When you want directions to your hotel, or to track your steps for the day, or to simply check the weather, geolocation is an extremely useful technology. While most of us use geolocation technology every day and rely on it to complete basic tasks, it can infringe on our privacy. Geolocation apps and services have two main purposes: to pinpoint the location of an individual and to provide and/or identify services related to the proximity to the individual. Businesses have started to realize the immense benefits geolocation can offer – from enhanced consumer insights and targeted advertising to fraud detection and prevention.
Although this technology provides significant value to both consumers and businesses, the collection and storage of geolocation data has raised privacy and data protection concerns worldwide. Many data protection regulations and laws outline the collection, use, and storage of geolocation data, but there has been confusion around what information constitutes this data and what rights consumers have regarding its collection practices.
In this blog, we'll explore the different data protection laws and standards that place restrictions on geolocation tracking and detail the steps your organization can take to protect your consumers and stay compliant.
Over 60% of the world's population owns a smartphone, and there is hardly a mobile device or application that does not have geolocation-integrated technology tracking an individual's movements. There are two main reasons for this. The first is to enable the data collector to provide the service requested by the individual, which can be anything from checking the weather to requesting a ride to ordering food delivery. All of these tasks require the user's location to fulfill.
The secondary (and more controversial) reason is to use location data to build profiles and make predictions about a tracked individuals' behavior in order to sell. In 2020, the global location-based advertising market was expected to reach $72.9 billion. Approximately 75 companies receive the anonymous precise location data of a user with enabled location services on their device.
However, since many of these location services run discreetly in the background, data is potentially being captured without the individual's knowledge or consent. And because geolocation data has the ability to reveal detailed information about a tracked individual's behavior, patterns, and personal life (accurate to within a few yards and updated over 14,000 times a day), it raises the question of whether the location data being collected can be used to personally identify an individual, despite anonymizing the dataset.
Various data privacy regulations subject location data to greater protections, like increased security measures and requiring express consent before the collection of personal data. Let’s take a closer look at the various regulations and how they govern geolocation data below.
Geolocation and Data Privacy Regulations
The Federal Trade Commission (FTC)
In the United States, there is not currently a federal law that regulates the use, collection, or sharing of geolocation data. However, the Federal Trade Commission (FTC) has made efforts to protect the privacy of consumers' geolocation data through enforcement, policy making, and education. The FTC considers precise geolocation data to be sensitive personal information, and failure to reasonably protect this information, or failure to adequately disclose its collection or sharing, would violate Section 5 of the FTC Act for unfair or deceptive trade practices. The FTC has already taken action against many well-known companies for their misrepresentations of a user's geolocation information, including Snapchat and Uber.
In addition, the FTC regulates children's online privacy through the Children’s Online Privacy Protection Act (COPPA). Under COPPA, geolocation data is defined the same way as the FTC – any information sufficient to identify the street name and name of a city or town – and considered personal information. If an app collects the longitude or latitude for a user in the U.S. under the age of 13, it will fall under COPPA regulations and be subjected to strict notice and consent requirements.
The General Data Protection Regulation (GDPR)
As one of the strictest and most influential privacy laws, the General Data Protection Regulation (GDPR) has many rules regarding geolocation data. Under the GDPR, location data is considered to be any information collected by a network or service about where an individual's device is or was located, including the following details:
- The latitude, longitude or altitude of the device
- The direction of travel of the user
- The time the location information was recorded
This excludes GPS-based location information collected from mobile devices since this information is created and collected independently of a network or service provider. Businesses can also only process location data with the authority of the network or service provider if it is anonymous or if consent is obtained from the user.
Consent must be freely given, specific, and informed and involve an affirmative action such as ticking a box or clicking a link. Information must also be given to the user that includes the type of location data being processed, what the data is being used for, how long the data will be stored, and whether it will be passed to a third party to provide value-added services. The GDPR emphasizes the importance of customers completely understanding who is using the data and who is providing the service. In addition, customers are entitled to withdraw their consent at any time.
The California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) is the most comprehensive state privacy law in the U.S., giving Californians more control over their personal information. To help protect consumer personal information, the CCPA includes precise geolocation data in its definition of personal information.
