When the Supreme Court overturned Roe v. Wade on Friday, the likelihood for location data to be used against people suddenly shifted from a mostly hypothetical scenario to a realistic threat. Although location data has a variety of purposes — from helping municipalities assess how people move around cities to giving reliable driving directions — it’s the voracious appetite of digital advertisers for location information that has fueled the creation and growth of a sector selling data showing who visited specific points on the map, when, what places they came from and where they went afterwards.
Over the years, the digital ad industry has been resistant to restrictions on the use of location data. But that may be changing. The overturning of Roe not only puts the wide availability of location data for advertising in the spotlight, it could serve as a turning point compelling the digital ad industry to take action to limit data associated with sensitive places before the government does.
Friday’s Supreme Court decision has heightened the significance of risks associated with location data reflecting sensitive places, said Grace Briscoe, senior vice president of Client Development at digital ad company Basis Technologies.
It appears that the industry organizations have been slow to act, and I do think there's opportunity for them to tighten the location data policies.
“It wasn't as sensitive a month ago as it suddenly is now,” Briscoe said. “It appears that the industry organizations have been slow to act, and I do think there's opportunity for them to tighten the location data policies, and prohibiting collection of certain types of sensitive location data and putting some consistent industry-wide guidance around that would be really valuable.”
There is moderate movement in this direction already. The Network Advertising Initiative, a digital ad industry trade group, last week announced a new set of voluntary guidelines prohibiting member companies that adopt them from using, selling or sharing any information about device or user activity associated with locations deemed sensitive, such as fertility or abortion clinics, mental health treatment facilities, places of religious worship, correctional facilities, addiction treatment centers, immigration centers, military bases or payday loan institutions.
The NAI wants to preempt an outright ban on location data, said David LeDuc, vice president of Public Policy at the NAI. “The notion that all the data should just be eliminated — I just don’t think it passes the test. It’s really fair how concerned people are, but we just don’t think throwing all the data away is where we should end up,” he said.
Pharmaceutical makers or other advertisers do use location data associated with health care facilities, Briscoe said. “Finding people who are at the hospital every day — that is actually a really good way to identify people who work in health care or frontline workers,” she said. Briscoe said she was not aware of industry-imposed restrictions on use of location data associated with health or medical facilities, although there are some limits on location data reflecting school locations or places of worship.
The NAI’s standards did not come together in response to last week’s Supreme Court decision, of course. They had been in the works for months, propelled in part by news last July that mobile app records obtained by Catholic news outlet The Pillar showed a Wisconsin priest visited gay bars and private residences while using location-based hookup app Grindr. The publication’s investigation led to his resignation.
“We as an industry need to take proactive steps to make sure we are being more responsible and raising the bar and preventing this type of data leakage,” said LeDuc, noting that the NAI wanted to help prevent bounty hunters or law enforcement from obtaining data associated with sensitive locations that could be used to out or penalize people.
“We recognize that self-regulation hasn’t solved all the problems and we can do more and we need to do more — and that’s where this came from,” LeDuc said regarding the voluntary standards.
But there are gaps in this self-regulatory regime.
Only three member companies have publicly agreed to implement the principles, including Foursquare. Google, an NAI member, did not sign on publicly to adopt the standards. After a draft Supreme Court opinion presaging the eventual overturning of Roe v. Wade was leaked in May, legislators wrote to Google urging the company to “stop unnecessarily collecting and retaining customer location data, to prevent that information from being used by right-wing prosecutors to identify people who have obtained abortions.” Google declined to comment for this story.
The NAI does not categorize Google as a precise location information solution provider, the narrow category the group carved out for applying the new standard. “We didn’t seek to include Google because it’s a different business model,” said LeDuc. He added that “it’s fair” to ask why Google or other companies outside the narrow location provider category have not adopted the standards.
Other NAI member companies selling or using location data including Place Exchange and Ubimo also did not publicly agree to the standards.
Fodder for abortion bounty hunters
As industry introduces new self-regulatory limits on data reflecting sensitive locations, pressure from actual regulators is mounting.
Senators recently demanded that location data providers SafeGraph and Placer.ai give details about their data collection practices related to abortion clinics. After it was reported in May that SafeGraph sold information showing where groups of people visiting family planning and abortion clinics had traveled from, how long they stayed and where they traveled, the company said it would stop selling data associated with family planning center locations.
After Roe was overturned last week, lawmakers signaled their intentions to establish new laws that could affect data use in their states. When announcing his plan to push for a constitutional amendment to protect abortion rights in Washington state on Saturday, Governor Jay Inslee said, “We are going to be very alert to plug any gaps in our privacy laws, so that no one can expose private information from a Washington citizen or a citizen of a different state, who comes here for services. We are not going to allow that data to get back to Texas or Missouri or Idaho.”
It’s not just Google, Apple or mobile carriers that have been subject to law enforcement demands for location data. “We have received subpoenas in the past, and we’ve had to provide information,” said Elizabeth Hein, associate general counsel of privacy, product and compliance and global data protection officer at Foursquare. “We do only respond when we have the appropriate legal documentation; they would have to have a subpoena or a court order,” Hein said.
