The Invisible Stalker - How to handle geolocation data
Location data has for some time been difficult for consumers, organizations, and regulators to get to grips with. The issue has gained prominence, particularly in the US and Canada, over the past few months as consumers become more aware that an invisible stalker is following them and tracking their digital footprints.
In June 2022, Tim Hortons came under scrutiny for collecting, using, and disclosing consumer locations. According to Tim Hortons, the data was used for targeted advertising. Tim Hortons collected app users’ geolocation not only while they were using the Tim Hortons app but also when they were not; in other words, it was collecting its app users’ location data at all times. Tim Hortons neither notified app users nor obtained their explicit consent to collect their geolocation data when they were not using the app. In a joint investigation, the Privacy Commissioners of Canada, Quebec, Alberta, and BC looked into (a) whether Tim Hortons obtained adequate consent from app users to collect and use their granular location data; and (b) whether it used GPS-based location information for a purpose that a reasonable person would consider appropriate in the circumstances.
The investigation concluded that Tim Hortons “did not collect or use personal information for appropriate purposes in the circumstances.” The OPC determined that (i) Tim Hortons did not have a legitimate need to collect the vast amounts of sensitive location information, since it was not using that information for its stated purpose; and (ii) the collection of personal information represented a loss of privacy that was not proportional to the potential benefits Tim Hortons may have gained from better-targeted advertising to promote its products.
The Office of the Privacy Commissioner of Canada (OPC) also noted that Tim Hortons did not obtain consent to process the information to the extent and in the manner that it did. Furthermore, “individuals cannot be made to consent to the collection, use, or disclosure of personal information when the purpose is not appropriate, reasonable or legitimate within the meaning of the Acts”. In other words, even where companies take the time to obtain consent, the purpose of the collection must still be appropriate in the circumstances. In this case, Tim Hortons had no business collecting geolocation data from app users at all times for the purpose of targeting them with advertisements. (Note: Tim Hortons was also sharing this location data with a third party, which the regulators investigated as well; however, that issue is beyond the scope of this article.)
Looking at our neighbours to the south, we find an intriguing dispute between the Federal Trade Commission (FTC) and Kochava Inc., in which the two parties filed suits against each other over the selling and sharing of geolocation data. In this instance, the geolocation data was collected and sold by a data broker. The data was precise enough to trace an individual’s movements and identify the locations they visited, including sensitive locations such as abortion clinics, places of worship, and domestic abuse shelters. The FTC took exception to this in the wake of the controversial 2022 decision overturning Roe v. Wade, given the harmful implications of selling geolocation data that may link individuals to abortion clinics. While there is some debate over the wide net the FTC is casting, and some circumspection about its targeting of ad tech companies, the FTC is relying on the FTC Act’s prohibition of “unfair or deceptive acts or practices in or affecting commerce”. The FTC argues that by selling data that tracks individuals, Kochava enables third parties to identify those individuals and expose them to threats of stigma, stalking, discrimination, job loss, and even physical violence.
Jumping forward a few months to December 2022: Google closed out an eventful year by settling two lawsuits brought by the Attorneys General of the District of Columbia (Washington DC) and Indiana over its default location settings. At issue were Google’s location tracking practices, which "can be used to infer personal details such as political or religious affiliation, income, health status or participation in support groups -- as well as major life events such as marriage and the birth of children.” This came on the back of Google settling other privacy lawsuits with a group of States. The three main themes in these lawsuits were disclosure, choice, and minimization of location data. Aside from the significant monetary settlements, $9.5 million and $20 million respectively, Google revamped its geolocation policies and practices to demonstrate responsible use of geolocation data and, more importantly, to avoid “deceptive and unfair acts”.
Looking across these cases, it is worth noting that privacy compliance is not black and white. Many companies serve as examples, fairly or unfairly, of what regulators, commissioners, and the law deem appropriate. These cases, which join a growing pile of similar cases across the US and Canada, give us insight into how companies that collect and use geolocation data can do so responsibly:
1. Have a good and comprehensive privacy program:
- have a process to ensure the geolocation data to be collected is necessary, and proportional to the potential privacy impacts identified;
- conduct privacy impact assessments on the collection of geolocation information to identify and remediate privacy risks; and
- have mechanisms to ensure that privacy communications are transparent, consistent with your processing activities, and adequately explain them.
2. Be transparent and reasonable:
- ensure your privacy notice covers all processing activities and disclosures of information and where required obtain consent; and
- understand what a reasonable user would expect when providing you with their information and comply with that reasonable expectation or notify them further.
3. Obtain consent and disclose what you are doing with information:
- where there is precise geolocation tracking, explicit consent is required;
- the disclosure to consumers must be unavoidable, providing the user with clear instructions on how to disable the feature and delete any historical data;
- maintain a clear and conspicuous webpage with details on location technologies (e.g., the types of location information collected and stored, their sources, the circumstances of collection and retention, the frequency of collection, the effect that enabling or disabling the feature has on retention, and any limitations the user can enact);
- retention periods should be made clear as well as how users can delete their own information;
- the disclosure must include a hyperlink to the location technologies page; and
- notify users by email of any material change to your privacy notice concerning the collection and storage of users' location information.
4. Include disclosure and consent where required into the account creation flow:
- create and implement clear and conspicuous disclosures regarding the collection, retention, and use of location information, including, but not limited to GPS, IP address, device sensor data, Wi-Fi data, and Bluetooth data, that the user agrees to prior to creating an account;
- include a hyperlink to the location privacy disclosure; and
- advise users of location-related account settings enabled by default and provide users with the option to disable the settings.
5. Have account controls in place to ensure privacy is upheld:
- Users must be provided with the ability to disable a location-related account setting and delete the location information stored by that setting in a single, continuous flow without needing to exit or renavigate to a separate page.
6. Only use and retain information for a purpose and within a reasonable time:
- refrain from sharing a user's precise location information with a third-party advertiser without the user's express consent;
- automatically delete location information derived from a device or from IP addresses within thirty (30) days of collection of such location information;
- automatically delete location history data for inactive users within 180 days of the user receiving an email notification that their data in location history will be deleted unless users take steps to keep their data (the notification must be sent within ninety (90) days of the user becoming inactive); and
- before materially changing how precise location information is used, conduct a privacy impact assessment and update your notices and, if necessary, consent.
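To make the retention and notification rules in item 6 concrete, here is an added example of a daily retention sweep. It is written for this article and is not code from any of the settlements or companies discussed. It assumes a simplified data model (a `LocationRecord` per device- or IP-derived fix, and a `HistoryAccount` per user with location history), an assumed 60-day inactivity threshold for sending the notice (the terms above only fix the 90-day outer deadline, so the threshold is a design choice that leaves slack), and constructed sample data; the 30-, 90-, and 180-day limits are the ones listed above. It also handles two edge cases the list implies but does not spell out: a user who returns after the notice is active again, so the old notice is void, and a user who took steps to keep their data is never deleted.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Retention limits taken from the settlement terms summarised in item 6.
RAW_LOCATION_TTL = timedelta(days=30)      # device/IP-derived location: delete 30 days after collection
NOTICE_DEADLINE = timedelta(days=90)       # deletion notice must go out within 90 days of inactivity
NOTICE_TO_DELETION = timedelta(days=180)   # history deleted 180 days after the notice unless the user acts
# Assumption (not from the article): an account counts as inactive after 60 days without
# activity, which leaves 30 days of slack before the 90-day notice deadline.
INACTIVITY_THRESHOLD = timedelta(days=60)


@dataclass
class LocationRecord:
    record_id: str
    user_id: str
    source: str            # "gps", "ip", "wifi", "bluetooth", ...
    collected_on: date


@dataclass
class HistoryAccount:
    user_id: str
    last_active_on: date
    notice_sent_on: date | None = None   # when the deletion warning email went out, if ever
    opted_to_keep: bool = False          # user took steps to keep their data after the notice


def expired_raw_records(records, today):
    """IDs of device/IP-derived location records that have reached RAW_LOCATION_TTL."""
    return [r.record_id for r in records if today - r.collected_on >= RAW_LOCATION_TTL]


def history_actions(accounts, today):
    """Per inactive account, decide whether to notify, delete history, or flag an overdue notice."""
    notify, delete, overdue = [], [], []
    for a in accounts:
        inactive_for = today - a.last_active_on
        if inactive_for < INACTIVITY_THRESHOLD:
            continue                                   # active user: nothing to do
        if a.opted_to_keep:
            continue                                   # user chose to keep their data: never delete
        # A notice only counts if it was sent after the user's last activity;
        # a user who returned after the notice starts a fresh cycle.
        notice = a.notice_sent_on if (a.notice_sent_on and a.notice_sent_on >= a.last_active_on) else None
        if notice is None:
            notify.append(a.user_id)                   # send (or re-send) the 180-day warning email
            if inactive_for > NOTICE_DEADLINE:
                overdue.append(a.user_id)              # compliance gap: notice should already have gone out
        elif today - notice >= NOTICE_TO_DELETION:
            delete.append(a.user_id)                   # notice period elapsed, user did not act
    return {"notify": notify, "delete": delete, "overdue": overdue}


# Constructed sample data for a sweep run on 2023-06-30.
TODAY = date(2023, 6, 30)
SAMPLE_RECORDS = [
    LocationRecord("r1", "alice", "gps", date(2023, 6, 25)),   # 5 days old: keep
    LocationRecord("r2", "alice", "ip", date(2023, 5, 31)),    # exactly 30 days old: delete
    LocationRecord("r3", "bob", "wifi", date(2023, 3, 1)),     # long expired: delete
]
SAMPLE_ACCOUNTS = [
    HistoryAccount("alice", date(2023, 6, 20)),                                     # active
    HistoryAccount("bob", date(2023, 4, 15)),                                       # 76 days inactive: notify
    HistoryAccount("carol", date(2023, 2, 1)),                                      # 149 days, no notice: overdue
    HistoryAccount("dave", date(2022, 11, 1), notice_sent_on=date(2022, 12, 20)),   # 192 days since notice: delete
    HistoryAccount("erin", date(2022, 11, 1), date(2022, 12, 20), opted_to_keep=True),  # kept: never delete
    HistoryAccount("frank", date(2023, 1, 10), notice_sent_on=date(2022, 12, 20)),  # returned after notice: fresh cycle
    HistoryAccount("gina", date(2023, 1, 1), notice_sent_on=date(2023, 2, 1)),      # 149 days since notice: wait
]


def demo():
    """Run the sweep over the constructed sample data and return every action list."""
    return {"expired_raw": expired_raw_records(SAMPLE_RECORDS, TODAY),
            **history_actions(SAMPLE_ACCOUNTS, TODAY)}


if __name__ == "__main__":
    for action, ids in demo().items():
        print(f"{action}: {ids}")
```

The `overdue` list is the part worth wiring to an alert: it only fills up when the sweep itself has failed to run for more than a month, so any entry there is evidence that the 90-day notice commitment was missed, not just a routine action.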
Collecting geolocation information is not prohibited; however, companies that collect precise geolocation information need to play by the rules. In fact, they should want to be transparent and give their users choices; otherwise they risk being viewed as a “creepy stalker”, which is the opposite of building trust and loyalty with customers.