Privacy Practices for User Location

With the rise of companies such as Uber Eats, Instagram, and Find My Friends, individuals are increasingly sharing their personal locations with other users and mobile apps.

There have been protections for the collection of personal information like addresses and debit cards in place for years. However, with the growing number of mobile app users, a user's location has recently seen a rise in legal protection.

This is why if your app collects location data from users at any point in time, you need to pay special attention to certain laws and methods to make sure you won't face any potential legal issues down the road.

User Location is Considered Personal Information

Is user location considered personal information? Yes.

"Personal information" can be defined in many different ways, but a common point is that it's data that can be used to identify a specific individual. Phone numbers, names, and credit card information can all be used to do this. Location data can as well.

While knowing the location of a phone or individual helps apps perform key functions and run analytics, the longitude and latitude of where a person is located at any point in time is enough to identify a specific person.

Users have a right to the protection of their data, including their location. This isn't always the case in certain situations. This is why understanding key privacy laws are paramount for app developers.

User Location and Privacy Laws

With over 1.85 million mobile apps in the world as of 2020, privacy laws are having to play catch up and adapt to the new features and functions of apps.

While regulating the collection of email addresses and political views is one thing, letting an app know your exact whereabouts is another. This is why you'll find a growing number of privacy laws including user location under their protection.

However, not every law clearly states geological location is included or is covered. Each country, and in the case of the U.S., each state, has its own restrictions on collecting personal data.

Not every privacy law may be applicable to your app, but you must be aware of the possibility that you may have to comply with more than one privacy law.

European Union

Arguably the most expansive and rigorous data protection law in the world, the EU's General Data Regulation Protection (GDPR) aims to protect the information of EU citizens collected by apps and websites. However, it also applies to any company that collects the information of EU citizens, no matter where the company is located.

The GDPR's definition of "personal information" is broad for a reason: to include as many types of potential collectible information as possible. This is why it covers names, email addresses, SSN, and location data.

The GDPR requires apps to include a "concise, transparent, intelligible, and easily accessible" Privacy Policy. The Privacy Policy must clearly disclose to users how, why, and when their data is collected, along with other details.

Another key EU law to keep in mind is the EU's Cookie Directive. This specific law applies to any cookies used to track the usage and geological location of an individual.

United States

Many states have their own data protection laws with varying degrees of protection. Saying that, here are the few that you should pay attention to regarding user location:

• California Online Privacy Protection Act (CalOPPA) applies to companies or apps that collect the personal information of California residents. CalOPPA requires websites/apps to include a Privacy Policy when collecting private data.
• The California Consumer Privacy Act (CCPA) came into effect on January 1, 2020, and is by far the strictest data protection law in the United States at this time. The California law adds onto CalOPPA by granting new rights to consumers to know and opt-out of the sale of their information collected by websites and apps. You should have a CCPA-compliant Privacy Policy if this act applies to you.
• The Children's Online Privacy Protection Act (COPPA) requires mobile apps or websites that collect the data of children under 13 to obtain parental consent, have an unambiguous Privacy Policy, and protect the information of the child.

The Federal Trade Commission (FTC) is the federal regulatory body that protects consumers from unfair practices by protecting the collection and storage of personal data, including location tracking analytics.

Other Important Laws

Outside of the U.S. and the EU, there are plenty of other data protection laws to pay attention to if your app uses location data:

• Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) only applies to private companies that collect or store the private information of users for commercial activity. PIPEDA states that any user location data collected should be "appropriate" and individuals must give consent to the collection.
• Australia's Privacy Act of 1988 and its 13 Privacy Principles (APPs) are the guidelines for privacy protection in Australia. Australia's definition of personal information is broad to include any information or opinion about an "identifiable individual," in which geological information would likely be included.

Location Data and App Stores

Just because apps may not be websites or companies, it doesn't mean they are exempt from complying with privacy laws. As you can see above, the protection of private information has become all-encompassing across the world.

Some apps can be downloaded from individual websites. While others partner with third-party companies to connect to users. The two most common third-party businesses are Apple and Google.

Along with a host of other third-party SDKs, Apple and Google have intense requirements when it comes to partnering with them. Below is a look at what both of these companies require apps to use their service.

Apple

Apple takes its protection of personal information of its users seriously. For example, Apple Store prides itself on its protection services and fostering relationships with apps. Its key goal is to "provide a safe experience for users to get apps and a great opportunity for all developers to be successful."

Apple wants to work with app programmers and companies to foster business. However, the company makes it clear that when apps partner with Apple, they are responsible for complying with Apple's guidelines, third-party SDKs, and any analytical services:

To partner with Apple, you must agree to follow the regulations in Apple's Xcode and SDKs Agreement. The Agreement manages the relationship between apps and Apple, including apps that use location-based APIs and when the apps can and can not use those services (i.e., MapKit) through Apple.

Apps must not only comply with Apple's rules but every other type of law, including data collection and location service laws to use their services:

In addition to the Xcode and SDKs Agreement, apps must also comply with Apple's Developer Guidelines. The App Store Review Guidelines states the requirements apps in Apple's App Store must follow.

