Location Data and Privacy

Jan 14, 2020, 09:45 AM by BBB National Programs

In today’s digital world, we carry around networked supercomputers that would make the machines that launched a rocket to the moon look laughable. The average user’s smartphone is packed with a number of apps: a weather app to tell them if it’s a good idea to throw on a rain jacket in the morning, a dating app to help them get a night on the town, a restaurant review app to help them choose a place to eat, their favorite map app to help them get to their destination, and a music app that contains a carefully-crafted library of songs and playlists.

Some of these apps use location data collected from a variety of sources— from triangulating cell towers, to WiFi signals, to the GPS satellite constellation (the network of 24 satellites that hovers over us 13,000 miles in space). That’s a lot of different ways to find out a user’s location!

Location data like this can be essential for an app to function—after all, a weather app is pointless if it doesn’t know where you are. But beyond helping an app function, location data is often transferred, collected, or sold to other parties. This is because advertisers and tech companies find this kind of data valuable. It helps them tailor particular ads to users on their devices, a phenomenon called interest-based advertising (IBA) or targeted advertising.

 

So, what’s the problem here?  

This is one of the privacy paradoxes that consumers and businesses deal with today: location data is often essential to the functioning of an app and helps monetize new digital products, but it can also reveal sensitive information, such as if you’ve been to a political rally, a psychiatrist visit, a gun show, a gay bar, a church, or a marijuana dispensary. And no doubt, consumers are generally sensitive about the multitude of technologies on earth or in space, that help track them.

 

Thinking about using location data? Think hard!

If you’re an app developer thinking about using location, you have to be careful. Location data, if used or collected improperly, can be privacy kryptonite. For example, many app publishers rely on the standard permissions tool to ask users if they can collect this type of data (you know, that little box that says “allow X app to access this device’s location”). However, this little box doesn’t tell consumers that other parties might be collecting location data for interest-based advertising purposes. As a result, some jurisdictions have decided that relying on this permissions tool isn’t enough. Last year, the city of Los Angeles sued IBM’s Weather Channel app, alleging it wasn’t properly disclosing to users that location was being collected by third-party advertisers.

 

Learning about industry best practices for location

As the digital world evolves to become more privacy sensitive, if you’re an app developer, you might want to think about your obligations under the Digital Advertising Alliance (DAA)’s Self-Regulatory Principles— best practices for privacy. These industry guidelines include principles that cover the use of precise location data (data precise enough to identify a particular person or device).

Notably, the BBB National Programs Digital Advertising Accountability Program (Accountability Program) is an enforcer for these guidelines. The program has issued15 public actions involving ad tech companies and app publishers related to these principles and location data. So, if you have an app, following these guidelines as part of your broader privacy management strategy might help you avoid getting hit by an Accountability Program inquiry or a letter from a regulator. If you’re a consumer, you might want to read up on how app publishers are complying with these principles and building privacy tools into their apps’ user experience to help you take control of your digital footprint.  

 

Notice

Let’s do a deep dive into compliance with the DAA Principles. If you’re an app publisher thinking about sharing location data for targeted ads, the first thing you need is a precise location data notice (PLD notice).

A PLD notice must provide a clear description of the fact that precise location data is transferred or collected from an app by an outside party. This notice must be placed on the app publisher’s website or be accessible through the app itself. It also has to include instructions for accessing a tool for providing or withdrawing consent. Critically, a consent withdrawal tool has to be clear and instructive. This type of tool can come in the form of:

  • Following instructions from major operating systems to withdraw location permissions on an app-by-app basis
  • Uninstalling the app
  • Any other tool that allows consumers to withdraw consent for the collection and use of precise location data with respect to a specific application without changing their preferences for other applications

By the way, telling people to globally disable their GPS radio, WiFi radio, etc. is not compliant! Remember, a consent withdrawal tool has to be app specific.

Finally, a PLD notice has to include a statement of adherence to the DAA Principles, which is sort of like a little badge that shows your company follows these best practices.

