Your car, your smartphone, your Bluetooth headphones, the WI-FI you used at your favorite coffee shop, and the GPS you used to get there – all make it easy for various businesses, government agencies, and even malicious actors to log and monitor your location.

Geolocation data tracking has sparked many privacy concerns over how consumers' location data is being collected, who it is being shared with, how it is being protected and stored, and most importantly, what it is being used for. Furthermore, as digital technology based on geolocation data continues to emerge to help monitor and contain the Covid-19 pandemic, questions are being raised around the collection of protected health information (PHI).

In this post, we'll aim to answer some of your most pressing questions around geolocation, its key benefits, and the potential privacy risks.

What is Geolocation?

Geolocation is a technology that uses data acquired from an internet-connected device (e.g., smartphone, computer, fitness tracker) to identify an individual’s geographical location, both longitudinal and latitudinal. Geolocation technologies can only pinpoint the location of a device, so if you leave your phone in the car for two hours while at the movies, your geolocation history for that time is the physical location of your car.

However, if you wore a fitness tracker or smart watch during that period, your geolocation could potentially be tracked in real-time and within a certain degree of accuracy. Many individuals carry multiple devices at a time and the average household has about 10 internet-connected devices. These devices can be cross referenced against each other for more accurate geolocation results. With the number of smartphone users reaching over 3.6 billion in 2020 and with a combined 5 million apps available in the Android and iPhone markets, the prevalence of geolocation technologies will only continue to increase.

What is the purpose of geolocation data?

Individuals often opt in to the location tracking of their personal devices and associated applications in efforts to use an underlying service (although they still have the ability to manage location tracking settings within each application). Obtaining directions to a nearby restaurant, checking the local weather, or determining your steps for the day all require geolocation services to operate.

Various industries and businesses also use geolocation for a multitude of purposes. The police can use it to identify devices that were in the vicinity of a crime, or track those wearing GPS-enabled ankle bracelets. Game developers can combine it with augmented reality to incorporate play into our daily lives (e.g., Pokémon Go). Travel websites can use it to display location-based content based on where the website visitor is located. Marketers can develop geolocation profiles to enhance the user experience and to create advertisements that are more relevant to each individual, in addition to running targeted advertising campaigns based on an individual's past locations or vicinity to a store. The ways geolocation data can be used are plentiful, for both businesses and consumers.

What are the types of geolocation data?

The goal of geolocation is to accurately identify and track the whereabouts of an internet-connected device. While various forms of geolocation-tracking capabilities exist, they are typically classified under one of the following:

Active, or Device-Based Information

This type of geolocation data is acquired through software that an individual has on their computer or other mobile device. Working with cellular and satellite networks, active trackers continuously transmit a signal that can process and deliver an individual's geolocation data in real-time. It's this type of constant data collection that allows you to locate yourself on a map at any given time. However, since this data collection relies on GPS and cellular networks (for triangulation purposes), it's more accurate in places with a larger device population. Consent from the user is also required for this type of data collection.

Passive, or Server-Based Lookup/Data Correlation

The other geolocation method is passive, or server-based lookup/data correlation. The main difference between active and passive data collection is time; this type of data collection does not provide real-time updates. Geolocation information is silently collected and stored until it can be downloaded or wirelessly transmitted. Fitness trackers are an example of this type of data collection, as steps are constantly being recorded but the location of each is not, or the route one took during a run is not calculated until the activity is finished. Server-based lookup/data correlation is tied to a device's IP address via a Wi-Fi or ethernet connection. These IP addresses are associated with a physical location and stored in a database to be sold by third-party service providers.

After both types of data are collected, they can then be cross-referenced against each other to determine the most accurate geolocation result.

What are the different geolocation methods?

