Today, U.S. Senators Josh Hawley (R-Mo.) and Chris Coons (D-Del.) sent a letter calling on Facebook CEO Mark Zuckerberg to explain Facebook’s privacy practices concerning user location information. In the letter, the Senators express concern that Facebook has misled its users about the company’s collection of location data and how much control users actually have over their privacy settings.

“Location data is among the most sensitive personal information that a user can share with a company. Today, modern smartphones can reveal location data beyond a mere street address,” the Senators wrote. “We appreciate Facebook’s attempt to proactively inform users about their privacy options. However, we are concerned that Facebook may not in fact be offering users the level of control that the company suggests these settings provide.”

The Senators continue, “If a user has decided to limit Facebook’s access to his or her location, Facebook should respect these privacy choices.”

The letter is copied below and is available here.


November 19, 2019

Dear Mr. Zuckerberg,

We write regarding Facebook’s privacy practices concerning user location information. Recently, Facebook published a blog post in response to new updates to Apple’s iOS and Google’s Android operating system that are designed to provide users with greater control and information about when their location data is collected by apps on their mobile devices.

Location data is among the most sensitive personal information that a user can share with a company. Today, modern smartphones can reveal location data beyond a mere street address. The technology is sophisticated enough to identify on which floor of a building the device is located. New updates to iOS and Android have been designed to give users greater insight and control over how and when they share their location with apps on their phones. In light of these developments, Facebook published a blog post, titled “Understanding Updates to Your Device’s Location Settings,” in which Facebook describes the different privacy settings that a user can choose to determine when a user shares location information with Facebook. We appreciate Facebook’s attempt to proactively inform users about their privacy options. However, we are concerned that Facebook may not in fact be offering users the level of control that the company suggests these settings provide.

Specifically, in the blog post, Facebook explains that the location settings on a device running the newest versions of iOS and Android allow a user to decide whether to share the user’s “precise” location information with Facebook either (1) all the time, (2) only while using the app, (3) not at all, or (4) if using iOS, only once. Facebook asserts that this means “[y]ou’re in control of who sees your location on Facebook. You can control whether your device shares precise location information with Facebook via Location Services.” However, in the next sentence, the post goes on to say that “[Facebook] may still understand your location using things like check-ins, events and information about your internet connection.” We are concerned that this language and practice undermines users’ actual control of their location data and the blog post’s assurances to that effect.

If a user has decided to limit Facebook’s access to his or her location, Facebook should respect these privacy choices. The language in the blog post, however, indicates that Facebook may continue to collect location data despite user preferences, even if the user is not engaging with the app, and Facebook is simply deducing the user’s location from information about his or her internet connection. Given that most mobile devices are connected to the internet nearly all the time, whether through a cellular network or a Wi-Fi connection, this practice would allow Facebook to collect user location data almost constantly, irrespective of the user’s privacy preferences. Users who have selected a restrictive Location Services option could reasonably be under the misimpression that their selection limits all of Facebook’s efforts to extract location information.

In light of these concerns, we kindly request that you respond to the following questions:

  1. Does Facebook collect any information about a user’s location if the user has turned off or limited Location Services for Facebook? If so, please explain why Facebook collects such information and the process used to collect that data.
  2. Does Facebook collect any information about a user’s location based only on information about a user’s internet connection?
  3. How frequently does Facebook collect location data based on information about a user’s internet connection when a user has turned off or limited Location Services?
  4. What is the difference between the “precise” location information collected when a user has Location Services enabled and the location information collected by Facebook using other data, such as the user’s internet connection, when a user has turned off or limited Location Services? How detailed is the location data that Facebook collects when a user has turned off or limited Location Services?
  5. Does Facebook target advertisements or otherwise monetize the location information it collects when a user has turned off or limited Location Services?
  6. If Facebook does target advertisements based on the location information that it collects when a user has turned off or limited Location Services, is it possible for a user to configure his or her privacy settings such that Facebook never monetizes any location information about that user?
  7. Does Facebook share the location information that it collects when a user has turned off or limited Location Services with third parties?

We appreciate your prompt attention to this matter and respectfully request a response by December 12, 2019.
