It has been the year of location privacy.
The year was bookended with a series of groundbreaking enforcement actions from the U.S. Federal Trade Commission, beginning in January with XMode and ending this week with Gravy Analytics and Mobilewalla, as summarized in a recent FTC staff blog.
The FTC cases provide hefty precedent for the principle that precise geolocation data is sensitive, which is not a new idea. More importantly, through a unique and sustained use of the FTC's unfairness authority, these cases also make clear that a subset of location data — information that reveals individuals' visits to sensitive locations — is so special that it should never be sold to third parties, even if an individual has consented to the collection and use of their location data.
The FTC's fifth known investigation in this series remains embroiled in litigation, but the Kochava matter saw important complaint that dives deep into alleged business practices only hinted at in other location matters.
Agree to disagree
The amended complaint in the Kochava case also provided an opportunity to be reminded of the bipartisan nature of privacy concerns around sensitive locations. FTC Commissioner Melissa Holyoak issued a concurring statement supporting the ongoing litigation, one of the first public statements on privacy from the new Republican commissioner.
Echoing Holyoak's concerns, Commissioner Alvaro Bedoya's fiery concurrence to the Gravy matter focused on the achievement of aligning commercial practices with Fourth Amendment protections, especially in closing the ability of law enforcement to purchase commercial location datasets.
In her own concurring statement, Holyoak again showed support for this line of enforcement, with some procedural and substantive limitations. She cautioned against stifling legitimate advertising by overly limiting location data use across all contexts in comments that echoed a speech she delivered to the Network Advertising Division.
Commissioner Andrew Ferguson, too, is on board with this line of cases and the conclusion that it is unfair to sell nonanonymized precise location data without obtaining meaningfully informed consent or to collect and use this data from other parties without verifying consent. He dissents, however, from a separate unfairness charge related to selling inferences derived from location data about sensitive characteristics, calling this "indeterminate naughty categories list."
Holyoak fully dissented in the Mobilewalla case, sharing Ferguson's concerns but also with additional concerns that unfair collection and retention of data is too removed from harmful selling activities to meet the requirements of unfairness. Chair Lina Khan responds to Holyoak's concerns one-by-one in her concurring statement.
Enforcement from all sides
Meanwhile, and not to be outdone, the U.S. Federal Communications Commission settled its longstanding privacy investigations into the four major telecom companies, which I analyzed in a previous column. Those cases similarly reaffirmed the expectation that location data requires express affirmative consent to be shared with third parties.
Importantly, they also reminded data sellers that their responsibility for the spread of location data does not stop with contractual safeguards. We see this lesson echoed time and again this year: whether you are a buyer or seller of sensitive data, you must implement procedures to follow up on your contracting party.
We also began to see enforcement at the state level this year, as a few state comprehensive laws came into effect, with eight more to come in 2025.
The Texas attorney general's office began wide-ranging investigations into the entities that supply and market sensitive data, which appeared to focus on geolocation data alongside closely related data points, such as speed and movement data generated by cars and phones. The Texas approach serves as a reminder not only that new state laws have enforcement teeth, but also that they are built on the flexible foundation of consumer protection law.
And new laws keep coming
On the legislative side, 2024 state legislative sessions generated seven additional comprehensive privacy laws, all of which treat precise geolocation data as sensitive data that generally requires EU-style opt-in consent.
Maryland went even further, as Future of Privacy Forum Policy Counsel Jordan Francis, CIPP/E, CIPP/US, CIPM, explained in an IAPP analysis. Maryland's data minimization requirements divorce sensitive data from consent, requiring instead that processing sensitive data be "strictly necessary to provide or maintain a requested product or service," and entirely prohibiting the sale of sensitive data. Well, almost entirely.
And at the federal level, new national security restrictions on the export of sensitive data went into effect, with more to come. Not only do these limitations cover precise geolocation data, they include definitions of sensitive data far broader than any existing state privacy law.
Points of emphasis
As we approach the holiday season, what better way to commemorate the privacy lessons from the year — as delivered via geolocation enforcement actions — than through a festive listicle? Lacking as I am in any partridge, turtledoves, calling birds or assorted poultry, I must gift you instead with 12 takeaways:
1. Not all location data should be treated equal. Though precise geolocation data is sensitive and generally requires meaningful consent, datasets should also be scrubbed of "sensitive locations," with some exceptions provided for high-levels of consent with limited uses. Such locations include medical facilities, religious organizations, correctional facilities, labor union offices, education and childcare facilities, "associations held out to the public as predominantly providing services based on racial or ethnic origin," "locations held out to the public as providing temporary shelter or social services to homeless, survivors of domestic violence, refugees or immigrants" and military installations, offices or buildings.
