[Congressional Record Volume 147, Number 96 (Wednesday, July 11, 2001)]
[Senate]
[Pages S7497-S7499]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. EDWARDS:
  S. 1164. A bill to provide for the enhanced protection of the privacy 
of location information of users of location-based services and 
applications, and for other purposes; to the Committee on Commerce, 
Science, and Transportation.
  Mr. EDWARDS. Mr. President, I rise today to introduce much-needed 
legislation to protect the privacy of consumers who use technologies 
that can pinpoint their location. Under my bill, the Location Privacy 
Protection Act, any company that monitors consumers' physical location 
will be prohibited from using or disclosing that information without 
express permission from the consumer. And third parties that gain 
access to the information cannot use or disclose it without the 
individual's permission first.
  Within the next few years, new technologies will allow companies to 
know our location any time of day or night. Our cell phones, pagers, 
cars, palm pilots and other devices will enable companies to constantly 
track where we go and how often we go there. These services can have 
enormous advantages. For example, public safety and rescue teams can 
save lives with systems that enable them to quickly locate crash 
victims. Imagine being able to ask your cell phone for directions to 
the nearest Italian restaurant. Or imagine you are traveling in a new 
city and your pager alerts you when you are within a block of your 
favorite coffee shop, which happens to be running a sale on coffee. The 
possibilities for location-based services and application are endless.
  But these new technologies also raise serious privacy issues. 
Location information is very private, sensitive information that can be 
misused to harass consumers with unwanted solicitations or to draw 
inaccurate or embarrassing inferences about them. And in extreme cases, 
improper disclosure of location information to a domestic abuser or 
stalker could place a person in physical danger.
  The wireless industry is unique in that it has worked with Congress 
to guarantee some privacy protections in the law, and it should be 
commended for recognizing the sensitivity of location information. 
However, although these laws are a good first step, we need to build on 
them and strengthen them. For example, although under the law customers 
must give their permission before wireless carriers can use or disclose 
their location information, the law does not require carriers to 
clearly notify consumers about how their location information will be 
used if they do grant their permission. Consumers also have no control 
over what happens to their information once third parties gain access 
to it. These parties are free to share it with anyone they please. And 
shockingly, there are no laws that protect the privacy of users of new 
technologies like telematics, services that allow drivers to get 
directions at the push of a button in their cars, and global 
positioning systems.
  My legislation puts control over location information in the hands of 
the consumer. It requires the FCC to issue new regulations prohibiting 
all providers of location-based services and applications from 
collecting, using, disclosing, or retaining location information 
without the customer's permission first. And customers must be given 
clear and conspicuous notice about what the company is going to do

[[Page S7498]]

with their location information. Customers also will have the right to 
ensure the accuracy of the information that is collected and companies 
will be required to keep that information safe from unauthorized 
access.
  Third parties will not be able to use or disclose location 
information without prior authorization from the customer. In this 
regard, my bill makes an exception if the third party is an emergency 
service. I believe that the FCC must be very careful not to interfere 
with the laws that have been carefully crafted to allow emergency 
medical rescue teams, public safety, fire services, hospital emergency 
facilities and other emergency services to respond to the user's call 
for help. These laws are critical to saving lives and I believe we 
should do everything we can to make sure they work.
  I would also like to point out that while my bill requires that the 
FCC rules not interfere with the ability of law enforcement to obtain 
location information pursuant to an appropriate court order, it does 
not provide the FCC with extraordinary authority to control when law 
enforcement can and cannot gain access to location information. 
Although I have concerns about unnecessary and surreptitious government 
surveillance, I believe that this issue is best addressed either 
separately, or at a later date. The purpose of my bill is primarily to 
lay down guidelines for when private persons, such as businesses, are 
able to use and disclose consumers' location information.
  The law needs to be strengthened, and we have the opportunity to do 
so while these location-based technologies are in their infancy. We 
have a unique opportunity to give consumers power over their location 
information before its commercial value becomes so great that it is 
impossible for consumers to prevent the buying and selling of this very 
personal information.
  In sum, I believe the Location Privacy Protection Act is a common 
sense measure offered at an ideal time. I know that wireless carriers 
and many companies such as OnStar, ATX, Qualcomm and others care deeply 
about privacy. I applaud them for their efforts and I look forward to 
continuing working with them on this issue.
  I ask unanimous consent that the text bill be printed in the Record.
  There being no objection, the bill was ordered to be printed in the 
Record, as follows:

