The inability for consumers to turn off detailed tracking has been a lawsuit and enforcement issue. In 2011, HTC and AccuWeather were sued in Seattle for selling phones with a location-tracking weather app that couldn’t be turned off. In a similar case from 2019, The Weather Channel was sued for geotracking its app customers beyond what it claimed, to the extent of wholesale surveillance, including second-by-second location monitoring. Weather apps can give you an accurate weather reading for New York even if you are sitting in California at the time, so such tight location surveillance is not necessary for the app to work properly. Contrary to what some might believe, your smartphone weather app is not sensing the weather at your location, just reporting the weather information that you request. So it does not need to take constant readings of your location data, and may not need that data at all for any practical purpose.
Starting in 2023, collecting and using consumer geolocation information will be restricted by state law. New omnibus consumer privacy laws in California, Colorado and Virginia coming into force next year include restrictions on company treatment of personally-identifiable consumer information, but they also make a further protection for a new (to the US) category of consumer information known as “sensitive data.” As you would expect, this protected sensitive data includes information about a consumer’s religion, ethnicity, sexuality, and genetic data, but in California and Virginia statutorily-protected sensitive information includes specific geolocation data. So, for the first time in US states, companies will need to collect meaningful permissions from their customers to gather and apply data relating to the customers’ position on the globe.
In Europe, the GDPR already contains limitations on activity around sensitive data, including geolocation information. Under the EU regime, the processing of sensitive data is prohibited by default, with companies burdened to show why such processing falls under a specific exception, including the express consent of the data subject. By contrast, under California’s new privacy law (the “CPRA”), companies must limit their use of sensitive data to the business purpose for which the sensitive data was collected, but consumers can further limit use and disclosure of this data to listed business purposes such as such as performing services on behalf of the business, protecting data security and integrity, or undertaking activities to verify and maintain the service or device owned or controlled by the business. Virginia’s new privacy law states that data controllers are not allowed to collect or process sensitive data without the data subject’s consent. Unless something changes as Virginia develops regulations, consumer consent seems to be the only basis for processing sensitive data.
This means that smartphone manufacturers, phone connection companies, and app providers that have instituted location surveillance of customers for years will soon need to ask specific permission to gather precise geolocation data or incur the wrath of the Virginia enforcement authorities. This change may significantly alter the way that geotracking is managed in the US. Making this a privacy shift with serious practical consequences. The secondary location data market, with billions in sales, will operate on less data and less frequently-collected data. If the new California and Virginia laws are enforced, we may all see an opportunity to exert better control over who knows where we are.