With another Thanksgiving and another Black Friday having come and gone the holiday shopping season is in full swing yet again. As brick-and-mortar retail continues to experience a decline in favor of more convenient ecommerce options, retailers are increasingly looking for ways to enhance the in-store experience, with more and more looking to drive revenue through a targeted mobile strategy. In a counterintuitive approach, given that the rise of smartphones appears to be one of the main driving forces in the decline of brick-and-mortar retail, many retailers are utilizing mobile engagement with consumers to drive sales. These strategies can provide consumers with a number of benefits, including real-time reviews, recommendations and discounts, and even precise location maps to demonstrate where they can find the product they are looking for down to the aisle. However, the technology driving this mobile engagement is becoming the subject of increased scrutiny.

It is important to note that location data comes in a variety of forms. For instance, nearly any smartphone user is familiar with apps requesting access to their “Location Services.” This service, which is controlled by the phone’s operating system, relies on a combination of GPS, cellular triangulation, Wi-Fi and Bluetooth to provide a reliable determination of the individual user’s location. Shopping apps can then use this data to serve location-specific ads.

Geolocation data is governed under a patchwork of FTC enforcement actions and industry self-regulatory frameworks, but is otherwise largely untouched by any state or federal regulation, although the Children’s Online Privacy Protection Act includes geolocation data sufficient to identify a street name and city or town within its definition of personal information and requires verified parental consent before it may be collected from a child under the age of 13.

Illinois attempted to become the first state to confer protections to geolocation data through the Geolocation Privacy Protection Act. The Act, which passed both the Illinois House and Senate before subsequently being vetoed by Governor Bruce Rauner in September 2017, would have prohibited a private entity from collecting, using, storing or disclosing geolocation data from a location-based application on a person’s device without first receiving that person’s affirmative express consent. Further, the Act required as a prerequisite to obtaining affirmative express consent that any app desiring to use geolocation data provide the user with “clear, prominent, and accurate notice” informing the user in writing of the specific purposes for which their geolocation data would be collected, used or disclosed.

Under the act, “geolocation data” was given a fairly broad reading, as it was defined to mean “information that (i) is not the contents of the communication; (ii) is derived from, in whole or in part, the operation of a mobile device, including, but not limited to, a smart phone, tablet, or laptop computer; and (iii) is sufficient to determine or infer the precise location of the device,” with a specific carve-out for IP addresses. Still, the above definition begs the question of how “precise” the location data must be. Governor Rauner ultimately vetoed the bill, citing a lack of material improvements to consumer privacy expectations at the expense of job loss; however, geolocation is not likely to disappear from the legislative agenda anytime soon.

While states continue to debate the sensitivity and protections required of geolocation data, the FTC has set some standards for the use of geolocation data that retailers and advertisers can rely on to shape their own practices. For example, in 2015, the FTC reached a settlement agreement with Nomi Technologies to resolve charges that the retail analytics firm misled consumers by promising to both inform consumers when locations were using Nomi’s tracking services and provide a mechanism for consumers to opt out of tracking at these stores. The FTC charged that Nomi deceived consumers through its privacy policy on both promises, as consumers were not given any in-store opt-out provisions and were not actually informed when they were being tracked. In a related yet distinct agreement, last year the FTC settled similar charges related to deceptive location-based tracking with mobile advertising company InMobi. There, the FTC alleged that InMobi deceptively promised that consumers would only be tracked when they expressly opted in to those services; however, InMobi was allegedly tracking consumers without ever asking their permission and, in some cases, even after consumers had denied permission. These actions espouse notice, transparency and choice as the hallmarks of any location-based tracking services. For a more detailed description of the InMobi action, see Alan Friel’s Data Privacy Monitor post, available here.

These principles have been codified in certain industry-specific rules and self-regulatory frameworks. The Digital Advertising Alliance, for example, has developed guidance for “precise location data” or “data obtained from a device about the physical location of the device that is sufficiently precise to locate a specific individual or device” that centers on transparency and control. Transparency is focused on offering “clear, meaningful, and prominent” notice to consumers about transferring of data to third parties, while control revolves around obtaining consent from the consumer and allowing the consumer to withdraw consent. Further, many retail-specific advertising companies are now participating in a program called “Smart-Places,” which allows consumers to opt out of mobile location analytics run by certain participating companies by entering their Wi-Fi and Bluetooth MAC addresses. The principles of notice and choice are even being implemented in the application development phase, as all of the relevant mobile app platforms’ developer rules require notice to and express consent from app users in order to collect and use their precise location information. (However, it should also be noted that Google was just recently observed to be collecting Android users’ location data even after location services were turned off.  For more information on industry and self-regulatory frameworks on precise location data, see the Data Privacy Monitor blog posts available here, here and here, and consider reading BakerHostetler’s detailed guidelines on compliance here.

With more and more IoT devices relying on user geolocation data being pushed to market, and new applications of geolocation being explored, we are only beginning to comprehend the sensitive nature of an individual’s real-time, precise location. For example, geolocation data may in some instances be closely tied to, if not directly inferring, certain sensitive medical information, an issue raised in a recent action by the Massachusetts attorney general against a company using “geo-fencing” to serve targeted ads to women discouraging them from abortion when they were within the vicinity of reproductive healthcare clinics. Some security researchers even envision geolocation as a strong authorization and authentication factor for use in multi-factor authentication schemes, adding a potential fourth factor – “where you are” – to the traditional triumvirate of “what you know (password/security question),” “what you have (token)” and “what you are (biometrics).”

While the applications of geolocation data are exciting to say the least, the risks are certainly apparent. Despite a murky regulatory framework, organizations that wish to gain better and more actionable insights from geolocation data in hopes of driving business would be well-served to discuss all of the potential implications with privacy and legal experts. One of the first steps is for a business to develop a clear and concise policy that specifies the purposes of the collection, use, sharing and disclosure of any geolocation data they collect and maintain, and to convey that to their users in a way that promotes transparency and choice.