Foursquare has limited its use of information associated with sensitive places for the past few years. Today Hein said the company includes 1.5 million locations throughout the U.S. in its list of sensitive places.
Foursquare already self-imposes the limitations put in place by the NAI’s voluntary standards. In practice, that means that while a Foursquare app user can still “check in” at a sensitive place – say a church or doctor’s office or gay bar – Foursquare does not ingest check-in information associated with places on the sensitive list into its system. It also prevents partners that use its location data and services in their apps from getting that information. That means ads cannot be targeted using that information, and customers can’t use it to measure the performance of their ads.
“This information is just too sensitive to be sharing or using in products downstream,” Hein said.
A history of fighting regulation while pushing for more location data collection
The recent Supreme Court decision may have made the harmful implications of location data more palpable, but the ad industry has faced pressure from lawmakers for more than a decade to put better protections and limits on the location data flowing through its ad systems.
“Location information is extremely sensitive. But it’s not being protected the way it should be,” said Minnesota Democratic Sen. Al Franken in 2014, when he pushed for passage of his Location Privacy Protection Act, originally introduced in 2011, during a Senate Judiciary Committee hearing. The goal of the bill was to protect people from stalking facilitated by location-tracking apps.
During the hearing, Lou Mastria, then executive director of the Digital Ad Alliance, a consortium of advertising trade associations, emphasized that existing industry self-regulation “is not intended to prevent criminal activity.” He added, “The DAA does not believe that such new legislation is needed at this time.”
Even then, the DAA did require companies to get consent from people before collecting and sharing precise location data “or obtain reasonable assurances that the app developer or owner has obtained consent to that data collection.” However, at the time, the DAA and ad industry at large lobbiedagainst federal privacy legislation, arguing that their own self-regulatory approaches were preferable.
Two years after that hearing, the Interactive Advertising Bureau, the digital ad industry’s most prominent trade group and a member of the DAA, actively encouraged its digital publisher members to take advantage of monetizing mobile location data, which it called “a treasure trove in the marketing world.” A 2016 IAB guide said publishers could generate ad revenue of 20% to 30% more when location data is used to target ads.
Without mentioning anything about the potential to exploit data associated with visits to places people may consider sensitive or private, the guide told publishers how to sell location data through licensing agreements. Partnerships between mobile location data providers and the mobile app publishers they gather location data from typically are shielded from the public by non-disclosure agreements, making it near impossible to know which entities actually supply the data. The IAB guide did note that publishers should consult the DAA’s self-regulatory principles and the NAI’s code of conduct when considering how to get user permission for location data collection.
The guide also explained that location data was available for the taking through ad requests in open ad exchanges or through the software development kits plugged into mobile apps, a process sometimes referred to as bidstream siphoning. That process is often downplayed by the ad industry and location data providers because it allows data to be used without explicit consent. To this day, location data is available for collecting from ad bidding systems.
Last month, the Irish Council for Civil Liberties called the exposure of location data in the real-time bidding systems that run the digital ad market “the biggest data breach.” It reported, “On average, a person in the U.S. has their online activity and location exposed 747 times every day by the RTB industry.”
Since the DAA testified about location data before Congress in 2014, a slew of state privacy laws have been established, prompting industry groups including the DAA and IAB to change their tunes on a federal privacy law. The groups now argue that one federal law that would supersede state laws would be better than the jumble of differing requirements and restrictions they face today.
A post-Roe window cracks open to industry change
Today the DAA, IAB and NAI support a framework for federal privacy legislation that would prohibit companies from obtaining geolocation information without obtaining people’s express consent. However, it does not create specific rules for data associated with sensitive locations.
When asked why the IAB does not have self-regulatory standards encouraging member companies to adopt the principles in the framework, Lartease Tiffith, executive vice president for Public Policy at IAB, told Protocol, “We don’t come out with a proposal if we don't think that that's what our members need to do and they ought to do and we have the support to do. I think it's actually pretty clear that we are doing those things; we just don't have everything in the public sphere for you to sort of pull down off our websites.”
However, the IAB did make a statement on its website Monday about providing employees with access to reproductive health care.
“For women employees who live in states that are restricting access to reproductive healthcare, IAB will fund travel to locations that provide it,” the group wrote. “The U.S. Supreme Court’s decision to overturn Roe v. Wade permits states to significantly restrict women’s ability to support their families, make crucial healthcare choices, and continue to participate in the economy and society. Furthermore, this ruling directly and disproportionately harms poor women and communities of color.”
Now, the IAB is promising there’s more to come. “We actually are looking at what additional things could we do beyond pushing for this in legislation and regulation. [A lot] of people are, so we don't want to stop there, but we want to make sure that we're taking the right approach,” said Tiffith.
“There’s openness in the industry to taking action around this,” Briscoe said. “The moment gives us some real specifics to address and some momentum around making sure that we solve for some of these potential abuses of the data that's been created.”
Correction: This story was updated to reflect the fact that Factual has adopted the NAI’s sensitive location data standards because it was acquired by Foursquare and is no longer a standalone company. This update was made June 29, 2022.