 

Enhanced notice

The next step in your compliance adventure is to make sure you provide an enhanced notice to your users. What’s that, you say? Basically, an enhanced notice is a bridge to relevant information about data collection for targeted ads. It’s a practice that’s meant to do away with burying important information about privacy in a massive legal tome.

To provide enhanced notice to users, you have to provide some up-front language indicating that your app may share location data with third parties. This language must appear at the time the app is downloaded, at the time the app is opened, or at the time precise location data is first collected. This language has to include a link directing users to the PLD notice described above (for example: “We may collect your location data to serve you with better ads. Click here for our precise location data policy.”).  Finally, you also have to place the link to your PLD notice in your app’s settings or in your privacy policy.

Usually, companies opt to create a pop-up window or a full screen display to serve as their enhanced notice for precise location data, but you can use any method you want so long as it’s in the right place, appears at the right time, and has a link that takes users to the PLD notice. 

 

Consent is cool

Finally, to be compliant with the DAA Principles, you have to get consent from consumers for the third-party collection of their precise location data by third parties. You have to get consent prior to any collection of location data.

Sounds simple, right? WRONG!

It’s easy to mess this up, because app publishers often just use the operating-systems’ permissions tools for location to get consent (like we talked about above—remember that little box?). However, because these tools usually do not mention the collection of location data for IBA purposes, they’re not compliant by themselves. Therefore, you need to pair this type of tool with something else that indicates that a user’s location may be collected for IBA purposes. The good news is your enhanced notice should do the trick just fine when its coupled with this type of tool—just make sure your user sees the enhanced notice then you can go ahead and ask them if it’s okay to collect precise location data.

 

A recap:

So, to recap… if you’re an app developer, you have to:

  • Provide a precise location data notice/PLD notice
  • Provide an enhanced notice that includes a link to this PLD notice
  • Make sure that users consent to the third-party collection of precise location data for IBA

Location data has helped build some of the best apps, many of which are integral to our digital lifestyles. Without this data, we’d still be pulling up big maps crammed in our gloveboxes and flipping to the news channel in the morning to get the weather while we’re already late to work. But with great data comes great responsibility. If you’re an app developer thinking about using this data, make sure you follow the DAA Principles. If you’re a consumer, be sure to learn about the options that are provided to you by companies so you can make informed choices about your privacy.

 
The Digital Advertising Accountability Program protects consumers' privacy online by providing independent, third-party enforcement of cross-industry best practices governing the collection and use of data in online interest-based advertising. The Accountability Program also provides guidance to companies looking to come into compliance with the DAA’s principles and responds to complaints filed by consumers about online privacy.


Other Blog Articles

Blog

Defining 'Child-Directed' and Addressing New Technology: Discussing COPPA Updates at CARU 2020

On September 22, the 2020 CARU Conference kicked off the Fall Series with a keynote from the Federal Trade Commission’s (FTC)'s Peder Magee, and Phyllis Marcus, a Partner at Huton Andrews Kurth and one of the original authors of the Children's Online Privacy Protection Act (COPPA).
Read more
Blog

What Parents Need to Know About Mobile App and Device Permissions

If there is one thing most parents know, it’s that Kids. Love. Apps. But how do you determine what apps are "safe" for your child to download? If you want to evaluate an app to determine how safe your child’s data will be if they use it, let's start by understanding the permissions the app asks for.
Read more
Blog

Schrems II: What Do Privacy Shield Businesses Need to Know?

The July 16 decision from the CJEU, known as Schrems II, addressed two mechanisms for transferring EU individuals’ personal data outside the EU. As the situation continues to develop, and before making changes to their practices around international data transfers, businesses should pause to review their data flows, contracts, and substantive commitments, and their current chain of compliance and accountability for data received from the EU.
Read more
Blog

CARU’s Summer Series Wrap-Up: The Need-to-Know Takeaways from our Expert Speakers

Now at the halfway point of the CARU Conference 2020, it seems like a good time to reflect on the four sessions of the Summer Series that are under our belt and the key takeaways from our expert speakers.
Read more