As a result, geolocation data is subject to notice and transparency requirements, along with the consumer right to access, deletion, and opt-out. Therefore, consumers have the right to request the types of location data being collected about them and how that information is being used. They can also direct companies to delete their location data being collected and restrict them from selling their location data to third parties.
Keep in mind, the CCPA includes eleven categories in its definition of personal information, one of which includes employee personal information. While some companies have a BYOD policy, many others supply their employees with various devices, ranging from smartphones to laptops to cars. Since these are all beacons for geolocation data, businesses will need to ensure any geolocation data collected on these devices is communicated to their employees, regardless of if it is being utilized or not. Especially since Assembly Bill 25, an amendment that exempted employers from complying with certain CCPA requirements when it comes to the data of employees, sunsets at the end of 2021.
The California Privacy Rights Act (CPRA)
Precise geolocation monitoring can reveal a significant amount of personal information about an individual, and the recently approved California Privacy Rights Act (CPRA) strives to increase protections around that data. Similar to the CCPA, the CPRA will give consumers more rights when it comes to their geographical data, including the ability to stop a business from knowing their exact location within a radius of 1,850 feet, otherwise known as precise geolocation. In addition, businesses will not be allowed to use or disclose a consumer's sensitive personal information for any purposes other than those necessary to provide the goods or services requested.
Consumers will also have the right to prevent the sharing of their personal geolocation information with third parties for behavioral advertising or advertising based on their precise geolocation. This includes the right to opt out of their information being used for automated decision making and consumer profiling. On the other hand, businesses that use third parties and vendors to determine a consumer's precise geolocation to create targeted advertisements will be required to handle this transfer of personal information as a "sale." Although the CPRA will not go into full effect until January 1, 2023, its regulations will apply to personal information collected starting January 1, 2022.
The Washington Privacy Act (WPA) of 2021
For the third year in a row, the Washington Privacy Act has been introduced to its state legislature. Under the Washington Privacy Act, specific geolocation data is information derived from technology (e.g., GPS coordinates) that identifies the specific location of an individual within a geographic area with a radius of 1,850 feet.
Under the WPA, geolocation data is viewed as a type of sensitive personal data and would require consent from the consumer or, when applicable, a child’s parent or guardian, before it can be processed. This privacy bill received approval from the Senate in early 2021 and is currently awaiting a verdict from the House.
The Consumer Data Protection Act (CDPA) - Virgina
Signed into law on Tuesday, March 2, 2021, the Consumer Data Protection Act (CDPA) makes Virginia the second state to pass a comprehensive privacy regulation in the U.S. Along with introducing increased protections for consumer data, the CDPA also established definitions regarding precise geolocation data:
"Information derived from technology, including but not limited to global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of a natural person with precision and accuracy within a radius of 1,750 feet."
Precise geolocation data does not include any means of communication, or any data generated by or connected to utility metering infrastructure systems. Under the CDPA, controllers (the entity that determines the purpose or means of processing data) would need to obtain consent prior to collecting or processing geolocation information, which is considered sensitive personal information under this new law. Companies that are already aligned with the CCPA should have an advantage in complying with the CDPA, which goes into effect on January 1, 2023.
Self-Regulation and the Advertising Industry
As location tracking technologies further develop and data analytics becomes more advanced, keeping pace with these changes will be hard to maintain for government regulations and laws. Although not a new concept, self-regulation has become more prevalent over the last few years and has been a common measure within the advertising and marketing industry. Self-regulation is the idea that rather than creating a prescriptive law, governments allow an industry to set their own standard of rules and best practices that companies voluntarily agree to follow.
For the advertising industry, these rules are considered their Code of Advertising, which are based on the belief that advertisements should be legal, honest, and transparent, and that they have a responsibility to the consumer. Geolocation has proven difficult to regulate and is becoming more intrusive as companies look to capitalize on location data. Self-regulation can address certain issues around the collection and sale of geolocation information and provide the opportunity for consumers, regulators, and marketers to benefit.
How to Comply with Geolocation Laws
With so many different standards and regulations that govern geolocation data, it can seem overwhelming to attempt to comply with them all. Fortunately, there are certain steps your organization can take to assure compliance with applicable laws.
