CTIA Best Practices for LBS

March 25, 2010 · Posted in Commentary, News 

This week it seems that CTIA issued its latest version of Best Practices Guidelines for LBS. While the guidelines are pretty short and straightforward, here is a summary anyway.

There are two basic underlying practices as part of the guidelines:

1. Users must receive notice about how location information will be used, protected and shared… although the form of notice is not dictated

2. LBS providers must show that users gave consent to divulge location before initiating the location-based service, and users must have the right to revoke consent at any time… although the way in which consent is recorded or retracted is not dictated

Some other details of interest, and what one may potentially read between the lines:

• CTIA encourages the industry to develop “new technology to empower users to exercise control”… in other words, let's not just bury some words in the terms & conditions somewhere to cover our butts; someone please come up with a cool system to give consumers controls over their location data that they’ll actually use… maybe a fireeagle-ish thing?

• A wireless carrier is an LBS provider when it directly provides users with a service, not when it provides location information to an application developer who then turns around and offers a location-based service. In other words, the guy directly offering the service is the one bearing the LBS provider responsibilities, not the originator of the location data, so let's provide protection (and remove some risk) to the carrier providing location data, thus encouraging it.

• When location information is not linked to a specific device or person, but only used in the form of aggregated or anonymous data, notice must still be given, but the consent requirement seems to go away… i.e. you still need to tell people what you’re up to, but since it’s not about any individual, getting individuals' consent would be overkill.

• LBS providers must inform users of how long location data will be retained and should only retain location data as long as business needs require, after which it should be destroyed or converted to aggregate or anonymous data. This seems to be a tricky one: in many cases it would seem to be in the business's best interest to retain as much information as it can for as long as it can… so I don’t see many folks being anxious to destroy this information if there may be a valuable business purpose down the road that they haven’t come up with yet.

• “Consent may be implicit such as when users request a service that obviously relies on the location of their device”… i.e. all that stuff about consent doesn’t really apply if you’re running an app called “Whats nearby me now?” where it’s obvious that it needs to know your location to perform.

The whole thing reminds me quite a bit of what the web community has done with regard to browser cookies and PII online, so there seems to be a lot of precedent here. As you might expect, there is nothing revolutionary in the guidelines; it is more or less common sense and doesn’t disrupt much of the way the location-based services I’ve seen operate already.

It may have been my imagination, but while reading it I felt as though the CTIA was really hoping that someone would develop an innovation that would allow users to actively manage their location sharing, while realizing that in reality it’s likely to go the route of check boxes on multi-page terms and conditions documents that no one reads.
