Selling location data collected by mobile phones has become a lucrative business, The New York Times reported Monday.
Location advertising sales are expected to reach US$21 billion this year, according to the article. At least 75 companies receive anonymous, precise location data from applications with the location services feature activated.
Several of those outfits claim to track 200 million mobile devices in the United States — about half of all devices in the country, the Times reported.
The data is very accurate, coming within a few yards of a person’s whereabouts at a point in time, and is updated often — as frequently as 14,000 times a day, the paper noted.
With that kind of accuracy and frequency, calling the data “anonymous” is a bit misleading.
“If you are collecting a person’s location over time, and it’s tied to a unique identifier, it’s disingenuous to call that anonymous,” said Natasha Duarte, a policy analyst with the Center for Democracy & Technology in Washington, D.C.
“If you have information about where people are going and where people live, you can build the story of who that location data belongs to,” she told BlueHillco.
Someone can learn a lot about you from your location, said French Caldwell, CFO of The Analyst Syndicate, an IT research and analysis group.
“They can tell what your interests are and who you’re meeting with,” he told BlueHillco. “Your location data tells more about you than your Social Security number.”
Not So Anonymous
Businesses that collect consumer data typically say they’re not interested in individuals but in patterns. Data collected on individuals is “anonymized” by attaching it to an ID number. However, that ID doesn’t even have the cover of a fig leaf for anyone with access to raw location data.
Those people, who include employees or customers of the data collector, still could identify individuals without their consent, as the Times did in compiling its report.
Not surprisingly, the leaders in location-based advertising are Google and Facebook. Both companies offer mobile apps that they use to collect location data. They say they don’t sell it but use it only internally, to personalize services, sell targeted ads online, and determine if the ads lead to sales in the physical world.
Google did not respond to a request for comment for this story. Facebook, through spokesperson Jay Nancarrow, declined to comment.
Some large companies have started to get in front of the location data issue before it becomes a problem for them. For example, Verizon and AT&T announced during the summer that they would stop selling their customers’ location data to data brokers.
Most mobile apps request permission to use a device’s location services before accessing them, but the Times found that process could be misleading. An app might ask for location services access for one purpose but use the information for multiple purposes.
“Not all app notices are perfectly clear as to what location data is being used for,” CDT’s Duarte said.
“Often the app will ask, ‘Do you want us to use your location to provide you with local weather information, or personalize your experience, or improve the accuracy of the maps that you’re using?’ They don’t list all the other purposes the data will be used for — like advertising and sales to third parties,” she pointed out.
Some 1,400 popular applications contain code to share location information, the Times reported. About 1,200 were written for Android phones and 200 for Apple models.
In a sample of 17 apps sending precise location data, three Apple iOS programs and one Android offering mentioned that location data could be used for advertising while seeking permission to access the service, the Times found.
Understanding what’s done with location data can be an onerous task for a consumer. It requires reading user agreements and privacy policies, and changing settings for all the apps on a phone.
“That can be incredibly time-consuming,” Duarte said. “No individual has the capacity to do that properly, and it’s not a burden we should be placing on individuals to depend on location-based services.”
How concerned are consumers about possible abuse of their location information?
“Most consumers don’t care, but there’s a creepiness factor that bothers them a little bit,” said The Analyst Syndicate’s Caldwell.
“We’ve all been on the Web and looked at a new pair of shoes or something, and all of sudden all you see in your browser for hours are ads for those things,” he continued.
“The same kind of thing is happening with your physical location,” Caldwell pointed out. “Stores are tracking your location and will start pushing suggestions to you based on where you went in that store. There’s a creepiness factor there.”
Consumers are very concerned about what’s being done with their location data, maintained Duarte.
“The problem isn’t that consumers are not concerned,” she said.
“It’s that even if you’re very concerned, it’s impossible for anyone to have the capacity and time to understand all the things companies are doing with your data, and then go into your settings and make the choices that align perfectly with your personal privacy interests,” Duarte explained.
“What really needs to happen is for our laws to recognize that location privacy in a commercial context has to be built into any service,” she suggested.
Congress should pass a commercial privacy law, “which would include limits on how companies can collect and use location information,” Duarte said.
Such a law might include provisions already adopted in Europe’s General Data Protection Regulation, which allow people to access information companies have collected about them, correct information if it’s used to make important decisions about them, and delete information.
One area where U.S. lawmakers may want to depart from the GDPR is in consent. The European rule allows data to be collected if consent is given by the owner of the data.
“Some uses of information shouldn’t be allowed even with consent,” Duarte said. “One of those uses might be repurposing of location information — collecting the information for a location-based service, then reusing it for something completely unrelated — like location-based advertising — or selling it to a data broker.”