Increased scrutiny around collection of Geolocation Data
Today, the geolocation of consumers is a valued component of their already extensive consumer profiles. Collected anywhere from maps to dating apps. Geolocation provides access to very intimate details of a consumer's life, activities and patterns in real time. Most regulations like CPRA, VCDPA, UCPA and CTDPA consider precise geolocation sensitive data and hence it requires special handling and stronger protection.
Recently, we have been seeing increased scrutiny around its collection by data brokers. The CNIL, Commission Nationale de l'Informatique et des Libertés, or the French Data Protection Authority has launched a 15-month investigation into the collection of consumers geolocation. More precisely, to check whether the app collected geolocation data is de-identifiable or not. If the data is identifiable, the consumers will need to be informed individually. The data they intend to use for the study is time stamped geolocation data from nearly 5,000,000 smart phone advertising identifiers. An advertising ID is a unique string of characters assigned to a mobile device. This ID is used by advertisers to track user's ad behaviour and personalize their offers. It is essentially a way to identify and understand the behaviour of a particular smart phone user. The data collected will be from over a period of 1 week in 2021. The investigation will link the various location points to a specific smartphone. In other words, the advertising ID’s will be used to track the locations of the smartphone. Should data subjects be identified, the processing of their data will be suspended until they are informed of the same. The CNIL “will verify the compliance with the GDPR of professionals in the [commercial prospecting] sector, in particular those who resell data, including, the many intermediaries in this ecosystem (also called data brokers)". The full resource can be found here The CNIL launches a study on geolocation data collected by mobile applications | CNIL
In another case highlighting the increased concern over the collection of geolocation data, an investigation led by the Canadian federal and provincial privacy authorities found the infamous fast food chain Tim Hortons in violation of Canadian Privacy laws as the chain's mobile app was tracking and collecting geolocation data every few minutes. This occurred even when the app was not open.
Privacy Commissioner of Canada Daniel Therrien said “Tim Hortons clearly crossed the line by amassing a huge amount of highly sensitive information about its customers. Following people’s movements every few minutes of every day was clearly an inappropriate form of surveillance,”
A research report by the Office of the Privacy Commissioner of Cananda highlighted the ease with which consumers can be identified by their movements. It was recommended that Time Hortons:-
1. Delete any remaining location data and direct third-party service providers to do the same 2. Establish and maintain a privacy management program that: includes privacy impact assessments for the app and any other apps it launches; creates a process to ensure information collection is necessary and proportional to the privacy impacts identified; ensures that privacy communications are consistent with, and adequately explain app-related practices; and 3. Report back with the details of measures it has taken to comply with the recommendations. The company agreed to implement all the above suggestions. Read more Report: Tim Hortons collected location data without consent • The Register, News release: Tim Hortons app violated privacy laws in collection of ‘vast amounts’ of sensitive location data - Office of the Privacy Commissioner of Canada
In yet another geolocation data related case, The FTC reached a settlement with OpenX technologies. The company had to $2 million in civil penalties for 2 reasons.
1. For not allowing people to opt out of the collection of precise geolocation data and 2. For violating COPPA by collecting personal information from children below the age of 13.
Even after choosing not to have their data collected, the company collected precise geolocation data from Android users. Further, the company collected personal data from children below the age of 13 without parental consent. The data collected was then passed to third parties who used it for targeted advertising. This is in violation of the federal child privacy protection law, COPPA. The company, along with the $2 million penalty, will have to delete data collected for targeted ads and implement a privacy program compliant with the applicable regulations. The full resource can be found here Where in the world is…? FTC challenges stealthy geolocation tracking and COPPA violations | Federal Trade Commission
The scrutiny around the collection of geolocation data has even reached Australia, with Deloitte Australia addressing the same in their 2022 Privacy Index. The report focuses on various privacy related issues, including information collected from consumers in the form of statistics. When it came to the collection of the geolocation data, the report found that 22% of the consumers were unlikely to allow their location to be shared by an online service when asked, 5% were likely and 34% were neither likely nor unlikely among others. Significantly, 82% are unhappy with their location information being shared with other brands. The two instances in which they are happy with the sharing of geolocation is when they are shown similar services nearby (56%) and the distances to nearby services (58%)
The company, in its Top Takeaways noted that the default settings around the collection and use of geolocation data should be in the interest of the consumers privacy and should protect it. The full report can be found here Deloitte Australian Privacy Index 2022 | Deloitte Australia | Risk Advisory
Given the attention and scrutiny the collection of geolocation data is facing, companies and data brokers will have to be mindful and aware of the ways in which it is done and how it is handled. Attention will have to be given to the existing laws in place, and the different nuances around geolocation data. Geolocation data is considered sensitive in most cases and therefore, will require additional, more careful handling throughout its lifecycle. Right from its collection, user consent is critical. As seen in the OpenX case, efficient, working opt out mechanisms need to be in place, and the requests of consumers must be respected. Users are privy to proper disclosure of matters relating to the collection and processing of their geolocation data. Clear information needs to be provided on how they can exercise their consumer rights. Further, timely assessments, proper storage and standard compliant removal and destruction practises will have to implemented.