First, apps that partner with Apple must include a Privacy Policy that includes what data is collected, if the data is shared with third parties, and how the data is protected and stored. The link to the app must also be "easily" accessible:

Second, apps must get user consent before they can collect any data. Users must also have a simple way they can revoke consent:

Apps should also remember to comply with other laws if they are collecting data without consent for a "legitimate interest."

Third, the Guidelines include a specific section on location services. Apps can only use this feature when it is "directly relevant" to their services. Apps must ensure that they also receive consent before they collect any location-specific information:

Google

Like Apple, Google has its own agreements apps must follow for Google to distribute them.

When partnering with Google you must agree to Android's Software Development Kit License Agreement. Agreeing to the SDK creates a legally binding agreement between the app and Google.

If apps collect the private information of users, they must notify users of the collection. Google also requires apps to include an "adequate" privacy notice to users before collection:

Google Play is the equivalent of Apple's App Store. App companies must agree to Android's SDK and Google Play's Developer Distribution Agreement. Failure to comply with the agreement will lead to your app being deleted or suspended.

Apps are required to protect the privacy rights of users and notify them through a Privacy Notice of any collection of personal information:

Google puts a limit on when you can collect the information. Apps can only collect for "limited purposes" (such as location service) after obtaining consent.

Best Methods for User Location Apps

Location-specific apps generally have to comply with the same requirements of other types of apps and websites. Although there are three key methods apps need to adhere to when collecting the user location information.

They are:

• Include a Privacy Policy
• Collect user location data only when it is required or relevant
• Obtain consent and allow it to be revoked

Privacy Policies

For most privacy laws, user location data is considered protected as private information. This means you need to include a Privacy Policy to notify the user of the collection of information.

The Privacy Policy needs to be in simple, unambiguous language. It must include the following:

• How data is collected
• Why the data is collected
• How the data is stored and retained
• Protection of the data
• Third-party partners

Both the GDPR and the FTC require transparency between companies and users so the policy needs to be understandable and fair.

Links to the policy need to be accessible on the app or the app's website. They can be included in pop-ups, sign-up forms, or in the Settings of the app. As long as the user can easily find the link, you should be fine.

Grubhub includes full disclosure of the information it collects ranging from addresses to payment info to answers on surveys in its Privacy Policy:

For apps that collect user location data, you must include a statement about the information you collect and how. A feature of Snapchat is that you are able to see where your Snapchat friends are in relation to yourself. Snapchat does this by using GPS, cell towers, and routers, all of which are stated in its Privacy Policy:

For an example that goes a little more into detail about the information that is collected, take a look at Instagram's Location-related information clause:

Information that is Relevant

Any personal information that is collected needs to be for a specific purpose of the app. Apps are not allowed to collect data for any reason. It must be relevant to the app's service. Google and Apple both require this when they partner with apps.

User location data must be collected to perform a particular function of an app. Why and how this information is collected needs to be included in the app's Privacy Policy.

The Weather Channel gathers location data for specific reasons such as weather alerts that it states in its Privacy Policy:

Bumble includes in its Privacy Policy how it collects data so users can see others "nearby" and even explains how users can enable its geolocation services:

Consent

As we saw in Google and Apple's agreements, obtaining consent from users is paramount when collecting information. Without consent your app could face some serious legal issues.

The first place to start is to include in your Privacy Policy that you do not collect any information without consent and the type of information users are consenting to be gathered.

Match.com states in its policy that it only collects geographical information when you give permission and does not collect it when you decline:

Apps must obtain request permission before collecting the data. For apps on Apple devices, Apple allows you to grant permission for user location while using the app, at all times, or never. This "location access" feature can be found in the Settings on your phone:

For Android users, Google also allows users to control an app's user location settings from the phone's general Settings menu. You can also access and control your location history and sharing on an Android. Google reminds its users that in addition to Google's location controls, apps have their own settings which you can control:

In addition to obtaining consent, apps must also provide users with ways to opt-out of the user location collection. Users must be allowed to revoke or opt-out of their consent.

Twitter's Tweet Location FAQ's states users have great control over their location preferences. Tweet location is "off by default," but users can choose to opt-in if they want and are able to delete past locations from tweets:

Uber collects location data for a slew of reasons such as navigation and pickups. You can also share your location with other riders. Uber's Privacy Policy states users can simply enable or disable these functions through their mobile devices or the Uber App's Privacy menus:

Summary

You'll be hard pressed to find a mobile app that doesn't collect user location information to run their app. This data is important for apps to function, but this personal data must also be protected.

Apps that collect location data need to pay attention to current laws and new privacy protection laws that are continuously popping up to match technology growth.

If you remember these few key privacy practices to implement when saving user location information, your app should be well protected:

• Include a simple and clear Privacy Policy
• Only collect information that is "relevant" for the app's function
• Obtain clear consent and provide ways for users to opt-out or revoke consent