All Terms

Register

What is Precise Geolocation?

April 14, 2022 by David Jarzabek, Esq. CIPP/US

Location tracking can be particularly useful for businesses and users. Businesses can provide personalized and relevant recommendations to users if they know which sections of a physical store they visit. Users benefit when a map application provides them with a route home after they leave retail locations and head to a parking lot. Privacy regulation has historically treated geolocation information with enhanced protection and restrictions. The distinction between geolocation information and precise geolocation information is at times unclear for businesses not intimately familiar with privacy law.

In part, this distinction has been unclear because of the rapid development of technology and the manner in which users can be tracked. For example, in 2011, an independent European advisory body (this advisory body was the forerunner of the current European Data Protection Board) on data protection and privacy released a document on “Geolocation on smart mobile devices.” This document focused on three main types of infrastructure used to provide geolocation services, namely, GPS, cellular network location, and Wi-Fi.

At the time the document was published, the authors considered Wi-Fi access to be new infrastructure. As smart phones and other IOT devices have become ubiquitous, Wi-Fi access has progressed past new infrastructure to a widely developed technology. Current tests using the signal strength from different Wi-Fi access points can determine the location of a device with a median accuracy of 40 centimeters. Smart phones have also increased the use of GPS. A GPS capable chip was first introduced to the iPhone 3G in 2008. Currently, GPS-enabled smartphones are typically accurate to within a 4.9 m (16 ft.) radius under open sky.

These technologies, their development, new technologies, and significant differences in population density has left regulators with a potentially difficult task: how to define geo location and whether to provide additional protections for precise geolocation.

State Legislation and Geolocation

The California Online Privacy Protection Act (“CalOPPA”), the first state privacy legislation passed in 2003 in the United States, did not explicitly reference geolocation as a subcategory of personal information. The first major reform to privacy regulation in California, the California Consumer Privacy Act (“CCPA”), explicitly references geolocation data as a subcategory of personal information. However, while the CCPA does reference precise geolocation in the introductory paragraphs of the bill, it does not amend California law with regard to precise geolocation.

The California Consumer Privacy Rights Act (“CPRA”), an expansion of the CCPA was the first time that a comprehensive California privacy law references precise geolocation and creates associated regulation. The CPRA defines precise geolocation as “any data that is derived from a device and that is used or intended to be used to locate a consumer within a geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet, except as prescribed by regulations.”

CPRA not only enshrines precise geolocation information into California law, but it places it in a special subcategory of personal information known as “sensitive personal information.” Any information deemed to be sensitive personal information provides California consumers additional rights and the controllers of such information with additional responsibilities. Additionally, the CPRA provides the California Attorney General the authority to issue regulations to further define precise geolocation if the current size is not sufficient to protect consumer privacy in sparsely populated areas or when the personal information is used for normal operational purposes, including billing.

We've examined the history of California privacy regulation as it relates to precise geolocation to illustrate the modern trend in regulation for geolocation information. It is expected that as time passes, additional states will move to regulate precise geolocation information. In fact, California is not the only state to have passed laws regulating precise geolocation.

The Virginia Consumer Data Protection Act defines precise geolocation data as, “information derived from technology, including but not limited to global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of a natural person with precision and accuracy below 1,750 feet.” The two other states that have passed comprehensive privacy regulation, Colorado and Utah, reference “specific geolocation data.” At this time, it does not appear that either of these privacy laws provide a special category for precise geolocation information. However, based on current trends, businesses can expect that these laws may be amended in the future to address precise geolocation information.

Federal Legislation and Geolocation.

On a federal level, privacy regulation is generally older than state regulation. As a result, generally federal legislation does not directly reference geolocation as the associated legislation was passed prior to widespread concerns about geolocation tracking. As an example, the Children's Online Privacy Protection Act (“COPPA”) was passed in 1998, before widespread GPS tracking in cellphones and Wi-Fi tracking. COPPA does not explicitly reference geolocation in the text of the Act.

However, the Federal Trade Commission, which has the authority to issue regulations and enforce COPPA, provided a press release in 2014, describing the Commission's interpretation of geolocation information. In the press release, the FTC indicated that it viewed, with regards to COPPA, “geolocation information” as information that is “sufficient to identify the street name and name of the city or town” in which a device is located.

Trade Group Definitions

While regulation has attempted to provide exact parameters to what constitutes precise geolocation, trade groups have eschewed precise terms. The 2020 Code of Conduct posted by the Network Advertising Initiative (“NAI”) defines precise location data as “information that describes the precise geographic location of a device derived through any technology that is capable of determining with reasonable specificity the actual physical location of an individual or device, such as GPS level latitude longitude coordinates or location based radio frequency signal triangulation.” Similarly, the Digital Advertising Alliance defines “Precise Location Data” as “data obtained from a device about the physical location of the device that is sufficiently precise to locate a specific individual or device.”

Conclusion

With California and Virginia passing state regulation addressing privacy, we expect the remaining states in the United States to eventually pass similar legislation. Looking at these prior laws, we can reasonably expect that states which choose to provide a parameter for precise geolocation will define it somewhere around 1750 to 1850 feet. Additionally, some states may follow California's model by allowing the respective attorney general to promulgate additional rules if any distance not sufficient to protect consumer privacy. As a result, sparsely populated states may consider significantly larger areas to be precise.

We are closely watching for additional guidance from the California Attorney General's office. Additionally, we are continuously reviewing privacy regulation on a state level. Due to the lack of an all-encompassing federal privacy legislation, businesses may expect to deal with a fair amount of variance in what constitutes precise geolocation as additional state privacy regulation is passed.

About

All Terms is dedicated to helping all business types generate and maintain privacy compliance. Our tools were developed based on years of legal working assisting businesses with their privacy needs. We know that privacy compliance is a ongoing task. We've leveraged our experience to lower the costs of generating privacy documents by automating the generation process. Our years of experience in the legal field have exposed the limitations of having an attorney or a team of attorneys ensure accurate and continuous compliance. So we've leveraged technology to make sure that you have access to afffordable, continuous, and available tools to maintain compliance.

Begin Privacy Compliance

  1. Create a privacy notice
  2. View your privacy notice
  3. Review your dashboard