“Tag, You’re Tracked!” Mapping Boundaries and Navigating Teen Privacy
Nina-Belle Mbayu, Counsel, Privacy Technology, Privacy Initiatives, BBB National Programs
Picture this: your teenager is at a local coffee shop getting their favorite drink, a blueberry matcha, and tags the shop and its location on Instagram. Typical, right? But did you know that with new map-based updates, there is an increased likelihood of complete strangers – potentially even those who have not seen the post -- knowing both your teen’s drink of choice, as well as their real-time location?
A number of social media companies (such as Instagram, Snapchat, and Life360) allow users to share their real-time location within their posts via maps-based features that are growing in popularity. However, recent high-profile settlements and enforcement actions with Apitor, GM/OnStar, XMode, Healthline, and others show that scrutiny of location data practices is also increasing. So, what’s causing all this commotion? This blog will examine the different levels of location tracking, recent state-level updates to protect this data, and implications for teenagers.
While no federal-level laws broadly cover teens (13-17 years old) in this specific context, the Federal Trade Commission (FTC) has been increasing its scrutiny of social media companies’ personal data collection practices that impact this age group. The FTC’s recent $10 million settlement with Disney and COPPA Rule updates also highlight federal oversight in how companies use children’s data (under 13 years old) and underscore the value of companies being more cognizant of social media websites’ potential use of such data for advertising.
Next, tech-focused risks include the fact that while location data may be “temporary” by being publicly displayed for 24 hours, such data is collected and stored for longer periods. This database of movements can be hacked, leaked, or otherwise sold, particularly when paired with the lack of uniformity in state laws for precise location data. Most importantly, tech gaps may result in accidentally sharing users’ precise location sharing without their consent. This is especially concerning since many platforms cannot verify a user’s being under 13 (or under 18) beyond self-attestations.
While some states like Utah and Arkansas have regulations requiring more thorough age verification, these regulations are both rare and heavily contested. No federal privacy law currently exists to broadly regulate the processing of sensitive geolocation data (the Department of Justice’s Bulk Data Rule has narrow applicability), whether used for its primary purpose intended to operate an app or service, or for secondary purposes like targeted advertising.
But, the FTC has indicated it is watching when it comes to the processing of sensitive geolocation data for secondary purposes such as advertising in cases like the one against data broker Kochava. The FTC has also come down hard on companies like Apitor that were sharing children’s geolocation data without consent. Still (for now), it’s mainly up to parents and companies to consider safeguards to protect teens.
Picture this: your teenager is at a local coffee shop getting their favorite drink, a blueberry matcha, and tags the shop and its location on Instagram. Typical, right? But did you know that with new map-based updates, there is an increased likelihood of complete strangers – potentially even those who have not seen the post -- knowing both your teen’s drink of choice, as well as their real-time location?
A number of social media companies (such as Instagram, Snapchat, and Life360) allow users to share their real-time location within their posts via maps-based features that are growing in popularity. However, recent high-profile settlements and enforcement actions with Apitor, GM/OnStar, XMode, Healthline, and others show that scrutiny of location data practices is also increasing. So, what’s causing all this commotion? This blog will examine the different levels of location tracking, recent state-level updates to protect this data, and implications for teenagers.
Location Tracking 101: Precise Location and Geolocation
Having access to a person’s location can allow companies to piece together many details about that person’s everyday life, down to the most intimate details. However, part of what makes the location tracking controversy difficult to analyze is the nuance between precise geolocation (referred in this blog as “precise location”) and geolocation. Often used interchangeably, each term has a different literal meaning and (in many instances) different legal ramifications. Let’s walk through the distinctions:- Precise Location Data is data that can identify a person’s location within a specific radius. This includes GPS coordinates, Bluetooth beacon proximity, and data that can locate someone within a specific, defined radius of feet or meters. How “precise” is precise depends on the law and region. For example, precise location has been defined at the federal level as location data that identifies the physical location of an individual or a device within 1000 meters (3280 feet). States typically define it as within a 1750-1850 meter range. Importantly, several states include precise location as a type of “sensitive data” (also known as “sensitive personal information”), as it can identify sensitive and intimate details related to healthcare, religion, and overall lifestyle.
- Geolocation Data is broadly defined as data that indicates the general location of a device or person. This can include IP address-based location (e.g., city or region), cell tower triangulation, and Wi-Fi network proximity. It’s typically less granular and may not pinpoint an exact physical location within a closely defined radius. This category of location data is generally not treated as sensitive data for legal and regulatory purposes – but geolocation is a category of personal information under the Child Online Privacy Protection Act (COPPA) that calls for verifiable parental consent if COPPA applies to your target audience and respective business practices.
