Location data, specifically data relating to “sensitive locations,” has recently become a hot topic in the privacy world. Following the Federal Trade Commission’s (FTC) actions against data broker companies, it has become clear that the collection and selling of location data will be subject to more stringent restrictions.

Data brokers are companies or individuals that sell personal information to other businesses, and location data is merely one of many kinds of data that they collect and sell. However, their boundless selling activity has finally reached a limit, and such invasive activity has prompted the FTC to investigate and bring enforcement actions against them. In January 2025, the FTC issued a final order against Mobilewalla, a data broker company based in Georgia, prohibiting them from using, transferring, selling, and disclosing location data of sensitive locations. The final order further specified that consumers may withdraw consent, including affirmative express consent, that has been given in connection with location data, and the company will be obligated to immediately stop collecting or using such data. Another action against Kochava, also a data broker, is still ongoing, and in its complaint, the FTC alleged that Kochava collected precise geolocation data that revealed consumers visits to sensitive locations, thereby creating a great risk of privacy. All in all, it is evident that the FTC is determined to put an end to this unlawful practice as mentioned in its blog post in January 2024  that “[t]he FTC will take action to protect consumers against the illegal collection of their location data.”

Then, the main question is what implication this would have on you. First, we must start with understanding what location data is and what kinds of location data are afforded greater protection. Location data is a broad term that refers to geographic information related to a device. Precise geolocation data is slightly different, as it refers to highly accurate geographic information related to a device and is treated as sensitive personal data under California Consumer Privacy Act (CCPA), which is a state privacy law.  For a company to collect precise geolocation data, they must provide notice and a link that will allow consumers to limit the use and disclosure of their data.

The FTC cases take one category of location data even further—sensitive location data. Sensitive locations include medical facilities, religious organizations, correctional facilities, labor union offices, education and childcare facilities, and other places that could reveal a person’s sensitive characteristics. However, the list is expected to expand. In the FTC’s final order (January 2025) against Gravy Analytics, the use, sale, and disclosure of sensitive location data are prohibited in other instances, such as associating such data with places providing services to LGBTQ+ community or places of public gatherings during political or social demonstrations, or using the data to identify an individual or private residence of an individual. The company is only exempted from this prohibition for national security or law enforcement purposes.  Limitations on collection, use, maintenance, and disclosure of location data have been ordered as well, permitting processing of location data only when the company obtains express affirmative consent from the consumers.

California is also actively taking measures to limit the sale of data.  Notably, California maintains a public registry of data brokers that allows for greater transparency between consumers and data brokers. Under the Data Broker Registration requirements, California requires data brokers to register with the California Privacy Protection Agency (CPPA) and to disclose whether they collect certain sensitive data, such as precise geolocation data. If a data broker fails to follow these requirements, they may be subject to administrative fines and costs in an administrative action or investigation brought by the CPPA. By implementing these requirements, California warrants its residents more control over their information and allows them to understand how their data is being used.

As a consumer, you may feel uncomfortable about companies tracking your location or unsure of what steps you can take to address this. There are ways to empower yourself:

• Review the privacy notice or policy of the company you interact with. Learn what data they are collecting even while you are not using the app, and whether they are using data to create profiles or to sell to third parties. This may help you make informed choices about sharing your information.
• Check your privacy settings. You may choose not to share your location with every app or service you interact with. Even if you previously provided consent, you could always change your settings and privacy preferences at any time.
• Evaluate what apps and services you have signed up for or downloaded. If you no longer use the app or account, delete it! This may help protect against unnecessary data collection.

Please remember, protecting our privacy is incredibly important. To raise awareness of our privacy rights, please share the information you’ve learned with others!

Resources:

• What is Data Privacy and Why Should you Care?
• Federal Trade Commission: Protecting consumers’ location data
• Federal Trade Commission: Location, health, and other sensitive information
• California Consumer Privacy Act of 2018 (CCPA)
• SB 362 Data Broker Registration