Hawaii Gov. David Ige last week vetoed a bill that would have required telecommunications companies to obtain explicit consent from customers before selling their location data.
The bill, which was similar to legislation now being considered in more than a dozen other states, targeted a common practice of selling consumer location data to companies called location aggregators, which was revealed last year by the New York Times.
The four largest mobile carriers — AT&T, Verizon, T-Mobile and Sprint — told the Federal Communications Commission in May that they had stopped selling customer location data following a phase-out period that started in June 2018. But civil rights advocates and lawmakers, such as Hawaii state Rep. Chris Lee, who sponsored the bill Ige vetoed, are calling for stronger consumer protections nonetheless.
Lee called the sale of consumer location data an “incredibly scary” practice that could potentially jeopardize anyone’s personal privacy.
“If you’re able to identify all the devices and phones that are going into a Planned Parenthood facility and track those phones back to their home addresses, you could be setting people up for all kinds of harassment and danger,” Lee told StateScoop.
The information disseminated by location aggregators was shown largely to have been sold to commercial interests seeking more detailed information about consumer habits, but Lee pointed out several other potential political uses, such as tracking people going into certain religious buildings or collection by immigration authorities or law enforcement.
Lee said that no phone companies wanted to come out against the bill publicly but that CTIA, the industry association that represents wireless carriers, lobbied hard against the bill. In a letter to state House leaders, CTIA Vice President Gerard Keegan complained that the legislation contained vague wording that did not define terms such as “location data” or “sale,” which he said could lead to “a host of unintended consequences.”
Ige’s office used similar language in explaining the governor’s veto.
“This measure attempts to regulate a complex national industry without sufficient and appropriate wording to ensure consistent compliance and enforcement,” Ige’s statement read “There are concerns about unintended consequences if this measure becomes law.”
Ige’s office did not respond to a request for further clarification.
California, Maine and Nevada have all passed online privacy laws, with the California Consumer Privacy Act serving as one of the broadest examples in the United States and a template that many other states are now modeling their legislation after. (Though California’s privacy law, which is set to go active next year, could be weakened substantially if any one five bills now under consideration by the state legislature become law.)
Lee told StateScoop that he hasn’t given up, and that he’s now speaking with lawmakers in New York, California and the European Union to develop a stricter and broader privacy bill that will include a provision on location data along with other types of information collected by technology companies.
“As data beaches and privacy concerns are coming to light through Facebook and other platforms, there’s a real question as to how deep that rabbit hole goes,” Lee said.