California AG Announces Investigative Sweep Targeting Geolocation Data

Troutman Pepper Locke

[co-author: Stephanie Kozol]*

On March 10, California Attorney General (AG) Rob Bonta announced an investigative sweep of the location data industry for potential noncompliance with the California Consumer Privacy Act (CCPA).

The investigation centers on mobile application providers that collect consumers’ location data and sell or share the information with advertising networks and data brokers, who further sell and share such data with third parties. The AG is focused on whether covered businesses are properly effectuating consumer rights requests under the CCPA as related to selling, sharing, and utilizing sensitive personal information. Pursuant to the CCPA, “sensitive personal information” includes geolocation data.

As part of the sweep, the AG has issued letters requesting information about the business practices of those advertising networks and data brokers potentially in violation of CCPA requirements.

Under the CCPA, a consumer may request that a business stop selling or sharing their personal information. Once the business receives the request, it may not sell or share that information further unless the consumer later affirmatively consents. The business must then wait at least 12 months before asking the consumer to consent to opting back in to the sale or sharing of their personal information. Furthermore, businesses must provide “reasonable methods” for effectuating such opt-out requests. This includes allowing for opt-out on mobile devices and through links or settings available in their apps.

Geolocation data can be used to track and identify individuals’ movements, which may include sensitive locations such as where they reside. This allows for individual identification that presents potential security risks when the data is sold, shared, or potentially misused without an individual’s knowledge. Businesses must therefore be aware of their responsibilities under the CCPA and implement defensible measures to protect geolocation data.

Notably, Bonta has ramped up enforcement under the CCPA, and indeed this is not his first investigative sweep pursuant to the law. In early 2023, he announced a sweep of businesses with mobile applications for allegedly failing to comply with the CCPA. The sweep targeted popular mobile applications in the retail, travel, and food service industries that fail to offer a mechanism for consumers to opt out of data sales or that fail to process consumer opt-out requests, including requests submitted via an authorized agent. In January 2024, he announced a sweep of streaming services pursuant to the CCPA. And in late 2024, he launched an investigative sweep of streaming services’ compliance with consumers’ right to “opt out” of the sale of their personal data under the CCPA. According to Bonta, this right should involve minimal steps and should be “easy” for a consumer to accomplish.

To further highlight the potential regulatory risk for businesses collecting geolocation and other personal information, the AG has reached several settlements over the past three years for alleged violations of the CCPA, including with Sephora for allegedly failing to notify consumers of the sale of their data and to process opt-out requests, DoorDash for allegedly failing to notify consumers of the sale of their data, Glow for failing to properly secure a fertility tracking application, and most recently in June, Tilting Point Media for allegedly sharing children’s data collected from a SpongeBob application without parental consent. The breadth of Bonta’s sweeps serves as notice that no industry or business is immune from regulatory scrutiny.

While consumers can limit the sharing of location through their mobile device settings, and by disabling Wi-Fi and Bluetooth settings in certain situations, businesses collecting such data must also ensure they have implemented fulsome measures to protect such data as required by the CCPA. This includes promptly and effectively processing opt-out requests, conspicuously posting notice of the sale or sharing of personal information, maintaining and disclosing robust privacy policies, and implementing proper cybersecurity measures to protect collected information. Businesses controlling geolocation and other sensitive personal information must also enact policies, procedures, and agreements that ensure that service providers and third parties handling such data are also in compliance with CCPA requirements.

California is just one of 19 states that have enacted comprehensive consumer privacy laws, with several more considering similar legislation. To successfully navigate this patchwork of ever-changing state law and mitigate regulatory risk, businesses must constantly evaluate their legal compliance measures and consult competent outside counsel.

*Senior Government Relations Manager

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Troutman Pepper Locke
