In his spiritual reflections on the distinction between what he called our "true selves" and our "false selves," Trappist monk Thomas Merton wrote, "To be unknown of God is altogether too much privacy." By this he meant, in part, to remind us that an unexamined life is the same as an unintended one, the kind of life that prevents us from achieving our true potential.

In a way, he also meant our patterns of behavior are the only legacy against which we can be judged. Though a life lived without intentionality or introspection may well mean "too much" privacy from ourselves, these same patterns of behavior form the fabric of the most intimate details of our lives. All of us choose to keep some of these details private from others for a wide variety of reasons.

As the U.S. Supreme Court has quoted many times, "What one seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected."

Under U.S. constitutional law, geolocation data is due special protections. When collected over time, location data revealing a person’s activities cannot be accessed by law enforcement without a judicial warrant. Recently, the ability of law enforcement to obtain similar data on the open market has come under scrutiny. But through a Fourth Amendment lens, as the Supreme Court explained in its 2018 Carpenter decision, an individual has a "legitimate expectation of privacy in the record of his physical movements." Specifically:

"Mapping a cell phone’s location over the course of 127 days provides an all-encompassing record of the holder’s whereabouts. As with GPS information, the time-stamped data provides an intimate window into a person’s life, revealing not only his particular movements, but through them his 'familial, political, professional, religious, and sexual associations.'"

It has been five years since this landmark ruling, but the U.S. legal understanding of the intimacy of location data has not yet been formally extended beyond the protections of the Fourth Amendment.

An investigative report this week in The Washington Post again highlights it is more than a theoretical possibility to reidentify individuals through "needle in the haystack" analysis of troves of phone-derived location data. The report focuses on a nonprofit Catholic group in Colorado that allegedly "spent millions of dollars to buy mobile app tracking data that identified priests who used gay dating and hookup apps and then shared it with bishops around the country."

A Catholic canon lawyer quoted in the article defended the effort because priests have different privacy rights than other people, at least when it comes to their church: "The promise of celibacy is a public act, it’s not a private commitment. It’s of public interest when those are violated in a scandalous way."

Setting aside questions of a faith group’s right to surveil its leaders — or its members for that matter — such stories of private surveillance capabilities continue to garner serious scrutiny from privacy advocates and regulators.

In the post-Dobbs landscape, we are witnessing a shift in our approach to understanding the intimacy of location data along with our shift in understanding of health-related data. Rather than focusing on the sensitive nature of precise location itself, or even the sensitivity of its collection over time, restrictions are emerging around the commercial use of data that reveals visits to sensitive locations.

For example, when the Colorado Privacy Act goes into effect later this year, opt-in consent will be required before controllers can make inferences about individuals’ sex life or sexual orientation. Colorado’s newly adopted rules on the CPA, set to be finalized in the next month, clarify that the law’s definition of sensitive data includes anything "revealing" the listed sensitive categories, including "inferences made by a Controller based on Personal Data, alone or in combination with other data, which indicate an individual’s racial or ethnic origin; religious beliefs; mental or physical health condition or diagnosis; sex life or sexual orientation; or citizenship or citizenship status."

The attorney general highlights inferences based on location data as the prime use case:

"While geolocation information at a high level may not be considered Sensitive Data, geolocation data which shows an individual visited a mosque and is used to indicate that individual’s religious beliefs is considered Sensitive Data under C.R.S. § 6-1-1303(24)(a). Similarly, geolocation data which shows an individual visited a reproductive health clinic and is used to indicate an individual’s health condition or sex life is considered Sensitive Data under C.R.S. § 6-1-1303(24)(a)."

Unlike most U.S. data privacy laws rooted in consumer protection, Colorado’s law also applies to nonprofit organizations such as the one implicated in the Post report. As this and other state laws come into effect, some expansion of data privacy protections over the patterns of our daily movements is arriving, but only for the residents of those states.

Here's what else I’m thinking about:

U.S. legislators have been busy introducing a handful of data privacy bills that fall outside of the usual consumer privacy activities of the commerce committees. Though none of these bills are expected to gain traction, they are worth noting as examples of ongoing legislative scrutiny over certain sectors and sensitive data categories.

  • The House Financial Services Committee approved a markup of the Data Privacy Act of 2023, which would modernize financial privacy laws like the Gramm-Leach Bliley Act covering financial institution privacy practices.
  • Sen. Ed Markey, D-Mass., joined by 15 colleagues, reintroduced the Facial Recognition and Biometric Technology Moratorium Act, which would "prevent the government from using facial recognition and other biometric technologies, which pose significant privacy and civil liberties issues and disproportionately harm marginalized communities."
  • On the health and location data front, Sens. Amy Klobuchar, D-Minn., Elizabeth Warren, D-Mass., and Mazie Hirono, D-Hawaii, introduced the Upholding Protections for Health and Online Location Data Privacy Act of 2023.

The U.S. Federal Trade Commission took the unusual step of publicly acknowledging an ongoing investigation after the House Judiciary Committee’s select subcommittee on the weaponization of the federal government published an interim staff report on the FTC’s oversight of Twitter that included excerpts of recent demand letters from the agency. As context, it is worth remembering the distinction between the FTC’s powers, in general, and its powers over companies that have signed consent orders. In a way that is only true of a small number of American companies, Twitter is subject to an FTC at the height of its power, with the authority to demand internal documentation, seek injunctions and impose financial penalties.

Gigi Sohn withdrew from consideration to serve as a commissioner on the Federal Communications Commission, after 16 months of waiting for Senate confirmation, leaving the agency in an ongoing 2-2 deadlock on any partisan matters. In a statement, Sohn condemned the "legions of cable and media industry lobbyists, their bought-and-paid-for surrogates, and dark money political groups with bottomless pockets" that she alleged distorted her "over 30-year history as a consumer advocate into an absurd caricature of blatant lies." Earlier, 22 LGBTQ advocacy organizations wrote in a letter that the delay to confirm Sohn was based in part on her private life, alleging that "homophobic tropes and attacks" were to blame.

Washington movers and shakers.

  • Deirdre Mulligan has taken a leave from teaching at UC Berkeley’s I School to serve as deputy chief technology officer for policy at the White House Office of Science and Technology Policy, where she will serve as a principal adviser to the National Artificial Intelligence Initiative Office
  • FTC Chair Lina Khan hired a "special advisor on stakeholder engagement." Sarah Miller is a prominent anti-monopoly advocate.

Upcoming happenings

  • April 3-5, IAPP hosts the Global Privacy Summit.

Please send feedback, updates and scandals to cobun@iapp.org.