The late 20th and early 21st centuries have seen a proliferation of technologies and devices capable of creating geolocation data on a massive scale. While geolocation data is an extremely valuable tool with a wealth of innovative applications across several fields, including mapping, navigation, and competitive analysis, there are concerns around privacy and security.
It’s important that geolocation data can’t be used by organizations to identify the location of individuals, or reveal too much about their personal information. As a result, governments and other administrative bodies continue to draft legislation and guidelines that place limits on how geolocation data (and other personal information) can be collected, stored, shared, and used.
Understanding what these rules protect and how to abide by them is important for your business – not only for avoiding costly penalties for violations, but also for maintaining the trust of your customers and business partners. To ensure you know how to stay compliant with regulations, we’ll cover:
- Why geolocation data compliance is so important
- Which geolocation data regulations apply to your organization?
- Geolocation data compliance under the California Consumer Privacy Act (CCPA)
- Geolocation data compliance under the European Union’s General Data Protection Regulation (GDPR)
- How to follow geolocation data privacy regulations
- How to buy geolocation data while adhering to regulations
To begin, we’ll offer a more thorough overview of why geolocation data use is regulated and why your organization should commit to using it responsibly.
Why geolocation data compliance is so important
Geolocation data is essential for delivering many location-based services (weather, navigation, delivery, etc.). It can also be used to build behavioral profiles of people for modeling and predicting their activity, which has incredible applications in industries such as marketing and fraud prevention.
However, the use of geolocation data is not without controversy. If not properly anonymized, geolocation data could be used to personally identify an individual, compromising their privacy and security. Without proper protections, it can also be stolen and used to identify or locate someone.This is why many countries and jurisdictions around the world have legislation in place governing how geolocation data is collected, used, and handled.
Your company can face stiff penalties if it doesn’t comply with these laws. The current maximum fine under the General Data Protection Regulation (GDPR), for example, is €20 million or 4% of a company’s total revenues from the previous year, whichever is greater.
Industry self-regulation and compliance
Geolocation data privacy has proven difficult for governments to enforce on their own. Government legislation – and accompanying regulations – can’t keep pace with the rates at which location tracking technologies are improving and data science is achieving deeper levels of analysis.
However, there are steep sanctions for failing to comply with privacy laws, which are often wide reaching. Organizations in the industry have begun to look to oversight agencies that help member organizations understand and abide by compliance regulations, ensuring they’re always compliant.
Organizations are motivated to participate as they not only ensure compliance, but also get support in developing a compliance program, and making sure they stay on top of changing regulations.
Which geolocation data regulations apply to your organization?
Let us re-emphasize the point here that you may be subject to both government regulations and industry-wide standards when collecting, storing, and using geolocation data. Obviously, where your company primarily operates will influence which rules apply to it. However, your company may have to comply with government laws and industry best practices beyond those specific to your geographic area. This is becoming increasingly common as digital technology makes international trade easier.
If a customer resides in a country or region where specific privacy legislation is in place, your company needs to follow all of those regulations in addition to the ones it is locally subject to. We’ll explain how that works, and give some tips for determining when it applies to your company, below.
When does a certain regulation apply, and how do you know?
Let’s illustrate with a hypothetical scenario. Say a company outside of the United States wanted to do business in the US, and its business involved the collection of geolocation data in some way. It would be subject to not only its own country’s data privacy laws, but also to regulations from the Federal Trade Commission. Taking this further, if the company wanted to do business in California, it would also be subject to legislation like the California Consumer Privacy Act and the California Privacy Rights Act.
So how do you figure out which rules apply to your company? A good first step would be to do your homework regarding the regulations for the geographic area where your company is headquartered (and maybe also where your data is stored, if that location is different). You should also research applicable legislation for areas in which you do business, including if you have employees or business partners there.
Online customers can be more challenging, because they may shop from across the globe over the Internet. And they may not always provide complete contact details when they buy from your company (e.g. they may make a purchase as a guest, if your e-commerce platform allows for this). In that case, you’ll have to piece together the clues you have to figure out where customers are from and, consequently, which privacy regulations apply to them.
Billing information or shipping addresses may reveal a customer’s home country. Remember, though, their region can be important too, as specific places within a country (like California and some other states in the US, such as Washington and Virginia) may have their own local privacy laws. Some more accurate pieces of location information you can use are the customer’s phone number (if available), or even their Internet Protocol address as it was logged when they visited your e-commerce site. These types of contact information have conventions built into them that often allow for narrowing down at least the country and region a person is from. They can be faked, though, so don’t rely on them exclusively.
