are creating pressure for companies to address data protection issues. The parties to contracts related to location-based services should negotiate provisions for the collection and protection of data. For example, will the device have the ability to collect personal information? Will performance of the service give the service provider the opportunity to view or access personal information? If personal information is available, what limitations should there be to collection, use, re-use, retention, or destruction of the information? What notice should be provided to individuals about the collection, use, or secondary uses of their information?
Collection of information
The parties should define what personal information the service provider needs in order to furnish the service. For example, to provide map information to a salesperson looking to organize his sales calls, the mapping company might need the nature of the query and the geographic location of the device. It would not need to know who placed the query, from which device the query was placed (other than, perhaps, the operating system), or to have the actual phone number of the salesperson’s device where he will receive the map. When the minimum information necessary for the provision of the service is identified, the contract would limit the collection of information and access to that information to that which is specified by the client.
Limitation to use of the data
When addressing limitations to the use of the data that are necessary for the provision of the service, or that are created through the use of the service, it might be appropriate to distinguish between different categories of data. While personal information related to billing, invoicing, or account numbers might need to flow freely (although with appropriate restraints to avoid the disclosure of credit card numbers), the location information might be subject to more restrictions. Thus confidentiality, security, and other clauses that relate to the handling, use, protection, and dissemination of information should address with specificity the different requirements and restrictions depending on the nature of the information to be protected.
Quality; data integrity
The quality and accuracy of the information collected should be ensured. Quality of the information is essential to ensure the quality of the services. It is also crucial for providing the needed help in case of an emergency. The parties should require that those who collect, create, maintain, use, disclose or distribute location information ensure that the information is accurate and complete for the purpose of the contract. Otherwise, the service would furnish inaccurate results: the wrong person would be charged for a product purchase, the wrong route would be displayed on the map, and the ambulance would arrive too late to save the stroke patient.
Confidentiality and security
Adequate security measures should be required to ensure the protection of the personal and other information. Recent events have shown that databases and computer systems are vulnerable to numerous types of attacks. When data are accessed, the individuals or institutions to which the data pertain are at a higher risk of harm. Since several organizations may access or transmit personal or confidential data, the risk of losing or misplacing information grows exponentially. Those who collect or hold the information must make sure that the information is kept secure. Each entity involved in the provision of the service should be required to take appropriate confidentiality and security measures, including an obligation to require their subcontractors to implement the same measures.
Protecting the confidentiality and security of the personal data and company data collected should be a crucial component of any contract associated with the provision of location-based services. The contract should define what security measures are to be used in order to protect the location information and the personal information to which the other company may receive access. The measures to be taken should be designed to prevent unauthorized use, access, disclosure, or alteration. The contract clause(s) should provide specific and detailed information such as (1) who may have access to the location information; (2) what restrictions will be placed on organizations that handle location information; or (3) what should be done to ensure the protection of personal or sensitive information at each stage of the services.
The parties may need to tailor the security measures to the nature and type of information collected or used. The measures should take into account the nature of the information that is collected or stored. For example, anyone with a suitable reader can scan an RFID chip unless adequate measures have been taken to protect the information. Thus, the information on the RFID chip would require special security measures to prevent hack attacks.
The parties should evaluate the appropriateness, utility, and risk of preserving the information after the service has been provided. Retention of information should be limited to the period reasonably needed to complete the transaction required by the consumer, while taking into account the applicable legal requirements. The E-Discovery amendments to the Federal Rules of Civil Procedure create strict data retention requirements. The contract may have to include provisions for cooperation between the parties to ensure compliance with discovery requests. There might be requirements for specific retention periods, such as in the case of credit card transactions. Other laws, such as those that implement the 2006 European Union Data Retention Directive, may also dictate how long information must be retained.
In addition, at some point, it will be necessary to dispose of the stored data. Experience has shown that devastating security breaches occur at the time of the disposal of information if the appropriate measures are not used for the destruction of the data. State and federal laws such as the FCRA Disposal Rule may require specific provisions to be taken for the disposal of certain categories of data. If no law or specific regulation applies, the use of proper methods for disposing of personal information would nevertheless be required as part of the general duty of care of the holder of the data as a fiduciary. Security standards usually include provisions for the use of appropriate measures to destroy data.
For example, the ISO 27001 standard requires both the secure disposal of equipment and that of the media. Under ISO 27001, all items of equipment containing storage media must be checked to ensure that any sensitive data and licensed software has been removed or securely overwritten before disposal. In addition, media must be disposed of securely and safely when no longer required, using formal procedures.
