Law enforcement has been using location information from mobile phones to investigate and apprehend suspects, and to dispatch emergency assistance for years (although their methods have sometimes been secretive and questionable). The recent Supreme Court decision overturning Roe v. Wade has now opened the door for health services – including but not limited to abortions – to be criminalized in some jurisdictions. This means that law enforcement may be able to obtain location data from a data broker to determine whether someone went to a health clinic or similar location. Beyond law enforcement, some jurisdictions may additionally permit civil liability, meaning third parties unaffiliated with law enforcement could attempt to access geolocation data to bring a lawsuit. In short: the collection and sharing of mobile phone location data with law enforcement and with third parties (e.g. selling location data) has taken on renewed importance for all Americans.
This troubling situation underscores the risks that Americans continue to face because of Congress’ failure to enact a comprehensive federal privacy law. Congress has inquired about the tracking practices of tech companies such as Apple and Google, the Federal Trade Commission (FTC) has signaled its interest in this area, and there are bills in Congress that address both limits on the amount of personal data companies may collect and use (such as the American Data Privacy and Protection Act (ADPPA)) and warrantless access to consumer data by law enforcement (the Fourth Amendment Is Not For Sale Act)—however as of today the United States is woefully still without a law to protect us from this commercial surveillance.
In October 2021, the FTC published a report that addressed the data sharing practices of internet service providers (ISPs), including both broadband and mobile providers (noting that several sold real-time location data derived from provision of their services to third-parties). Regarding mobile carriers specifically, in February 2020 the Federal Communications Commission (FCC) issued a Notice of Apparent Liability to major mobile carriers in light of their involvement in the illegal and dangerous sale of consumer location information resulting in rogue law enforcement officers, bounty hunters, and others obtaining real-time and historical location information. This sale was in violation of the FCC’s rules regarding Consumer Proprietary Network Information (CPNI), which includes when, for how long, and to/from whom a phone subscriber made or received a phone call. There has been no public announcement indicating that these fines have ever been collected by the FCC or by the U.S. Department of Justice.
In July 2022, FCC Chair Jessica Rosenworcel sent Letters of Inquiry (LOIs) to fifteen of the largest mobile carriers about consumer geolocation data, requesting information about their data retention and data privacy policies and practices. Chair Rosenworcel stated in the letters: “the highly sensitive nature of this data—especially when location data is combined with other types of data—and the ways in which this data is stored and…