Laws and regulatory bodies that govern geolocation data
So what are some of the actual guidelines on managing geolocation data your company might have to comply with? And who enforces them? The following are some notable examples at national, international, regional, and industry levels.
1. Federal Trade Commission (FTC)
The Federal Trade Commission (FTC) regulates trade in the United States, including watching for unfair or deceptive trade practices. These include collecting or sharing precise geolocation information about people without sufficiently notifying them first, or failing to make a reasonable effort to protect this information from being stolen. This applies especially to minors, who are protected under the FTC’s Children’s Online Privacy Protection Act (COPPA).
The FTC defines “precise geolocation data” as any information that is able to determine a person’s street address and city, and the FTC considers this sensitive personal information.
2. General Data Protection Regulation (GDPR)
Created by the European Union and implemented in 2018, the General Data Protection Regulation (GDPR) is a law that has had a huge influence on geolocation data regulation. As defined by the GDPR, geolocation data consists of any information that a network or service collects about where a person’s digital device is or has been.
The GDPR emphasizes anonymity and consent for users, including the right to know which companies are providing the services they use and whether or not those companies are using their location data (and how). It also gives users the right to revoke access to their personal data at any time.
3. Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA is Canada’s law that governs personal information privacy. In public statements, Canada’s Office of the Privacy Commissioner (OCP) – the government branch that enforces this law – has declared that geolocation data is “information about an identifiable individual.”. This means any organization processing geolocation data has to adhere to “fair information” principles, including the right of users to access and correct their own data. These principles also place other limits on collecting, using, and retaining geolocation data as personal information.
4. California Consumer Privacy Act (CCPA)
Modeled on the GDPR and put into force in 2020, the CCPA is designed to give Californians more control over their personal data. Geolocation data, under the CCPA, is considered personal information, and so companies are required to disclose when they are collecting it.
Californians also have the right to ask what kind of location information is being collected, and how these types of data are being used. Additionally, Californians can legally request that a company not sell their location data to third parties, or even delete any of the data the company has already collected.
5. California Privacy Rights Act (CPRA)
An extension of the CCPA, the CPRA affords Californians even more rights for protecting their personal information. For instance, it lets Californians opt out of any service tracking their location to within 1,850 feet. It also allows Californians to opt out of having their geolocation data used for location-based or behavior-based advertising, consumer profiling, or automated decision-making. Furthermore, it requires companies to represent any transmission of geolocation data to other businesses for marketing purposes as a business transaction (“sale”).
The CPRA will come into full effect in 2023, but some of its provisions regarding personal data are already in force.
6. Consumer Data Protection Act (CDPA)
The CDPA is another state-specific privacy regulation in the US; in this case, Virginia. It defines geolocation data as sensitive personal information derived from technology (including, but not limited to, GPS) that can identify a person’s location to within 1,750 feet. However, it does not cover location data related to communications or utility metering.
It requires personal data controllers to get consent from consumers before collecting or processing their data. It will come into effect starting in 2023.
7. Network Advertising Initiative (NAI)
The NAI is a self-regulatory agreement for the US advertising industry, enforceable by the FTC. Marketing companies that commit to it must obtain opt-in consent from consumers before directly collecting or using their geolocation data, or at least receive reasonable assurance that any third parties they get this data from had explicit permission to collect it.This includes “imprecise” geolocation data, though rules for it are somewhat looser.
The NAI judges location data to be precise or imprecise based on at least four factors: how accurate it is, whether or not it includes a timestamp (and how precise that is), how dense the population is in the nearby area, and how many notable points of interest are in the nearby area.
8. Digital Advertising Alliance Self-Regulatory Principles (DAA Principles)
The DAA Self-Regulatory Principles are American regulations that cover advertising on websites and within mobile applications. They are enforced by the Better Business Bureau, the Association of National Advertisers, and the FTC. They define geolocation data similarly to the CCPA: data that is specific enough to give the physical location of an individual person or device. This includes GPS, cellular data, and WiFi signals, but doesn’t include things like ZIP codes, city names, or IP addresses.
Committed website owners or app publishers that allow advertisers to collect precise location information from users must get those users’ legitimate consent beforehand. They must also give “clear, meaningful, and prominent notice” to users that this data collection and transfer will happen if the user consents to it. Furthermore, they must include the following somewhere prominent on their website or app (usually in the privacy policy):
- a declaration of commitment to the DAA Principles
- a more thorough explanation of how collecting location data for advertising works
- a tool that allows users to opt out of having their location data collected
Geolocation data compliance under the California Consumer Privacy Act (CCPA)
We’ll devote some additional discussion here to the CCPA and its significance. The CCPA was modeled after the GDPR, and is currently seen as the most all-encompassing data protection legislation in the United States. It’s also serving as the blueprint for other state-specific data privacy laws in the US, such as in Virginia and Washington.
