Privacy

Don’t Get Lost Finding Your Customers: New Rules For Mobile Geo-Targeting

Published: Aug. 12, 2015

Updated: Oct. 05, 2020

Precise geolocation data is increasingly being used to “geo-target” consumers’ devices, to serve ads relevant to either where they are at a given moment, or where they tend to be during a given time frame. This is nearly always done on an anonymous basis through apps that pass to third-party mobile ad networks and data providers a user’s GPS-level geolocation data, usually in the form of latitude and longitude, e.g., 40.749931, -73.981856.

Conceptually, this data is in many ways analogous to anonymous web-browsing data. For instance, for user profiling purposes, the fact that an anonymous user’s device has gone to a particular department store is in many ways analogous to the fact that an anonymous user’s browser has gone to Amazon.com. Yet despite this, stricter self-regulatory rules are emerging for geo-targeted audience targeting than exist for web-based audience targeting, and ad and data platforms, as well as marketers, should take note of those rules.

In particular, the NAI, the principal self-regulatory and trade organization whose privacy-centered Code of Conduct governs third party online ad and data platforms, has recently provided detailed guidance regarding how its members should work with precise geolocation data. Because the NAI’s roughly 100 members include most significant supply and demand side networks and data management platforms, the NAI Code often has the practical effect of law. Below, we provide a synopsis of the NAI’s recent guidance on geo-targeting and related observations.

The NAI Code Provisions On Geo-Targeting

A May 2015 update to the NAI Code established a dichotomy: in some situations, consumer opt-in consent would be required for geo-targeting, but in other situations, it would not. “Opt-in Consent” is not precisely defined, except that a consumer must “take[] some affirmative action that manifests the intent to opt in”—and it’s generally assumed that, for instance, a mere platform-based notice that location data will be collected, without an explanation that it will be used for third party geo-targeting, doesn’t fit this definition.

The May 15, 2015 NAI Code Update

Under the rules set out in the “2015 Update to the NAI Code of Conduct” (posted online at www.networkadvertising.org), the NAI determined that Opt-in Consent isn’t required in the following scenarios:

  • The location data isn’t “precise” – if the “actual physical location” can’t be determined “with reasonable specificity,”
  • The ad network “converts a precise location . . . to a general category,” rather than storing the geo-coordinate data. For instance (in the example the NAI gives), if a device shows up at a coffee shop at a specific address, and the ad network merely assigns a general “coffee shop” category to the device as opposed to that particular coffee shop or its latitude/longitude, that doesn’t require Opt-in Consent, or
  • Geolocation is used for real-time “geo-fencing,” where ads are sent based on real-time interactions, and the coordinates aren’t stored.

Geo-targeting solutions—whether they involve the retention of geo-coordinates or the conversion of them to categories—generally provide a way to target more relevant offer to more people than geo-fencing does, because geo-targeted ads are not real-time dependent. But geo-targeting solutions also of course require the retention of more information.

What The FTC Has Required

The FTC’s jurisprudence on the issue of disclosures related to geo-targeting is principally limited to its December 2013 settlement with the company distributing the popular “Brightest Flashlight App.”

In its Complaint, the FTC alleged that the app had transmitted geo-location data (tied to device IDs) to ad networks, without proper disclosure. That is, the app developer disclosed in its Privacy Policy only that:

The developer will “collect, maintain, process and use diagnostic, technical and related information, including but not limited to information about your computer, system and application software, and peripherals, that is gathered periodically to facilitate the provision of software updates, product support and other services to you related to the Goldenshores Technologies Software, and to verify compliance with the terms of the License. Goldenshores Technologies may use this information, as long as it is in a form that does not personally identify you, to improve our products or to provide services or technologies to you.

The FTC determined that this did not “adequately disclose to consumers that the Brightest Flashlight App transmits or allows the transmission of device data, including precise geolocation along with persistent device identifiers, to third parties, including advertising networks” – and (even more important) that this omission was “material to users in their decision to install the application.”

Even though the allegations were based only on the privacy policy disclosures and omissions, in the resulting Consent Decree, the FTC required the app developer to get affirmative, express opt-in consent from consumers. The Order prohibits it from transmitting precise geolocation information to ad networks unless it (a) informs users what data is being collected, how it will be used, and (generally) by whom and (b) gets “affirmative express consent” from the user.

(The FTC had telegraphed its interest in geo-targeting disclosures in a February 2013 Report on mobile disclosures, titled “Mobile Privacy Disclosures: Building Trust Through Transparency,” in which it said this (at p. 3): “[M]obile devices can reveal precise information about a user’s location that could be used to build detailed profiles of consumer movements over time and in ways not anticipated by consumers. Indeed, companies can use a mobile device to collect data over time and reveal[] the habits and patterns that mark the distinction between a day in the life and a way of life. Even if a company does not intend to use data in this way, if the data falls in the wrong hands, the data can be misused and subject consumers to harms such as stalking or identity theft.”) Our previous blog post provides more information.

The Dilemma

The instant dilemma of course is that app developers generally do not get the type of opt-in consent envisioned by either the FTC’s “Flashlight” Order or the NAI’s Code update, nor is that level of opt-in consent built into device-based notices. In some cases, third-party networks distribute SDKs that provide specifically crafted language, but those apps are the small minority. Moreover, because the geo-targeting data and resulting segments (e.g., “Goes to Bob’s Home Furnishing’s in San Bruno”) are anonymous, the geo-targeting model has been seen by many as conceptually analogous to online behavioral data and segments (e.g., “Goes to www.bobshomefurnishings.com”)—which, with few exceptions, do not require opt-in consent under self-regulatory codes.

The NAI’s July 2015 Guidance

Providing a quick (at least, partial) fix, the NAI recently offered guidance for “Determining Whether Location is Imprecise,” which provides more paths toward compliance for geo-targeting platforms. Specifically, it sets out a 4-factor balancing test for its Members to consider in deciding whether geolocation data is “precise” and thus whether Opt-In Consent is required. Those four factors (which I’ve set out below, verbatim) are:

  • The area of the identified location (e.g., how many decimal places were used in the location coordinates?);
  • The population density of the located area (e.g., is the location of a crowded stadium or a country road?);
  • The accuracy of the data (e.g., were extra decimal places in the coordinates added arbitrarily, such as trailing zeros?); and
  • The presence and detail of the location’s timestamp (e.g., does the location describe a user’s location at a specific millisecond or specific month?).

Thus, geo-targeting networks that follow these factors might design their products by evaluating what relative efficiencies or product deficits are created by, say, avoiding targeting to low-density populations (for instance, in Wyoming, the density per square mile is under 6 people, or 1-2 households), as opposed to, say, retaining time-stamp (for instance, “Device Goes to Bob’s Burgers on weekends” as opposed to “Device Went to Bob’s Burgers yesterday at 5:30”).

The Last Word

Effective (and privacy-sensitive) geo-targeting is very important to the Internet and mobile economy. As consumers’ attention is increasingly focused on media delivered to smaller screens—apps, videos, games, and other media—with fewer advertising opportunities, it’s increasingly important for advertisers to be ever more relevant, in terms of both content and location. To help fuel the online, media and app economies, and the (often free) entertainment choices that come with them, it’s also important to allow brick-and-mortar companies who wish to advertise to reach users in a timely and effective way. Because geo-targeting offers that, it’s crucial that the regulatory and self-regulatory ecosystems provide multiple paths for innovative targeting. The NAI’s July guidance is a very useful step in that direction.