Legislation & Location Privacy: Now and in the Future

January 19, 2023

Societies have long been judged by the privacy rights granted to their citizens. For those fortunate enough to live in a time and place where privacy is respected, the value of individual privacy is often best shown in the most personal aspects of our lives. Examples include private finances, health, and family—especially when the most vulnerable members of our communities, such as children and the elderly, require care. Regrettably, many people take their privacy rights for granted until a major life event highlights why it is so important for a society to respect the privacy of its members.

With the rise of smartphones and other connected devices, the question of location privacy has recently come into focus. Over the years, lawmakers in several U.S. states and the European Union have steadily passed new laws putting in place additional consumer privacy protections. It was especially important to do so as more people joined the digital economy, which is always collecting more personal information, including location information. There has also been much discussion of proposed future laws, including a now-failed U.S. federal privacy bill called the American Data Privacy and Protection Act (ADPPA).

With the ever-evolving nature of legislation around location privacy, it can be difficult to keep up. So, we’ve outlined the current state of this issue, what may happen in the future, and what we think is the best course of action moving forward.

Current Legislation

While the location data industry has self-regulated for many years, holding its members to high standards, legislators have begun to take measures to officially regulate the industry. Currently, in the United States, there is the California Consumer Privacy Act (CCPA), which was enacted in January 2020 and is considered to be one of the strongest data protection laws in effect today.

Furthermore, the European Union set the standard for cross-border regulation of personal data with the General Data Protection Regulation (GDPR), which is a central component of EU privacy and human rights laws. It also sets parameters for the transfer of data outside of the EU and European Economic Area countries. Four years into its implementation, GDPR is widely seen as a net success.

Proposed National Regulation

Following the adoption of GDPR in Europe, there have been calls for a national data privacy policy in the United States. Precedent for a federal consumer data privacy law has long been set with the passing of the Health Insurance Portability and Accountability Act (HIPAA) and the Children’s Online Privacy Protection Act (COPPA).

The American Data Privacy and Protection Act (ADPPA) is the most recent attempt to establish blanket, national legislation regarding how companies capture, store, and use consumer data, including location data and intelligence in the U.S., but it failed to gain traction in the U.S. House of Representatives. Had it passed, the ADPPA would have superseded existing state laws, with exceptions for the parts of the CCPA that are not covered by the ADPPA.

Signing the ADPPA into law would have established “requirements for how companies, including nonprofits and common carriers, handle personal data, which includes information that identifies or is reasonably linked to an individual.” It would have also limited “the collection, processing, and transfer of personal data” to what is “reasonably necessary” to provide a requested service or product. Finally, it would have set strict limits on the situations in which companies can transfer (i.e., sell) an individual’s personal data without their affirmative agreement—otherwise known as their opt-in.

Considerations for Data Privacy Laws

Since the ADPPA did not move forward, a new approach is now needed, especially when it comes to the collection and use of geolocation data, which plays an important role in many critical aspects of our society, such as city planning, natural disaster response, and supply chain risk management, as well as numerous business activities.

When you consider some of the major challenges the world is facing right now—from supply chain shortages to skyrocketing inflation and the ongoing climate crisis—the fact is that key answers and solutions to these issues can all be derived from location data. New draft legislation will need to include provisions that effectively protect consumers while allowing organizations that handle location data to work within established parameters. This approach should consider the following tenets:

  • Think beyond consent. There are many use cases for location data that do not infringe on an individual’s privacy, for example, tracking material goods through the supply chain or measuring traffic levels for city infrastructure planning. In these situations, there is no authority to offer consent. An inanimate box of widgets cannot do so, and it would be impractical for drivers to opt-in to having their data collected every time they turn a corner. Yet the vast majority of regulations require an individual to proactively consent to having their data collected. 
  • Redefining “personal data.”  The definition of “personal data” has been debated for years. Much of the location industry uses mobile advertising identifiers (MAIDs), which identify a specific device but do not indicate any individual associated with that device unless paired with secondary data. While a MAID is required to collect the data, mobility data analytics companies trade them out for a proprietary pseudonymous identifier. These pseudonymous identifiers were not included in the ADPPA; however, we strongly believe that future legislation should include this definition. 
  • Learn while protecting. Many privacy advocates are calling for the wholesale blackout of location data when it comes to sensitive locations, such as women’s shelters, houses of worship, or healthcare facilities. As noted above, there are many use cases for location data that can benefit the entire community without jeopardizing the identity of the individual. Regulations that enable data processing at sensitive locations would need to include a ban on reidentification, standards to minimize the data collected, and fiduciary duties that would protect pseudonymous devices when observed at sensitive locations. 

U.S. lawmakers need to follow in the footsteps of their European colleagues in crafting—and passing—comprehensive data privacy regulations at the federal level. In this digital age, it is clear that individuals have a right to the privacy of their data. Any regulation, however, needs to take into consideration the value that aggregated, anonymized consumer data—especially location data—can provide to businesses, communities, and the world at large.

This blog is part of our five-post blog series on location intelligence that aims to educate readers about location data and its uses, while also dispelling common misconceptions. To learn more about how your organization can benefit from the use of location intelligence, contact an expert from Gravy Analytics today.

Scroll to Top