What is the CCPA, and who does it apply to?
The California Consumer Privacy Act is a data protection law specific to the US state of California, passed in 2018. However, the CCPA doesn’t just regulate businesses inside California. It also applies to companies in other US states and outside countries that want to collect Californians’ personal information. It’s estimated that over 500,000 businesses had to become compliant with the CCPA when it was brought into force in 2020.
An amended version of the CCPA, the California Privacy Rights Act (CPRA), is set to take effect in 2023. This will give Californians even stronger control over their personal data, including the right to a 1-year moratorium on businesses asking for consent to collect their personal information after a person has explicitly opted out.
How does the CCPA regulate the collection and use of geolocation data?
The CCPA defines personal information as that which directly or indirectly “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked with a particular consumer or household.” Under the CCPA, geolocation data is one of eleven categories of data considered to be personal information. This includes any information inferred from geolocation data that could relate to a consumer’s identity (e.g. what a person’s movement patterns might reveal about their residence, employment, lifestyle, or shopping habits).
As such, when residents of California go to use a product or service that may collect their geolocation data, they must be notified that this collection will happen and informed of what this collected information will be used for. They also have the legal right to opt out of this collection if they so choose. Additionally, the CCPA gives Californians legal rights to access any personal data a company has collected about them, and even to direct the company to delete any personal data it has already collected on the person in question.
The CCPA also covers situations where Californians would not reasonably expect to have their geolocation data collected. One is with mobile applications that provide non-location-related services; a notable example came up in a 2014 FTC case in which an app augmenting smartphones’ flashlight functions was collecting geolocation data without user consent.
Geolocation data compliance under the European Union’s General Data Protection Regulation (GDPR)
We’ll also take some time to discuss the GDPR in particular, as it’s currently one of the world’s most far-reaching, strict, and influential laws governing geolocation data. Several prominent companies have incurred large penalties for violating the GDPR, and several countries/territories have modeled their own privacy legislation on the GDPR’s rules.
What is the GDPR, and who does it apply to?
The General Data Protection Regulation is a privacy law that was adopted by the European Union in April of 2016, and came into force in May of 2018. It applies to all member countries of the European Economic Area (i.e. all member states of the EU plus Iceland, Norway, and Lichtenstein). In addition, although the United Kingdom withdrew from the EU and EEA in 2020, its privacy laws continue to function in virtually the same way as the GDPR.
Though the GDPR is based in the EEA, it applies to all personal data that could be transferred out of the EEA as well. That means any organization outside the EEA wanting to collect or process personal data from anyone inside the EEA still has to follow the GDPR. It doesn’t matter if an individual is a citizen of an EEA country, or even has a residence in one. As long as they are within the borders of the EEA, they are protected by the GDPR.
How does the GDPR regulate the collection and use of geolocation data?
Geolocation data, under the GDPR, is regulated as personal information because it is considered a type of data that is able to directly or indirectly identify an individual person (i.e. “data subject”). As such, lawful collection and use of geolocation data by an organization (i.e. “data controller”) must meet at least one of the following six criteria:
- A data subject actively consents to it (e.g. by clicking a link or marking a check box).
- It is for the purpose of entering into, or fulfilling, a legally-binding contract.
- It is required in order for a data controller to comply with a legal obligation.
- It is necessary for protecting the vital interests of a data subject or other person.
- It is needed for a task that advances the public good.
- It serves other legitimate purposes for the data controller or a third party.
Since “legitimate purposes” covers a broad range of activities, this criterion can be subject to additional restrictions. These include extra measures to anonymize the collected data, as well as strict limits on how long a data controller can keep this information before being required to destroy it.
The GDPR also covers the use of geolocation data for profiling. It defines “profiling” as using any automated means of processing someone’s personal data to analyze or predict certain facets about them, including where that person is and where they are likely to go. The GDPR allows for profiling as long as it’s not used in decisions that could have significant impacts on a data subject’s life (e.g. charging them with a crime). If profiling involves geolocation data, it may need to meet specific compliance criteria.
How to follow geolocation data privacy regulations
It’s true that there are many different laws governing how geolocation data can be collected, processed, and shared. And though these regulations may be based in certain jurisdictions, your company may still have to comply with them if it has customers, employees, or business partners in those places.