                                S. 1164

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Location Privacy Protection 
     Act of 2001''.

     SEC. 2. FINDINGS.

       Congress makes the following findings:
       (1) Location-based services and applications allow 
     customers to receive services based on their geographic 
     location, position, or known presence. Telematics devices, 
     for instance, permit subscribers in vehicles to obtain 
     emergency road assistance, driving directions, or other 
     information with the push of a button. Other devices, such as 
     those with Internet access, support position commerce in 
     which notification of points of interest or promotions can be 
     provided to customers based on their known presence or 
     geographic location.
       (2) There is a substantial Federal interest in safeguarding 
     the privacy right of customers of location-based services or 
     applications to control the collection, use, retention of, 
     disclosure of, and access to their location information. 
     Location information is nonpublic information that can be 
     misused to commit fraud, to harass consumers with unwanted 
     messages, to draw embarrassing or inaccurate inferences about 
     them, or to discriminate against them. Improper disclosure of 
     or access to location information could also place a person 
     in physical danger. For example, location information could 
     be misused by stalkers or by domestic abusers.
       (3) The collection or retention of unnecessary location 
     information magnifies the risk of its misuse or improper 
     disclosure.
       (4) Congress has recognized the right to privacy of 
     location information by classifying location information as 
     customer proprietary network information subject to section 
     222 of the Communications Act of 1934 (47 U.S.C. 222), 
     thereby preventing use or disclosure of that information 
     without a customer's express prior authorization.
       (5) There is a substantial Federal interest in promoting 
     fair competition in the provision of wireless services and in 
     ensuring the consumer confidence necessary to ensure 
     continued growth in the use of wireless services. These goals 
     can be attained by establishing a set of privacy rules that 
     apply to wireless location information, regardless of 
     technology, and to all entities and services that generate or 
     receive access to such information.
       (6) It is in the public interest that the Federal 
     Communications Commission establish comprehensive rules to 
     protect the privacy of customers of location-based services 
     and applications and thereby enable customers to realize more 
     fully the benefits of location services and applications.

     SEC. 3. PROTECTION OF LOCATION INFORMATION PRIVACY.

