The Los Angeles city attorney’s office alleges in a lawsuit that a subsidiary of IBM deceptively mined the private location data of users of the Weather Channel app and sold it to advertising and marketing companies.
When users download the app, a prompt asks them to grant access to their location so the app can provide “personalized local weather data, alerts and forecasts.” The app then tracks the user’s movements, allowing the Weather Company, which operates the app independent of the Weather Channel and uses its data to fuel IBM’s Watson Advertising products, to sell that information to hedge funds, advertising firms and corporate clients like McDonald’s and Subway.
The suit filed Thursday alleges that the disconnect between that prompt and the company’s ultimate use of the data constitutes fraudulent and deceptive business practices. The suit seeks an injunction against the company, which would require it to stop the practices, and civil penalties of up to $2,500 for each violation in California.
“Think how Orwellian it feels to live in a world where a private company is tracking potentially every place you go, every minute of every day,” Los Angeles City Atty. Mike Feuer said at a news conference Friday. “If you want to sacrifice to that company that information, you sure ought to be doing it with clear and advanced notice of precisely what’s at stake.”
The Weather Channel app has 45 million monthly users, and the company’s suite of weather apps have been downloaded more than 200 million times, according to the company.
"The Weather Company has always been transparent with use of location data,” said Saswato Das, an IBM spokesperson. “The disclosures are fully appropriate, and we will defend them vigorously."
The suit cited an investigation by the New York Times last month that found at least 75 companies that collected precise location data via smartphone apps — in one case pinging a user’s location 14,000 times in one day — then used it to fuel consumer insight research and the $21-billion location-based advertising industry.
“We zeroed in on the Weather Channel app because this app touches all demographics,” Feuer said. “This is not an ideologically driven app, it’s not a geographically driven app — it touches all of us.”
Feuer said his office also chose to target the Weather Company because its app “seems to be benign and innocuous,” but “engages in what we have alleged are affirmative misstatements” to users about how their location data will be used. Since the New York Times investigation was published in December, IBM said that it had stopped offering location data to hedge funds, but Feuer noted that the company had not changed its data-use disclosure practices.
Users of the Weather Channel app are able to find some indication that their location data is being monetized in the app’s privacy agreement, but Feuer notes that it is buried in the smartphone’s settings menu.
The practice of collecting and monetizing location data is widespread across mobile apps. Google and Facebook are leaders in the location-based advertising industry, using data from their own suite of mobile products.
A recent study by the British privacy advocacy group Privacy International found that the Weather Channel app for Android also shares private user data with Facebook — even if the users don’t have a Facebook account — along with other popular Android apps.
Feuer’s office used the same Unfair Competition Law to go after Wells Fargo in 2015 for opening unauthorized accounts, which resulted in a $50-million settlement. The city attorney’s office has pursued technology companies in the past, suing Uber in 2017 for failing to promptly report a data breach that exposed the personal data of millions of drivers and riders.
But seeking penalties for an ongoing and common business practice marks a new approach to protecting consumer privacy, and comes at a time when tech companies are facing increasing scrutiny and regulation over their collection and use of data.
The last year was marked by scandals regarding corporate handling of private user data. Millions of users’ private information was compromised in data breaches at companies like Google, Facebook and Marriott. Facebook faced congressional inquiries over its sharing of data with political consulting firm Cambridge Analytica, which accessed the data of 87 million users without their consent.
The European Union put strict regulations on transparency and reporting in place in May 2018, when the General Data Protection Regulation, or GDPR, went into effect. Under that law, companies found in violation can be fined up to 4% of their worldwide annual revenue.
A new California data privacy law, passed last year and set to go into effect in January 2020, requires companies to be more transparent about their use of user data, gives users more control over the use and storage of their private information, and will make it easier for consumers to sue companies found violating the law.