The attorney general for California announced this week a wide-ranging investigation concerning the collection, processing, and use of consumer location data by several companies. This investigation targets advertising networks, mobile app providers, and data brokers, whose practices may violate the California Consumer Privacy Act (CCPA), which is recognized as one of the strictest state privacy laws across the United States.
The attorney general’s office intends to examine how mobile app providers collect and resell data to third-party brokers, who then sell this information to the highest bidder. California Attorney General Rob Bonta emphasized the privacy risks associated with location data, saying, "Every day, we give off a steady stream of data... Location data is deeply personal and can let anyone know if you visit a health clinic or hospital..." This raises significant concerns not only about how this data is handled within the private sector but also about its potential access by federal agencies under the current Republican administration.
Bonta expressed his apprehension over the handling of such sensitive data, saying, "Given the federal assaults on immigrant communities, as well as gender-affirming health care and abortion, businesses must take the responsibility to protect location data seriously." To initiate this investigation, the California attorney general's office sent letters to numerous advertising companies, mobile app developers, and data brokers to notify them of potential violations and request additional information.
When CyberScoop reached out for details, the office declined to provide specifics about the letters or the number of businesses involved, citing the need to protect the integrity of the investigation.
Experts have long noted the absence of standardized regulations within this industry. Last year’s bipartisan push for comprehensive data privacy legislation opted against imposing strict limitations on data brokers, favoring instead self-reporting mechanisms for businesses to identify themselves as data brokers. Previous administrations’ regulatory bodies, such as the Federal Trade Commission and the Consumer Financial Protection Bureau, attempted to utilize existing laws to regulate individual brokers. Yet, the current administration’s cuts and deregulatory efforts have left significant oversight gaps.
Proposals such as a bill from California Assembly member Christopher Ward, which aims to build on the investigation’s findings, would prevent companies from collecting geolocation data without the express consent of consumers. The bill stipulates that businesses can collect such data only if it is necessary to provide goods or services requested by consumers.
Data Privacy Attorney Myriah Jaworski stated, "I think whether it’s California or nationally, we see regulators focusing on location data as being... sensitive data element for which additional consent is required." This recognition indicates regulators are beginning to understand the importance of geolocation data and consumer privacy, which could prompt significant changes across industries where such data is collected.
Jaworski warned, though, about the potential overreach of laws defining data brokers, noting, "If you want to know what the weather is based on your location, I can provide information down to the ZIP code level or much more granularly. This depends on sharing information, which may constitute geolocation data." The challenge lies in separating less-sinister businesses that aim to provide valuable localized services from those engaging in express data collection practices tied to large-scale operations.
This nuanced approach is necessary as jurisdictions like California aim to implement stricter regulations and enforcement on data privacy. Laws initially constructed to target specific industries often span broader applications than intended, as evidenced by New Jersey's "Daniel’s Law," which was enacted to protect the contact information of judges and law enforcement officers. Although few contested its intent, the law has opened pathways to lawsuits targeting legitimate businesses online. This serves as both a cautionary tale and an illustrative example of the challenges presented to state regulators.
The California investigation is part of broader efforts to enforce consumer privacy protections, particularly as data collection continues to escalate within the tech industry. According to Bonta’s office, preserving consumer trust hinges on ensuring data privacy safeguards overlay demand for technological advancement, thereby enforcing consistent privacy standards across industries.
Regulatory actions within California have sparked discussions nationwide, potentially influencing other states to adopt similar initiatives. The stakes are high, as businesses, advocates, and consumers alike navigate the rapidly shifting digital terrain concerning data privacy. The outcome of this inquiry may well redefine how geolocation data is viewed legally and ethically, engaging stakeholders across the spectrum from consumers to industry leaders.
California's commitment to monitoring the practices surrounding consumer data remains steadfast, pushing for industry accountability and setting the stage for potential legislative reforms aimed directly at enhancing individual privacy protections. The conclusion of this investigation and its ramifications may establish significant precedents for data privacy practices going forward.