State Laws Shift Geolocation’s Spot On The Privacy Map

Where are you?

Your exact location is a tidbit of information that can infringe on your privacy. Knowing your location all the time can help someone map your life.

Were you at the pool hall during working hours? Did you tell the police you were at home when you weren’t? Was your visit to the plastic surgeon recorded for posterity? And what were you doing in that hotel room?

Early in the age of privacy regulation, the US legislators and regulators have been concerned with consumer’s financial data, patient’s health care treatment information, and the identification and targeting of children. Then came identity theft protection laws in every state, which tended to address personal identifiers and account information that could be collected online. Currently, US states enforce specific privacy laws covering capture of biometrics, including a number of rules about use of facial recognition AI, and additional rules around permissions needed for use of DNA.

With the advent of smartphones nearly 15 years ago, and then a general acceptance of wearables a few years later, we have all been carrying/wearing beacons that may constantly report our locations to companies. Smartphones contain at least four methods of tracking location – cell triangulation, geolocation, WiFi capture, and Bluetooth pinging – and phone/hardware/app companies are often sneaky about when your location is recorded and who that record is sent to. There is a primary market for your location data, where the phone company or app provider uses the data to provide a service you are requesting. But there is also a secondary market for that data, where the company makes commercial predictions about the data subject using location data, and mixes that location data with other information to perform analytics. 

The location data taken from your phone or wearable device is likely more extensive and more valuable than you realize. In 2018 the New York Times reported, “At least 75 companies receive anonymous, precise location data from apps whose users enable location services to get local news and weather or other information, The Times found. Several of those businesses claim to track up to 200 million mobile devices in the United States—about half those in use last year. The database reviewed by The Times—a sample of information gathered in 2017 and held by one company—reveals people’s travels in startling detail, accurate to within a few yards and in some cases updated more than 14,000 times a day. These companies sell, use or analyze the data to cater to advertisers, retail outlets and even hedge funds seeking insights into consumer behavior. It’s a hot market, with sales of location-targeted advertising reaching an estimated $21 billion this year.” Given the pervasiveness and intrusion of this activity, I am surprised that legislatures were not faster to place limits on equipment and applications that track and record our movements.

The inability for consumers to turn off detailed tracking has been a lawsuit and enforcement issue. In 2011, HTC and AccuWeather were sued in Seattle for selling phones with a location-tracking weather app that couldn’t be turned off. In a similar case from 2019, The Weather Channel was sued for geotracking its app customers beyond what it claimed, to the extent of wholesale surveillance, including second-by-second location monitoring. Weather apps can give you an accurate weather reading for New York even if you are sitting in California at the time, so such tight location surveillance is not necessary for the app to work properly. Contrary to what some might believe, your smartphone weather app is not sensing the weather at your location, just reporting the weather information that you request. So it does not need to take constant readings of your location data, and may not need that data at all for any practical purpose.

Starting in 2023, collecting and using consumer geolocation information will be restricted by state law. New omnibus consumer privacy laws in California, Colorado and Virginia coming into force next year include restrictions on company treatment of personally-identifiable consumer information, but they also make a further protection for a new (to the US) category of consumer information known as “sensitive data.” As you would expect, this protected sensitive data includes information about a consumer’s religion, ethnicity, sexuality, and genetic data, but in California and Virginia statutorily-protected sensitive information includes specific geolocation data. So, for the first time in US states, companies will need to collect meaningful permissions from their customers to gather and apply data relating to the customers’ position on the globe.

In Europe, the GDPR already contains limitations on activity around sensitive data, including geolocation information. Under the EU regime, the processing of sensitive data is prohibited by default, with companies burdened to show why such processing falls under a specific exception, including the express consent of the data subject.  By contrast, under California’s new privacy law (the “CPRA”), companies must limit their use of sensitive data to the business purpose for which the sensitive data was collected, but consumers can further limit use and disclosure of this data to listed business purposes such as such as performing services on behalf of the business, protecting data security and integrity, or undertaking activities to verify and maintain the service or device owned or controlled by the business. Virginia’s new privacy law states that data controllers are not allowed to collect or process sensitive data without the data subject’s consent. Unless something changes as Virginia develops regulations, consumer consent seems to be the only basis for processing sensitive data.

This means that smartphone manufacturers, phone connection companies, and app providers that have instituted location surveillance of customers for years will soon need to ask specific permission to gather precise geolocation data or incur the wrath of the Virginia enforcement authorities. This change may significantly alter the way that geotracking is managed in the US. Making this a privacy shift with serious practical consequences. The secondary location data market, with billions in sales, will operate on less data and less frequently-collected data. If the new California and Virginia laws are enforced, we may all see an opportunity to exert better control over who knows where we are.