Attorney General Bonta Announces Investigative Sweep of Location Data Industry, Compliance with California Consumer Privacy Act

Location data can be used to track people’s precise movements — without them realizing 

OAKLAND — California Attorney General Rob Bonta today announced an ongoing investigative sweep into the location data industry, sending letters to advertising networks, mobile app providers, and data brokers that appear to be in violation of the California Consumer Privacy Act (CCPA). Some Mobile apps collect vast amounts of detailed data on consumers’ location and share this information with advertising networks and data brokers, which further sell and disseminate the data. This enforcement sweep focuses on how covered businesses offer and effectuate consumers’ right to stop the sale and sharing of personal information and right to limit the use of their sensitive personal information, which includes geolocation data. The letters issued as part of the sweep announced today notify recipients of a potential violation of CCPA requirements and request additional information regarding the recipient’s business practices. The risk posed by the widespread collection and sale of location data has become immediately and particularly relevant given federal threats to California's immigrant communities, and to reproductive and gender-affirming healthcare. 

“Every day, we give off a steady stream of data that broadcasts not only who we are, but where we go. This location data is deeply personal, can let anyone know if you visit a health clinic or hospital, and can identify your everyday habits and movements,” said Attorney General Bonta. “California boasts the nation’s most robust privacy protection law, and businesses that collect consumer data must follow the law. Given the federal assaults on immigrant communities, as well as gender-affirming healthcare and abortion, businesses must take the responsibility to protect location data seriously.”

Location data can be used to track individuals’ movements or identify them with precision — including when they visit sensitive locations and where they live. A wide variety of third-party apps collect location data from mobile devices and consumers may share this data without realizing it. Because location data could be weaponized to locate individuals offline, businesses should be keenly aware of their responsibilities to protect this data and ensure consumers understand their rights.   

The CCPA

The California Consumer Privacy Act is a landmark law that secures increased privacy rights for California consumers, such as the right to know how businesses collect, share, and disclose their personal information. Businesses that are subject to the CCPA have specific responsibilities, including responding to consumer requests to exercise these rights and giving consumers certain notices explaining their privacy practices. Under the CCPA, Californians can direct businesses to only use their sensitive personal information for limited purposes, such as providing consumers with the services they requested. Geolocation data is included in the CCPA's definition of sensitive personal information.

Your Right to Opt Out

Under the CCPA, California consumers have the right to request that businesses stop selling or sharing personal information, known as the right to “opt-out.”  With some exceptions, businesses cannot sell or share your personal information after they receive your opt-out request unless you later provide authorization allowing them to do so again. Businesses must wait at least 12 months before asking you to opt back in to the sale or sharing of your personal information. On mobile devices, consumers must be able to opt out through links or settings available in the apps they download.

Limit your Mobile Devices’ Tracking Features 

In addition to opting-out, consumers can limit the amount of location data shared from their mobile devices by reviewing which apps have access to location data and adjusting location permissions in your phone or device settings.

• For Android users, go to Settings > Personal > Location Access > App location permissions. Then, tap on the app to change permissions.
• For Apple users, go to Settings > Privacy > Location Services. Then, tap on the app to change permissions. 

Consumers can also disable the mobile advertising identifier (mobile ad ID) on your phone and mobile device. A mobile ad ID is a unique identifier associated with your phone that is used to track your online activity.  

• For Android users, go to Settings > Privacy > Ads. Tap “Delete advertising ID,” then tap it again on the next page. 
• For Apple users, go to Settings > Privacy > Tracking. Then set “Allow apps to Request to Track” toggle to the “off” position. Also, go to Settings > Privacy > Apple Advertising. Then set “Personalized Ads” toggle to the “off” position.  

Wi-Fi and Bluetooth settings may also inadvertently reveal the location of consumers; to limit this risk consumers can: 

• Turn Bluetooth off on their mobile devices when not in use and use it in “hidden” mode rather than “discoverable” mode. 
• Be careful about connecting to public WiFi — consider adjusting device settings so your device does not automatically connect. 
• Consider disabling WiFi to avoid inadvertently putting your sensitive information stored on your device and in online accounts at risk.

To learn more about consumer rights under the CCPA, please visit here.