       (a) Rulemaking Required.--Not later than 180 days after the 
     date of the enactment of this Act, the Federal Communications 
     Commission shall complete a rulemaking proceeding for 
     purposes of further protecting the privacy of location 
     information.
       (b) Elements.--
       (1) In general.--Subject to the provisions of paragraph 
     (2), the rules prescribed by the Commission under subsection 
     (a) shall--
       (A) require providers of location-based services and 
     applications to inform customers, with clear and conspicuous 
     notice, about their policies on the collection, use, 
     disclosure of, retention of, and access to customer location 
     information;
       (B) require providers of location-based services and 
     applications to obtain a customer's express authorization 
     before--
       (i) collecting, using, or retaining the customer's location 
     information; or
       (ii) disclosing or permitting access to the customer's 
     location information to any person who is not a party to, or 
     who is not necessary to the performance of, the service 
     contract between the customer and such provider;
       (C) require that all providers of location-based services 
     or applications--
       (i) restrict any collection, use, disclosure of, retention 
     of, and access to customer location information to the 
     specific purpose that is the subject of the express 
     authorization of the customer concerned; and
       (ii) not subsequently release a customer's location 
     information for any purpose beyond the purpose for which the 
     customer provided express authorization;
       (D) ensure the security and integrity of location data, and 
     give customers reasonable access to their location data for 
     purposes of verifying the accuracy of, or deleting, such 
     data;
       (E) be technology neutral to ensure uniform privacy rules 
     and expectations and provide the framework for fair 
     competition among similar services;
       (F) require that aggregated location information not be 
     disaggregated through any means into individual location 
     information for any commercial purpose; and
       (G) not impede customers from readily utilizing location-
     based services or applications.
       (2) Permitted uses.--The rules prescribed under subsection 
     (a) may permit the collection, use, retention, disclosure of, 
     or access to a customer's location information without prior 
     notice or consent to the extent necessary to--
       (A) provide the service from which such information is 
     derived, or to provide the location-based service that the 
     customer is accessing;
       (B) initiate, render, bill, and collect for the location-
     based service or application;
       (C) protect the rights or property of the provider of the 
     location-based service or application, or protect customers 
     of the service or application from fraudulent, abusive, or 
     unlawful use of, or subscription to, the service or 
     application;
       (D) produce aggregate location information; and
       (E) comply with an appropriate court order.
       (3) Additional requirement.--Under the rules prescribed 
     under subsection (a), any third party receiving, or receiving 
     access to, a customer's location information from a provider 
     of location services or applications pursuant to the express 
     authorization of the customer, shall not disclose or permit 
     access to such information to any other person without the 
     express authorization of the customer.
       (4) Express authorization.--
       (A) Form.--For purposes of the rules prescribed under 
     subsection (a) and section 222(f) of the Communications Act 
     of 1934 (47 U.S.C. 222(f)), the Commission shall specify the 
     appropriate methods, whether technological or otherwise, by 
     which a customer may provide express prior authorization. 
     Such methods may include a written or electronically signed 
     service agreement or other contractual instrument.
       (B) Modification or revocation.--Under the rules prescribed 
     under subsection (a), a customer shall have the power to 
     modify or revoke at any time an express authorization given 
     by the customer under the rules.
       (c) Application of Rules.--The rules prescribed by the 
     Commission under subsection (a) shall apply to any person 
     that provides a location-based service or application, 
     whether or not such person is also a provider of commercial 
     mobile service (as that term is defined in section 332(d) of 
     the Communications Act of 1934 (47 U.S.C. 332(d)).
       (d) Relationship to Wireless Communications and Public 
     Safety Act of 1999.--The rules prescribed by the Commission 
     under subsection (a) shall be consistent with the amendments 
     to section 222 of the Communications Act of 1934 (47 U.S.C. 
     222) made by section 5 of the Wireless Communications and 
     Public Safety Act of 1999 (Public Law

[[Page S7499]]

     106-81; 113 Stat. 1288), including the provisions of section 
     222(d)(4) of the Communications Act of 1934, as so amended, 
     permitting use, disclosure, and access to location 
     information by public safety, fire services, and other 
     emergency services providers for purposes specified in 
     subparagraphs (A), (B), and (C) of such section 222(d)(4).
       (e) State and Local Requirements.--
       (1) In general.--No State or local government may adopt or 
     enforce any law, regulation, or other legal requirement 
     addressing the privacy of wireless location information that 
     is inconsistent with the rules prescribed by the Commission 
     under subsection (a).
       (2) Preemption.--Any law, regulation, or requirement 
     referred to in paragraph (1) that is in effect on the date of 
     the enactment of this Act shall be preempted and superseded 
     as of the effective date of the rules prescribed by the 
     Commission under subsection (a).
       (f) Definitions.--In this section:
       (1) Aggregate location information.--The term ``aggregate 
     location information'' means a collection of location data 
     relating to a group or category of customers from which 
     individual customer identities have been removed.
       (2) Customer.--The term ``customer'', in the case of the 
     provision of a location-based service or application with 
     respect to a device, means the person entering into the 
     contract or agreement with the provider of the location-based 
     service or application for provision of the location-based 
     service or application for the device.
                                 ______