By Kelsey Finch
IAPP Westin Research Fellow

Location tracking has become a hot-button issue with implications for government surveillance, employee monitoring and consumer tracking online and in-store. Hundreds of millions of users carry a smartphone with them every step of the day, and as these devices send and receive electronic signals they silently map their users’ movements. More and more organizations are seeking to utilize this data, and while the industry for location tracking analytics is becoming more sophisticated, so too is the range of interested parties – including regulators.

Tracking Technologies

The most familiar technology traditionally used for tracking the physical location of individuals or objects is GPS, which operates by timing signals sent from orbiting satellites to compute the precise location of a device. With the advent of internet-capable mobile devices, location tracking has become easier, cheaper and more pervasive; there is now a broad range of tracking technologies and embedded tools available to facilitate location-based applications. Additionally, because smartphones constantly send and receive electronic signals to establish connections with cell towers and wireless networks, system operators can recognize and trace the MAC addresses of WiFi- and Bluetooth-enabled devices as they come into the range of their networks. Given the rapidly growing distribution of connection points, network operators can track a device holder’s movements on an increasingly granular scale, including following movements within a building, office or house, something that’s largely not possible with GPS.   

How Government Approaches Location Data

In January last year, the U.S. Supreme Court handed down U.S. v. Jones, a significant privacy decision that addressed location tracking by the government. Jones specifically established that when the police attached a GPS device to a suspect’s car for 28 days without a warrant and used the device to monitor the vehicle’s movements, they conducted an unreasonable search and seizure under the Fourth Amendment. However, the 5-4 majority opinion was narrowly tailored to the so-called physical intrusion involved in the act of attaching a GPS tracker to the suspect’s car. In addition, under what has been called the “mosaic” theory, a five-Justice plurality held that whether government conduct constitutes a search is measured not by analyzing any discrete act but rather the collective sum of different acts over time. It thus left open important questions concerning location-tracking practices that do not involve a physical intrusion or persistent and long-term observation.

Last week, in U.S. v. Katzin, the Third Circuit Court of Appeals became the first federal appellate court to address some of the Jones questions after the Supreme Court. One question was whether the installation of a GPS device on a suspect’s vehicle is authorized by “probable cause” even without an actual warrant. The Court resoundingly held it had “no hesitation in holding that the police must obtain a warrant prior to attaching a GPS device on a vehicle, thereby undertaking a search that the Supreme Court has compared to ‘a constable’s concealing himself in the target’s coach to track its movements.’” Strengthening privacy protections for location data, the Court rejected the government’s arguments in favor of a “good faith” exception to the warrant requirement. While Katzin did not expressly address the contours of the mosaic theory, it required a warrant even though the tracking “yielded the results [police] were after within several days.”

How Retailers Approach Location Data

Outside of the government context, one of the most heated arenas of the location privacy debate involves consumer rights. Retailers are increasingly taking advantage of their networked spaces to track consumer devices as they move within stores. These technologies track and analyze how consumers move through stores in order to determine “when stores are busiest, when queues are longest and how the positioning of products and promotional displays affects sales . . . It also means returning customers can be spotted without the need for facial recognition, by looking out for known device IDs.” Yaron Dori of Covington & Burling, LLP, recently discussed the legal implications of emerging privacy technologies in U.S. retail settings at the IAPP Privacy Academy.

Last week, the Future of Privacy Forum (FPF) teamed up with Senator Charles Schumer (NY) and seven leading analytics companies to release a “Mobile Location Analytics Code of Conduct.” This is a pivotal step in the promotion of “consumer privacy and responsible data use for retail location analytics,” setting forth enforceable, self-regulatory standards for mobile location analytics (MLA) in retail spaces.

Specifically, the code requires MLA companies to adhere to notice principles, providing consumers with both physical and web-based “privacy notices that are clear, short, and standardized to enable comprehension and comparison of privacy practices” regarding tracking of personally identifiable information. Notice requirements may further necessitate conspicuous signage in stores where mobile device tracking is present. Further, the code not only requires that personal data be de-identified, but also that companies explain in privacy policies what steps have been taken to anonymize it. The code precludes MLA companies from “collecting personal information or unique device identification information, unless it is promptly de-identified or de-personalized, or unless the consumer has provided affirmative consent.”

Any combination of MLA data with third-party data in a user’s profile must be disclosed in a privacy notice. Similarly, the code requires that companies establish and publish internal policies for limited data retention and deletion; preclude the collection or use of personal data for adverse employment, credit, health care or insurance purposes; and in the case of any onward data transfer, require that third parties contractually agree to act consistently with the code.

Most importantly, the code establishes a two-part consent scheme: MLA companies should (a) provide consumers a link to a central industry opt-out website for the collection of general device data; and (b) obtain opt-in consent in order to link personal data to a mobile device identifier or contact a consumer based on MLA information. Strengthening the value of these consumer choice options, the code’s final principle promotes consumer education through the establishment of a central industry site, standardized symbols and continued efforts to inform consumers about retail tracking.

The key outcome of the code – adoption of which is, of course, voluntary – is increased transparency for consumers. At the same time, the code accounts for four practical exclusions: It does not restrict the use of data necessary for operation of a network; for security; or for employment purposes; nor any data collection to which a consumer has affirmatively consented.

How Employers Approach Location Data

There are currently no federal laws restricting the use of GPS or mobile-device tracking by employers. And although in recent years Senator Al Franken (MN) has repeatedly proposed a “Location Privacy Protection Act,” it has yet to survive committee.

The few state laws relevant to mobile device tracking practices require only minimal disclosure of electronic monitoring. With “Bring Your Own Device” (BYOD) programs increasingly common, employers have more opportunities than ever to track their employees. A 2012 report indicated that 37 percent of companies tracked the device location of employees.

Even in the absence of strong statutory or regulatory requirements, most employers deploy a measure of notice-and-choice to gain their employees’ affirmative consent to tracking. This is usually achieved through employee handbooks, acceptable use policies or other agreements. Generally, employees possess little or no rights or expectations of privacy in employer-provided devices; further, these rights are highly dependent on the terms laid out in employer-specific policy guides. Continued use by an employee of a device that she knows has tracking capabilities generally constitutes “implied consent” to an employer’s collection and use of the device’s location data. Some employers simply advise workers to “turn off their work phones at night” if they do not want their whereabouts known.

Stronger employee protection has been accorded with regard to event data recorders (EDRs), the “black boxes” that car manufacturers install inside consumer vehicles for accident reporting purposes. While fourteen states have laws regulating EDRs, some permitting data use only with a vehicle owner’s consent, the majority of employees operate company-owned vehicles, and thus are exempted from the scope of individual privacy protection.

For employers operating outside of the U.S., however, the standards for employee privacy can be dramatically different. The EU, in particular, privileges individual privacy rights over employer interests in many circumstances, and takes a dim view with respect to an employee’s ability to consent to tracking activities in light of the inherent power imbalance between employers and employees.


Mobile devices and tracking tools are silently broadcasting individuals’ location on the job, in stores and as they drive around town. Different legal standards apply to the collection of location information by government agents, retailers and employers. Given the rapid pace with which mobile location analytics are progressing, and in light of significant new developments in the government and retail landscapes, it is more important than ever for consumers to understand and exercise their privacy rights over their personal location data.

