Location Data Gathering Under Europe’s New Privacy Laws

By Kathryn Allen

The rise in popularity of apps and services that use location data (technology that pinpoints a consumer’s location automatically), like the smash-hit Pokémon Go, have EU privacy regulators calling on companies to ‘mind the gap.’ The much-anticipated General Data Protection Regulations (the “GDPR), as well as other EU privacy laws, aim to tighten up the rules for obtaining consent from consumers about what data they are sharing and to restrict how companies can use the data they are mining from consumers. There has been much speculation about how these new regulations, not directives, coupled with a much higher potential for fines, will impact U.S. companies that operate or plan to operate in the EU. Those using location data in apps and for passive tracking should pay close attention to EU regulators as GDPR implementation draws near. 

Why are EU regulators particularly concerned about location data?

Location-specific data can reveal very specific and intimate details about a person, where they go, what establishments they frequent and what their habits or routines are. Some location-specific data garners heightened protections, such as where and how often a person obtains medical care or where a person attends religious services. 

In the U.S., consumers typically agree to generalized privacy policies by clicking a box prior to purchase, download or use of a new product or service. But the new EU regulations may require more informed notice and consent be obtained for each individual use of the data that a company acquires. For example, a traffic app may collect location data to offer geographically-focused traffic reports and then also use that data to better target advertisements to the consumer, a so-called “secondary use” of the data.

The secondary use is what is concerning to EU regulators. They want to give citizens back control over their personal data, which means meaningfully and fully informing them of how and when it is used. For example, personal data can only be gathered for legitimate purposes, meaning companies should not continue to collect location data beyond what is necessary to support the functionality of their business model; also additional consent would need to be obtained each time the company wants to re-purpose or re-analyze the data they have collected. This puts an affirmative obligation on companies to know if, when and how their partners are using consumer data and to make sure such use has been consented to by the consumer.

What should a company do that collects location data in the EU? 

  1. Consumers should be clearly informed about what location information is being gathered and how it will be used, this does not just mean the primary use of the data, but any ancillary uses such as to target advertisements, etc.; 
  2. Consumers should be given the opportunity to decline to have their data collected, or to be able to “opt-out” of any of the primary or secondary uses of their data; 
  3. Companies need to put a mechanism in place to make consumers aware if the company’s data collection policies change, for example, a company may not have a secondary use for the data now, but in 2 years it plans on packaging and reselling that data to an aggregator; and
  4. Companies must have agreements in place with their partners in the “business ecosystem” to ensure their partners are adhering to the data collection permissions that the company has obtained.

For a review of your company’s privacy policies and guidance on how these new regulations may impact your organization, contact the author or a Polsinelli Privacy and Data Security team member.