“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.
Today’s column is written by Richard B. Newman, internet marketing attorney at Hinch Newman.
Geofencing is becoming increasingly popular as a means by which to deliver hypertargeted advertising content.
At the same time, today’s data privacy regulatory environment is increasingly aggressive and gaining international momentum. Geofencing raises a number of legal concerns that digital marketers must consider to avoid being caught in regulatory crosshairs.
Marketers use geofencing to create virtual boundaries linked to monitor mobile phones and internet-enabled mobile devices that enter or leave a specific area. Once consumers enter that area, marketers can send or display targeted advertisements in open apps or web browsers.
Apps regularly collect the precise whereabouts of consumers during their use. In the process, one or more third parties collect and share that location data to provide their services, which may include targeted advertising.
It would be a mistake for marketers that employ geofencing technologies for collecting and using personal data to assume that no risk exists merely because they are gathering what has traditionally not been considered personally identifiable information.
California’s Consumer Privacy Act of 2018 (CCPA) is, in many ways, more stringent than the EU’s General Data Protection Regulation (GDPR). CCPA defines “personal information” to include browsing and search history, in addition to inferences derived therefrom.
Although GDPR is not clear on the definition of location data, location data can most certainly qualify as personal data whenever it relates to an identifiable individual.
US regulators have already cracked down on the use of locating data. In 2017, the Massachusetts attorney general settled [PDF] a case involving geofencing around women’s reproductive healthcare facilities. Once women crossed the virtual fence, the advertiser sent targeted ads to their mobile devices.
The Massachusetts AG alleged that the advertiser’s use of geofencing violated the Massachusetts Consumer Protection Act because it tracked consumers’ locations and disclosed them to third-party advertisers to target consumers with potentially unwanted advertising based on inferences about their private, sensitive and intimate medical or physical condition.
Last year, the Federal Trade Commission sent letters to marketers of electronic devices and apps that appeared to collect precise geolocation data from children, warning that they may be violating the Children’s Online Privacy Protection Act (COPPA). One letter was directed to a Chinese company that sold a “child’s first cellphone” that included geofencing “safe zones.”
These warning letters are also significant because the recipients were based outside the United States. The FTC stated that “[t]he COPPA Rule applies to foreign-based websites and online services that are involved in commerce in the United States. This would include, among others, foreign-based sites or services that are directed to children in the United States, or that knowingly collect personal information from children in the United States.”
The services failed to provide direct notice of their collection practices and failed to seek verifiable parental consent before collecting, using or disclosing personal information as required by COPPA, according the agency.
European regulators have also taken action on location-based data protection abuses. In 2015, France’s Commission nationale de l’informatique et des libertés censured billboard giant JCDecaux for installing Wi-Fi boxes on their signs that captured the unique media access control addresses that identified passing smartphones without informed consent.
The new golden rule when processing the locations of smart mobile devices for direct marketing is affirmative opt-in consent.
Prominent and comprehensive geofencing notices should be displayed. Even better, clear, conspicuous and special notices should be displayed when the data is collected and prior to collection on the perimeter of coverage areas.
Just-in-time notices should include, without limitation, the purpose of the tracking and how information is used, the entity responsible for the tracking, the information being obtained, the information that is shared with third parties, how the information is secured, how collection can be stopped and how long the information is retained.
Enhanced privacy notices and written information about security policies should always be implemented.
Digital marketers and app developers should deliberately consider all applicable laws, regulations and best practices prior to implementing or developing geofencing or geotracking campaigns and technologies. Data privacy obligations and restrictions may vary by jurisdiction, and regulators will become incrementally more attentive as new technology facilitates cutting-edge marketing methods based on consumers’ personal information.
Follow Richard B. Newman (@FTCLawDefense) and AdExchanger (@adexchanger) on Twitter.
