Location Data Privacy: Legal and Compliance Considerations

Location data privacy sits at the intersection of Fourth Amendment jurisprudence, sectoral federal statutes, and a rapidly expanding patchwork of state privacy laws — making it one of the most legally contested categories of personal data in the United States. This page covers the definition and regulatory scope of location data, how it is collected and processed, the primary industry scenarios where compliance obligations arise, and the threshold questions that determine which legal frameworks apply. Privacy professionals, legal counsel, and compliance officers navigating this sector will find structured reference to the applicable statutes, enforcement agencies, and classification distinctions that govern location data handling.


Definition and scope

Location data refers to any information that identifies or can be used to infer the geographic position of a person, device, or vehicle at a point in time or over a period. The Federal Trade Commission (FTC) treats precise geolocation as a category of sensitive personal information warranting heightened protection, a position articulated in its 2022 policy statement on commercial surveillance.

Location data is classified along two primary axes:

  1. Precision level — Coarse location (ZIP code, city) versus precise location (GPS coordinates accurate to within meters, or cell-tower triangulation accurate to within hundreds of meters).
  2. Temporal dimension — Point-in-time location versus persistent or historical location trails that reveal patterns of movement, home address, workplace, medical visits, or religious attendance.

The distinction between these categories is operationally significant. Persistent precise location data can constitute sensitive data under the California Consumer Privacy Act as amended by the California Privacy Rights Act (CPRA), the Colorado Privacy Act (CPA), and the Virginia Consumer Data Protection Act (VCDPA). All three statutes require opt-in consent prior to processing sensitive personal data, including precise geolocation (California Attorney General, CPRA text).

The Electronic Communications Privacy Act (ECPA), 18 U.S.C. § 2510 et seq., and the Stored Communications Act impose additional constraints on government access to location data held by telecommunications carriers. The Supreme Court's 2018 decision in Carpenter v. United States, 585 U.S. 296 (2018), held that the warrantless acquisition of seven or more days of cell-site location information violates the Fourth Amendment, establishing a constitutional floor for law enforcement access independent of any statutory framework.


How it works

Location data is generated through six primary technical mechanisms, each carrying distinct regulatory implications:

  1. GPS signals — Device-reported coordinates transmitted by apps with location permission.
  2. Cell-site location information (CSLI) — Tower triangulation data held by mobile network operators.
  3. Wi-Fi and Bluetooth proximity — Passive signals detected by retail or venue infrastructure.
  4. IP address geolocation — Coarse-precision inference from network routing data.
  5. Transactional inference — Location deduced from point-of-sale data, loyalty programs, or financial transactions.
  6. Third-party data brokers — Aggregated location profiles assembled from app SDKs and resold commercially.

Data brokers represent a particular compliance risk surface. The FTC's 2023 enforcement actions against Kochava, Inc. alleged that the company sold precise geolocation data that could expose visits to abortion clinics, addiction treatment centers, and places of worship — citing Section 5 of the FTC Act (FTC v. Kochava, Case No. 2:22-cv-00349, D. Idaho). This case operationalized the FTC's broader view that location data revealing sensitive inferences about individuals is an unfair trade practice under existing federal authority, even absent a comprehensive federal privacy statute.

Consent management frameworks are the primary compliance mechanism at the collection layer. The CPRA requires that businesses disclose whether they sell or share precise geolocation data and that they provide opt-out mechanisms. The data minimization principle — codified in Colorado's CPA at C.R.S. § 6-1-1308 and incorporated by reference in the NIST Privacy Framework (NIST Privacy Framework v1.0) — requires that location data collection be limited to what is adequate, relevant, and necessary for the specified processing purpose.


Common scenarios

Mobile application analytics — Apps that collect background location for advertising targeting must obtain explicit opt-in under iOS App Tracking Transparency rules (Apple, App Store Review Guidelines §5.1.1) and satisfy state law consent requirements. The CPRA's opt-in requirement for sensitive geolocation applies to California residents regardless of where the app operator is incorporated.

Healthcare navigation and facility visits — Location data inferring visits to healthcare providers falls under the FTC's expanded interpretation of health-adjacent data. Where a HIPAA-covered entity is involved, the HIPAA Privacy Rule (45 C.F.R. §§ 160, 164) controls — but location data held by non-covered entities, such as period-tracking apps or hospital navigation apps, remains outside HIPAA jurisdiction and falls instead under FTC Section 5 authority and applicable state laws. This gap is detailed further at Health Data Privacy Beyond HIPAA.

Employer monitoring of remote workers — GPS tracking of employees using company-issued devices or vehicles intersects employee privacy rights under state statutes. Connecticut, New York, and Delaware require advance written notice before employers deploy electronic monitoring, including location tracking. Failure to provide notice carries civil penalties under N.Y. Civil Rights Law § 52-c (effective May 2022).

Internet of Things devices — Connected vehicles, smart home assistants, and wearables continuously generate location-adjacent data. The FTC's IoT guidance and NIST IR 8228 establish baseline considerations for IoT privacy that apply to location-emitting devices. Additional coverage of this sector is available at IoT Device Privacy Standards.


Decision boundaries

Determining which legal framework governs a specific location data practice requires resolving four threshold questions:

  1. Is the entity a HIPAA-covered entity or business associate? If yes, the Privacy Rule governs health-related location data. If no, the FTC Act and state consumer privacy laws apply.

  2. Does state law impose a specific geolocation consent requirement? As of 2024, the consumer privacy statutes of California, Colorado, Virginia, Connecticut, Texas, Montana, Oregon, and Florida each classify precise geolocation as sensitive data requiring opt-in consent. The State Privacy Laws Comparison page provides a structured cross-reference.

  3. Does the data constitute CSLI subject to Carpenter? If law enforcement is the requesting party, the constitutional warrant requirement applies to persistent CSLI regardless of the third-party doctrine.

  4. Is the data being sold or shared with third parties? Sale or sharing of precise geolocation data triggers disclosure, opt-out, and in some states opt-in obligations under CCPA/CPRA. Third-party data sharing rules cover the contractual and flow-mapping requirements that attach when location data is transferred to vendors or data brokers.

Entities that aggregate location data for secondary analytics purposes — without a direct relationship to the individual — face the highest enforcement exposure under current FTC and state AG doctrine, because the individual typically has no notice that the data exists and therefore cannot exercise deletion rights, and because the data has often been re-identified from nominally anonymized datasets. De-identification and anonymization standards address the conditions under which location data may be treated as outside the scope of personal data regulation, including the NIST standard for de-identification of personally identifiable information (NIST SP 800-188).