Rights of individuals; access and modification
Since location-based services use, collect, or process a lot of personal information, the parties should also address whether, how and to what extent individuals (data subjects) will be granted the ability to access the information collected, such as account, transaction or contact information. In addition, individuals may be granted the right to make changes to this information, including changes to marketing permissions. If these rights of access and modification are granted, methods for verification of the identity of the individuals who have access to the information would have to be implemented to reduce the risk of unauthorized access to personal or confidential data.
Limitations to Use and Re-Use of Information
As always, personal information, purchasing patterns, travel schedules, and the like are of great interest to advertisers. The parties to location-based services should discuss whether any of the entities involved might have access to the data subjects’ contact information or profiles. For those who have access to this information, clear guidelines should be set forth about whether or not they may use or re-use the personal information other than to fulfill the contract.
Some location-based services rely on the existence of third party content. For example, a phone company may offer customers the latest movie show times. It may display restaurant locations on maps. This content may not be used or displayed without the appropriate license. As part of the pre-contract due diligence, the entity that will use this content to provide the services should verify the service provider’s ability to license and distribute the content for the contemplated purposes. The analysis should include, for example, questions as to the content and scope of the licenses. Do the company’s existing licenses apply to the range of new services to be offered? Does a license for distribution via the Internet also include a license for distribution via handheld device?
Other questions would need to be raised. What content will be provided to the customer’s personnel or clients? What criteria apply to quality, such as the completeness and accuracy of the maps being used? What updates will be provided? How frequently should modifications or corrections be made?
In addition to privacy and content issues, the use of Geographical Information Systems and Global Positioning Systems raises numerous technical issues as well. While the technical teams must first resolve them, these issues also need to be reflected in the related service agreements.
There should be a clear understanding of the technical capabilities of the system, in particular with respect to accuracy of the data. For example, if a delivery truck must deliver packages to several businesses located next-door to each other on a street, will the system be able to analyze the GPS data with sufficient precision to ensure accuracy of reporting? Or will the deliveries to Starbucks coffee shop be mixed with those of Noah’s Bagel, whose store is adjacent?
Another potential challenge is integration. The companies may face challenges when integrating applications based on GPS or geographical information systems with other applications that must send or receive geospatial data. The product functionalities and the representations and warranties made or received should accurately reflect the understanding and expectations of the parties.
There might be concerns about the quality of the images. There may be circumstances when getting two sets of GPS coordinates to match can be difficult because available maps from different service providers may provide different granularity of image resolution. The shortcomings of the technologies or underlying products should be explained clearly to the customer, and the contract provisions or exhibits should state these issues and limits.
Availability, response times
If an application requires access to certain databases, the continued availability of the database for the life of the contract should be part of the terms and conditions of the contract. There might be a similar need to specify the speed of access and response times, and ensure proper commitments from the database or technology provider.
Since these applications may require the use of cellular networks, there should be proper cellular network coverage. While GPS receivers can usually receive GPS signals from satellites, they may not always be able to relay the information to the company’s head office, because of deficiencies in the cellular network.
Use of Subcontractors
Contracts for services rely in great part on the quality of the service provider. An individual or an organization will retain a particular service provider for its reputation, and the quality of its work or services. In many cases, the customer has conducted thorough due diligence before choosing one vendor. To ensure that quality standards are maintained, the service agreements should discuss the possibility of using subcontractors, and define what restrictions would be imposed on the use of subcontractors. Consider, for example, the obligations to ensure confidentiality and security of personal and other confidential data, or the restriction on the uses or reuses of data.
Compliance with applicable laws
A party to a Manufacturing Agreement or Supply Agreement for the provision of RFID or GPS devices may wish to confirm in writing whether the deliverable will or will not contain any radio frequency device. If RFID tags are used, the purchaser would need appropriate warranties and representations that the equipment will comply with the applicable FCC requirements.
As seen above, the information and data to be handled might be highly sensitive. There might be issues with content, and the technologies might have shortcomings. As a result, it is important that the parties agree on the appropriate allocation of liability for errors, delays, or system unavailability. Consider, for example:
Liability for errors in the input
Who should be liable for errors in the collection of the data, or the failure to record incoming data (e.g., the location data, the identity of the data subject) properly?
Liability for errors in the output
Who should be liable for providing inaccurate measures?
Liability for breach of security
Who should be liable for errors caused because of technology glitches that allow data to be accessed by the wrong person?
The availability of location information is rapidly becoming ubiquitous as the underlying technologies become more advanced, cheaper, and more widely distributed. Even recent commercial contracts may predate these developments and will not address many of the questions raised by the new capabilities and the new uses of the information. They should be reviewed to determine whether they need to be revised immediately or can wait until their next renewal, but they will certainly need to be updated to cover at least some of the issues discussed above.