How the NAI Helps Protect Consumer Location Data

In a recent article, Your Apps Knew Where you Were Last Night, and They’re Not Keeping it Secret, the New York Times raised some serious concerns about the collection and use of precise location information by mobile apps that deserve close attention by all parties in the mobile ecosystem, including the advertising technology industry.  

The ad tech industry, including NAI member companies, is integral to the innovation and benefits provided by mobile apps.  Partnering with app publishers, a number of NAI member companies offer services that empower significant benefits from users’ location data, fueling the rich and expanding app ecosystem. The location-specific features provided by apps have transformed how we interact with our environments. Users rely on their mobile devices to navigate to their destinations, find nearby services, and receive local information, all in realtime wherever they go. The advertising technology industry even powers systems that enable the delivery of location-specific severe weather alerts and missing children alerts which are especially important as fewer people receive their information from traditional sources such as televisions or radios.

Of course, location data is sensitive to users, and it has the potential to reveal specific personal details, so it should be collected and used responsibly by all parties in the diverse mobile ecosystem, including app publishers, operating systems, software developers, and ad tech companies. In many cases, however, limitations in the consent mechanisms for location data provided within mobile operating systems make it difficult or impossible for apps or software developers to modify the messaging provided to users, which makes it challenging to clearly explain an app’s data collection and use practices. All entities, therefore, have to work together to provide effective transparency and control for consumers.

Transparency and control for users is a fundamental pillar of the NAI Code of Conduct. To that end, the NAI has worked for years to provide an environment that enables the responsible use of location data, beginning with a set of requirements established in our original Mobile Application Code in 2013. Today, the 2018 NAI Code of Conduct (Code) requires member companies that obtain data, including the precise location information shared by applications, to adhere to a robust set of privacy protections. Member companies’ practices are also subject to annual compliance reviews by NAI staff. Specifically, the NAI Code establishes a number of privacy protections, including:

• Notice: The NAI requires member companies to provide clear, prominent, and meaningful notice regarding their data collection and use practices, including location data. In addition, NAI members must work to ensure that mobile applications which collect and share this data provide similar notices to users, although ultimately mobile applications are responsible for the disclosures they provide on their own properties.
• Opt-in Consent: The NAI requires member companies seeking to use precise location data for Personalized Advertising to obtain either (i) a user’s opt-in consent; or (ii) reasonable assurances that the app collecting the data has obtained opt-in consent before doing so.
• Use Limitations for Location Information: NAI members may not use location information collected for Personalized Advertising, or allow it to be used, to determine an individual’s eligibility for employment, credit, health care, or insurance.
• Limitations on Re-identification: NAI members generally do not associate location information with any information that identifies a particular individual for purposes of Personalized Advertising. If an NAI member sought to associate location data it had already received from an app with an identified individual for Personalized Advertising, it would first need to directly obtain that user’s separate opt-in consent. Similarly, an NAI member also may not transfer location information to a third party unless it first obtains a contractual guarantee that the third party will not attempt to re-identify the user for Personalized Advertising without the user’s separate opt-in consent.
• Sensitive Data: The NAI does not permit member companies to make inferences about sensitive health conditions, pregnancy termination, or sexuality for Personalized Advertising purposes without a user’s opt-in consent. This restriction applies equally to app interaction data, web browsing data, and precise location data.

The New York Times article raises concerns about the possibility that anyone could obtain pseudonymous location data, linked only to advertising IDs, and connect that information with an identified individual. While this is a technical possibility in some circumstances, the NAI Code and compliance program help ensure that NAI members, a number of whom were mentioned in the article, do not engage in such activities without a user’s permission.

Despite the privacy protections currently required by the Code, the New York Times article raises serious concerns about the adequacy of the current notice and choice protections offered for the use of location data. Mobile applications that collect a user’s data and share it with advertising technology companies must inform users about the nature of their data collection, use, and sharing. As noted, while the specific implementation of this notice is frequently outside the control of ad tech companies, there are additional privacy protective business practices that NAI recommends to help alleviate the concerns raised in the article.

First, NAI members are encouraged to engage in the use of general or “imprecise” location instead of precise location data where possible. NAI considers location data to be imprecise when it cannot be used to determine with reasonable specificity the actual physical location of a person or device. In general, NAI considers location data to be imprecise if it cannot be used to locate a person or device within a 500 meter radius – which is roughly the length of five football fields in any direction. The NAI has issued specific and detailed guidance on how members may render location information imprecise. As a result, many NAI members retain only imprecise location data or interest segments derived from such data, such as coffee shop visitor, rather than the underlying coordinates themselves.

Second, the NAI also encourages members to integrate just in time or enhanced notice provisions in the applications from which they obtain precise location data, in order to clarify the use of such data for advertising, such as the interstitial notice provided in the GasBuddy app referenced in the article.

Finally, companies should implement responsible data retention limits, whereby companies retain data, including precise location data, for only as long as necessary to fulfill a legitimate business need.

As mobile devices grow more capable, and become a bigger part of our daily lives, the NAI is actively exploring opportunities, through additional guidance or changes to our Code, to ensure that users have better notice and more control regarding the sharing and use of their data, including precise location data. For example, changes could include codification of some of the best practices highlighted above, expanding NAI notice and choice requirements to also apply to real-time contextual use of location data, and expanding requirements to other sensors on mobile devices.

The NAI also supports federal privacy legislation that would establish a national privacy framework to ensure that all companies–not just those who have already committed to strict industry self-regulation–are proactive about consumer privacy protection.  Such a framework should leverage existing self-regulation, like the NAI Code and compliance program, and strengthen the FTC’s enforcement capabilities to ensure bad actors are subject to strict penalties.