With the rise of companies such as Uber Eats, Instagram, and Find My Friends, individuals are increasingly sharing their personal locations with other users and mobile apps.
There have been protections for the collection of personal information like addresses and debit cards in place for years. However, with the growing number of mobile app users, a user's location has recently seen a rise in legal protection.
This is why if your app collects location data from users at any point in time, you need to pay special attention to certain laws and methods to make sure you won't face any potential legal issues down the road.
- 1. User Location is Considered Personal Information
- 2. User Location and Privacy Laws
- 2.1. European Union
- 2.2. United States
- 2.3. Other Important Laws
- 3. Location Data and App Stores
- 3.1. Apple
- 3.2. Google
- 4. Best Methods for User Location Apps
- 4.1. Privacy Policies
- 4.2. Information that is Relevant
- 4.3. Consent
- 5. Summary
User Location is Considered Personal Information
Is user location considered personal information? Yes.
"Personal information" can be defined in many different ways, but a common point is that it's data that can be used to identify a specific individual. Phone numbers, names, and credit card information can all be used to do this. Location data can as well.
While knowing the location of a phone or individual helps apps perform key functions and run analytics, the longitude and latitude of where a person is located at any point in time is enough to identify a specific person.
Users have a right to the protection of their data, including their location. This isn't the case in every situation, which is why understanding key privacy laws is paramount for app developers.
User Location and Privacy Laws
With over 1.85 million mobile apps in the world as of 2020, privacy laws are having to play catch-up and adapt to the new features and functions of apps.
While regulating the collection of email addresses and political views is one thing, letting an app know your exact whereabouts is another. This is why you'll find a growing number of privacy laws including user location under their protection.
However, not every law clearly states that geographic location is covered. Each country, and in the case of the U.S., each state, has its own restrictions on collecting personal data.
Not every privacy law may be applicable to your app, but you must be aware of the possibility that you may have to comply with more than one privacy law.
European Union
Arguably the most expansive and rigorous data protection law in the world, the EU's General Data Protection Regulation (GDPR) aims to protect the information of EU citizens collected by apps and websites. However, it also applies to any company that collects the information of EU citizens, no matter where the company is located.
The GDPR's definition of "personal information" is broad for a reason: to include as many types of potential collectible information as possible. This is why it covers names, email addresses, SSN, and location data.
Another key EU law to keep in mind is the EU's Cookie Directive. This specific law applies to any cookies used to track the usage and geographic location of an individual.
United States
Many states have their own data protection laws with varying degrees of protection. That said, here are the few that you should pay attention to regarding user location:
The Federal Trade Commission (FTC) is the federal regulatory body that protects consumers from unfair practices by protecting the collection and storage of personal data, including location tracking analytics.
Other Important Laws
Outside of the U.S. and the EU, there are plenty of other data protection laws to pay attention to if your app uses location data:
- Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) only applies to private companies that collect or store the private information of users for commercial activity. PIPEDA states that any user location data collected should be "appropriate" and individuals must give consent to the collection.
- Australia's Privacy Act of 1988 and its 13 Privacy Principles (APPs) are the guidelines for privacy protection in Australia. Australia's definition of personal information is broad enough to include any information or opinion about an "identifiable individual," which would likely include geographic information.
Location Data and App Stores
Just because apps may not be websites or companies, it doesn't mean they are exempt from complying with privacy laws. As you can see above, the protection of private information has become all-encompassing across the world.
Some apps can be downloaded from individual websites, while others partner with third-party companies to connect to users. The two most common third-party businesses are Apple and Google.
Along with a host of other third-party SDKs, Apple and Google have intense requirements when it comes to partnering with them. Below is a look at what both of these companies require of apps that use their services.
Apple
Apple takes the protection of its users' personal information seriously. For example, Apple Store prides itself on its protection services and fostering relationships with apps. Its key goal is to "provide a safe experience for users to get apps and a great opportunity for all developers to be successful."
