‘Location, Location, Location’ Is Latest Challenge in Data Privacy Compliance
“For the first time in U.S. states, companies will need to collect meaningful permissions from their customers to gather and apply data relating to the customers’ position on the globe.”
Companies that collect and process data containing precise geographic locations of customers via their mobile devices are grappling with a new compliance nightmare as emerging state privacy laws consider such data to be “sensitive personal information.”
The privacy laws enacted or under debate in at least a dozen states portend potential penalties—up to $7,500 per intentional violation in California—in addition to other regulatory actions and class action suits. These threaten to kneecap the $69 billion location-based advertising market and other users of this data.
Consider the $392 million settlement Google reached with 40 states in November over allegations that the company tracked customers with their devices even after they’d turned off location tracking.
Also, last year, the Federal Trade Commission (FTC) sued the data brokerage company Kochava, alleging that its data could track mobile device users to healthcare clinics and other locations. A federal judge dismissed the FTC suit, determining that location data didn’t reveal personal information or injure consumers. The FTC fought back with an amended complaint.
And just this week a Massachusetts woman sued tech company Foursquare in federal court, alleging that it sold geolocation data to Uber and other companies in violation of the Massachusetts Unfair and Deceptive Business Practices Act.
But the panoply of state privacy laws cropping up, with their varying regulations concerning what constitutes “precise geolocation data,” will pose a particular challenge to in-house legal and compliance teams.
The California Privacy Rights Act (CPRA) defines precise geolocation data as that which is used by a device to locate a consumer within a geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet.
Got that?
Under Virginia’s law governing geolocation data, that distance is 1,750 feet.
For organizations that may be collecting and using precise geolocation data, “the first thing you need to do is find it. Then you say, ‘What are the rules here?’” said Christian Auty, a partner and a leader of the U.S. Global Data Privacy and Security Team at Bryan Cave Leighton Paisner.
Companies need to determine whether they’re collecting general location data or precise geolocation data. The latter has the potential to reveal personally identifiable information (PII) directly or when combined with additional data sources.
“Data mapping—knowing what data you have and where it lives—is foundational for any effective data privacy and cybersecurity strategy,” Tara Cho, a partner and chair of the privacy and cybersecurity team for Womble Bond Dickinson, said in the firm’s 2023 Global Data Privacy Law Survey Report released last week.
Much of this data collection is enabled by apps. Smartphones also can determine location by such things as cell triangulation, Bluetooth pinging, and Wi-Fi capture.
Auty said that under most privacy laws organizations need to develop “a clear and actionable strategy for obtaining consent” from consumers for collection and use of their precise geolocation.
“For the first time in U.S. states, companies will need to collect meaningful permissions from their customers to gather and apply data relating to the customers’ position on the globe,” Theodore Claypoole, a partner at Womble Bond, said in a client advisory. Given the “pervasiveness and intrusion” of location-targeted advertising, “I am surprised that legislatures were not faster to place limits on equipment and applications that track and record our movements,” Claypoole said.
Such consent generally comes in the form of allowing customers to opt out of the processing of personal data for targeted advertising or selling their data. Auty said it’s important for organizations to ask: “How am I processing the opt-out? What happens internally, in an auditable way, that carries through?”
In some cases, aggregate location data that does not provide PII is not affected by state privacy laws. Of course, what counts as depersonalized data is subjective, as Kochava learned from the FTC’s argument that such data theoretically could be used in a nefarious manner, even though the company argues its datasets don’t contain personally identifiable information.
According to the Womble Bond report, nearly 60 percent of executives with U.S. operations view tracking the status of legislation and differences between state laws as a challenge, “yet only 42 percent have completed comparisons of state privacy law frameworks.”
A not-insignificant 40 percent of those surveyed by the firm said they are “very concerned” about privacy laws that include restrictions on collecting geolocation data for targeted marketing. “Litigation and enforcement actions—especially among U.S. respondents—were named as top concerns,” the report said.
Womble Bond has been telling clients to take such steps as designating an internal project manager or owner. In addition, it suggests establishing a dedicated multidisciplinary team that includes compliance, legal, HR, IT, engineering, and marketing, and engaging with outside counsel related to the state law changes.
Setting metrics and specific goals to track compliance progress is among several other recommendations.
In a piece written for the International Association of Privacy Professionals, Jason Sarfati, chief privacy officer and vice president of legal at Gravy Analytics, worried that state privacy laws might amount to overreach by lawmakers. He noted that pseudonymous identifiers are used in such essential functions as city planning, supply-chain monitoring, and public safety.
Sarfati said that so-called mobile advertising identifiers, or MAIDs—unique, anonymous alphanumeric identifiers that iOS or Android assigns to each mobile device—fall short of identifying a specific individual unless combined with a matching table that contains details such as names, phone numbers, and other information. He said most mobility data analytics companies substitute such device identifiers with their own proprietary pseudonymous identifier.
“This, in and of itself, is a fantastic privacy control, as it enables aggregate-level analysis of the places we go, while also ensuring the risk of re-identification is appropriately mitigated,” he said. Unfortunately, Sarfati added, current definitions for precise geolocation data under state privacy laws “fail to appreciate this nuance.”
From: Corporate Counsel