2. The list of "sensitive locations" could continue to expand. As part of the mandated sensitive data programs in each of the FTC orders, the company is required to assess and update its list of sensitive locations regularly. In some orders, this also includes considering the addition of future categories, "such as those based on an announcement by a self-regulatory association." This is highly relevant given the Network Advertising Initiative’s recent embrace of "sensitive points of interest."
3. Sensitive inferences should also be handled with extreme care. Though FTC commissioners have more disagreement on this point, three of the four location complaints include a charge of some version of unfairly targeting consumers based on sensitive characteristics such as "medical conditions, political activities, and religious beliefs." This is separate from the improper collection and use of location data, as such inferences could be drawn from a variety of sources.
4. Sensitive data, generally, is also an ever-growing list. As technologies and norms change, it is important for privacy pros to remain flexible in applying rules for sensitive data to new data types that present similar risks as those explicitly mentioned in statute. Even as new statutes seem to include an ever-growing list of sensitive data types, many privacy laws also define sensitive data as an open-ended list, for example, "sensitive data includes …" This conceivably allows enforcers to read new sensitive data types into the law, especially when consumer protection norms would also support this expansion.
5. Safeguarding sensitive data is a shared responsibility. Suppliers, acquirers and users of geolocation data have all been on the hook this year. When data is sensitive but still used in a commercial context, every entity in the chain of control over that data must exercise enhanced caution. Those that collect data from consumers must find ways to include explicit disclosures and granular choices if they wish to use the data for purposes unrelated to delivering the service. Those that acquire and repackage this data must do so in a way that strips out sensitive locations, even as they verify adequate consent was received.
6. Contracts are not enough. Vetting partners in data transactions is a hands-on job, not just a paper exercise. The settlements with location data brokers include terms requiring contractual and other measures each company uses to verify data is not misused, including marking techniques to be able to identify datasets, annual assessments, and an explicit requirement to terminate relationships with data recipients that do not comply.
7. At a minimum, enhanced oversight of the use of location data should focus on three categories. The Gravy consent order includes explicit oversight instructions for the company to ensure it and all partners avoid "prohibited uses" of location data. This means ensuring location data is never associated with "(a) locations held out to the public as predominantly providing services to LGBTQ+ individuals such as service organizations, bars, and nightlife, or (b) locations of public gatherings of individuals during political or social demonstrations, marches, and protests" and to prevent the use of location data to "determine the identity or the location of an individual’s home."
8. Advertising opt-out choices should be interpreted to prevent the collection of location data. Even if browser- or device-based opt-out choices are generally interpreted as restrictions on the use of personal data rather than its collection — a view that is quickly going out of style as state laws require otherwise — the recent FTC orders require location data to be thought of differently. They ban the collection and use of location data from any device where the user has enabled setting to "opt out of, limit, or otherwise decline targeted advertising or tracking," unless additional consent requirements are met.
9. Follow the rules when you engage in real-time bidding. The unique elements in the Mobilewalla matter focus on the company's alleged practice of harvesting personal data from RTB exchanges even when it did not win the bid to serve an advertisement. This use of bidstream data is not only contrary to contracts for the RTB ecosystem, but also a realization of the potential for harms to consumers from the widespread availability of this data. FTC staff released a blog with further insights. Some may disagree on whether this is enough harm to violate Section 5, but nevertheless the lesson stands: the ad ecosystem is only as trustworthy as its least trustworthy partner.
10. Privacy officers need responsibility and authority. The location data orders require most of the companies to establish a qualified senior officer responsible for data privacy who reports directly to the board. This officer will oversee the mandated location privacy program, as well as the contractual and other measures required under the orders.
11. Unfair practices can take place at each stage of the data life cycle. Whether collecting sensitive data without affirmative express consent, using data in potentially harmful ways contrary to consumer's expectations, or even retaining sensitive data indefinitely, as alleged in the Mobilewalla matter, unfairness can pop up at any time. This is why privacy programs must be holistic, with policies and procedures across the data life cycle. Nowhere is this more important than when sensitive data is at issue.
12. When in doubt, leave it out. As U.S. privacy enforcement continues to heat up, there has never been a better time to "think like a regulator" when considering new products or services. Even if a practice does not explicitly violate black-letter privacy laws, if consumers may feel tricked, suffer financial harms, or suffer the privacy invasion of their intimate information spreading to third parties, it is best to say no.
My wish for 2025 is that when it matters most, privacy pros can practice saying "no" loudly, clearly and repeatedly.
Please send feedback, updates and your "bed down location" to cobun@iapp.org.
Cobun Zweifel-Keegan, CIPP/US, CIPM, is the managing director in Washington, D.C., for the IAPP.
