Your cell phone knows where you are.

Armed with a smartphone full of location-based applications, you can cue up Yelp reviews and Groupon offers for the nearest restaurants, get turn-by-turn directions there from Google Maps, and then use Foursquare to share your location with followers on Facebook or Twitter. Whether through GPS capability or cell-tower triangulation, today’s mobile devices gather and put geolocational information to use in a multitude of ways.

The marketing possibilities seem endless. At a mobile technology conference last October, Google’s director of emerging platforms called location-targeted coupons “the Holy Grail for local advertising.” Google projects mobile-coupon spending to reach $1 billion in 2011. McKinsey & Co. estimates the collection and analysis of personal location data to create more than $100 billion in revenue in the next decade. And consumers are benefiting, too—McKinsey estimates that over the same period, personal location applications will deliver up to $700 billion in value to consumer and business users.

It’s all very exciting—for the wireless industry, for marketers and for consumers. But there’s a whiff of Big Brother that comes along with a pocket-sized device that tracks your location and transmits that information. In April, Apple became the subject of headlines and consumer ire when hackers-turned-security experts discovered a file in the iPhone and iPad operating system that stored, unencrypted and unprotected, a timestamped list of locations visited by the phone’s owner. Apple quickly released a patch to address the data-storage flaw, but the incident served as a jarring reminder to users that their mobile devices, at least, are watching. 

It also focused the attention of lawmakers and regulators on how mobile devices and apps collect location information, to what extent consumers can control such collection, and how to ensure privacy and security of the collected data. The Federal Trade Commission (FTC) and Federal Communications Commission (FCC) have held public forums on location-based services (LBS), and on Capitol Hill, lawmakers have held hearings and introduced legislation on the issue.

“Right now in the privacy world … the trend is toward protecting more information and then trying to figure out whether any of it is so special that it requires heightened protection,” says John Heitmann, a partner at Kelley Drye. “The consensus is that location data is special, and that it would require heightened protection and special procedures.”

Association Approach

Absent clear rules or authority, the industry has taken to self-regulation. A few years ago, CTIA—The Wireless Association, an industry trade group, adopted a set of best practices to which carriers as well as app developers now broadly subscribe. Premised on Fair Information Practice Principles that the FTC and privacy groups have championed for more than a decade, the CTIA best practices emphasize user notification and consent—users should know how the data is collected and used, and they should have the option to deactivate location-tracking features. 

A driving principle in this area is “privacy by design,” the concept that companies should proactively build default privacy protections into devices and services. Privacy by design would support, for instance, the “opt-in” approach, which requires users to activate LBS rather than having to “opt out” from pre-activated features. Another debate in the consent area is whether one-time user consent is adequate or whether certain apps should have to ask users for permission each time location data is collected.

Along with notification and consent, a third leg of the privacy discussion focuses on ensuring the security of the data—how is it stored, encrypted and/or anonymized? Who sees it? When is it destroyed? 

Major players in the mobile app world have generally accepted the principles of notification, consent and security, but implementation of industry best practices is uneven among smaller app developers.

“Some of the smaller players aren’t engaged in the debate,” Heitmann says. “How do you get app developers involved in this? The only way you really can do that is if app stores require [privacy protections]. That’s why the progress on LBS will probably continue to be industry-driven, and to the extent there are major gaffes, that could push legislation or regulation over the finish line.”

The debate rages as to whether the industry can be trusted to self-regulate, whether regulatory agencies need to regulate carriers and app developers, or whether there needs to be a combination of both—for instance, agency enforcers stepping in where self-regulation fails.

“We believe that self-regulation is going to be superior to legislation just because the technologies are evolving so quickly that any one-size-fits-all approaches are not likely to be very successful to the different use cases here,” says Michael Altschul, general counsel of CTIA. “But recognizing that, there are certainly some approaches we do think would be more successful than others, primarily those approaches that do rely on industry regulation but perhaps with some government oversight.”

Streamlining Regulation

Currently, Section 5 of the FTC Act, which prohibits unfair or deceptive acts, serves as a sort of backbone for privacy regulation in the U.S. If a company significantly deviates from stated privacy policies or industry-standard business practices, it will be considered in violation of Section 5. The FTC so far has been able to flexibly use the FTC Act to address data privacy issues, but debate continues as to whether the FTC needs more authority and whether the rules need to more specifically address location privacy.

Another question is whether the FTC should have complete authority rather than sharing it with the FCC. There’s no question that the industry would prefer to deal with one agency rather than two. Historically, the FTC has been the general privacy and data security regulatory agency, says Mark Brennan, an associate at Hogan Lovells. However, the FTC is restricted by statute from regulating common carriers, including telecommunications common carriers, which fall under the FCC’s jurisdiction. And Section 222 of the Communications Act of 1934 speaks to location privacy among telecommunications carriers, which the FCC has used as a hook to explore LBS privacy issues. Things get murky when it comes to companies offering both phone and broadband services. 

A federal regulatory framework on LBS would provide clarity on the jurisdiction issue as well as a unified privacy regime to replace a patchwork of regulations and sector-specific laws.

The FTC and FCC have held workshops and public forums on LBS over the past several years, and they will likely continue to solicit public comment on the issue.

There also has been a flurry of legislative activity addressing LBS. There’s little confidence such legislation will pass this year in the face of looming budgetary concerns. But Congress has made it clear that manufacturers, carriers and app developers need to address privacy issues surrounding LBS.

“I think the Hill is making enough noise, and enough people are making enough noise, that we’ll continue to see some movement,” says Rob Morgan, an associate at Davis Wright Tremaine. “A lot of that movement will be through companies taking measures that will make people more confident with what they’re doing and make the Hill more comfortable about what they’re doing.”