Determine which regulations apply to your organization.
A critical step in your geolocation compliance efforts is to determine which regulation(s) and/or best practice framework(s) are in scope for your organization. While the CCPA and GDPR have been around for a while, the CDPA in Virginia and the WPA in Washington are relatively new. In addition, new bills are constantly being introduced to increase consumer rights. Many of these regulations also have a list of entities and data that are exempt from its scope. For example, the CDPA excludes government entities, non-profits, and higher education institutes and information subject to COPPA. Understanding which regulations are in scope of your organization can help you streamline your compliance efforts, reconcile overlapping data security requirements, and help you build a data privacy program that can adapt to the changing legislative landscape.
Update your privacy policies to include geolocation collection practices.
Under most privacy laws and regulations, consumers have the right to know how their data is collected, used, or shared, and the opportunity to opt-out and revoke consent to the sharing/selling of their personal information. The same goes for geolocation data. You will need to update your privacy policies to give consumers and employees notice of these geolocation data rights. You should also include what third parties will be granted access to this information. These practices will not only help you comply with the requirements of various data privacy laws, but also prevent the collection and disclosure of geolocation information from being considered "deceptive" by the FTC and other regulatory bodies.
Gain explicit consent before the collection of geolocation data.
Consent is an important part for many privacy laws. Regardless of which regulation is in scope of your organization, ensure that each individual has provided affirmative, express consent before any location data is collected. The disclosures provided to gain consent should clearly explain how the location tracking is being conducted and for what purposes, so each individual clearly understands to what they are providing consent.
Place limits on the collection of geolocation data.
After your organization obtains consent from an individual, ensure that the only geolocation data being collected is necessary to provide the service. Collection that goes beyond the purposes of the original consent can result in noncompliance penalties and increase privacy and security risks to both the individual and your organization. Geolocation data should also not be stored beyond the time period necessary to provide the requested service to further reduce any potential risks in the event of a breach. Since departments like Marketing and Human Resources are constantly collecting consumer and employee information, it is imperative that these departments are made aware of these geolocation data requirements and that you work alongside them to establish appropriate collection limits and policies.
Establish proper policies for third parties collecting geolocation data.
Whether your business collects the geolocation information of consumers and shares them with third parties, or simply uses the geolocation data provided by a vendor, it is important to properly evaluate these relationships. Performing your due diligence will clarify how these third parties are using this data and if the data will be combined with any other personal data by the third parties (e.g., fitness tracker with social network capabilities). Thereby, protecting both your business and your consumers.
Ensure individual geolocation data is anonymized (but beware of the associated risks).
Many businesses claim that they are more interested in the patterns geolocation data provides, rather than the identity the data could reveal about a consumer. Nevertheless, be sure that any location data being collected is anonymized, especially since anonymized data is not subject to data protection laws. However, an even more crucial step is to understand that achieving irrevocable anonymity with geolocation data is extremely challenging. For example, simply identifying where an individual spends most nights and checking public records can disclose the name behind the anonymous account. Therefore, it is important to have strict access controls to help prevent against this re-identification.
Provide awareness training for employees on the proper handling of geolocation data.
Geolocation information has the potential to reveal intimate details about an individual. Those with access to this data (i.e., employees) have the potential to either exploit it for their personal use or mishandle the information, exposing it to potential risks. Ensure your employees are correctly trained on the proper handling of geolocation information and that they understand the implications, benefits, and associated responsibilities involved in the collection and use of geolocation information.
Geolocation data has the capability to reveal a significant number of intimate details about a person's life, making it a lucrative business for many organizations. However, these data collection practices raise privacy concerns among consumers and can pose noncompliance threats to many businesses. With more and more privacy laws being enacted every day, ensuring your organization complies with all the appropriate geolocation standards will ensure your organization is on the right track to protecting your consumers.
Want more insights into the latest privacy news?
Subscribe to Focal Point's Privacy Pulse below - a once-a-month newsletter with guides, webinars, interesting white papers, and news all focused on data privacy. Thousands of your colleagues and competitors have signed up! You can unsubscribe at any time.