Location, Location, Location: California Attorney General Investigative Sweep and State Law Proposal Target Location Data

Clark Hill PLC

On March 10, the California attorney general’s office announced an “ongoing investigative sweep into the location data industry” (“investigative sweep”) for compliance with the California Consumer Privacy Act’s (“CCPA”) requirements surrounding location data.

The sweep follows on the heels of the Federal Trade Commission’s announcement of consent orders with four data brokers and aggregators for their collection of location data and coincides with a new state legislative proposal: the California Location Privacy Act.

From these enforcement acts and proposals, one thing is abundantly clear: Location matters.

The investigative sweep

The investigative sweep targets covered companies that collect location data (specifically mobile apps) and share that information with third parties and the companies who receive that data (advertising networks and data brokers).

The primary claims are that these companies’ practices do not comport with the CCPA’s requirement for allowing consumers to limit or opt out of sharing geolocation data.

Specifically, the attorney general indicated that these companies are:

  • Not providing mobile-friendly opt-out links (or allowing opt-outs in the settings of mobile apps);
  • Selling or sharing geolocation data after a valid opt-out, when the consumer has not properly opted back in; or
  • Requesting that consumers opt back into sharing without waiting the mandatory 12 months after their opt-out.

The California attorney general sent letters to these mobile apps, advertising networks, and data brokers. The attorney general reports that the letters: (a) claim the recipients’ practices surrounding location data violated the CCPA, (b) discuss potential penalties for CCPA violations, and (c) request more information as part of the investigative sweep. The attorney general cites the sensitivity of geolocation data and concerns with the Trump Administration’s policies as the reason for this investigative priority.

This is not the first investigative sweep announced by the California AG. In 2023, the attorney general conducted an investigative sweep of employer compliance with the data rights of their applicants and employees, and in February 2024, the attorney general conducted an investigative sweep of streaming services’ compliance with consumer opt-out rights. These investigative sweeps led to numerous enforcement actions and settlements with covered companies.

As with prior investigative sweeps, covered companies should take immediate action to minimize the risk of becoming a target of the AG’s current sweep. Mobile apps, advertising networks, and data brokers that collect, receive, or sell location data should evaluate their practices and policies to ensure they are compliant with the CCPA.

AB 1355: California Location Privacy Act

The investigative sweep coincides with the recently proposed California Location Privacy Act, AB 1355, which seeks to impose strict regulations on how businesses collect, use, and retain “location information” gathered from or about individuals in California.

  • Who is covered: AB 1355 would apply to virtually all private organizations, businesses, nonprofits, and individuals that collect or use location data. Narrow exceptions apply for healthcare data covered by HIPAA or similar laws, while government agencies are excluded but prohibited from selling location data to third parties.
  • How is “location information” defined: The proposal defines location information as “information derived from a device or from interactions between devices, with or without the knowledge of the user and regardless of technological method used, that pertains to or directly or indirectly reveals the past or present geographical location of an individual or device within the state of California with sufficient precision to identify street-level location information within a range of five miles or less.” The definition includes, but is not limited to, GPS coordinates, IP addresses, cell-site location data, and information captured by automated license plate readers or facial recognition systems.
  • As discussed below, the definition of location information is much broader than current geo-location and sensitive personal information definitions under state privacy laws, which are generally defined as having a radius of 1850 square feet or less.

AB 1355 requirements:

  • Express opt-in model: Most notably, the bill sets forth an express opt-in requirement before the collection of any location information, again defined to be certain information collected within a five-mile range. This means that covered entities would need to obtain affirmative consent from individuals before collecting their location information.
  • Purpose limitation: Under the bill, location information may only be collected if necessary to provide a specific good or service requested by the individual. The proposal does not provide guidance on what is “necessary,” leading to much ambiguity for covered entities including employers who may be collecting location information as part of workplace monitoring, for example.
  • Ban on selling, renting, and trading location information: The bill introduces a strict ban on selling, renting, or trading location information. These actions are prohibited outright, regardless of the level of consent obtained.
  • Retention limits: The bill prohibits covered entities from retaining location information for longer than necessary to provide the goods or services requested by an individual.
  • No inferences allowed: Covered entities are prohibited from making inferences based on location information beyond what is necessary for the requested service. This could severely limit common advertising practices like personalized advertising and zip code targeting, or employer practices like employee productivity monitoring.
  • Enforcement: As currently devised, violations of the Act could trigger civil penalties of up to $25,000 per violation, injunctive relief, and an award of attorney’s fees to prevailing plaintiffs. The bill permits enforcement by the California Attorney General, district attorneys, and certain public prosecutors.

How is AB 1355 different from the CCPA?

As mentioned, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), defines geolocation data as “personal information” subject to disclosure requirements and consumer rights protections.

The CCPA/CPRA further defines “precise geolocation” to include any location data derived from a device that identifies a person’s location within a 1,850-foot radius. This type of data is considered “sensitive personal information,” and subject to additional protections such as consumer rights to limit its use and disclosure for certain purposes such as inferring characteristics about an individual.

But AB 1355’s requirements, including specifically its strict opt-in, necessity standard, and five-mile radius rule, go well beyond the CCPA’s requirements for location data and precise geolocation. The proposal is an entirely new framework for dealing with location data – arguably requiring that businesses not collect it in the first instance unless strictly necessary. The proposal could restrict how businesses track and advertise to customers, and how employers monitor and manage their workforce.

What can businesses do?

California’s focus on location data – whether through an AG’s investigative sweep or future legislation – requires businesses to stay vigilant concerning their collection and use of location data. Businesses should be particularly proactive about their collection and use of location data, including:

  • Data mapping and in-take assessments: Businesses must understand whether and where the information they collect may be regulated as location data. This requires a degree of focus on changing regulatory definitions, but also a focus on collection points other than in-person or on the website. In fact, one of the largest location-data points of collection is software development kits (SDKs) embedded in digital applications (apps) which businesses may not even realize are defaulted on to collect geo-location data. In the employment context, location data may be collected in the form of remote workforce monitoring data, workplace safety and cybersecurity monitoring, or fleet management and logistics. The point of collection and basis for that collection will vary significantly based on context.
  • Notice requirements: Under existing laws, businesses should prominently disclose when and by whom location data is collected, and how that data is shared. Depending on the context, businesses should consider enhanced notice requirements and work to obtain affirmative consent, if required. To be effective, an in-app notice of data collection may look and feel different from an employee notice.
  • Enable and encourage user controls: Consumer-focused businesses may wish to educate users about their ability to control the collection of location data, including through in-app and other device-setting controls, and opt-outs.
  • Audit user settings and make sure opt-outs are honored: Regulators and the plaintiffs’ bar alike are focused on whether opt-outs and other consumer rights are actually being honored. As we have seen in CIPA litigation, plaintiffs now claim that while they were presented with a consent banner before their information was collected, the choices that they exercised on the consent banner were not honored (i.e., non-essential cookies continued to be deployed). Similarly, in the context of location data, the investigative sweep announcement makes clear that the attorney general has identified businesses that are not honoring consumer opt-outs for sensitive personal information including geolocation data. This appears deceptive and may open businesses up to additional UDAP or other claims.
  • Third-party data sharing: Businesses are accountable for their data-sharing activities, including the sharing (or “sale”) of location data with third parties online. Whether this sharing is necessary, and whether proper consents and contractual agreements are in place, must be evaluated. For example, an employer monitoring a remote workforce through the use of third-party location tracking technology should limit the use of that data strictly to purposes necessary to effectuate the contract. A consumer brand may collect a similar type of location data and share it with third parties in the ad tech ecosystem, but those actors may not as readily agree to contractual prohibitions on their own data use.

Location data can present significant challenges and risks, including the risk of regulatory enforcement. Clark Hill will continue to monitor AB 1355’s progress and provide updates.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Clark Hill PLC 2025
