How is Geolocation Data collected?
When talking about Privacy and the Ad Tech environment, it is important to understand how geolocation data is collected and accessed by third parties. Over the past year, we have seen increased scrutiny around the collection of Geolocation Data. We see that privacy watchdogs and regulators around the globe have prioritized the regulation of geolocation data collection and use. Preparing for and complying with such shifts in the privacy landscape requires an accurate understanding of how geolocation data is collected and transmitted in the Ad Tech environment.
How geolocation data is collected
The hardware of devices collects geolocation data by detecting signals from their surroundings; this includes cell towers, nearby Wi-Fi networks, proximity to other devices, etc. These signals are interpreted by the devices to generate a precise location of the device.
Geolocation data is collected regularly and sometimes many times by various applications, including common applications like Facebook, Google, Amazon, etc.
Many websites also track locations, but the location data of the visitors may be derived from IP addresses. There are many business reasons for collecting location data, including providing personalized or just-in-time goods and services, targeted advertising, fleet planning, security, etc.
Location data is considered as sensitive PI in many states, including CA and VA.
How can privacy be strengthened when it comes to geolocation data?
Geolocation data is considered Sensitive Data under many regulations and hence requires additional care when handled throughout its lifecycle. Here are some ways in which privacy surrounding geolocation data can be strengthened
Precise geolocation should be avoided wherever possible
Extremely precise geolocation data is revealing and increases the chances of risks, especially in cases where such precise data is not required for the functioning of the mobile app features. Reducing the precision of the geolocation data to a point where the purpose of collection is met while still maintaining the privacy of the individual is recommended. Proximity of the device to other devices or signals can also be used instead of precise geolocation data.
Avoid persistent collection of geolocation data
Geolocation data collected persistently over a period of time is extremely revealing of a person’s identity, especially when combined with more geolocation data or other personally identifiable information. Continuous and frequent collection of geolocation data should be avoided, especially when it is not required for the purposes of its collection.
Provide proper disclosure to users
Users should be made aware of how their data is collected and processed, the purpose of collection, to whom their data is sent, and how they can exercise their privacy rights under the applicable regulations.
Maintain effective opt-out mechanisms
Mechanisms need to be in place for users to opt out of the collection of their geolocation data or submit requests to delete data that has already been collected. The details of such requests should also be passed on to any third parties who have received such data. The importance of providing users with the ability to opt-out was highlighted in 2021 when the Federal Trade Commission imposed a $2 million fine on OpenX Technologies for failure to provide users with the ability to opt out of the collection of precise geolocation data.
Carefully handle collected geolocation data
Since geolocation data is considered sensitive data in many cases, special care should be taken while handling the data throughout its lifecycle. Appropriate PETs should be employed, such as anonymization or pseudonymization techniques. Timely privacy assessments should be conducted on such data, access controls need to be put in place, and appropriate retention records should be applied and followed on such data.