Teenage Privacy + Precise Location Tracking: Regulation at the State Level
State-level regulation of precise location data continues to rise in the U.S., especially in relation to the precise location data of teens that isn’t captured in federal law. For example, here is a snapshot of select states that define precise location as sensitive data:- Location-Specific Laws and Regulations: Regulations in states like Connecticut (currently in effect) and Colorado (going into effect on Oct. 1) prohibit the collection of minors’ (under 18) precise location data without their consent (or parent/guardian consent if under 13). Additionally, companies must provide a persistent signal to minors that their precise location data is being collected.
- Design Codes: California enacted its Age-Appropriate Design Code (CAADC) in 2022, modeled after the United Kingdom design code. The CAADC prohibits sharing or selling minors’ (under 18) precise geolocation data and permits collecting such data only when strictly necessary to fulfill services to the user. Maryland, Nebraska, and Vermont have also enacted age-appropriate design codes (AADCs) as of August 2025, and several other states have proposed the same. While enforcement in states like California and Maryland are impacted by legal/constitutional challenges, the uptick in AADCs signal state-level attempts to hold social media companies accountable for safer design standards.
While no federal-level laws broadly cover teens (13-17 years old) in this specific context, the Federal Trade Commission (FTC) has been increasing its scrutiny of social media companies’ personal data collection practices that impact this age group. The FTC’s recent $10 million settlement with Disney and COPPA Rule updates also highlight federal oversight in how companies use children’s data (under 13 years old) and underscore the value of companies being more cognizant of social media websites’ potential use of such data for advertising.
Risks and Safeguards Associated with Location Sharing
Beyond the general risks of teens using social media apps, including mental health concerns associated with prolonged use, there are unique risks tied to increased location sharing. First, teens may not clearly understand what it means to opt-in for precise location sharing. Many teens accept followers they don’t personally know, increasing the group of people who may know their real-time location even if limited to just followers. Concerns cited by a group of Senators and Attorneys General include stalking, harassment, and other forms of exploitation.Next, tech-focused risks include the fact that while location data may be “temporary” by being publicly displayed for 24 hours, such data is collected and stored for longer periods. This database of movements can be hacked, leaked, or otherwise sold, particularly when paired with the lack of uniformity in state laws for precise location data. Most importantly, tech gaps may result in accidentally sharing users’ precise location sharing without their consent. This is especially concerning since many platforms cannot verify a user’s being under 13 (or under 18) beyond self-attestations.
While some states like Utah and Arkansas have regulations requiring more thorough age verification, these regulations are both rare and heavily contested. No federal privacy law currently exists to broadly regulate the processing of sensitive geolocation data (the Department of Justice’s Bulk Data Rule has narrow applicability), whether used for its primary purpose intended to operate an app or service, or for secondary purposes like targeted advertising.
But, the FTC has indicated it is watching when it comes to the processing of sensitive geolocation data for secondary purposes such as advertising in cases like the one against data broker Kochava. The FTC has also come down hard on companies like Apitor that were sharing children’s geolocation data without consent. Still (for now), it’s mainly up to parents and companies to consider safeguards to protect teens.
- Safeguards for Parents: If you have supervisory access, restrict access to location sharing and enable notifications to ensure you are updated when your teen posts their location. Make sure your teens understand the inferences that can be made on posts with tagged locations, the risks associated with sharing real-time location (even if just for 24 hours), and the more serious harm connected to sharing real-time location.
- Safeguards for Social Media Companies: Companies should consider implementing stricter safeguards like outright disabling location-sharing capabilities for child accounts (per the AGs recommendations) and improve supervisory capabilities and notifications for parents. Next, companies should create clear notice and risk alerts that are simple for children and teens (and adults) to understand, and they should simplify opt-outs. This helps to strike a balance between protecting children and teens, improving consumer choice and transparency for all users, and avoiding what has been described by AADC opponents as unconstitutional content regulation that hinders free speech.
- Use of the TAPP 2.0 Roadmap: Companies can look to resources like the TeenAge Privacy Program (TAPP) Roadmap, created by BBB National Programs’ Center for Industry Self-Regulation with multi-stakeholder input, specifically to help companies identify the harms associated with various features and data privacy requirements impacting teen online privacy.