Law Blog

Pokémon Go Privacy Problems: The Legalities of Mobile App Data Collection

Pokémon Go is the most popular mobile game in U.S. history. In the 24 hours after its release last week, it surpassed the daily active user numbers of every other mobile game that has ever existed–attracting nearly 21 million active users at once.  As a user myself, I can say that when the servers of the game are working properly, it’s a heck of a good time.

The game was created by Niantic and the Pokémon Company and allows users to roam the streets catching Pokémon in an augmented reality version of the real world. So successful is the game that Nintendo’s minority share in the game has boosted its market value by $11 billion in the week or so since it hit the market.

The game is free to play but features a number of available microtransactions–digital offerings within the app itself–to bring in money. However, like many mobile games, this is not the only source of revenue.  The app also collects personal information from its users, which it then strips of identifying information and sells to would-be advertisers.

In the last few days, this data collection has drawn the concern of not only users, but also U.S. Senator Al Franken. He has gone on record with serious concerns about the overreach of the privacy policy of the app–especially considering how many children it counts as users. The whole kerfuffle began in response to a blog post revealing that among the permissions you granted Niantic by creating an account was–for iPhone users using a Gmail account to sign in–full access to your Google account.

The Pokémon Privacy Policy

The concerns, now known to be slightly alarmist, suggested that the permissions gave Niantic read/write permission for your emails, access to your Google Drive, and even the ability to pilfer your Google Wallet. This came as a heck of a shock to users, because, although the Pokémon Go Privacy Policy is available online, there was no indication such access was being granted when users made an account.

Since the initial accusations a few days ago, it has been established that Niantic did indeed get full access to your Google Account; however, it was not quite the insidious plot that was initially insinuated.

Niantic issued a statement that the overreach in permission was a mistake and the access had never been taken advantage of–an assertion that Google has verified.  What’s more, while the permissions did give Niantic potential access to a substantial amount of biographical information such as your email address and phone number, they did not have access to any emails, Google Drive, or Google Wallet.  Niantic patched the access out of the app days after the concerns were raised.

However, don’t let these developments completely send your privacy concerns over Pokémon Go blasting off again. If you have not yet updated the app, do so in order to patch out the access to your Google account.  What’s more, it is important to stay informed about exactly how much information you agree to share by making an account or clicking “yes” to those Terms & Conditions.  Pokémon Go is still collecting a staggering amount of information on you for later sale.

By using the app, you are accepting that Pokémon Go will collect data from you and use it in accordance with their posted privacy policy.  As it stands, they collect your Internet Protocol (IP) address, browser type, operating system, the web page you visited before going on Pokémon Go, anything you click on or go to while using Pokémon Go, how long you stay on pages you go to, search terms, and more.  Also, because Pokémon Go uses GPS tracking to determine where you are and thus which Pokémon are around you, the app collects where you go, where you left from, how long you take to get somewhere, and how long you stay at any given location.

Once this data is collected, Niantic, per their privacy policy, strips identifying information from the data and pools it together to sell to advertising companies.  If the company or Pokémon Go is ever purchased, all this information is part of what will be purchased.

This probably seems like an incredible amount of information for strangers to know about you–and it is. Unfortunately, the only way to avoid this data collection (as with many apps) is to stop using Pokémon Go.  What’s more, the practice is both common and perfectly legal when done carefully.

Mobile App Overreach: An Ongoing Problem

The Federal Trade Commission requires that mobile apps clearly disclose their privacy policies and what sort of information they collect. They also require that businesses give users an option to decline collection–although that can just mean letting them choose not to use an app.  Failure to do any of these things, or to comply with your own privacy policy, can give rise to an FTC charge of deceptive practices.

For example, Runkeeper is a jogging app that has recently been in hot water for tracking your location–when the app is not active. This information is then sent to advertisers.  In 2012, a social media app called Path got in trouble for taking its users’ entire address book without their knowledge.  They settled an FTC charge, paying $800,000.

Apps that seek overreaching permissions are also common; when properly disclosed, this is a perfectly legal practice unless state law says differently. In 2015, it came to light that quite a few third-party flashlight apps were asking for a lot more permissions on your smartphone than they needed.

Many of the apps had the ability to read phone status and identity, view Wi-Fi connections, modify system settings, obtain full network access, and determine your precise location via your phone’s GPS, among other permissions. This was quite an ask for an app that is primarily for finding your keys when they fall under your car seat.

It’s not surprising that people were sensitive to potential privacy issues with Pokémon Go given the history mobile apps have with overreaching permissions and privacy law violations. A huge portion of apps include data gathering of some kind as part of how they make their money–especially free-to-use apps.

Even if you trust a business with this information, that same information makes them a target for hackers. The sheer popularity of Pokémon Go, combined with its ability to track your location, means that it is going to be capable of nearly unprecedented data collection.  While Niantic has a solid privacy policy and has complied with FTC privacy regulations, it still can be a privacy risk given how much information is going to pass through its hands.  Don’t let this stop you from catching them all–just remember to know what you’re getting into with Pokémon Go and any app you use.