Geolocation data breaks down into four main categories:

1. Geocoding: The process of associating a specific address with coordinates on a map. For example, when you search for an address or type in the name of a place, your will be shown a marker at its exact location on a map.
2. Georeferencing or Geo-positioning: The process of determining or estimating the geographical position of an object. Information about the physical location of the object is achieved via GPS data, such as in car navigation systems. The data can be used in real-time or stored for later.
3. Geotagging: The process of adding geographical location information to a media file, such as photos, videos, websites, or social posts. "Checking in" at a restaurant or tagging your location on a social media post would be an example. Many phones automatically add geolocation data into a picture's metadata, otherwise known as unintentional geotagging.
4. Geofencing: The process of defining a geographically bound area (geofence) that allows advertisers to target consumers based on their real-time location. This type of location method allows you to set your own boundaries, like a one-mile radius around your business (or even your competitors). When an individual enters the geofence, it can prompt push notifications, trigger text messages, or initiate a social media advertising campaign.

What information can be gathered from geolocation data?

Since an individual's device is always either actively or passively collecting data, geolocation data can reveal a significant amount of personal information about a user. Geolocation data can clearly identify an individual's physical address, including their exact longitude and latitude at a point in time.

However, it can also be used to track an individual's movements to determine patterns and behaviors. By cross-referencing the location data collected on an individual's device and the time spent at each spot, it can reveal where an individual lives, where they work, their daily schedules, which stores they frequent, their regional preferences, and even vacation times. It can also reveal highly sensitive categories of data, such as hospital visits, religious affiliations, and political associations, which can be dangerous in the wrong hands.

Who has access to geolocation data?

• Mobile Phone Carriers: Since phones use cell towers for reception, cell phone carriers can use this data to determine where their devices are located.
• Operating Systems: Mobile operating systems (i.e., Android and iOS) can learn where a device is located based on the location services provided such as Google Location Services. Additional information can be gained from nearby Wi-Fi networks to generate a more precise position.
• Applications: Applications with location-based services are used every day by consumers, like those for ridesharing and food delivery. This location data is often shared with advertisers in order to personalize advertisements, promote coupons and discounts, and better customize the user experience.
• Internet Service Providers (ISP): In order for a device to use the internet, your ISP will assign it an IP address, which is used to initiate the connection between the device and the website, or the device and the service being used. Since IP addresses are roughly based on geography, the ISP can approximate your location based on the IP address generated.
• Employers: Many companies provide their employees with cell phones, laptops, and even a car. Since these are all beacons for geolocation data, companies can track the location of these devices, and in turn, the location of their employees.
• Third Parties: The average webpage and mobile application shares its data with dozens of third parties. These third parties use this data, which includes your geolocation information, to build individual profiles with demographics and interests for businesses to purchase in order to better target consumers based on those traits.

How is Geolocation Data Gathered?

Whether through a smartphone, laptop, fitness tracker, or mobile application, geolocation data is constantly being collected. The most well-known and precise way to determine where a device is located is through GPS. Other commonly used methods for geolocation data include Wi-Fi networks, cell towers, and Bluetooth – all of which provide a different level of precision and purposes.  

Global Positioning System (GPS)

Many smartphones and other devices are able to detect location via satellite GPS, independent of reception or internet. While GPS offers the most precise geolocation information, it is a satellite-based system, so it does not work as accurately indoors and can be affected by the weather or a physical interference. For these reasons, most devices use GPS in combination with other forms of location signals to create a more accurate location picture.

Wi-Fi Networks

Wi-Fi networks are commonly used by smartphones and laptops as a way to infer location data or to provide an approximate location inside of buildings. Mobile devices scan for nearby access points and creates a list of them, along with their relative signal strength. The number of global Wi-Fi networks is expected to reach over 628 million globally by 2023, and each of these Wi-Fi access points has their own unique identifier and known location. By comparing this list of Wi-Fi networks to the signal strength coming from the device, your location can be revealed.

Cell Towers

Cell towers are used by carriers (e.g., Verizon, Sprint, AT&T) in order to provide cellular service to its users. These cell towers can also approximate a device's location depending on the cell tower it's connected with. Each cell tower emits a unique "cell tower ID," which are freely detected by mobile devices. By combining which cell tower a device is connected with and the signal strength of the cell tower ID, the location of a device can be determined. This type of data collection requires an active cellular service plan and proximity to a cellular tower in order to generate information.

