Location, Location, Location: Recent Developments in Location Data Privacy

Privacy issues surrounding location data were in the news this month. Hawaii’s legislature passed a bill to regulate the sale of GPS data which now awaits the governor’s decision to sign it or veto it. And Twitter announced that it had accidentally collected and disclosed the location data of some of its users. As debates around the privacy of consumers’ data location continue to unfold, these news stories raise two more points to consider.

Hawaii Moves to Restrict Sale of GPS Location Data

Hawaii may soon prohibit the sale of location data collected via GPS-enabled devices unless the device’s primary user provides consent. HB702 HD1 SD2 has been awaiting Governor David Ige’s signature since the legislature passed it at the beginning of May. If it becomes law, it would apply only to devices equipped with technology “that uses communication between electronic receivers and satellites to determine geolocation and time information,” specifically including (but not limited to) GPS technology. Sales of location data collected by such devices without the “explicit consent” of the primary user would be declared an unfair or deceptive practice, allowing aggrieved consumers to sue for the greater of $1000 or treble damages for each violation. The state attorney general would also be able to enforce the law with civil penalties of up to $10,000 per violation per day.

The bill originally passed both the state Senate and House unanimously, with the support of the ACLU of Hawaii, and it overcame intense lobbying to receive a narrow majority vote in the state House to adopt the Senate’s (non-substantive) amendments on the final day of the legislative session. Governor Ige has until June 24 to decide whether he will veto the bill. If he does not act, the bill will automatically become law.

Twitter Discloses Location Data Mistakes

Twitter announced on May 13 that it had accidentally shared location data. While many details remain unknown, it is expected that more details will come to light over the next few months.

The company revealed that it mistakenly collected location data from some of its users without their consent, and that that information may also have been included in a separate inadvertent disclosure of location data to a trusted advertising partner. Twitter did not provide an estimate of the number of users affected or specify the timeframe during which the disclosures occurred. The third party with whom it shared location data likewise remains unnamed.

Apparently a bug in Twitter’s iOS app meant that users with more than one account on a device may have had location data collected from all their accounts even if only one account had opted in to location sharing. Then an unrelated error resulted in the company including - in a dataset share with an advertising partner - user location information it had intended to remove.

Twitter did report that the location data unintentionally shared with its partner had already been “fuzzed” so that it was only accurate to about the size of a zip code rather than a precise location. It was also able to verify that the advertising partner did not retain the fuzzed data it received, and that the information was in the partner’s system for “a short time” before being deleted as part of their normal process.