The Continued Regulation of Geolocation Data

There is a myriad of geolocation data use-cases in mobility and automotive applications and other software applications. While geolocation functionality can provide valuable, direct benefits to consumers, consumer advocates maintain that the disclosure of consumer geolocation data poses real safety and privacy concerns. Geolocation regulation and test-case enforcement is here: state legislatures are beginning to regulate the collection, use, disclosure and sale of consumer geolocation data and the Federal Trade Commission is actively pursuing litigation in U.S. District Court against a geolocation data broker in FTC v. Kochava Inc¹. This commentary focuses on the use-cases where geolocation data is collected after the point of sale for purposes directly benefiting the user. Whether helping users navigate unknown locations or facilitating public safety personnel reaching stranded motorists, certain geolocation use-cases in mobility and automotive applications provide valuable and immediate benefits to consumers and can be safely deployed with risk mitigation strategies.

When consumers given the option to “turn on” or “opt out” of geolocation tracking, the added functionality provided by geolocation-enabled solutions is legally justifiable. While the sale of geolocation data and targeted marketing practices are facing increasing regulation, distinguishing the use of geolocation data for these consumer-functionality use-cases from the uses that are being targeted is critical and strategic. When geolocation and other personal data are processed or used in ways that do not further requested services by consumers (I.e., are not tied to a legitimate business purpose or activated by consumers), the justification for its use wanes.

U.S.-based privacy laws and regulations continue to be enacted to provide individuals with increased rights to control the use of their personal data and restrict the processing of the most sensitive of personal data, including geolocation data. At least three states (California, Connecticut and Virginia) have classified geolocation data as “sensitive personal data” (SPI), requiring heightened levels of transparency and opportunities for consumers to control or limit the use of geolocation data. Indeed, the California Consumer Protection Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides data subjects with the specific right to limit use and disclosure of SPI. And other states are considering passing similar statutes.

Businesses should consider enhancing their data governance and consent management frameworks to provide consumers with choice in all tiers of the data lifecycle — from source and point of collection. With headwinds signaling more states restricting the use of geolocation data, it behooves companies to reevaluate geolocation use cases for appropriate notice, consent and processing. These three considerations go hand in hand: transparent and specific notice permits consumers to exercise informed consent and capturing that consent provides the legal basis for processing SPI, like geolocation data, as a best practice and beyond.

Notice, Consent and Processing Best Practices

• Privacy Notices and Terms of Use: in plain language, clearly articulate what and why personal data and SPI is collected and by who (including any third party collecting or processing of the geolocation data). If collection and processing is conducted by a third party with no pass-through of SPI to the manufacturer, this should be stated and the consumer directed to the privacy policy and terms for these third parties.
• Practice Data Minimization and Pseudonymization: consider policy against acquiring access to geolocation data that is not connected to a legitimate reason consistent with the consumer’s consent at time of collection. Collecting or processing or holding on to SPI “just in case” it is needed later is not a legitimate purpose. Even if there is a legitimate purpose, consider pseudonymization of the data to shrink legal exposure related to mishandling of the data and to limit data subject requests.
• Implement Consent Management and Data Governance Framework: new requirements to secure the opportunity of consumers to consent to and opt out of the processing of SPI throughout the data lifecycle means that a business subject to notice, consent, and opt out rules may have to readily provide to regulators (and per data subject requests in California) a written record with the appropriate scope of processing detail.

About the Authors

The views and opinions expressed in the article represent the view of the authors and not necessarily the official view of Clark Hill PLC. Nothing in this article constitutes professional legal advice nor is it intended to be a substitute for professional legal advice.

Clark Hill PLC is an MMA Premium Associate Member and has been an MMA member since February 1908. Visit online: clarkhill.com.

¹For FTC court filings and press releases in Kochava see https://www.ftc.gov/legal-library/browse/cases-proceedings/ftc-v-kochava-inc. In this action, the FTC alleges that Kochava and an affiliate data broker is enabling others to identify individuals at sensitive locations like reproductive health centers and places of worship and exposing them to threats of stigma, stalking, discrimination, job loss, and physical violence.