Last fall I spoke at the IAPP Privacy. Security. Risk. conference about the intersection of privacy and geolocation data. The timing could not have been more prescient as, for the first time ever, state-level privacy laws (Connecticut, Virginia, California Privacy Rights Act) had officially declared geolocation data to be "sensitive."
Since then, a variety of state-level privacy laws have also declared some version of the words “precise location data” to be sensitive. Equally important, the U.S. Congress has upped the ante on this trend with the current draft of the American Data Privacy and Protection Act, which also declares location data to be sensitive and places near-draconian restrictions on third-party processing of this data.
What exactly is geolocation data?
In the Annotated Text of the California Privacy Rights Act, precise geolocation is “any data that is derived from a device and that is used or intended to be used to locate a consumer within a geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet.” Lost in translation, however, is one fundamental question all mobility analytics companies ask when processing this type of data — can we tell who this device belongs to?
Misunderstandings around identifiability have tragically led to a significant overreaction from legislators and privacy advocates alike. Even more importantly, essential use cases around city planning, supply chain monitoring, and public safety — all of which leverage pseudonymous identifiers — appear to be on the chopping block if legislative efforts like the ADPPA come to fruition.
We clearly need a new approach. The task before us is to build an alternative location data privacy paradigm that addresses genuine privacy concerns around reidentification but still enables the free flow of privacy-filtered information our society has come to rely upon. Keeping this goal in mind, I wish to humbly offer three general guideposts that lawmakers should consider when crafting future legislation that impacts geolocation data.
Think beyond consent
Various state and federal privacy bills call for an “affirmative express consent” standard for collecting location data. Interestingly, this represents a significant break from pre-established privacy norms. Fun fact: the EU General Data Protection Regulation does not require data controllers to obtain a data subject’s consent prior to collecting geolocation data. Rather, geolocation data falls under the Article 4 definition of “Personal Data,” meaning that it is instead governed by the six legal bases of processing espoused in Article 6.
Much has been made of the fact that geolocation data was excluded from the Article 9 special categories of data. Several of the GDPR’s original framers have justified this omission by pointing to the fact that one’s location does not relate to an inherently personal characteristic of an individual — namely because one’s location is always changing. This fact, on its own, is viewed by many to disqualify location data from meriting a consent/opt-in standard.
Other GDPR framers have similarly highlighted the general “uniqueness” of geolocation data as a data category. Because location data is used to achieve far different business and societal objectives, common sense suggests that there are genuine situations where it would be more appropriate for location data to avail itself of the other legal bases of processing. For example, location data is critical to supply chain monitoring, smart city planning, and disaster planning. None of these use cases are predisposed to operating within a consent framework.
Legislators should consider these critical functions of our society, and the serious disruptions that are likely to occur if there is no reasonable alternative available beyond “consent.” The drafters of the GDPR concluded that such an alternative is necessary. For that matter, even FTC Chairwoman Lina Khan recently labeled notice and consent frameworks as outdated and insufficient. We should follow both their leads.
Legislative consideration for pseudonymized location data nuances
The privacy field has long been hamstrung by the difficulty in determining when a dataset should be viewed as “personal” or “personally identifiable.” Seemingly ancient definitions of “personally identifiable information” in the U.S. have traditionally placed a mental perimeter around information that can be used to identify a specific individual.
This raises the question of what should constitute personally identifiable geolocation data in the first place. As a starting point, much of the location industry relies upon mobile advertising identifiers. While a MAID can be used to identify a specific device, it falls short of identifying a specific individual unless combined with a secondary matching table that contains names, phone numbers and more.
Fortunately, a substantial majority of the revenue earned in the mobility data industry does not come from processing device identifiers like the MAID. While a persistent device identifier like the MAID is still typically needed at the original point of collection, most mobility data analytics companies replace these device identifiers with their own proprietary pseudonymous identifier. This in and of itself is a fantastic privacy control, as it enables aggregate-level analysis of the places we go, while also ensuring that the risk of reidentification is appropriately mitigated.
Unfortunately, the current definitions for precise geolocation data under the ADPPA and state-level privacy laws fail to appreciate this nuance. In doing so, these proposed rules directly threaten important use cases that greatly benefit our society, while also completely disregarding the organic privacy controls that the mobility data analytics industry (and its customers) have been relying upon for years. Future legislation should include an alternative definition for precise geolocation data that focuses instead on whether an entity is able to reidentify a specific individual. Banning use cases around reidentification would also help in this regard.
Learn while protecting
At the outset, there is certainly a need for sound privacy legislation to prevent the reidentification of individuals using location data. This is especially true for those devices which have visited a sensitive place of interest. Despite this obvious work-around, many advocates are still calling for a wholesale blackout of mobility data processing for these locations. While additional protections are needed, wholesale blackouts would lead to damaging public policy and, in truth, hurt the vulnerable communities and constituencies we are seeking to protect.
Lost in most headlines is the important analytical and research work that is currently being performed over these places. In many cases, this important work is performed by city planners, nonprofits and real estate developers, meaning they are not able to enjoy the public research exceptions that are contemplated by most privacy bills. Importantly, nearly all this work is being performed using pseudonymous location data.
While potentially difficult to codify, we can see here that a sound privacy law would need to explicitly permit location data processing over sensitive locations in instances where the data controller is performing a service that is beneficial to society. A well-crafted law would therefore need to simultaneously apply three core privacy tenets over sensitive locations: 1. Reidentification bans, 2. Data minimization standards, and 3. Fiduciary duties that would apply over pseudonymous devices observed at these locations. These three tenets should naturally form the cornerstone of a new geolocation data privacy paradigm as we move into the next decade.