IBM, the owner of the Weather Channel mobile app, has reached a settlement with the Los Angeles city attorney’s office after a 2019 lawsuit alleged that the app was deceiving its users in how it was using their geolocation data.
The 2019 lawsuit claimed, the app’s permission prompt for users to share their geolocation data did not make them aware that it was also selling that data to third-party companies. Instead, users were led to believe that the collected location data would be for the sole purpose of personalized forecasts and alerts, according to the lawsuit.
The Weather Channel in the ensuing settlement, released this week, argued that it disclosed this information to its 45 million monthly users via its online privacy policy.
“The Weather Company has always been transparent about its use of location data,” an IBM spokesperson told Threatpost. “We fundamentally disagreed with this lawsuit from the start, and during the case we showed that the claims were baseless. However, in recognition of IBM’s long-standing relationship with Los Angeles and our history of providing technology solutions to improve its operations, we are donating technology to help the city and county deal with COVID-19 relief and contact tracing efforts.”
Regardless, according to Los Angeles City Attorney Mike Feuer, under the settlement IBM agreed to revise their data privacy disclosures, which he said will help “ensure transparency and informed consent.” They will do so by changing the permission prompts presented to users when they decide whether to allow location tracking.
“Personal privacy in the digital age is one of the most pressing issues of the 21st Century,” said Los Angeles City Attorney Mike Feuer in a Wednesday statement. “Our successful work to ensure meaningful consumer notice and consent and to hold The Weather Channel App accountable puts other Apps on notice: We’re monitoring their practices and will continue to be vigilant in fighting for consumers.”
The lawsuit comes on the heels of a groundbreaking 2018 New York Times investigation that outed 75 companies – including the Weather Channel app – for misleading consumers about data collection and selling location data to advertisers. It shed light on how companies are expected to relay their policies around collecting and using data.
In The Weather Channel’s case, the app did disclose how it was using the data in its privacy policy – but the lawsuit argues that the average user doesn’t take the time to sift through the fine print on these policies.
“Location is a sensitive matter, however, and consumers need to understand how their location is being used and to what extent their information is being shared,” Stephen Banda, senior manager with Security Solutions at Lookout, told Threatpost. “A quick look at an app’s permissions on the Google Play store will show if exact or precise location is used. Unfortunately, beyond this information, the onus is on the end-user to further validate the privacy policy details and how their information is being used before accepting the usage terms.”
Data privacy has continued to make headlines over the past year – particularly how geolocation data is collected, stored and utilized when it comes to the apps and services used by consumers carrying their phones around with them. In a 2019 incident, an Associated Press report claimed that the Google services prevalent on both Android and iOS phones – including Google Maps – store location data, despite device users opting out. The report resulted in Google also being slapped by a lawsuit, alleging that the tech giant violated both California’s Constitutional Right to Privacy as well as California’s Invasion of Privacy Act.
Steve Durbin, managing director of the Information Security Forum, told Threatpost that these types of regulatory efforts – and subsequent fines that companies are receiving for violating them – are forcing companies to re-evaluate the transparency of their privacy policies.
“With all of the focus on breaches and the loss of personal data, it is understandable that the main attention for organizations today seems to have shifted to data privacy,” he said. “We are seeing a growth in legislative requirements to protect personal information along with the associated fines and sanctions for non-compliance.”
It’s the age of remote working, and businesses are facing new and bigger cyber-risks – whether it’s collaboration platforms in the crosshairs, evolving insider threats or issues with locking down a much broader footprint. Find out how to address these new cybersecurity realities with our complimentary Threatpost eBook, 2020 in Security: Four Stories from the New Threat Landscape, presented in conjunction with Forcepoint. We redefine “secure” in a work-from-home world and offer compelling real-world best practices. Click here to download our eBook now.