To make compliance a little easier, we’ll chunk the process down into a series of general tasks your company can complete.
1. Determine which privacy regulations apply to your company.
Consider the privacy laws in all the geographical areas where your company has employees, business partners, or customers. However, still check if your company is outside the scope of certain laws. For instance, certain jurisdictions may give exemptions to government bureaus, non-profit organizations, or colleges/universities.
Figuring out right off the bat which data privacy laws your company is or isn’t subject to has two interconnected benefits. First, it lets you identify which regulations actually apply so you can disregard the ones that don’t. Second, it lets your company establish not only how well it is already complying with its existing privacy obligations, but also how much more it will need to do to align with any applicable privacy legislation introduced in the future.
2. Evaluate what your company already does to protect personal data.
Once you’ve worked out what all of your company’s data privacy requirements are, you can start verifying whether or not your company’s current practices match them. Begin with the basics: what types of personal data your company collects about its contacts, where it’s stored, who has access to it, and under what conditions your company will share it.
From there, look at how well your company’s official data protection policies line up with both actual data practices and legal obligations. Ask yourself:
- Has your company clearly indicated to customers when and how their data will be collected and used?
- Are there specific protocols for how personal data is to be managed inside your company?
- Does your company place responsibility on business partners it shares personal data with to protect that data’s privacy as well?
- If a data breach occurs, is your company ready with a tangible action plan?
3. Add provisions to your company’s privacy policy for geolocation data.
The vast majority of laws around the world that govern personal data privacy consider geolocation data (or at least some forms of it) to be personal data. So if your company’s privacy policy doesn’t already have explicit terms regarding customers’ rights related to the collection, use, and sharing of their geolocation data, see that they’re added in. Failing to do so could land your company in trouble with certain regulatory bodies, who may judge this omission to be a deceptive business practice.
If you need an example to follow, check out Veraset’s privacy policy.
4. Train your company’s employees on why and how to properly manage collected geolocation data.
It’s crucial for your company’s employees to know the implications of managing geolocation data (whether it’s being collected, stored, or shared). They should comprehend what organizations (particularly your company) use it for, and the potential risks to consumers involved in doing so. This will help them have a clear understanding of why handling geolocation data responsibly is paramount.
This is an especially important step for employees who will be directly in charge of managing any geolocation data your company manages. But it’s also good for the rest of your company’s staff to get informed as well. Otherwise, there’s a greater risk an employee may accidentally expose data intimate enough to personally identify someone, or even purposely use this data for their own gain.
5. Work with third parties your company shares geolocation data with – or gets this data from – to build adequate data protection policies.
Your company may choose to acquire geolocation data from another business instead of trying to collect the data manually, or share geolocation data with another business, perhaps to provide a value-added feature to a product or service. In either case, make sure you have conversations with these business partners about their policies on collecting, managing, and using personal data.
For instance, ask about whether a third party may join the geolocation data your company shares with it to other types of personal information. As an example, some applications may facilitate posting an update on a social network after completing some sort of task. This could include arriving at a certain location, taking a picture of an identifiable place, completing a workout, or achieving a high score in a game.
Understanding the data management policies of third parties your company sources geolocation from – or shares geolocation data with – will help you choose business partners that will handle personal data responsibly. This helps protect your own company from bad press and possible legal trouble. More importantly, it helps to keep your customers’ data safe.
6. Create a mechanism for obtaining affirmative, informed consent before collecting geolocation data.
Many privacy regulations allow organizations to collect personal information only from individuals who explicitly opt in. So it’s important for your company to have a notice that allows for this at any point where a customer’s geolocation data might be collected. It should clearly explain the method through which this data will be collected, as well as the purposes for which the data will be used. It should also require the customer to take a clear and specific action if they consent to their data being collected. This could include having to click through a splash page or pop-up box before continuing to an app or website.
How to buy geolocation data while adhering to regulations
At Veraset, we don’t directly collect geolocation data from within applications using software development kits (SDKs). Instead, we license data from apps, SDKs, and other data aggregators, then combine these datasets, remove duplicate entries, and perform data cleansing to remove incomplete or bad data.
When using Veraset’s Movement and Visits product, you ensure you’re getting data that has been handled with care, as we work hard to ensure data compliance regulations are followed.
Veraset requires all of our data supply partners to comply with applicable data privacy law, including providing consumer disclosures and obtaining opt-in consent.
Veraset also requires all of our data science customers to comply with applicable data privacy laws and follow best practices, including never re-identifying the data of individuals.