Bluetooth

Bluetooth is a wireless, low-power, one-way connection method used to connect devices directly to each other in order to transfer data. Transferring information from the fitness tracker on your wrist to its associated app on your phone requires Bluetooth to transfer the data. Many apps and devices are designed to detect their proximity to beacons, or small radio transmitters that broadcast one-way Bluetooth signals.

How Does Geolocation Work?

Initial Collection of Location Data

The purpose of initial collection of location data is to allow the data collector (e.g., application) to provide the service requested by the individual. If an individual downloads a map application on their phone, they will have to consent to their location being tracked in order to receive personalized directions. The phone and app software then use GPS and other tracking technologies to determine the individual's location. Finally, the wireless carrier transmits that location data in real-time to a third party who transmits the data to the app to provide directions.

This is the initial transaction between the individual and data collector and this location information can only be shared if:

• It is necessary to fulfill the user's request
• It is essential to ensuring application consistency across different devices
• The individual has consented to their location tracking

Secondary Location-Data Market

The secondary location data market uses the information provided from the initial collection to make conclusions and predictions about tracked individuals in order to sell. Companies can purchase this anonymized location data or individual profiles for business purposes, such as for targeted advertising. Since geolocation information can reveal intimate personal details about individuals, the secondary location market is a lucrative business, with the industry expected to have reached $350 million in 2020.

What are the Business Benefits of Geolocation?

Although not an extensive list, geolocation can provide businesses with a variety of benefits, including:

• Competitive advantage: From tourism to event planning to dating apps, geolocation has been integrated into applications and businesses around the globe. Businesses that utilize geolocation technology can increase overall performance within the organization and allow them to better serve their customer's needs.
• Improved consumer insights: Geolocation information allows businesses to better understand their consumers' demographics, patterns, and behaviors. With this information, businesses can personalize their messaging and specifically target consumers within their desired area.
• Increased overall sales: By collecting and analyzing customer geolocation information and understanding their top consumer profiles, businesses can maximize their marketing plans, better target their key clientele, and increase overall sales.
• Better business planning: Location-based information and marketing can play a key role in predicting the sales performance of a physical store by understanding its proximity to existing customers, targeted consumers, and competitors. It can also help identify opportunities for expansion and the potential need for closures.
• Measured results: Through geolocation, businesses can effectively track customer movements to learn more about the sales at their physical locations. Businesses can also use geolocation to improve search engine rankings by using geographically based review sites like Yelp.

What are the Privacy Risks of Geolocation?

As location tracking technologies advance further and become more widely accessible, the number of privacy risks associated with this type of data collection will also increase. Various data privacy regulations around the world are already subjecting location data to greater protections measures, such as requiring express consent before the collection of location data or giving consumers the ability to stop a business from knowing their exact location within a radius of 1,850 feet (i.e., the California Privacy Rights Act (CPRA).

Some organizations have lost consumer trust over their geolocation data collection practices and the lack of transparency around these practices. In addition, these data collection practices have grown more intrusive for consumers as more businesses look to capitalize on the secondary data market. Businesses also have to contend with the possibility of certain businesses using geolocation as an unfair competitive advantage, like using it to track rival employees and executives to learn about research opportunities or potential acquisitions.

Within the organization, employers can use geolocation data to track the whereabouts of company devices. However, some businesses might use this data to track an employee's work and recreational behaviors, which can negatively impact employee performance and company reputation. In addition, employee data is protected under the CCPA, so the gathering of this information could lead to noncompliance. Businesses will need to balance the benefits geolocation can provide with the potential privacy risks it can cause to both your consumers and your organization as a whole.

Geolocation applications and services add great value to consumers and businesses alike. As its technology continues to improve, the opportunities and uses geolocation can offer will only grow. Understanding how geolocation works now and ensuring your organization recognizes its associated privacy risks, will ensure you can pinpoint all the benefits of geolocation in the future.

Want more insights into the latest privacy news?

Subscribe to Focal Point's Privacy Pulse below - a once-a-month newsletter with guides, webinars, interesting white papers, and news all focused on data privacy. Thousands of your colleagues and competitors have signed up! You can unsubscribe at any time.