What is now more popular than Facebook, Twitter, and Tinder? Pokémon Go. As the hit smartphone game’s popularity has grown since it was released on July 6, so has scrutiny of the type and quantity of data it collects, uses, and shares. Regulators and users are concerned that the game is accessing and storing users’ private data, such as location, emails, and photos. A range of privacy and consumer protection laws could be used to address these growing concerns.
Niantic Inc., which spun-off from Google in 2015, developed Pokémon Go with Nintendo and The Pokémon Company. The Pokémon franchise became a cultural phenomenon in the early 2000s, initially as a trading card game, and then with spin-offs into other games, movies, and a television show. The franchise is now making a comeback with Pokémon Go. Niantic originally developed the hugely popular augmented reality game “Ingress,” which allows competing teams to catch virtual items through their smartphones, in a real-world setting. Pokémon Go combines the Pokémon game with the Ingress platform. Like Ingress, Pokémon Go uses smartphone cameras and the ability to track users’ time and location to create a real-world scenario in which users can catch virtual Pokémon. The game also uses “lure” and “gym” features to steer users to one location to catch Pokémon.
The amount of publicity the game has received has led to heightened attention around the now common privacy issues of over-collection of adult users’ data and protection of children’s data.
The game’s privacy policy allows it to collect “fairly extensive” data on users. Although the game’s disclosures appear to be fairly standard and comprehensive in explaining how and what data is collected from both adults and children, the Federal Trade Commission (“FTC”) and state consumer protection and unfair competition authorities may scrutinize whether these disclosures match up with the data the game actually collects and how such information is used.
Given the FTC’s recent concerns about technology companies tracking users’ precise locations, regulators could be particularly focused on how Pokémon Go uses location data. In June, the FTC imposed a $4 million civil penalty on mobile advertising company Inmobi to resolve claims that it tracked smartphone users’ exact locations to target them with geo-specific advertising, but did not secure their permission to do so. The allegations against Inmobi included assertions that the company violated the Children’s Online Privacy Protection Act by gathering information about children without their parents’ permission.
Similarly, Pokémon Go may be scrutinized for how it tracks data on the location of children—one of its target audiences—although the game does take steps to identify the users under age 13 and gain their parents’ consent. Some lawmakers are already questioning whether this consent provides enough protection. For example, Senator Al Franken of Minnesota sent a letter to Niantic Chief Executive John Hanke asking how the game ensures that the parents’ consent is “meaningful.” “I am concerned about the extent to which Niantic may be unnecessarily collecting, using, and sharing a wide range of users’ personal information without their appropriate consent,” Sen. Franken wrote.
Even if consent is obtained, there is concern that the game collects information it does not need. For example, initially, the game’s disclosure policy allowed Pokémon Go to delve into iPhone users’ Google email accounts and documents without alerting the users. A patch released on July 13 allows the company only to see basic account information. But this may not stop hackers from gaining access to the information, and because the game collects so much data on users, it may be a tempting target for hackers.
One area of interest is how Niantic will share the data it collects through the game. The company’s privacy policy states that the company may “share aggregated information and non-identifying information with third parties for research and analysis, demographic profiling, and other similar purposes.” This may allow Niantic to sell this information to marketers to track players’ daily commutes, for example, as long as the data is aggregated and contains no identifying information.
In the future, users who have claims relating to the game’s use of personal information, and its ability to potentially share that information with others, may file lawsuits under the Computer Fraud and Abuse Act or the Video Privacy Protection Act. But those lawsuits would raise new legal questions regarding what constitutes “authorization” to access information on a smartphone, and whether Pokémon Go players are “subscribers” of goods or services, respectively.