Apple wants to work with app programmers and companies to foster business. However, the company makes it clear that when apps partner with Apple, they are responsible for complying with Apple's guidelines, third-party SDKs, and any analytical services:
To partner with Apple, you must agree to follow the regulations in Apple's Xcode and SDKs Agreement. The Agreement manages the relationship between apps and Apple, including apps that use location-based APIs and when the apps can and cannot use those services (i.e., MapKit) through Apple.
To use Apple's services, apps must comply not only with Apple's rules but with every other type of law, including data collection and location service laws:
In addition to the Xcode and SDKs Agreement, apps must also comply with Apple's Developer Guidelines. The App Store Review Guidelines state the requirements apps in Apple's App Store must follow.
Second, apps must get user consent before they can collect any data. Users must also have a simple way they can revoke consent:
Apps should also remember to comply with other laws if they are collecting data without consent for a "legitimate interest."
Third, the Guidelines include a specific section on location services. Apps can only use this feature when it is "directly relevant" to their services. Apps must ensure that they also receive consent before they collect any location-specific information:
Google
Like Apple, Google has its own agreements apps must follow for Google to distribute them.
When partnering with Google, you must agree to Android's Software Development Kit License Agreement. Agreeing to the SDK creates a legally binding agreement between the app and Google.
If apps collect the private information of users, they must notify users of the collection. Google also requires apps to include an "adequate" privacy notice to users before collection:
Google Play is the equivalent of Apple's App Store. App companies must agree to Android's SDK and Google Play's Developer Distribution Agreement. Failure to comply with the agreement will lead to your app being deleted or suspended.
Apps are required to protect the privacy rights of users and notify them through a Privacy Notice of any collection of personal information:
Google puts a limit on when you can collect the information. Apps can only collect for "limited purposes" (such as location service) after obtaining consent.
Best Methods for User Location Apps
Location-specific apps generally have to comply with the same requirements as other types of apps and websites. However, there are three key methods apps need to adhere to when collecting user location information.
- Collect user location data only when it is required or relevant
- Obtain consent and allow it to be revoked
- How data is collected
- Why the data is collected
- How the data is stored and retained
- Protection of the data
- Third-party partners
Both the GDPR and the FTC require transparency between companies and users, so the policy needs to be understandable and fair.
Links to the policy need to be accessible on the app or the app's website. They can be included in pop-ups, sign-up forms, or in the Settings of the app. As long as the user can easily find the link, you should be fine.
For an example that goes a little more into detail about the information that is collected, take a look at Instagram's Location-related information clause:
Information that is Relevant
Any personal information that is collected needs to be for a specific purpose of the app. Apps are not allowed to collect data for just any reason. It must be relevant to the app's service. Google and Apple both require this when they partner with apps.
Consent
As we saw in Google and Apple's agreements, obtaining consent from users is paramount when collecting information. Without consent, your app could face some serious legal issues.
Match.com states in its policy that it only collects geographical information when you give permission and does not collect it when you decline:
Apps must request permission before collecting the data. For apps on Apple devices, Apple allows you to grant permission for user location while using the app, at all times, or never. This "location access" feature can be found in the Settings on your phone:
For Android users, Google also allows users to control an app's user location settings from the phone's general Settings menu. You can also access and control your location history and sharing on an Android. Google reminds its users that in addition to Google's location controls, apps have their own settings which you can control:
In addition to obtaining consent, apps must also provide users with ways to opt out of the user location collection. Users must be allowed to revoke or opt out of their consent.
Twitter's Tweet Location FAQ states that users have great control over their location preferences. Tweet location is "off by default," but users can choose to opt in if they want and are able to delete past locations from tweets:
Summary
You'll be hard pressed to find a mobile app that doesn't collect user location information in order to run. This data is important for apps to function, but this personal data must also be protected.
Apps that collect location data need to pay attention to current laws and new privacy protection laws that are continuously popping up to match technology growth.
If you remember these few key privacy practices to implement when saving user location information, your app should be well protected:
- Only collect information that is "relevant" for the app's function
- Obtain clear consent and provide ways for users to opt out or revoke consent