BBB National Programs Insights
Location Data and Privacy
In today’s digital world, we carry around networked supercomputers that would make the machines that launched a rocket to the moon look laughable. The average user’s smartphone is packed with a number of apps: a weather app to tell them if it’s a good idea to throw on a rain jacket in the morning, a dating app to help them get a night on the town, a restaurant review app to help them choose a place to eat, their favorite map app to help them get to their destination, and a music app that contains a carefully-crafted library of songs and playlists.
Some of these apps use location data collected from a variety of sources— from triangulating cell towers, to WiFi signals, to the GPS satellite constellation (the network of 24 satellites that hovers over us 13,000 miles in space). That’s a lot of different ways to find out a user’s location!
Location data like this can be essential for an app to function—after all, a weather app is pointless if it doesn’t know where you are. But beyond helping an app function, location data is often transferred, collected, or sold to other parties. This is because advertisers and tech companies find this kind of data valuable. It helps them tailor particular ads to users on their devices, a phenomenon called interest-based advertising (IBA) or targeted advertising.
So, what’s the problem here?
This is one of the privacy paradoxes that consumers and businesses deal with today: location data is often essential to the functioning of an app and helps monetize new digital products, but it can also reveal sensitive information, such as if you’ve been to a political rally, a psychiatrist visit, a gun show, a gay bar, a church, or a marijuana dispensary. And no doubt, consumers are generally sensitive about the multitude of technologies on earth or in space, that help track them.
Thinking about using location data? Think hard!
If you’re an app developer thinking about using location, you have to be careful. Location data, if used or collected improperly, can be privacy kryptonite. For example, many app publishers rely on the standard permissions tool to ask users if they can collect this type of data (you know, that little box that says “allow X app to access this device’s location”). However, this little box doesn’t tell consumers that other parties might be collecting location data for interest-based advertising purposes. As a result, some jurisdictions have decided that relying on this permissions tool isn’t enough. Last year, the city of Los Angeles sued IBM’s Weather Channel app, alleging it wasn’t properly disclosing to users that location was being collected by third-party advertisers.
Learning about industry best practices for location
As the digital world evolves to become more privacy sensitive, if you’re an app developer, you might want to think about your obligations under the Digital Advertising Alliance (DAA)’s Self-Regulatory Principles— best practices for privacy. These industry guidelines include principles that cover the use of precise location data (data precise enough to identify a particular person or device).
Notably, the BBB National Programs Digital Advertising Accountability Program (Accountability Program) is an enforcer for these guidelines. The program has issued15 public actions involving ad tech companies and app publishers related to these principles and location data. So, if you have an app, following these guidelines as part of your broader privacy management strategy might help you avoid getting hit by an Accountability Program inquiry or a letter from a regulator. If you’re a consumer, you might want to read up on how app publishers are complying with these principles and building privacy tools into their apps’ user experience to help you take control of your digital footprint.
Let’s do a deep dive into compliance with the DAA Principles. If you’re an app publisher thinking about sharing location data for targeted ads, the first thing you need is a precise location data notice (PLD notice).
A PLD notice must provide a clear description of the fact that precise location data is transferred or collected from an app by an outside party. This notice must be placed on the app publisher’s website or be accessible through the app itself. It also has to include instructions for accessing a tool for providing or withdrawing consent. Critically, a consent withdrawal tool has to be clear and instructive. This type of tool can come in the form of:
- Following instructions from major operating systems to withdraw location permissions on an app-by-app basis
- Uninstalling the app
- Any other tool that allows consumers to withdraw consent for the collection and use of precise location data with respect to a specific application without changing their preferences for other applications
By the way, telling people to globally disable their GPS radio, WiFi radio, etc. is not compliant! Remember, a consent withdrawal tool has to be app specific.
Finally, a PLD notice has to include a statement of adherence to the DAA Principles, which is sort of like a little badge that shows your company follows these best practices.
The next step in your compliance adventure is to make sure you provide an enhanced notice to your users. What’s that, you say? Basically, an enhanced notice is a bridge to relevant information about data collection for targeted ads. It’s a practice that’s meant to do away with burying important information about privacy in a massive legal tome.
Usually, companies opt to create a pop-up window or a full screen display to serve as their enhanced notice for precise location data, but you can use any method you want so long as it’s in the right place, appears at the right time, and has a link that takes users to the PLD notice.
Consent is cool
Finally, to be compliant with the DAA Principles, you have to get consent from consumers for the third-party collection of their precise location data by third parties. You have to get consent prior to any collection of location data.
Sounds simple, right? WRONG!
It’s easy to mess this up, because app publishers often just use the operating-systems’ permissions tools for location to get consent (like we talked about above—remember that little box?). However, because these tools usually do not mention the collection of location data for IBA purposes, they’re not compliant by themselves. Therefore, you need to pair this type of tool with something else that indicates that a user’s location may be collected for IBA purposes. The good news is your enhanced notice should do the trick just fine when its coupled with this type of tool—just make sure your user sees the enhanced notice then you can go ahead and ask them if it’s okay to collect precise location data.
So, to recap… if you’re an app developer, you have to:
- Provide a precise location data notice/PLD notice
- Provide an enhanced notice that includes a link to this PLD notice
- Make sure that users consent to the third-party collection of precise location data for IBA
Location data has helped build some of the best apps, many of which are integral to our digital lifestyles. Without this data, we’d still be pulling up big maps crammed in our gloveboxes and flipping to the news channel in the morning to get the weather while we’re already late to work. But with great data comes great responsibility. If you’re an app developer thinking about using this data, make sure you follow the DAA Principles. If you’re a consumer, be sure to learn about the options that are provided to you by companies so you can make informed choices about your privacy.