Location tracking and the battle for digital privacy

While some online privacy issues can be subtle and difficult to understand, location tracking is very simple – and very scary. Perhaps nothing reveals more about who we are and what we do than a detailed map of all the places and people we visit, where we get medical treatment, where we practice our beliefs, where we turn for help in desperate circumstances like domestic abuse. Open access to our location data crosses a line that most of us can agree is going too far.

The data broker market for location tracking is a more than $12B a year industry that is rife with serious privacy issues. What’s on the line for consumers, beyond helping you book a ride or check the weather? If your data is sold to a data broker, the answer can be A LOT.

Of all the types of personal data collected without our knowing every day, precise location data is perhaps the most concerning. It shares more about us than we would ever want to share with strangers, and it can be misconstrued, manipulated and exploited with serious consequences.

Consider that this “sensitive personal” data can include the following:

• Where you go for medical care, and what type of medical care
• If you took your family to a domestic abuse shelter
• Where you practice your religion
• Where you kids are playing (if they have a cell phone)
• When you’re away on vacation, and where
• Where you shop and eat
• With whom you spend your time
• Where you bank, and the list goes on

Location information becomes a concern when it shows too much precision. The definition of “precise geolocation data” varies by state, but generally means within 1750 feet. And as we know, GPS can get down to 3 meters (the length of your car). Most state privacy laws now categorize precise geolocation data as “sensitive personal information,” and an increasing number of these laws are now requiring an explicit opt-in consent before collection.

Sharing our location data often starts with a legitimate use case, such as your maps app needing your location to work properly. The problem is that many apps use the data beyond the initial intended use case, and oftentimes our location data ends up with a data broker. Once this happens, our location data can be used for any number of other uses, from targeting us with an advertisement, to more serious issues like collections, stalking or worse.

There have been some infamous cases over the last few years including the FTC’s action against Kochava, which was accused of selling data that allowed unauthorized users to track access to reproductive clinics, places of worship and other sensitive locations.

Even more recently, we’ve seen cases against X-Mode and another private lawsuit against DRN, which tracks user movements via our license plates with special cameras and then sells the data to debt collection and repossession agencies. The trouble is that almost anyone who is willing to pay can access our most sensitive data, and it has been misused in some staggeringly bad cases.

How companies protect their data from violating geolocation regulations

The foolproof method is to not allow third party code on your apps or websites. But this may not be possible as many of these third parties provide critical services. Therefore, start by identifying the third parties on your apps or web sites which may be using geolocation data. iPhone users will get this prompt if precise geolocation data is being requested for use. Making sure this type of prompt is served on all platforms is critical.

Use contract controls with third parties. This contract needs to explicitly call out what data they are allowed to use, and that they are not allowed to sell or transfer precise geolocation data beyond the purposes you allow. For developers working on your web sites or apps, put controls in place to make developers aware of what they can and can’t do with user data.

Loopholes in phone location data privacy laws

Accessing our phone’s location data used to require law enforcement to get a search warrant. Legally, it still does. What happens when they don’t need to get a search warrant anymore? Moreover, anyone willing to pay can often access this data, so where does it stop?

We’re starting to see new laws like WA My Health My Data Act (MHMDA), not to mention action at the federal level regarding sharing data with foreign countries. However, once the data is collected by a third party, it’s often too late to control how it gets used. We must rigorously control second uses of our most sensitive data, particularly when it involves someone sharing it without our consent.

In addition to the WA MHMDA, other laws that address this include Connecticut and Nevada, and many more state agencies are following suit. There needs to be a federal law governing this too, at least one that sets a limit below which bad actors can’t go without being held accountable and liable.

How to stop data brokers

Your location data can be collected either through your mobile device, certain logged in accounts, internet connection and location services. To mitigate the risk of oversharing your data, make sure to at least do the following:

• Don’t authorize location sharing for apps on your phone that you don’t need.
• Make sure that you only authorize sharing “while using the app”.
• Don’t share “Find my Phone” with anyone except your most trusted friends and family.
• Review the list of third-party apps under location services. You are probably sharing more than you think.
• Apple also recommends not sharing ETA.
• If you have access to Apple’s Private Relay, turn that on, too.

Unfortunately, there is still only so much you can do, so lastly, make sure the companies you patronize offer clear and concise privacy information.