California’s legal push on geolocation data collection must take aim at the right targets, privacy experts say

The attorney general for California announced this week a wide-ranging investigation into the way companies collect, process and use consumer location data.

The investigation will include scrutiny of advertising networks, mobile app providers and data brokers whose practices may violate the California Consumer Privacy Act (CCPA), one of the strictest state privacy laws in the nation.

Specifically, the attorney general’s office will look into how mobile app providers collect and resell data to third-party brokers, who then sell it to the highest bidder. The current ecosystem may violate the CCPA, which gives consumers the right to request or delete collected data, opt out of having their data sold to third parties, and limit the use of their personal information. 

“Every day, we give off a steady stream of data that broadcasts not only who we are, but where we go. This location data is deeply personal, can let anyone know if you visit a health clinic or hospital, and can identify your everyday habits and movements,” California Attorney General Rob Bonta said in a statement. “California boasts the nation’s most robust privacy protection law, and businesses that collect consumer data must follow the law.” 

Bonta, a Democrat, added that in addition to concerns about how the private sector might handle such data, he was also worried about such data falling into the hands of federal agencies under Republican President Donald Trump.

“Given the federal assaults on immigrant communities, as well as gender-affirming health care and abortion, businesses must take the responsibility to protect location data seriously,” Bonta said.

As part of the investigation, the California attorney general’s office sent letters to numerous advertising companies, mobile app providers and data brokers to notify them of potential violations and request additional information.

When contacted by CyberScoop for more information, the office declined to make the letters available, identify the businesses by name or disclose how many letters were sent, citing an ongoing investigation.

Data privacy experts in the United States have long lamented the lack of standardized regulations for data brokers. For a sense of  how unregulated the space is, last year’s bipartisan push for comprehensive data privacy legislation opted against imposing strict limits on the industry’s data collection practices, instead favoring self-reporting mechanisms for businesses to identify themselves as data brokers.

In prior administrations, regulators like the Federal Trade Commission and the Consumer Financial Protection Bureau have attempted to wield existing laws to conduct investigations and regulate against individual brokers. Both agencies are currently facing cuts and deregulatory pushes under Trump.

That has left room for large states like California and Texas to impose their own data privacy laws and undertake enforcement actions that could influence how other states approach their own industries.

Lawmakers in California are seeking to push even stricter laws around location data. A bill proposed in the California General Assembly by Christopher Ward would prevent businesses from collecting geolocation data “unless doing so is necessary to provide goods or services requested by that individual and the individual has expressly opted into the collection or use of their location information for that purpose. The bill would impose various other restrictions on covered entities with regard to location information.”

Myriah Jaworski, a data privacy attorney at Clark Hill, told CyberScoop that the California AG’s investigative sweep is part of a larger recognition from state regulators about the importance of geolocation data to consumer privacy.

“I think whether it’s California or nationally, we see regulators focusing in on location data as being a very important and potentially sensitive data element for which additional consent [is] required,” Jaworski said. 

For many businesses, that collection tends to occur at the mobile app level, which is why California regulators have honed in on the industry in their investigative sweep. Such efforts, she said, could significantly change how businesses collect geolocation data by default, and offer  consumers more opportunities to become aware of and opt out of such data sharing.

But Jaworski also cautioned that the way many states like California define data brokers can be overly broad, and sweep up a variety of businesses and data-sharing practices that have become core to modern digital services.

“If you want to know what the weather is in your location, I can give it to you at the ZIP code  level, or at a much more granular level that’s helpful to you, [like] ‘is it going to rain in my immediate location today?’” Jaworski said. “That does depend to some extent on the sharing of information that may constitute geolocation data.”

Developing clear definitions that can separate these less-sinister businesses from data brokers who buy and sell geolocation data at scale will be an important component of investigations like the kind being undertaken by California.

Additionally, laws passed to target one industry or type of business can wind up being used in broader ways than intended. In 2020, New Jersey passed “Daniel’s Law,” which limited online disclosure of judges’ and law enforcement officers’ contact details, like telephone numbers and addresses.  The law is named after Daniel Anderl, the son of a judge who was murdered by a defendant that found the judge’s address online.  

While few opposed the law’s aim, Daniel’s Law has since become the impetus for a wave of privacy lawsuits in the four years since its passage, with a significant number targeting businesses like real estate platforms and other online services that post information about property records.

Those are the nuances that states like California will have to grapple with as they seek to enforce greater privacy protections on the data-location industry.

“I think they intend to go after a certain subset of businesses during the regulator or legislative phase,” Jaworski said. “And then what we see in action is much broader, and a wider net is being cast.”