
By Kelsey Finch
IAPP Westin Research Fellow

Location tracking has become a hot-button issue with implications for government surveillance, employee monitoring and consumer tracking online and in-store. Hundreds of millions of users carry a smartphone with them every step of the day, and as these devices send and receive electronic signals they silently map their users’ movements. More and more organizations are seeking to utilize this data, and while the industry for location tracking analytics is becoming more sophisticated, so too is the range of interested parties – including regulators.

Tracking Technologies

The most familiar technology traditionally used for tracking the physical location of individuals or objects is GPS, which operates by timing signals sent from orbiting satellites to compute the precise location of a device. With the advent of internet-capable mobile devices, location tracking has become easier, cheaper and more pervasive; there is now a broad range of tracking technologies and embedded tools available to facilitate location-based applications. Additionally, because smartphones constantly send and receive electronic signals to establish connections with cell towers and wireless networks, system operators can recognize and trace the MAC addresses of WiFi- and Bluetooth-enabled devices as they come into the range of their networks. Given the rapidly growing distribution of connection points, network operators can track a device holder’s movements on an increasingly granular scale, including following movements within a building, office or house, something that’s largely not possible with GPS.   

How Government Approaches Location Data

In January last year, the U.S. Supreme Court handed down U.S. v. Jones, a significant privacy decision that addressed location tracking by the government. Jones specifically established that when the police attached a GPS device to a suspect’s car for 28 days without a warrant and used the device to monitor the vehicle’s movements, they conducted an unreasonable search and seizure under the Fourth Amendment. However, the 5-4 majority opinion was narrowly tailored to the so-called physical intrusion involved in the act of attaching a GPS tracker to the suspect’s car. In addition, under what has been called the “mosaic” theory, a five-Justice plurality held that whether government conduct constitutes a search is measured not by analyzing any discrete act but rather the collective sum of different acts over time. The decision thus left open important questions concerning location-tracking practices that do not involve a physical intrusion or persistent and long-term observation.

Last week, in U.S. v. Katzin, the Third Circuit Court of Appeals became the first federal appellate court to address some of the Jones questions after the Supreme Court. One question was whether the installation of a GPS device on a suspect’s vehicle is authorized by “probable cause” even without an actual warrant. The Court resoundingly held it had “no hesitation in holding that the police must obtain a warrant prior to attaching a GPS device on a vehicle, thereby undertaking a search that the Supreme Court has compared to ‘a constable’s concealing himself in the target’s coach to track its movements.’” Strengthening privacy protections for location data, the Court rejected the government’s arguments in favor of a “good faith” exception to the warrant requirement. While Katzin did not expressly address the contours of the mosaic theory, it required a warrant even though the tracking “yielded the results [police] were after within several days.”

How Retailers Approach Location Data

Outside of the government context, one of the most heated arenas of the location privacy debate involves consumer rights. Retailers are increasingly taking advantage of their networked spaces to track consumer devices as they move within stores. These technologies track and analyze how consumers move through stores in order to determine “when stores are busiest, when queues are longest and how the positioning of products and promotional displays affects sales . . . It also means returning customers can be spotted without the need for facial recognition, by looking out for known device IDs.” Yaron Dori of Covington & Burling, LLP, recently discussed the legal implications of emerging privacy technologies in U.S. retail settings at the IAPP Privacy Academy.

Last week, the Future of Privacy Forum (FPF) teamed up with Senator Charles Schumer (NY) and seven leading analytics companies to release a “Mobile Location Analytics Code of Conduct.” This is a pivotal step in the promotion of “consumer privacy and responsible data use for retail location analytics,” setting forth enforceable, self-regulatory standards for mobile location analytics (MLA) in retail spaces.

Specifically, the code requires MLA companies to adhere to notice principles, providing consumers with both physical and web-based “privacy notices that are clear, short, and standardized to enable comprehension and comparison of privacy practices” regarding tracking of personally identifiable information. Notice requirements may further necessitate conspicuous signage in stores where mobile device tracking is present. Further, the code not only requires that personal data be de-identified, but also that companies explain in privacy policies what steps have been taken to anonymize it. The code precludes MLA companies from “collecting personal information or unique device identification information, unless it is promptly de-identified or de-personalized, or unless the consumer has provided affirmative consent.”

Any combination of MLA data with third-party data in a user’s profile must be disclosed in a privacy notice. Similarly, the code requires that companies establish and publish internal policies for limited data retention and deletion; preclude the collection or use of personal data for adverse employment, credit, health care or insurance purposes; and in the case of any onward data transfer, require that third parties contractually agree to act consistently with the code.

Most importantly, the code establishes a two-part consent scheme: MLA companies should (a) provide consumers a link to a central industry opt-out website for the collection of general device data; and (b) obtain opt-in consent in order to link personal data to a mobile device identifier or contact a consumer based on MLA information. Strengthening the value of these consumer choice options, the code’s final principle promotes consumer education through the establishment of a central industry site, standardized symbols and continued efforts to inform consumers about retail tracking.

The key outcome of the code – adoption of which is, of course, voluntary – is increased transparency for consumers. At the same time, the code accounts for four practical exclusions: It does not restrict the use of data necessary for operation of a network; for security; or for employment purposes; nor any data collection to which a consumer has affirmatively consented.

How Employers Approach Location Data

There are currently no federal laws restricting the use of GPS or mobile-device tracking by employers. And although in recent years Senator Al Franken (MN) has repeatedly proposed a “Location Privacy Protection Act,” it has yet to survive committee.

The few state laws relevant to mobile device tracking practices require only minimal disclosure of electronic monitoring. With “Bring Your Own Device” (BYOD) programs increasingly common, employers have more opportunities than ever to track their employees. A 2012 report indicated that 37 percent of companies tracked the device location of employees.

Even in the absence of strong statutory or regulatory requirements, most employers deploy a measure of notice-and-choice to gain their employees’ affirmative consent to tracking. This is usually achieved through employee handbooks, acceptable use policies or other agreements. Generally, employees possess little or no rights or expectations of privacy in employer-provided devices; further, these rights are highly dependent on the terms laid out in employer-specific policy guides. Continued use by an employee of a device that she knows has tracking capabilities generally constitutes “implied consent” to an employer’s collection and use of the device’s location data. Some employers simply advise workers to “turn off their work phones at night” if they do not want their whereabouts known.

Stronger employee protection has been accorded with regard to event data recorders (EDRs), the “black boxes” that car manufacturers install inside consumer vehicles for accident reporting purposes. While fourteen states have laws regulating EDRs, some permitting data use only with a vehicle owner’s consent, the majority of employees operate company-owned vehicles, and thus are exempted from the scope of individual privacy protection.

For employers operating outside of the U.S., however, the standards for employee privacy can be dramatically different. The EU, in particular, privileges individual privacy rights over employer interests in many circumstances, and takes a dim view with respect to an employee’s ability to consent to tracking activities in light of the inherent power imbalance between employers and employees.


Mobile devices and tracking tools are silently broadcasting individuals’ location on the job, in stores and as they drive around town. Different legal standards apply to the collection of location information by government agents, retailers and employers. Given the rapid pace with which mobile location analytics are progressing, and in light of significant new developments in the government and retail landscapes, it is more important than ever for consumers to understand and exercise their privacy rights over their personal location data.

