Location Data Privacy: Guidelines, Assessment and

LOCATION DATA PRIVACY
GUIDELINES, ASSESSMENT & RECOMMENDATIONS
MAY 1, 2013 VERSION 2
© 2013 THE LOCATION FORUM. ALL RIGHTS RESERVED | HTTP://WWW.THELOCATIONFORUM.ORG | +1-770-663-8898
Contributors
PAUL BARRETT
Senior Manager Accenture Interactive
Paul has extensive experience in marketing, technology, and finance as a strategic consultant with
Fortune 100, mid-market and start-up organizations. In his role at Accenture, he is focused on the
intersection of location technologies and location intelligence with big data, web analytics, digital
advertising, social media and mobile.
ARTHUR BERRILL
Vice President Technology, DMTI Spatial
Arthur Berrill is the Vice President of Technology for Canada’s leading provider of Location
Intelligence solutions, DMTI Spatial. Arthur has over 30 years of experience managing the architecture, design and development of enterprise spatial systems. Prior to DMTI, Arthur was with Pitney
Bowes Inc. managing the Advanced Concepts and Technology team. Arthur came to Pitney Bowes
through the acquisition of MapInfo where he managed their Advanced Development Department.
GARY GALE
Director Global Community Programs, HERE at Nokia
Gary is an experienced mapping, location and geographic information professional. In his role
at Nokia he helps people create maps around the world to suit their needs. He is the co-founder
of WhereCamp EU, the conference chair of AGI W3G and sits on the Association for Geographic
Information Executive and Council. He is a Fellow of the Royal Geographical Society and frequent
conference speaker.
KIPP JONES
Vice President Products, Skyhook
Kipp oversees the product group at Skyhook. As VP Product, he is deeply engaged in all aspects of
the business, customers, policies and technology in the fast moving mobile location and location
intelligence markets. Kipp received his BS in Computer Science from the University of Nebraska as
well as an MS and ABD in CS from Georgia Tech.
NATASHA LEGER
Editor LBx Journal; President, The Location Forum
Natasha is Editor of LBx Journal and President of the Location Forum. Natasha is also founder and
President of ITF Advisors, LLC, a strategy advisory firm with a focus on communications, media,
technology and geospatial companies and the convergence of digital media technologies. Natasha is
a strategist with a corporate, legal, and policy background.
DANA LONERGAN
VP Commercial and Legal Affairs, Traxxit
Dana serves as General Counsel and Corporate Secretary for Traxxit, a start-up in the personal and
asset tracking market. With significant legal and business experience, he is responsible for office
operations in addition to representing clients in Administrative and Court hearings. He also represents
Traxxit in numerous professional, civic and community associations.
JIM WARNER
COO, The Location Forum
Jim is the President of The Westport Group, a global innovation and market strategy consultancy
and serves as the Forum’s COO. He has a background in telecom, media and information services as
well as managing industry consortia. He is a frequent speaker and writer on business transformation,
digital services and cloud computing.
PETER WOODGATE
CEO, Cooperative Research Centre for Spatial Information
Peter is CEO of Cooperative Research Centre for Spatial Information. He is also Chair of the Global
Spatial Network as well as a Member of the International Expert Committee, of the Institute of Remote
Sensing and Digital Earth. He is a Member of the Executive Committee, International Society for
Digital Earth and a Board Member of the Terrestrial Ecosystems Research Network. He serves as a
Board member at AUSCOPE and Chairs the Virtual Australia and New Zealand Initiative.
MARLENE ZIOBROWSKI
Senior Data Manager, DMTI Spatial
Marlene is Senior Manager, Data Research and Governance for DMTI Spatial Inc. While engaged in
doctoral work at York University, she was a teacher and lecturer. Thereafter, she owned Lucitech
Communication, a technical writing and editing business before becoming Data Director for
Mapmobility Corp.
About the Location Forum
The Location Forum is a non-profit, global industry consortium that provides leadership for businesses looking to capitalize on the advantages that location-based services, technologies and applications offer. Our focus on location data privacy, locationomics and location intelligence enables
decision makers to better understand how they can apply location strategies across their enterprise.
www.thelocationforum.org
The Location Privacy Council is the primary driver behind the Forum’s Location Data Privacy Initiative.
The 11-member Council operates in a virtual fashion hosting monthly Executive Roundtables where
members and invited experts discuss, debate and share knowledge on specific aspects of Location
Data Privacy.
Disclaimer: The contributors have shared their collective wisdom over their years of experience with location-based technologies, services and applications, and across multiple industry verticals. The opinions referenced are the sole opinions of the contributors and not necessarily the opinions of their current employers.
Table of Contents
ABOUT THIS GUIDE ..... 5
EXECUTIVE SUMMARY ..... 6
PART 1 – OVERVIEW: THE STATE OF LOCATION DATA PRIVACY ..... 12
PART 2 – GUIDING PRINCIPLES & CONSIDERATIONS ..... 19
PART 3 – GUIDELINES & RECOMMENDATIONS FOR THE MANAGEMENT OF LOCATION DATA ..... 21
PART 4 – LOCATION DATA PRIVACY RISK & TRANSPARENCY ASSESSMENT ..... 39
APPENDIX – GLOSSARY OF TERMS ..... 49
About This Guide
Location knowledge varies widely from some people (and companies) having considerable expertise
to others who are just exploring how to apply it in their business, to everything in between. The same
variation exists with the topic of privacy as a whole. As such, this Guide was written for as wide an
audience as possible. Depending on your background, experience and objectives, you may find certain sections more useful and applicable than others.
These Guidelines were developed for those on the front lines of location data product and services
development. They bring attention to critical issues, and provide a framework for developers, managers, marketers, and executives to follow.
If you are an IT professional or Software Developer, these Guidelines will help you to understand the potential risk areas, while the Risk Assessment Scorecard will help you to determine if
you have the proper practices in place for effective location data management.
If you are a Marketing professional, these Guidelines will help you to identify risks in your communication and interaction with your customers relative to disclosing how you collect, use, and
share location data.
If you are a Product Development Manager, these Guidelines, Risk Assessment, and
Transparency recommendations will help you evaluate end-to-end issues and risks that should
be considered in rolling out new location-based products and services either internally or in the
open market.
If you are an Executive, these Guidelines, Risk Assessment, and Transparency recommendations
provide a comprehensive overview of the business, technology, and user issues associated with
handling location data.
For additional detail or background, please go to the Location Forum’s online library
www.thelocationforum.org/privacy/materials-documents
Please keep in mind that these Guidelines are also a work in progress as the technology is constantly
evolving.
These Guidelines do not address remote location data collection through traffic and surveillance
cameras, facial and gait recognition software and other means where the user is not able to
consent to such collection (no ability to opt-in or opt-out). These issues need to be addressed at
a broader legal and public policy level.
There is also more work to be done in the areas of transparency, notification, consent, risk profiles and the use of metatags to facilitate the development of automated processes and ensure
consistent implementation. These issues will be addressed in the next version of this Guide.
Executive Summary
Location-based services and applications have become more than a technology or feature; they are
an integral part of our lives. People define themselves not just by who they are, but where they are.
Location data is now everywhere, easily accessible, and collected at an unprecedented scale. In the
Information Economy we live in, personal data and similar forms of information are the new currencies. Location data is the universal link between all data, because everything and everyone is
somewhere.
For businesses, location information can transform virtually every facet of an enterprise from operations to sales and marketing, to customer care and even product development – all with a goal of
having a positive impact on the bottom line. It is therefore rapidly becoming the newest “information
weapon” used by CIOs, CMOs, COOs and digital strategists to gain a competitive advantage.
The problem with location data today is that it changes as it weaves through various hands—applications, vendors, developers, government, companies, data providers, and individual users. Another
complication is the diversity of legal protections across countries and states that make developing a
consistent privacy policy a moving target. All this is set against a business atmosphere of continuous
pressure to develop innovative location-based products and services.
The power, benefits, and risks associated with location data lie in its capacity to infer more personally identifiable information than the original information reveals at face value. While consumers and
businesses are deriving great value from location-based services, targeted advertising and other
applications, significant questions persist around location data privacy. In particular, how is location
data being shared and who has access to it?
The Location Data Privacy, Assessment and Guidelines (hereinafter Guidelines) were developed for
those on the front lines of location data product and services development, as well as those who hold
corporate, legal or fiduciary responsibilities. They bring attention to issues that many organizations
and companies have chosen to ignore, due to lack of legal certainty around requirements, and provide a framework of location data practices for developers, managers, marketers, and executives.
Part 1 provides an overview of the current location environment with an emphasis on the complex issues, trends and risks companies must contend with and that ultimately drive the need for
these Guidelines.
Part 2 highlights the Guiding Principles underpinning the document.
Part 3 provides specific Recommendations, Policies and Practices that any business can use to
reduce risk and potential liability while improving customer communication.
Part 4 builds on Part 3 with a detailed Risk and Transparency Assessment that is used to gauge
how well you and your company are implementing these Recommendations.
In short, these Guidelines offer practical, ready-to-implement, proactive measures that are ahead of
government regulation and the current state of law and policy on the issue of location data privacy,
yet in line with market concerns. Companies who embrace these Guidelines will be sending a
clear market message to their direct and indirect customers that they take location data seriously, see
it as a competitive advantage, and respect individual users' right to personal privacy.
Introduction
WHY – THE NEED
Location-based applications are now ubiquitous. Any application, whether for business or consumer
purposes, that provides location awareness or location intelligence must use location data that is
acquired either directly or indirectly from an individual or organization. As a result, location data
privacy is of increasing concern to all involved in the location ecosystem, consumer advocates, and
lawmakers.
For the purposes of these Guidelines, location data is any data with an implicit or explicit geographic
or geospatial reference, including any data derived from GPS, GIS, cell-tower or other radio signal-based triangulation, assisted-GPS positioning devices, systems and processes, geo-tagged images,
video, audio and text documents, satellite and aerial imagery, computerized, digitized and paper
maps, IP address location, public documents, public or private databases, video, audio, text and
image files, and location-based applications. In short, location data is any form of information that has a
geographic position associated with it.
Location data is attached to everything we do as individuals and organizations on a daily basis. Now it
can be collected, sliced and diced in a centralized, systematic and scalable fashion. That changes our
relationship with location data—especially how we value it… and the value we place on protecting
location data privacy.
The importance of location data privacy has increased as an issue due to the scale at which location
data is being collected, aggregated, and shared without the individual’s clear understanding of the
value of the information, the collection and distribution process, or the ramifications of disclosing
location data. Location data privacy is the right to not be subjected to unsanctioned collection,
aggregation, distribution or selling of an individual or organization’s location or location profile
derived from location data. It is the ability of an individual, group, or organization to conceal information about their whereabouts, which can be derived from location data - sometimes stated as “the right
to be left alone” and not reveal one’s location. For more comprehensive information on location data
terms see the Glossary in the Appendix, along with our Executive Guide to Location Data Privacy, and
Location Data Primer publications.
Location data privacy is in somewhat of a “betwixt and between” situation. It shares many characteristics with other more broad-based data privacy initiatives, but also has some unique characteristics
that cause existing privacy efforts to fall short.
Within the location community, most existing privacy activities focus on specific aspects of the
problem such as B2C issues or the interests of specific players such as marketers, advertisers, mobile
operators or social media site platforms. The B2B dimension has not received the same amount of attention as its B2C counterpart. Much of the location data privacy debate has been dominated by the use of
location data by mobile devices and applications for location-based services (LBS) and consumer
applications.
For example, guidelines such as CTIA’s Best Practices and Guidelines for Location-Based Services,
GSMA’s Privacy Design Guidelines for Mobile Applications, and MMA’s Mobile Application Privacy
Policy Framework all look at privacy within the context of a mobile communications environment.
While the mobile dimension has catapulted location data privacy to center stage, it has not painted
the complete picture. Mobile-focused guidelines are not comprehensive enough to cover the entire
location ecosystem—let alone the pitfalls of location data collection, aggregation, and distribution
across the location data value chain.
The implications of location information extend far beyond communications providers, advertisers or
any such classification. The location ecosystem comprises a wide range of vendors, service providers and users arranged in complex value or supply chains, who deliver a broad set of consumer and
enterprise applications. Figure 1 illustrates the key components of the location ecosystem. These
chains are not always neat, linear, hierarchical chains. Instead they act more like a “value web” where
data can be shared, exchanged and used in almost endless permutations making the job of privacy
protection even more difficult.
THE LOCATION ECOSYSTEM
FIGURE 1: This location ecosystem demonstrates the various technology, data, and services components involved in delivering location-based solutions to the market. © The Location Forum
In addition, depending on the country or region, there is either an absence of regulations or a
number of territorial laws that make doing business across national boundaries burdensome and
unpredictable.
If progress is to be made in this business-critical area, some degree of common ground has to be
found. The distinctions between B2B, B2C and other transactional relationships are not enough to
warrant separate approaches or to treat them as unique “silos.” Nor should the problems of a certain
type of company or service provider be isolated.
In some cases, finding common ground is simply a matter of language – using the right terminology
(e.g. one that resonates with various groups to express the same concept). There is far more commonality than there are differences within the broader data privacy community, and the few differences there are can be handled by exception or some other pragmatic answer.
The Location Forum has boldly stepped forward to bring together several separate, yet related and
synergistic approaches to data privacy, specifically location data privacy. This collaboration is in an
effort to craft a single, deployable set of policies, practices, guidelines and recommendations for
reducing the risk of location data privacy infringement and fostering an atmosphere of trust within
enterprises, consumers and policymakers.
PURPOSE
This document fills a critical void in the market. It provides guidance to all the players in the location industry in the hope of clarifying many of the key elements impacting location data privacy.
Specifically, it was created to:
Identify the business issues in location data privacy across B2B, B2C and other environments where location data is exchanged;
Bring together separate location data privacy efforts by providing a common view and terminology;
Fill in gaps and add specificity to previous treatments of the topic;
Serve as a vehicle for engaging with the broader data privacy community;
Provide awareness and understanding of location information as it relates to privacy rights and concerns;
Provide pragmatic recommendations for companies and organizations who use location data or are involved in the creation or handling of location data in some manner, with the ultimate goal of mitigating risks of privacy infringement and privacy rights violations while fostering the legitimate and beneficial use of location data; and
Develop a self-governing location industry framework to deter the imposition of onerous regulations that often have unintended consequences that could dampen innovation.
AUDIENCE
This document is intended for the following:
Executives and decision makers in companies and organizations who are part of the location
data ecosystem by virtue of creating, collecting, acquiring, aggregating or distributing location
data whether they are in the B2B, B2C or other aspect of the value chain;
Companies and organizations that use location data in some aspect of their business including
internal operations, sales, marketing or other customer-facing activities or in the development of
products and services; and
Public and private sector organizations working to unlock the value of government data - especially those needing guidance on identifying, accessing, and managing location data that is part
of open data and open-government initiatives.
While consumers/individuals (end users) of devices such as mobile devices, GPS units, online maps
and other location-aware services are not a direct audience, they too may find these guidelines and
recommendations of benefit.
SCOPE
This document has a very specific purpose:
It is designed to examine the end-to-end treatment and use of location data, including all the intermediaries in the value chain and all the variations or “mutations” the data might undergo, whether in B2B, B2C or other interactions;
It is designed to address the business aspects and concerns associated with the privacy implications of handling location data, for example risk management, competitive advantage, and brand management. It is not intended as a technical review of how location data is created, developed, acquired or exchanged; and
The Risk Assessment Scorecard is designed to assist organizations and professionals in determining potential vulnerabilities in their current practices and procedures relative to the handling of location data.
The intent behind this document is to foster common (standard) business practices in location data management. It is not intended to set public policy, although many of the guidelines and recommendations might prove informative to policymakers.
OBJECTIVES
The Location Forum’s Privacy Council reviewed existing privacy frameworks and was particularly
influenced by the following:
OECD Fair Information Principles
The Privacy by Design work of Ann Cavoukian, Ph.D., Information & Privacy Commissioner of
Ontario, Canada
The GSMA’s application of Privacy by Design to Mobile Application Development
The White House Consumer Privacy Bill of Rights
Sprint’s Risk Utility Model for Sharing of Location Data
Paul Ohm’s Law Review Article on Broken Promises of Anonymization
In developing these Guidelines, we had several objectives in addition to the Purposes outlined above.
Our main objective was to provide a comprehensive perspective reflective of the dynamics of the
entire location ecosystem that would reveal a new way to think about and approach location data privacy. We sought to build upon existing guidance, yet offer something fresh and unique to the industry
that strikes the balance between managing risk and innovation. This resulted in:
1. Practical and actionable measures that anyone can use to mitigate potential location data
privacy infringement. The Guidelines were developed by location professionals who work
with location data every day and wrestle regularly with the cross-border differences in privacy
regulations. Frustration is probably a kind term to describe how these professionals feel about
the current state of location data privacy management. In particular, the risk assessment and
Location Privacy Index Scorecard were designed to be easily adopted by managers in their day-to-day workflow of assessing risks and evaluating vendors associated with the gathering and
use of location information.
2. Distinguishing between internal risk management and external communications to customers,
partners, regulators, employees, and the market regarding policies and procedures on the handling of location data.
3. Distinguishing between B2C and B2B issues, especially with respect to communicating policies
and procedures to each audience, as each has different needs and objectives.
4. Bringing attention to the B2I issues where the Bring Your Own Device (BYOD) environment,
along with location tracking of employer-provided devices, even though the employee may be
“off the clock”, raises privacy concerns.
Our long-term objective is that the Guidelines, Assessment and Recommendations serve as a foundation for an Industry framework that includes a seal of responsible location data management, a
location data audit, a clearinghouse of responsible location data service providers, and an application
that allows individuals to match their location data risk tolerance with the risk profiles of location data
service providers.
Part 1 – Overview: The State of Location Data Privacy
In today’s connected world, location is more than just a technology or feature; it’s part of our personality. People define themselves not just by who they are, but where they are. For businesses, location
information can transform virtually every facet of an enterprise whether it is improving operational
efficiency, enhancing the effectiveness of sales and marketing or providing customers with new levels
of service. It can drive the development of new products, the push into new markets and add a new
dimension to business intelligence all of which can have a positive impact on the bottom line. It is
therefore rapidly becoming the newest “information weapon” used by CIOs, CMOs, COOs and digital
strategists to gain a competitive advantage.
But it is also confusing for both businesses and users. What are the costs and benefits? What is legal
and ethical? Where is the line between adding value and privacy infringement? What should users
expect and what should businesses avoid? These are but a few of the issues that must be addressed if
the use of location information is to be widely accepted by both businesses as well as consumers.
More importantly, in today’s Social-Mobile-Location world, will the risks of having one’s location constantly tracked, analyzed and shared overshadow the benefits location data can offer? Can potential
abuses grow to where the only alternative is regulatory intervention, which potentially dampens innovation? These and many other questions arise daily as companies develop and deploy new location-based products and services.
All of these questions and concerns roll up to four major issues related to Location Data:
1. The majority of the public does not fully understand location data;
2. The majority of businesses need to know more about location data management;
3. The location ecosystem and location data are complicated; and
4. The current policy and legal environment is not aligned with the current state of the technology.
BACKGROUND
Location data has been collected for years but until recently, it was collected manually, for specific
purposes and by organizations that were not selling location-based products and services. Many of
these companies operate within industries that are regulated, such as healthcare, financial services,
telecommunications and utilities. Because of that, there are strict boundaries imposed on these companies in the ways they can use personally identifiable information, including location data. However,
many of these companies are under increasing internal pressure to find ways to monetize the data
they have been using for operational purposes.
Unregulated industries and businesses such as advertising, software, consumer electronics, data services and others are a different story. With the advent of “freemium” services and affordable computing horsepower, whole businesses and industries exist for the sole purpose of collecting and selling
personal data, including location data. This is made easier by the rise of connected devices that are
GPS enabled, Big Data analytics, social media applications, plus local, state, and federal government
initiatives including surveillance devices.
Complicating matters is the fact that most people do not understand the value of location information
the way they understand the value of personal financial or medical information. Location information
is valuable because of its versatility. It is a storyteller, a powerful enabler, a lifesaver and more. It is
also complex – full of unintended consequences, and privacy risks because it can reveal more information about an individual or organization than contemplated by the original collection of location data.
Information this powerful carries with it some inherent risks – chief among them location data privacy.
WHY LOCATION DATA PRIVACY MANAGEMENT IS CHALLENGING
Growing Complexity:
Access: As location technologies increasingly become a feature of new products and services across multiple industries, the number of players and people that touch location data
on a daily basis increases exponentially. The number of players in the location ecosystem
from mobile carriers to application providers, data creators and sources to location service
providers, governments, enterprises and individuals continues to expand.
Technology: Location technology is so embedded into devices and applications that
location is explicitly or implicitly being collected, aggregated and distributed without the
individual’s full knowledge.
Business models: A wide range of business models are being used to monetize location
and personal data that often mask the intended use or purpose behind the collection,
aggregation, or distribution of location data.
Data: The aggregation of location data is occurring at such a scale and fast pace that many
technology and application providers do not have the proper controls in place to effectively manage the data from a privacy perspective.
Uniquely Sensitive:
Inference: Location data possesses a unique capacity for linking disparate datasets, inferring and revealing personally identifiable information. As such, it can be a missing link in
understanding relationships between data and human activity.
Completeness: This ability to “connect the dots” almost automatically results in a much
more complete profile of an individual or organization than the base data reveals.
Hidden Details: The result is an entirely new level of “enriched” data that can essentially
create a new body of knowledge or information which is causing increased privacy concerns.
Legal Differences:
Unclear Precedent: Location is uncharted legal territory in the broader privacy debate
with only piecemeal and narrow precedent to guide the policies and procedures of providers
and users of location data.
Unclear Similarities: Many privacy advocates, attorneys, regulators, and location providers seek to adapt or extend the existing privacy frameworks to location data. While there is
much that can (and should) be borrowed from these existing frameworks, location data’s
differences could trigger a privacy infringement scenario not covered or anticipated in
other regimes and therefore requires its own treatment.
UNDERSTANDING LOCATION DATA: WHY IT IS COMPLEX, SENSITIVE AND DIFFERENT
Financial, medical, and location information are the “Big 3” personal data categories. The risks of the
unsanctioned disclosure of financial and medical records are well known. However, the value and
risks associated with location data are still poorly understood. Relative to medical and financial data,
treating location data as personal information is a new concept.
Individual interaction with location data is largely around convenience—getting directions, locating a
restaurant, looking for real estate, finding friends, etc. People truly find it useful. It is also still a relatively
new phenomenon for many individuals, driven largely by smartphones and ubiquitous broadband.
As such, there is a certain degree of novelty or casualness about its use, and people are therefore not as
conscious of the scale at which location data is being collected, aggregated, and distributed. Add in that
many times people are unaware their data is being captured. At best they may get an innocuous “this
app would like to use your location” alert, which masks a lot of what is really taking place and what that
ultimately means from a personal privacy perspective. Individuals have not been educated on the value
of location information beyond personal convenience, which explains why it is so misunderstood.
Many businesses do not understand location data management because it is rarely collectively managed within an organization. In many cases it is a new dataset for many departments that comes with
hidden complexities. Business interaction with location data is largely around operations, customer
experience, real estate and facilities management, and workforce management. Location data privacy
management is challenging because location data is growing in complexity, is uniquely sensitive
because it acts as a common denominator linking multiple data sets, and it is subject to a diversity of
legal and policy frameworks.
UNDERSTANDING LOCATION DATA: MARKET TRENDS, CONTEXT AND ENVIRONMENT
Technology has enabled location data to be created and used like never before and social trends have
fueled growing acceptance of sharing one’s location. These drive additional conditions and requirements
that companies need to factor into their privacy planning and that impacted our recommendations:
Expanding Universe of Users and Providers: Location data used to be the domain of cartographers and experts in geospatial information because it dealt with specific geographic data and
standards. As such it was a relatively closed field of players and users. It was also considered
big and clunky to use because of technical challenges in distributing the data. Today location
data is used daily by tens of thousands of software developers, thousands of companies, and
billions of users.
Explosive Creation of Big Data: Location information is being created at an unprecedented
rate by wireless networks, GPS devices, applications, websites, cameras, RFID chips, satellites,
swipe cards and other connected devices and technologies.* And much of it is in real-time.
Almost any activity that involves digital interaction or verification results in location data being
generated. As with any Big Data source that has significant volume, velocity and variety, location data has become far more difficult to manage and trace as it moves through a complex value chain of transactions and social media platforms.
*See Location Data in Glossary for a more complete list of Location Data sources.
Inference: Because a lot can be inferred by knowing someone’s location, location data can serve
as the connective tissue between disparate pieces of information to build a more complete “picture” about a person or event than most people realize. This in turn creates widespread opportunity for increased and highly detailed data mining on people, assets and places.
Companies may want to use location information about their employees, suppliers, and customers for a variety of human resource, operational, supply chain management, health and safety
and market intelligence purposes. Regardless of how benign the intended use of the data might
be, any time such information can reveal personally identifiable information, producers and
users of location information could be at risk for privacy infringement either legally or morally.
Automated Creation, Collection & Aggregation: While there are numerous sources of location
data present today, there are few guidelines or laws on what constitutes a legitimate way to collect, aggregate, manage and explore it. Those that do exist, such as various privacy frameworks,
are inconsistent, narrow in scope, or ineffective resulting in uncertainty around the management of
location data. Therefore, the risks associated with handling location data are often misunderstood
from individuals to businesses to regulators, and are creating a sense of angst within the industry.
Roles, Relationships and Responsibilities: The issue of split personalities (when is someone
an “employee” and when an “individual”?) is increasingly becoming a problem in today’s BYOD world.
Using a smartphone on the job, or blogging and maintaining social media presence on behalf of
a company either implicitly or explicitly makes the distinction between employee and individual
extremely vague and blurry in both B2I and Individual-to-Individual (I2I) situations. What are the
responsibilities of employers in organizations to these individuals? What are the responsibilities of
individuals to other individuals? What are the responsibilities of applications to individuals when
location information is shared between applications and platforms?
Incomplete Protection Requirements: The value of location information, and the potential
knowledge that can subsequently be derived from it is not well understood. Because location
information reveals more than you think, it can lead to identity theft and the disclosure of sensitive, confidential information. As information becomes increasingly decentralized in mobile,
cloud-based, and BYOD IT environments, businesses need to focus on safeguarding the privacy
of this data from competitors, hackers and others or face serious consequences ranging from
public embarrassment to legal and financial penalties or worse.
Currently, location privacy attributes or characteristics are not end-to-end assured. In other words,
a particular piece of location data may have privacy “rules” associated with it but those rules do
not always remain attached to that data as it gets shared between applications, across organizational boundaries or as derivative works are created. This lack of “stickiness” can result in overt
(opted-in) or default privacy settings being discarded. So even if the user has taken action to protect her privacy, it is not permanent. For example imagine having an unlisted phone number that
becomes publicly searchable after a few months. Therefore, current privacy protection policies
and mechanisms must be reviewed and evaluated within the context of the scale at which location
data is being collected, aggregated, and shared to mitigate potential privacy breaches.
Inconsistent Sharing and Acceptable Use Boundaries: The definition of what constitutes acceptable use of location information varies from person to person and situation to situation. This
creates uncertainty and raises the risk of businesses crossing an invisible line, damaging their
strategy and even harming the very situation they were trying to improve by using location data.
Even when individuals are asked to consent to utilizing their location information, they may not
fully comprehend the implications of such disclosure in an area with such rapidly advancing
and highly synchronized technologies. Understanding how the information may ultimately be
used may be difficult for the everyday user. In addition, the legalese of Terms of Use is often
ambiguously drafted to protect the location application or service provider, and is not focused
on informing the user on how organizations may use the information. As a result, location
information may be shared and accessed without the individual’s or organization’s knowledge.
Lack of Legal, Social and Business Standards: The collection, aggregation, analysis and distribution
of location data has grown and evolved absent clear legal, social and business standards. This
lack of guidance has contributed to inconsistent policies and a “wild west” attitude towards
location-based application, product and service development with little regard for privacy
(except where existing regulations are in place with respect to specific industries or law
enforcement requirements). While privacy protection is now a mature body of law and policy,
the role and application of location data within it remains immature, because many privacy and
intellectual property attorneys are not familiar with the nuances of location information and technologies.
Law Enforcement Use: Compliance with law enforcement requirements, while not the subject
of this document, is a critical element of providing location-based services, technologies, and
applications. Numerous laws and regulations exist for record retention and law enforcement
purposes that may result in companies, upon a subpoena or search warrant, releasing personally identifiable location data. Unfortunately, many companies turn over
information to government authorities even when the proper warrants are not provided.
UNDERSTANDING THE LOCATION ECOSYSTEM AND HOW LOCATION DATA WORKS
The location ecosystem is comprised of numerous types of enterprises, individuals, products, services and data. Collectively they act as “value chains” that provide or deliver location-based information between companies, people or systems. Table 1 describes the industry landscape and its various
categories and areas.
Table 1. Location Ecosystem
CATEGORIES: DESCRIPTION
Customer: Enterprise Business, Individual (Consumer)
Hardware/Devices: GPS chips, GPS Device, Smartphones, Desktop, Servers, Sensors, Routers, In-vehicle devices, Drones
Services: Professional Services, Integration, Planning, Development, Location-based services, Financial Services, Legal, Location-based social media
Applications: Asset Management/Tracking, Business Intelligence, Supply Chain, GeoMarketing, Advertising, Market Research, Communications, Geofencing, Augmented Reality, Mobile Resource Management, Navigation, e-Health, Engineering, Precision Agriculture, Gaming
Location Data (3rd Party Geo-referenceable data): External: Demographics, Econometrics, Weather, Business Listings, Social Networks, Mobile. Internal: Business Intelligence Data, Customer Data, Employee Data, Operational Data, Partner and Supplier Data
Geographic Data Sets: Map Digitizing, Remote Sensing, Rectification and Photogrammetry, Geological, Topographical, Thematic, Cartographic and Contour GIS Mapping
Location Infrastructure: Lat/Long; Geocode, Cell ID, GPS, A-GPS, Bluetooth, IP Address, WiFi GIS, PlaceNames, Geographic Reference, Mobile Devices, IP Addresses, Aerial & Satellite Imagery, Business Data, Video, Telco, Cable, Satellite and Mobile Networks, Sensors, Standards (KML, GML), Location Platforms, Storage, Databases, Middleware, ETL, Visualization
An important subset of the entire location ecosystem is the Location-Based Services (LBS) ecosystem. The LBS area is growing enormously and, in most cases, is how users consume location. Table 2 outlines organizations involved in delivering LBS services and applications.
Table 2. LBS Ecosystem
WHO HAS ACCESS TO LOCATION: EXAMPLES
Mobile Carriers: AT&T, Orange, Telstra Mobile
Platforms: Apple, Google, Facebook
Device Manufacturers: Nokia, Google (Motorola), Apple
Location Service Providers: Skyhook, Apple, Google, Locaid
Applications: Foursquare, Weather.com, Loopt, AP News, Google Maps, Flickr, Urban Airship
Mapping Data Providers: Navteq (Nokia), TeleAtlas (TomTom), Open Street Maps
Imagery Providers: DigitalGlobe, Microsoft, Google
Data Providers: Urban Mapping, DataSift, Factual, Sense Networks
Advertisers/Enterprise: Honda, Budweiser, MGM, Cisco, Ekahau etc.
Government: Police, FBI, Department of Defense
Location data is collected on individuals and organizations through a variety of means including:
Mobile and GPS-equipped devices
Video, audio, text and image files
Sensors and M2M networks
Satellite and aerial imagery
GIS systems
Computerized and digitized maps
Location-based services and applications
IP addresses
Cell-tower and other radio signal-based triangulation
Public documents
Public and private databases
Geo-tagged images
The data is collected for a variety of purposes from delivery of services, to emergency response, to
product registrations, to applications for government or utility services, and more. Once the data is
collected, it can be aggregated and blended with other datasets, and shared with a variety of third
parties depending on the company’s policies on the use of location data. Figure 2 illustrates how location data is collected, produced, and used from a mobile user perspective.
LOCATION USES & PRIVACY: A MOBILE USER PERSPECTIVE
[Figure 2 is a ring diagram; only its labels are recoverable from the page. Centre: MOBILE USER / LOCATION DATA. Rings: HOW COLLECTED (e.g. Cell Towers, GPS Satellite, WiFi, NFC, QR Code, IP Address); WHO USES IT (e.g. Service Providers, Enterprises, Device Manufacturers, Data Providers, Web Sites, Municipalities); FOR WHAT PURPOSE (e.g. Targeted Advertising, Enhanced Offers, Social, Enterprise Optimization, Network Optimization, Security, E-911). BUSINESS & SOCIETAL OBJECTIVES: Law Enforcement, Public Health & Safety, Asset & Resource Management, Business Optimization, Improved Services, Advertising, Government, Security, New Products, Emergency Response, Real-time information, First Responders. ISSUES: Ownership, Consent, Privacy, Stalking, Big Data, Linked Data, Usage Rights, Disclosure, Proprietary Information.]
Source: Skyhook
FIGURE 2: The four rings of the diagram demonstrate how location data moves from and between the mobile user,
the various location data collection methods, the users of location data, and the ultimate purpose for using
location data. It is important to note that the individual mobile user is both a producer and consumer of location
data. The law enforcement wedge reaches into all levels of this ecosystem. This illustration also identifies the complexity of the business and social objectives sought from the use of location data and the legal, policy, regulatory
and business issues that arise from the collection, aggregation, and distribution of location data.
Part 2 –Guiding Principles & Considerations
The first step in developing effective location data management best practices is a thorough understanding of the data itself including its sources, uses, context and more. In short, location data and
its surrounding environment need to be well defined, in order to develop effective best practices and
guidelines. If you are new to location data, please be sure to read Part I if you have not done so already.
Following extensive reviews of various privacy frameworks and the issues associated with location
information, the Location Forum’s Privacy Council quickly recognized that a viable proactive industry solution to location privacy concerns had to involve not only the location provider and the
individual user of location information, but the entire end-to-end chain of location information from
the originator of the data all the way to the ultimate user of the data and all the intermediate actors in
between. Plus it had to be practical to implement.
The public is primarily concerned with the lack of transparency and choice associated with giving up
location information, as well as a lack of understanding about how valuable such data truly is. In many
cases, individuals may be unaware when such information is being divulged or collected. Companies
can experience the same situation given how much sensitive corporate information can be revealed
by the mobile and semantic activities of employees.
This situation requires a two-part solution in which: 1) the individual user has some control over the
information and a means for evaluating her choices, and 2) the provider clearly discloses how and why
location information is being collected, aggregated, and distributed. In addition, individuals need an
opportunity to redress any errors in their data.
In a B2B situation, the value chain for delivering location technologies, services and applications is
more complicated. For instance, how do you know the privacy practices of the various players in the
chain? How does a company know if their usage rights are being respected in downstream applications?
How do business models create risk or assurance in regards to respecting personal privacy?
The Privacy Council determined that what is missing in the location industry, especially within the
context of Big Data, is a sense of trustworthiness of the applications, services, and devices that
collect, aggregate and distribute location information. This lack of trustworthiness could only be
addressed by inserting greater transparency into the equation.
Taking these requirements into account, these Guidelines are based upon a few key, overriding principles:
Practical implementation: The Guidelines have to be easy for both location providers to adopt
and implement, and easy for individual and business users to understand and act upon. While
many large companies have the luxury of large legal staffs that can work with product development teams, the smaller companies often lack such resources. Therefore the Guidelines needed
to be pragmatic and not consume significant resources so that entrepreneurs can continue
developing new innovative products and services. The Guidelines must be stated in simple
and clear terms that could easily be integrated into existing workflows. The Guidelines were
designed to offer the greatest reward with the least burden to both providers and users of location data.
Transparency and Disclosure: It is the lack of transparency in the location data market that
breeds suspicion and distrust. The Guidelines needed to help companies craft policies and
notices that state in clear and unambiguous terms, how they will use, collect, aggregate and
share specific location data. Visibility into the business models and financial motivations of
companies in the use of personal data including location data is a critical component of transparency. The ability to audit and trace usage rights is also an element of transparency.
Choice and Informed Consent: In the B2C environment, a robust Informed Consent policy
is needed, which is a key element in transparency and building trust. Informed Consent is
more than a mere notification or request to use one’s location information. For example, a
mobile application’s simplistic request to “use your present location” is insufficient. Informed
consent gives the user a clear understanding of how the data may be used, aggregated and
shared. Permission to use the data without this level of understanding is not informed consent.
This requires a usage-based opt-in policy with potentially more than a simple yes/no choice.
Informed consent is what provides real individual choice.
These guiding principles and considerations led us to structure the Guidelines as follows:
1. Guidelines and Recommendations for the Management of Location Data (Part 3). This includes
internal management practices and external customer facing practices for standardized communication with the marketplace and customers on how their location data is used.
2. Location Data Privacy Risk and Transparency Assessment to gauge strengths and weaknesses
relative to privacy policies and procedures (Part 4).
We are also developing an online Location Data Privacy “Scorecard” which is a detailed tool that
produces a Location Data Privacy Index (LDPI) score based on the answers to in-depth questions. The
LDPI score can be used to benchmark against peers, and to communicate an organization’s state of
location data privacy management to the market. Whereas the Location Data Privacy Review in Part 4
provides a high-level (High, Medium, Low) indication of current risk exposure, the online assessment
provides an actual score and recommendations to improve the score, and therefore location data
privacy management.
Part 3 – Guidelines & Recommendations
for the Management of Location Data
Ask most people about sources of location data and they will quickly think of some of the more
common ones such as the ubiquitous “this app would like to use your location” notice on a mobile
phone, a mapping application or even a credit card transaction. But these are just the tip of the iceberg. A lot of location data collection happens “below the surface” where people are likely unaware it
is even taking place. Table 3 shows examples of the different ways location is tracked and gathered.
Table 3. Sources of Location Data
CATEGORY: EXAMPLES
Retail Consumer Products: Product Tagging; Loyalty Programs; Contests; Product Warranty / Registration
Mobile Communications / Location-Based Apps: Mobile Network (Cell Towers); Mobile Device Usage (GPS); WiFi (Retail Hotspots, Hotels, Airports, in-Flight, clothing); Mapping Apps
Social Media: Social Media Correspondence; Email; Location Specific Apps (FourSquare, Loopt etc.); Chat (Facebook, Twitter, etc.); Photo Tagging (InstaGram, Flickr, etc.)
Financial Transactions: e-Commerce Transactions; Credit Card Use; Online Banking & Bill Paying; Online transactions (PayPal)
Enterprise / Organization Data: Customer Data (Ex: Disney customer experience bracelet); Employee data (emails, social media, work schedules, mobile phone use, personnel files); Forms, registrations, surveys; Open Data/Publicly available data; IP Address
Healthcare: Remote Vital Signs Monitoring (Blood Pressure Meters, Heart Monitors, etc.); Electronic Health Records; Emergency Room Check-In; E-Health apps (exercise, running, diet, nutrition, etc.)
Security: Cameras; Turnstiles; Personal tracking devices
Travel: Mobile-Enabled Check-in (Airlines, Hotels, Rental Cars); WiFi Hotspots (Hotels, In-Flight, Restaurants); Toll Pass Cards; Train/Bus Passes
Other: Web Traffic and Searches, Local Search
Establishing a set of recommendations that address the diversity of applications and guard against abuse
while fostering innovation is crucial. Transparency is key. Individuals must also have confidence that the
businesses that collect their location data will be good stewards, using it in beneficial ways while safeguarding and respecting their privacy.
The following recommendations collectively form a set of ‘good practices’ any business should
follow. They include recommendations for internal policies and procedures that can mitigate risks
of privacy infringement. They also include recommendations on sharing the risk with individuals by
enabling the individual to make informed choices. Recommendations that pertain more to certain
types of companies or situations are appropriately noted.
Questions of harm and infringement are still unresolved legal and policy issues. When does location
privacy infringement occur? At the collection level? At the aggregation level? At the distribution level?
Does location data collected that is not shared cause harm? Should an individual whose location
information is being collected have the right to choose whether the information is collected and how
it can be used?
These recommendations assume that harm and infringement turn on the intended and actual use of
the location data. As such the recommendations focus on transparency and disclosure so that providers act as good stewards of sensitive location information and individuals are provided the option to
protect their location privacy or to knowingly give up their privacy in exchange for a service.
Most of the recommendations in this section apply to specific situations or areas. However there are a few
overall guidelines that pertain across the board regardless of whether the issue is one of policy, notice and
consent, permission or usage. Our recommendation for implementing the Guidelines is to:
Keep it Simple: Make it easy to understand. Use “everyday” language not jargon or legalese and
keep it brief.
Make it Clear: Be “crisp”. No fine print or various stipulations. Make use of graphics, charts and
icons wherever possible.
Use Common Methods: Use tools and techniques people are familiar with and accustomed to
using such as pop-up screens, tick boxes and such. There should be no learning curve.
Each recommendation has three components:
1. General Guideline which acts as an overarching principle;
2. Specific Recommendation which illustrates how to implement the general guideline; and
3. Example which describes a business scenario, use case or good practice.
RECOMMENDATIONS FOR ACQUISITION, USAGE & HANDLING
1. Minimize the Type and Quantity of Data Collected and Retained
GENERAL GUIDELINE:
Do not collect, aggregate, or store data you do not need. As a result of advances in computer science,
in particular deanonymization techniques, which enable personally identifiable information to be
derived from anonymous data, all information collected from individuals should be treated with the
highest degree of due care and respect. This begins with minimizing data acquisition and retention to
reduce risk.
SPECIFIC RECOMMENDATION:
Reduce the specificity or granularity of location data collected when geographic precision is not necessary. It is important to collect location data at the right level of detail or granularity for the application.
Location data can be accurate yet not geographically precise. Depending on your use or application, it
is important to know the level necessary in order to deliver the service or to do your required analysis. In some cases, the exact latitude/longitude is a requirement while in other instances, a zip code or
area within a city or state will suffice.
EXAMPLE:
Keeping Data: A company is computing traffic flow to identify traffic jams based on mobile
device reports. Does the location data need to be associated with a specific device/user or is
it sufficient to obtain non-identified data? Even if an ID is available and used for authentication,
does it need to be stored?
Using Part of the Data: A mobile book company is interested in providing information about
popular books being read at different locations. Is precise location required? Can you reduce the
level of precision of the data and still
satisfy the requirement without affecting the accuracy?
Replacing Sensitive Data: The same mobile book company could consider exchanging precise
latitude and longitude information with postal code or city, DMA, or other regional identifiers
if that meets the business requirements.
In all of the above examples, there are additional data minimization questions that should be
asked, such as:
How long do I need to keep this data?
Who should have access to this data?
Does it need to be linked to individuals?
THE PITFALLS OF MORE DATA IS BETTER
When organizations look to collect data, many times they take a “more is better” approach and
ask for information they really don’t need or have no immediate plans to use. Sometimes there
is a valid reason (future analysis, a new product offering) but often it is done “just in case we need
it.” The more data that is collected, especially personally identifiable data, the more risk it creates
for the organization. In addition to the privacy risks associated with collecting unnecessary data,
there are economic and infrastructure concerns:
The data must be stored and the records maintained
The data must be secured
The information becomes out of date and marginally useful
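One way to put Recommendation 1 into practice in code, as an added example that is not part of the Location Forum’s Guidelines: a small Python module that snaps a fix to a grid cell sized for the stated purpose and drops the device identifier when the purpose does not need it. The purpose names, the cell sizes in PURPOSE_POLICY and the LocationReport type are assumptions chosen for illustration, and the Boston coordinates are a constructed sample.

```python
"""Purpose-driven minimization of location reports (added example, not the Forum's code)."""
import math
from dataclasses import dataclass
from typing import Optional, Tuple

KM_PER_DEG_LAT = 111.32  # approximate length of one degree of latitude in km

# Hypothetical purpose policy: cell size in km (0 = keep the exact fix) and
# whether the device identifier may be retained with the stored report.
PURPOSE_POLICY = {
    "traffic_flow": (0.1, False),      # ~100 m cells show a jam; no device id needed
    "book_popularity": (10.0, False),  # district scale is enough; no device id needed
    "turn_by_turn": (0.0, True),       # exact fix and session id needed to route the user
}


@dataclass(frozen=True)
class LocationReport:
    device_id: Optional[str]
    lat: float
    lon: float
    ts: int  # epoch seconds


def snap_to_grid(lat: float, lon: float, cell_km: float) -> Tuple[float, float]:
    """Return the centre of the cell_km x cell_km cell containing (lat, lon).

    The result is still accurate (the true fix lies inside the cell) but no
    longer precise. Longitude cells are scaled by cos(latitude) so they stay
    roughly cell_km wide away from the equator.
    """
    if cell_km <= 0:
        return lat, lon
    dlat = cell_km / KM_PER_DEG_LAT
    clat = (math.floor(lat / dlat) + 0.5) * dlat
    dlon = cell_km / (KM_PER_DEG_LAT * max(math.cos(math.radians(clat)), 1e-6))
    clon = (math.floor(lon / dlon) + 0.5) * dlon
    return round(clat, 6), round(clon, 6)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance, used to check how far minimization moved a fix."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def minimize(report: LocationReport, purpose: str) -> LocationReport:
    """Reduce a report to what the stated purpose needs, before it is stored."""
    cell_km, keep_id = PURPOSE_POLICY[purpose]
    lat, lon = snap_to_grid(report.lat, report.lon, cell_km)
    return LocationReport(
        device_id=report.device_id if keep_id else None,
        lat=lat,
        lon=lon,
        ts=report.ts,
    )


def displacement_km(original: LocationReport, minimized: LocationReport) -> float:
    """How far the stored point is from the true fix (at most half a cell diagonal)."""
    return haversine_km(original.lat, original.lon, minimized.lat, minimized.lon)


if __name__ == "__main__":
    # Constructed sample: a phone reporting from downtown Boston.
    raw = LocationReport("dev-1234", 42.3601, -71.0589, 1_367_400_000)
    for purpose in PURPOSE_POLICY:
        m = minimize(raw, purpose)
        print(f"{purpose:16s} id={m.device_id} lat={m.lat} lon={m.lon} "
              f"moved={displacement_km(raw, m):.3f} km")
```

Because the policy is plain data keyed by purpose, legal and product staff can review it without reading the rest of the code, and displacement_km gives a check that the coarsened point never drifts more than half a cell from the true fix, which is the “accurate yet not geographically precise” property the recommendation asks for.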
2. Create a Privacy Checklist to Guide Application Development
GENERAL GUIDELINE:
Software developers, engineers, product managers and others involved in the application/product
development cycle, need a structured reference guide so that they consider the potential privacy
implications of the way a particular application or service handles location data.
SPECIFIC RECOMMENDATION:
Anyone involved in some aspect of the development cycle - whether the application is being developed
for internal use (operations), external use (targeted marketing), or as a product/service sold by the company - needs to have keen awareness of how the application is coded and the location data is handled.
Oftentimes, software developers take the most expedient path to requesting and transferring data,
generally in order to meet aggressive product development timelines. Developers should be
rewarded for building in privacy protections just as they are rewarded for meeting aggressive
product development schedules.
The ability to reward software developers for developing with privacy considerations in mind starts
with their understanding of the privacy issues related to their software engineering responsibilities
and a checklist to guide their behavior.
EXAMPLE:
The following issues should be the foundation of your checklist:
Is the location data collected, aggregated or shared without the user’s knowledge? If so, what is
the rationale for not informing them?
If location data is being collected that is not necessary for the performance of the application,
product or service, ask why it is being collected and if it is necessary to do so.
For any location data collected, understand how it will be stored, retained and archived.
Ensure the legal and marketing departments have been brought into the loop to make sure no
critical lines are being crossed in the way the application, product or service is being developed
that could later cause problems for the company.
For all location-based applications, ensure informed notice and consent is embedded in the
software and activated upon launch of an application, provisioning of a new device or communications service.
Be sure the location data chain and usage rights can be traced on all applications that make use
of location data. See Recommendation 12 for additional details.
3. Create a Checklist for Others Who Use and Handle Location Data
GENERAL GUIDELINE:
Numerous teams and departments may make use of location data to perform key tasks. It is critical
that these people have access to a similar set of guidelines to ensure privacy regimens are understood and followed so that the data is protected.
SPECIFIC RECOMMENDATION:
As a strategic asset, location data is an integral part of many business processes and functions including operations (e.g. boosting efficiency), asset tracking (fleet management), targeted marketing (mobile
ads) and customer service (loyalty programs), to name a few. While many of these functions are not involved in
the actual acquisition of the data, they all make use of the data and interact with the systems and databases where the information is housed.
This raises many of the same issues regarding privacy integrity including the potential for misusing the
data, altering it, revealing it, not securing it or compromising an individual’s privacy in some manner.
Anyone making use of location data, regardless of their role or where they are in the acquisition and
handling “chain”, needs a structured reference guide to follow to ensure privacy implications of using
location data are carefully considered.
EXAMPLE:
The following issues should be the foundation of this checklist:
Is the location data being collected and used without the user’s knowledge? If so, what is the
rationale for not informing them?
Is location data being collected (or made available) that is not necessary for the task or function?
If so, why is this data being collected or made available when it’s not necessary?
Do the people using the data have access to more information than they need for their job (i.e.
the database contains street addresses when only postal codes are needed)?
Does everyone with access to location data understand how it will be stored, retained, archived,
and shared?
Do they understand which critical lines cannot be crossed because it could later cause problems
for the company?
Do they understand the implications including legal and public image if location data privacy is
compromised?
4. Develop Processes and Systems to Automate Usage and Handling Management
GENERAL GUIDELINE:
While establishing location data privacy policies and guidelines is a critical step, the sheer volume
of data being collected along with the complexity of the environment makes it virtually impossible
to manage adequately by hand. It is imperative that enterprises implement a comprehensive set of
management processes and systems to automate the task of governance compliance. In addition,
regular privacy audits should be performed and the appointment of a Location Intelligence Officer is
highly recommended.
SPECIFIC RECOMMENDATION:
In today’s era of Big Data, the amount of location data enterprises deal with is staggering and constantly
growing because of the frequency and speed with which new or modified location data is collected. Data
aggregation and linkage introduce additional complexity because they extend privacy compliance
and governance beyond a single transaction or piece of discrete data to include all the “connected” data
sets. The net result is a situation that is almost unmanageable using manual methods.
To properly mitigate risk, an enterprise must create a precise and comprehensive set of business
processes which can then be implemented (or embedded) in systems in order to automate governance management. These processes and systems need to be able to authenticate users, manage
data rights and create alerts whenever data usage violates privacy or contractual obligations. They
also need to be able to detect changes in policy and alert the appropriate people internally as well as
external partners and users (see Recommendation 8 for more on change notification).
This goes far beyond basic monitoring. These systems need to be able to validate every transaction
and bit of data to ensure compliance with governance policies. This means being able to probe into
aggregated data sets as well as linked data to verify these are also compliant.
In addition, the Location Forum recommends that all organizations that use and manage location data
across the enterprise implement some form of regular location data governance audit process. These
audits not only verify adherence to governance policies, they also point out where policies may need
to be modified.
Lastly, the Forum strongly encourages companies that rely on location data to appoint a Location
Intelligence Officer or equivalent to oversee and manage the integration of the data with all the applications that access and use this data (see Recommendation 13).
EXAMPLE:
See Recommendation 12 for an Example and additional details on Governance. Part 4 of this document also addresses specific issues related to a robust auditing regimen.
RECOMMENDATIONS FOR OPENNESS, NOTICE & CONSENT
5. Require Informed Consent From Customers and Users
GENERAL GUIDELINE:
The individual must be told how the location provider, application, service or device intends to use
her data, and she must agree via some common opt-in or user agreement mechanism, such as a
pop-up screen. (This applies only if you are collecting information directly from an end user. It does not
apply to remotely collected information, for example satellite imagery or surveillance cameras.)
SPECIFIC RECOMMENDATION:
Always be upfront. Whenever possible, the informed consent should take the form of a pop-up screen
when the application launches, the device is turned on or configured, or the service is provisioned. It
should also be incorporated in the location data privacy policy.
EXAMPLE:
A new subscriber to a location-based service might see this notice before completing the transaction
for the service.
6. Match the Notice to the Service
GENERAL GUIDELINE:
Location services vary greatly in terms of the sources of location data, the types of service and
functionality, the device being used, and numerous other characteristics (see Table 3 for the various
sources of location data and types of location-based applications). When determining how to communicate with users, it is important that the notice and consent are tailored to all of these
variations.
SPECIFIC RECOMMENDATION:
When implementing notice and consent, careful attention to format and wording, and even to when the
notice should appear, are key considerations that vary depending on several conditions. Context
plays an important role. This is not a one-size-fits-all situation, and today’s catchall notice [e.g. “this
app would like to use your location”] is inadequate on several levels. It tells the user nothing about
what happens to her information and, in some cases, why the app is even asking for it.
A balance needs to be struck between providing enough information so someone can make an
informed choice and lapsing into so many details and so much fine print that people will not read or
understand it. Clearly that is asking a lot, especially if the notice is on a mobile device where screen
size may be limited.
EXAMPLE:
The following checklist illustrates some of the key parameters to consider when creating an appropriate notice for an app or service:
Is the device itself a limiting factor (screen size, etc.)?
Does the environment where the app/service is likely to be used pose limitations (public area,
while moving, etc.)?
Is the need to provide location data obvious to users (e.g. obtaining directions)?
When should the notice appear, for example when the app/service is first installed or provisioned, each time it launches, or only when the user makes a request?
Should the app/service allow users to set an “always provide” option so they don’t have to reply
each time?
7. B2B Disclosure
GENERAL GUIDELINE:
In addition to communicating with end users, companies in the location data chain should advise their
B2B customers of their location data privacy policies in an industry-accepted manner.
SPECIFIC RECOMMENDATION:
1. A B2B location data privacy disclosure form should be shared with all prospective and existing
B2B customers. This disclosure form should communicate the key aspects of your company’s
location data privacy policy and resemble (or be the equivalent of) the simplified example presented in Recommendation 9.
2. Likewise, any company involved in the sharing of location data with potential or existing vendors and partners should request to see their LDPI score. The LDPI is the resulting score from
the Location Forum’s online “Scorecard” (see Recommendation 10 and also Part 4 for details).
EXAMPLE:
There are several parallels between the B2B Disclosure Form and your overall privacy policy. Use the
Location Data Privacy Policy example on page 32 (Recommendation 9) as a guide to creating your
Disclosure Form.
8. Notification of Changes to Policies, Procedures or Business Practices
GENERAL GUIDELINE:
Any time a change is made to how an organization collects, uses, aggregates, distributes, or shares
location data the user must be notified and given the option to again opt-out or opt-in. This applies
equally to organizations that obtain data from third parties including public sources.
SPECIFIC RECOMMENDATION:
The processes and systems from Recommendation 4 should detect changes in policies, procedures or
business practices. Using this information, the systems can generate and send the appropriate internal
and external notices. The location data governance and audit system (see Recommendation 12) should
automatically alert software developers, product and solutions managers and front-line support personnel to these changes, and users should be afforded the opportunity to opt-out or opt-in again.
EXAMPLE:
The notification process need not be an onerous and cumbersome task. A simple pop-up screen similar to what was originally shown the user will suffice.
[Figures: B2C Example and B2B Example change-notification screens]
RECOMMENDATIONS FOR POLICY, TRACEABILITY & ACCOUNTABILITY
9. Develop and Publish a Location Data Privacy Policy
GENERAL GUIDELINES:
A location data privacy policy is the cornerstone of any privacy regimen. It should be comprehensive,
easy to find, written in straightforward language and clearly inform the user or individual of how her
location data will be used. It should also be easily accessible by employees who are tasked with working on location-based products and services.
SPECIFIC RECOMMENDATION:
Your location data policy is like a contract or agreement between your organization and the individuals
or other organizations whose data you intend to acquire and use. It is not something to hide behind so
it is important that it be clear, concise and comprehensive so that anyone involved – from the user to
employees and partners – know the type of data you gather, how you plan to obtain it, what you use it
for and more. It also needs to address any plans you have to sell, share or distribute it in any way.
The policy needs to address these key elements:
Visibility: Is the policy visible and easily accessible by employees, partners and users?
Collection and Usage: Does the policy clearly explain how the location data is collected, used
and shared?
Governance: Does the policy describe how you maintain a consistent program of oversight
including executive responsibility and external audits?
Notice and Consent: When people use your application or service
o Does the policy succinctly and clearly inform users of your location data practices and what
you intend to do with their location data?
o Does the policy make it easy for people to opt-in and opt-out of using your service or application?
Redressability: Do you have user-friendly controls in place for people to change, correct or
delete incorrect information you have on file?
Specifically the policy should include things such as:
The source of the data and how permission to use it is obtained;
How the data was collected, and whether it was collected with consent;
How it will be used - for internal purposes (research, operations, etc.), for developing or delivering products & services or other uses;
Whether there are any limitations on the use and distribution of the data;
Whether the data is anonymized so an individual cannot be identified;
Whether the data is aggregated or combined with other data;
Whether or not the data is sold or shared with other third parties for any reason (including law
enforcement requests for information);
The type of audit system for monitoring licenses and usage rights you employ; and
Whether the data is retained and if so, how, where and what safeguards are in place to prevent
unauthorized access.
EXAMPLE:
A simple yet effective approach to developing and publishing a policy that does not require an army
of lawyers is a table format. Checking the appropriate boxes in the following table allows everyone to
understand your intentions:
COMPANY X LOCATION DATA PRIVACY POLICY*
EFFECTIVE AS OF: [DATE]
We collect location data only with user consent
We collect location data without user consent
We collect location data from a variety of sources including:
Mobile phone
Data providers
IP Address
Digital transactions
GPS enabled device
Cameras—including satellites
Forms, Surveys, or Applications for services
Sensors
We acquire location data from sources that require user consent
We acquire location data from sources that do not require user consent
We acquire location data from open sources and do not know the data acquisition procedures
We aggregate location without user consent
We acquire anonymized data
We anonymize location data prior to aggregation and distribution
We share location data with third parties only with user consent (includes selling, renting of data)
We share location data with third parties without user consent (includes selling, renting of
data, and compliance with law enforcement)
We reduce the accuracy of the geographic coordinates to prevent personally identifying
the individual
We do not reduce the accuracy of the geographic coordinates to prevent personally identifying the individual
We correlate location data with other data
We de-anonymize anonymized data and use this de-anonymized data in our aggregation models
The location data has license restrictions
The location data does not have license restrictions
We retain all location data collected and aggregated, whether anonymized or non-identifiable, indefinitely
We retain all location data collected and aggregated, whether anonymized or non-identifiable, for a specified duration
*When completed, unchecked items should be removed to avoid confusion. All checked items become your location data
privacy policy.
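The row “We reduce the accuracy of the geographic coordinates to prevent personally identifying the individual” names a technique but not a method, and Part 4 asks the same question (Acquisition, Usage & Handling, question 4). The following Python is an added example written for this page, not code from the Location Forum or any product. It snaps each reading to a grid cell and releases a cell only when at least k distinct users fall in it, because reduced precision on its own does not hide a person who is the only one in the cell (a lone reading at a home address still identifies its occupant). The grid size (0.01 degrees, roughly 1.1 km north-south), the threshold k=5 and the sample readings are all constructed assumptions.

```python
"""Coordinate generalisation with a minimum-population check.
Added example for this page; grid size, k and the readings are constructed."""
import math
from collections import defaultdict

METRES_PER_DEG_LAT = 111_320  # approximation, used only for reporting cell size


def snap(lat, lon, cell_deg):
    """Map a point to integer grid-cell indices. Everything inside the same
    cell becomes indistinguishable once only the cell is released."""
    return (math.floor(lat / cell_deg), math.floor(lon / cell_deg))


def cell_size_m(cell_deg, lat):
    """Approximate cell edge lengths in metres (north-south, east-west)."""
    ns = cell_deg * METRES_PER_DEG_LAT
    return ns, ns * math.cos(math.radians(lat))


def generalise(readings, cell_deg=0.01, k=5):
    """readings: iterable of (user_id, lat, lon).
    Returns (released, suppressed): released maps a cell to the number of
    distinct users in it and contains only cells with at least k users;
    suppressed lists cells that must not be published because fewer than k
    distinct users fall in them. Repeat readings of one user count once."""
    users_per_cell = defaultdict(set)
    for user_id, lat, lon in readings:
        users_per_cell[snap(lat, lon, cell_deg)].add(user_id)
    released = {c: len(u) for c, u in users_per_cell.items() if len(u) >= k}
    suppressed = sorted(c for c, u in users_per_cell.items() if len(u) < k)
    return released, suppressed


# Constructed sample: six users in one downtown cell (u1 reported twice),
# and one user alone in a residential cell, i.e. a home address.
READINGS = [
    ("u1", 42.3601, -71.0589), ("u2", 42.3605, -71.0570),
    ("u3", 42.3612, -71.0595), ("u4", 42.3620, -71.0560),
    ("u5", 42.3633, -71.0580), ("u6", 42.3641, -71.0551),
    ("u1", 42.3603, -71.0585),
    ("u7", 42.3905, -71.1302),
]

if __name__ == "__main__":
    released, suppressed = generalise(READINGS)
    print("cell size (m):", cell_size_m(0.01, 42.36))
    print("released cells:", released)      # {(4236, -7106): 6}
    print("suppressed cells:", suppressed)  # [(4239, -7114)]
```

The suppressed cell is the one that would otherwise be published as “one person at 42.39, -71.13”, which is precise enough to walk to a front door. Note that the check is per batch: a user whose reduced-accuracy cell is released night after night from the same residential cell can still be singled out over time, so retention limits and the de-anonymization rows of the policy table apply to the generalised data as well.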
10. Conduct Periodic Risk Assessment
GENERAL GUIDELINE:
Business conditions and technology are constantly changing. Product managers, marketers, software
developers, IT professionals, and executives responsible for location-based products and services
should assess their level of location data privacy risk at least twice a year.
SPECIFIC RECOMMENDATION:
Because of changing market and regulatory conditions, along with the sheer volume of data being
collected, it is important that organizations regularly assess their business drivers relative to location data and their operational and transparency risk relative to managing location data (just as they
regularly assess their financial state).
1. To assess business drivers, companies should hold twice-yearly meetings with leaders of all
organizational departments to review the business, technology and environmental changes that
impact the use of location data within the organization.
2. To assess operational and transparency risk, the Location Forum recommends taking the Location
Data Privacy Risk and Transparency Review (see Part 4) twice a year. A risk assessment “Scorecard”
is coming soon and will be available online at http://www.thelocationforum.org/privacy. In the meantime,
the Review worksheet in Part 4 will provide you with a high-level snapshot of your risk profile.
The “Scorecard” will calculate your Location Data Privacy Index (LDPI), which indicates the areas that
require attention and enables you to proactively make the policy, operational or IT changes
needed to ensure risk and transparency are managed within corporate guidelines. The LDPI score can also
be used to advise your existing and prospective customers, partners and regulators of your thoroughness
and trustworthiness. The Location Forum recommends assessing your LDPI score once a year.
EXAMPLE:
For assessing changes in business and technology, the organization’s Location Intelligence Officer or equivalent can use the table below as a framework to assess where changes have occurred in the organization, or
with vendors and partners, and the impact these changes have on managing your location data risk.
The table has three question columns, answered for each functional/organizational area:
BUSINESS: Where is location data used? How relevant is it to this area? (fill in)
TECHNOLOGY: Is location technology embedded in new or upgraded technology currently in use or proposed? (Yes/No)
ENVIRONMENT: Has the organization’s use of location data changed in this area? (Yes/No)
Functional/Organizational Areas (one row each):
Partners & Channels
Products & Services
Customer Experience Programs
Marketing & Advertising
Operations
Logistics
Human Resources
IT
11. Allow Control Over Location Profile
GENERAL GUIDELINE:
If location information is attached to an individual, that individual should have the right to inspect,
change, and possibly remove her data.
SPECIFIC RECOMMENDATION:
Often, despite best efforts, personal data collected on individuals is incorrect. The user should
have the ability to view her location profile and correct any incorrect information. The Provider should
make the ability to view one’s location profile easy to find, and easy to amend. The Provider should
also provide a contact person or redressability process so that users can address their concerns.
The user should be able to access information on how to control her location information from multiple points, so that finding the information is intuitive. For example, the user should be able to find
the information on an application or website in the following areas:
Customer Support
FAQ (frequently asked questions)
Account Management
Privacy Management
Options to control location data should not be buried in terms and conditions or system preferences.
EXAMPLE:
Just like computer users have the ability to delete cookies, individual location users should have the
ability to delete their location history. This also means that users should have the ability to prevent
certain providers from utilizing their location data.
In addition, much like credit bureaus remind people to check their credit reports once a year to monitor any
potential fraudulent activity or errors, companies who collect location information and provide location-based services should remind people to review their location data profile and privacy selections periodically.
12. Create a Location Data Governance and Audit Program
GENERAL GUIDELINE:
All companies that acquire, utilize, or produce location data should establish a location data governance program to trace the sources of location data, the restrictions on the data, how the data
is ultimately used, and how data is retained and deleted. It is important to note that data tends to
continuously flow through an organization because it is used repeatedly across multiple applications
and products. A location governance program tracks this continuous flow, while an audit is only a
snapshot in time.
SPECIFIC RECOMMENDATION:
When acquiring location data from individuals, third party or government sources, acquiring companies agree to a variety of terms and conditions, licensing arrangements and rights to use. Every organization should have a system for recording these contractual and privacy obligations and for alerting
staff to how that information can or cannot be used (See Recommendations 4 & 8).
While small numbers of files may be possible to track over short periods of time held in documents,
spreadsheets, or the work-flow notes of conscientious data handlers, larger numbers of files (or any
number of files over longer periods of time) require a formal cataloging system.
In particular, companies that use location data in the development of derivative products and services
should establish an automated governance and audit system that can systematically and programmatically search, manage, monitor, and audit the relationship between the location data that comes in
the door and the licensing, privacy and other restrictions that govern the terms of use of that data.
In some instances existing data governance systems can be modified to incorporate privacy considerations. In other instances, where such systems are not in place, the Location Forum recommends utilizing the soon-to-be-released Location Data Governance and Audit Framework Model, which includes:
1. A source code: a permanent, numerical identifier for all pieces of incoming (and, depending on
your use cases, all engineered or derivative) data.
2. A two-way search mechanism: when you have the data in front of you, the catalogue should
lead you to the data restrictions, and when you have the licensing or source of the data in front
of you, the catalogue should lead you to the data.
3. Verification: establish business or software rules to check source codes when data is incorporated into products and services. This creates alerts as to prohibited uses.
EXAMPLE:
You acquire location data that comes from Company A, who has provided it under a license agreement. That agreement permits the zip code/postal code portion of the address information in that
dataset to be integrated into your product, but not the street addresses because they contain personally identifiable information. A source record is created when your company receives the data.
The “zipcode” field is tagged with a number “1” to indicate that integration of zipcodes is permitted
without restriction into products and services. The “street address” field is tagged with a number “4”
to indicate that integration of street addresses into any product or service is prohibited.
Should your company and Company A decide to change the licensing agreement to develop a product that incorporates street addresses, the source record can be amended to reflect this change.
For example, the “street address” would be tagged with a number “5” to indicate that integration is
permitted only for defined products and services.
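The source-record scheme in this example, together with the usage alerting that Recommendation 4 asks for (alerts whenever data usage violates contractual obligations), can be implemented as a small catalogue with a two-way lookup and a verification step run at product build time. The following Python is an added example written for this page, not the Location Forum’s Framework Model or any product’s code. The tag values 1, 4 and 5 carry the meanings given in the example above; the source identifier 1001, the supplier and licence names, and the field and product names are constructed for illustration.

```python
"""Source-record catalogue with two-way lookup and build-time verification.
Added example for this page; identifiers, names and products are constructed."""
from dataclasses import dataclass, field

# Tag meanings taken from the Recommendation 12 example. The page does not
# define tags 2 and 3, so this example only uses the three it names.
PERMITTED = 1    # may be integrated into any product or service
PROHIBITED = 4   # may not be integrated into any product or service
RESTRICTED = 5   # permitted only for the products listed on the record


@dataclass
class SourceRecord:
    source_id: int              # permanent numeric identifier (the "source code")
    supplier: str
    licence: str
    field_tags: dict            # field name -> tag
    allowed_products: dict = field(default_factory=dict)  # field -> set of products (tag 5)


class Catalogue:
    def __init__(self):
        self._records = {}

    def register(self, rec):
        """Source codes are permanent: refuse to reuse an identifier."""
        if rec.source_id in self._records:
            raise ValueError(f"source_id {rec.source_id} already assigned")
        self._records[rec.source_id] = rec

    def restriction(self, source_id, field_name):
        """Data in hand -> its restriction."""
        return self._records[source_id].field_tags[field_name]

    def fields_under_licence(self, licence):
        """Licence in hand -> the data it governs, as (source_id, field) pairs."""
        return sorted((rec.source_id, f)
                      for rec in self._records.values() if rec.licence == licence
                      for f in rec.field_tags)

    def amend(self, source_id, field_name, tag, allowed_products=()):
        """Record a licence change on the existing source record."""
        rec = self._records[source_id]
        rec.field_tags[field_name] = tag
        if tag == RESTRICTED:
            rec.allowed_products[field_name] = set(allowed_products)
        else:
            rec.allowed_products.pop(field_name, None)

    def verify(self, product, uses):
        """uses: list of (source_id, field_name) a product build incorporates.
        Returns alert strings; an empty list means the build is compliant."""
        alerts = []
        for source_id, f in uses:
            rec = self._records.get(source_id)
            if rec is None:
                alerts.append(f"{product}: unknown source {source_id} for field {f!r}")
                continue
            tag = rec.field_tags.get(f)
            if tag is None:
                alerts.append(f"{product}: field {f!r} not catalogued for source {source_id}")
            elif tag == PROHIBITED:
                alerts.append(f"{product}: {f!r} from {rec.supplier} (source {source_id}) is prohibited")
            elif tag == RESTRICTED and product not in rec.allowed_products.get(f, set()):
                allowed = sorted(rec.allowed_products.get(f, set()))
                alerts.append(f"{product}: {f!r} from {rec.supplier} is restricted to {allowed}")
        return alerts


def demo():
    """Walk through the Company A scenario from the page (constructed values)."""
    cat = Catalogue()
    cat.register(SourceRecord(1001, "Company A", "LIC-A-2013",
                              {"zipcode": PERMITTED, "street_address": PROHIBITED}))
    before = cat.verify("StoreLocator", [(1001, "zipcode"), (1001, "street_address")])
    # Licence renegotiated: street addresses allowed only in RouteOptimizer.
    cat.amend(1001, "street_address", RESTRICTED, allowed_products=["RouteOptimizer"])
    after_ok = cat.verify("RouteOptimizer", [(1001, "street_address")])
    after_bad = cat.verify("StoreLocator", [(1001, "street_address")])
    return before, after_ok, after_bad


if __name__ == "__main__":
    for alerts in demo():
        print(alerts or "compliant")
```

Two design points matter more than the data structure. Unknown sources and uncatalogued fields are alerts, not silent passes, so data that bypassed intake cannot reach a product without being flagged; and amendments edit the existing record rather than creating a new identifier, so the source code stays permanent as the Framework Model requires and audit history attaches to one record.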
13. Appoint a Location Intelligence Officer
GENERAL GUIDELINE:
The Location Forum recommends that all organizations that use and manage location data across the
enterprise should appoint a Location Intelligence Officer (LIO) or equivalent to oversee and manage
the integration of the data along with various applications utilized by the organization to aggregate,
analyze, visualize, and distribute location data.
SPECIFIC RECOMMENDATION:
With location data having tentacles throughout an enterprise, and with security and privacy a critical
business priority, the task of keeping up with and managing all of the policies, practices and uses associated with location data requires full-time attention. The appointment of an LIO is a necessity.
Depending on the company structure, the LIO can function as a standalone role or report to the CIO,
the strategic planning unit, or the Chief Security/Risk Officer.
EXAMPLE:
LOCATION INTELLIGENCE OFFICER PROFILE
Skills: Budgeting, Project Management, Engineering/Product Development, Operations, Sales
& Marketing and the ability to understand the impact of operational, customer, and marketing
data; risk management and governance
Location Intelligence Experience: Location Data and its procurement, use, and maintenance; Geospatial Technology; Technical Infrastructure and Architecture and Enterprise Data
Integration
Development and execution of business case and ROI for location-based projects:
Demonstrate ability to sell the project internally, and once sold, the ability to deliver it, monitor
it and maintain it. Location information management is an ongoing, evolving technology that
requires regular attention. (This is a recurring problem with the traditional approach to GIS projects; it’s viewed as a one-time project that goes away.)
See “Where is the Location Intelligence Officer?” for more information on the importance of this role,
and other required skill sets that address other business issues related to location data:
http://www.lbxjournal.com/articles/“where”-location-intelligence-officer/260226
CONCLUDING SCENARIOS
While the use of location data may appear simple or intuitive, the Guidelines reveal the complexity
behind it. Recognizing that the use of location data may not always be obvious within an organization, we developed location-privacy-aware scenarios to illustrate some common, and not so common,
uses of location data by four business functions: Risk Management, Product Development, Customer
Experience, and Marketing. Use them both to inspire you and to help you ferret out problems
before they manifest themselves.
Privacy Aware Scenarios
Risk Management: A retail company uses location information differently throughout the organization. As a result, location data winds up being managed by different departments with no centralized oversight. In some cases the information is acquired, managed and distributed by the GIS department; in other cases it is the marketing department that is experimenting with mobile location-based services applications, targeted advertising and social media engagement and interaction with customers. The real estate and site location department uses information specifically for long-term investment decisions. The HR and IT departments monitor employees through a variety of mobile phone and Internet tracking applications. The privacy of employees, customers, suppliers, and partners is implicated as location data moves around this organization. But there isn’t a single person responsible for understanding how location data moves through the company’s workflow, how the data is being handled to ensure privacy protections, and compliance with usage rights.
Product Development: A news service has instructed its development team to develop a 3D interactive globe as a new information delivery platform. In an effort to better understand local and regional interests, the news service wants to capture the location data of its audience via IP address, GPS coordinates, and cell-phone triangulation. Through its mobile application, the news service also wants to capture when and where the user checks his/her news, for example at work, at the coffee shop, in the car, at home, in the parking lot. Before development begins, the Vice President of New Services calls a meeting of her development team, marketing, and legal to review the objectives of the service and the privacy issues associated with it. Every developer on the team and the marketing analysts are provided with a checklist of required actions to ensure that the company is not blind-sided 6 months later.
Customer Experience: A casino, shopping mall, amusement park, or coffee shop offers WiFi (free or otherwise) as a customer experience service. Oftentimes, these organizations collect location data of users for the purpose of providing improved services or targeted advertising. Once the user signs into the WiFi service his/her web behavior is tracked, and if the user moves around the building their whereabouts are also being tracked, including how long they stayed in a particular location (for example a store, or a gambling table).
The user is generally unaware that the information is being collected and as such is completely in the dark about how that information is really being used, with whom it is being shared and for what purpose. Is the information collected anonymized? Is it aggregated? When shared with a third party, is it de-anonymized so that personally identifiable information can be determined? How does the user know?
Marketing Campaign: A company decides to run a treasure hunt campaign and embeds a location sensor in five product packages. The package clearly states the campaign and the benefits to the lucky winner: $10,000 in cash and an appearance on the Lucky Guy show. In addition, in bold letters not to be missed by a person of average vision: “This Package May Contain a Location Sensor. If you open it and are a lucky winner, your location will be immediately tracked and a media crew will arrive shortly to interview you.”
Part 4 – Location Data Privacy Risk
& Transparency Assessment
Almost every aspect of location data privacy can be measured along two key metrics: risk and transparency. Good governance involves how your organization manages the data both internally and
externally. Everything from the source of the data and how it is obtained, to how it is used and managed, to how your policies and procedures are communicated to the market, to its impact on companies and individuals, has risk and transparency components.
This section allows you to take a high-level pulse of the state of your current governance practices
and the transparency of your communications to customers, partners, regulators, and the market
regarding your policy towards location data privacy.
The following Review serves as a worksheet that is designed to examine your policies and behaviors
associated with location data. It is a first step in creating a snapshot of your Risk and Transparency
levels. It is meant to help identify places where immediate or future attention is required in addition
to where you are doing well. It also serves as a workbook prior to using the Location Forum’s online
“Scorecard” (see LDPI below).
This is not intended to be an exhaustive assessment, but rather a broad review of your location data
privacy stewardship and practices. The result of taking this scorecard assessment will reveal whether
your location data privacy policies and practices place you in a High, Medium, or Low risk category:
RISK AREA: RISK & TRANSPARENCY LEVEL RESULTS
Acquisition, Usage & Handling [Risk]: High / Medium / Low
Openness, Notice & Consent [Transparency]: High / Medium / Low
Policy, Accountability & Traceability [Governance]: High / Medium / Low
RISK LEVEL: ACTION
High: Take immediate action to correct problems. Re-evaluate as soon as corrective
measures are implemented.
Medium: Research root causes, consequences and ways to improve. Re-score after changes
are implemented.
Low: Monitor and re-score every 6 months.
LOCATION DATA PRIVACY INDEX (LDPI)
Once you have an initial snapshot, we recommend that you determine your Location Data Privacy
Index (LDPI) score through the online LDPI Scorecard [coming soon, and available at www.thelocationforum.org/privacy]. This is an interactive tool, which will guide you through specific questions
based on your company profile. Your answers determine a score or “index” that gauges your level of
risk and transparency against industry norms and best practices and provides a more comprehensive
evaluation of your policies and practices.
The LDPI score can be used to benchmark your organization against competitors and peers and to
communicate transparent policies to the market.
LOCATION DATA PRIVACY REVIEW
This Review serves as a way to conduct an initial assessment of your Risk and Transparency levels.
It is meant to help identify places where immediate or future attention is required as well as where
you are currently doing well. It also serves as a workbook prior to using the Location Forum’s online
Scorecard, which is a tool that provides a more comprehensive evaluation of your policies and practices and generates a Location Data Privacy Index (LDPI) rating.
The Review is divided into 4 main sections:
Profile
Acquisition, Usage & Handling
Openness, Notice & Consent
Policy, Traceability & Accountability
!TIP - Throughout the Scorecard, look for “!TIP”, which will provide “handy hints” to guide you.
PROFILE
The profile questions provide a context in which to analyze the rest of your answers. There are no
right or wrong answers; they simply enable the questions in the next 3 categories to be scored
against a known backdrop.
Who Are You?
1
Are you a provider of location information technology, data, products or services? Check all that apply:
You provide analytics software platforms or services
You provide location-based services
You are a GIS company
You manufacture hardware, sensors, or chips
You are a third party aggregator of location information
You are a location data services provider
You are not a provider of location information technology, data, products, or services.
2
Do you use location/geospatial data, technologies or services in any aspect of your business?
Yes
No
3
Are you in an industry subject to regulations that limit or prohibit your use of location and personal data? (Ex: telecommunications, healthcare, utilities, etc.)
Yes
No
4
Do you operate in jurisdictions that have strong individual privacy rights protections?
Yes
No
5
Do you generate revenue from the monetization of location data and/or personal data?
Users pay for your location-based service or application
Your services are available to users for free, and the data collected is sold to a third party,
for example advertisers.
You use location data only for internal purposes, and do not generate revenue from selling
location data in any way
Companies or organizations pay for your location-based services or applications
Any use of location data increases the potential for infringing upon personal privacy. It is the nature of
the data. The market, regulatory, and internal business environment in which you operate can serve
to increase or decrease risk. Proceed to the next sections to review your internal policies and procedures and external communications regarding the management of location data.
ACQUISITION, USAGE & HANDLING
This section examines how the location data is obtained and used and for what purpose, who has
access to it, how it is treated, manipulated and managed, and what becomes of it.
AREA & PRACTICE (with NOTES & FLAGGED FOR FOLLOW-UP recorded alongside each question)
1
Do you collect location data directly from individuals? (If you answered no to this question please proceed to question 2)
!TIP – The more sources you use, the more complex the risk becomes and the more you have to monitor. It also impacts communications with your users (see Notice & Consent section)
Yes
No
If Yes, how do you collect this information? (check all that apply)
A form (paper or online)
Website or web-based application
A mobile device
A mobile application
A communications network—cable, telephone, wireless, satellite
2
Do you collect location data remotely via satellite, aerial, or terrestrial
technologies?
Yes
No
3
Do you acquire or purchase location data from third party sources?
Yes
No
4
Do you reduce the accuracy of the geographic coordinates collected
to prevent personal identification of the individual?
Yes
No
5
Do you collect or acquire location data even if it is not required or
necessary for the performance of your application or service?
Yes
No
6
Do you aggregate location data?
Yes
No
(If No, skip to question 8)
If Yes, please indicate your definition of aggregation. Check all that
apply below:
We aggregate data to a higher level (such as street address to postal code) for the purpose of masking personal identity.
We aggregate or compile location data from multiple sources for the purpose of creating a centralized repository.
7
Do you aggregate data that is not needed for the performance of your
application or service?
Yes
No
8
Do you link location data with other datasets?
Yes
No
If Yes, check all that apply:
For internal research and operational purposes
For marketing purposes, including targeted advertising
9
Do you link location data with other datasets, and share, rent, or sell it
to third parties?
Yes
No
10
Do you link location data with other data that is not required for the
performance of your application or service?
Yes
No
11
Do you mine information from the aggregated or linked location data?
Yes
No
12
Is management aware of how the application collects, uses, and distributes location data?
Yes
No
13
Do you treat location data and/or personal data as an asset to be
monetized beyond internal operational use?
Yes
No
14
Do you use any location data collected to deliver location-based services to customers?
Yes
No
15
Do you sell (or share) any location data collected with any third party
for any reason?
Yes
No
If Yes, indicate all that apply:
Identifiable data
Anonymous data
16
Do you do anything (collect, use, share) with an individual’s location
data without their knowledge?
Yes
No
17
Do you retain location data?
Yes
No
18
If you answered yes to 17, do you retain (please indicate all that apply):
!TIP – Any retention practice – especially one that is open-ended – creates risk. Unlimited retention should be avoided if at all possible.
Identifiable data
Anonymous data
For the following period of time:
Indefinitely
A specified period of time
19
Are location technologies and data analytics accessible by anyone
within the organization?
Yes
No
20
Is location data easily accessible by anyone within the organization?
Yes
No
TOTALS YES _______ NO _______
If you answered “Yes” to 5 or fewer questions, your acquisition, usage and handling practices put you at a Low risk.
If you answered “Yes” to 6-10 questions, your acquisition, usage and handling practices put you at a Medium risk.
If you answered “Yes” to 11 or more questions, your acquisition, usage and handling practices put you at a High risk.
Mark your level in the table at the beginning of this section for reference and follow-up action.
Take the Location Forum’s online Location Data Privacy Risk Assessment [coming soon and available at www.thelocationforum.org/privacy] to determine your actual LDPI score and identify recommendations on how to reduce your risk.
OPENNESS, NOTICE & CONSENT
This section measures your operational transparency - how open you are with business partners and
individuals. How much control do users/customers have over their location data? Are you open about
the type of location data you collect and what you do with it? Do your partners and customers have
the ability to opt-in and opt-out?
21 Is your location data policy visible and can people easily find it?
Yes
No
Visible to: [check all that apply]
Employees
Average User/Customer
Vendors/Partners
!TIP – Err on the side of posting your policy in as many places as practical, especially if you ticked several boxes in Question 1. Generally more communication is better unless it interferes with the user experience.
Where (check all that apply):
On the download page of the application
Within the app store where the app is found
During installation of the application or service
Within the application
On your website
On any forms used to collect location information
Within proposals or RFP
Within product or service agreements
On a shared or virtualized drive (cloud)
In a knowledge management system
Employee manual
22 Do you publish the sources from which you collect location data?
Yes
No
Is your supply chain of location data providers visible and can people
easily find it?
Yes
No
Where (check all that apply):
On the download page of the application
Within the app store where the app is found
During installation of the application or service
Within the application
On your website
On any forms used to collect location information
Within proposals or RFP
Within product or service agreements
On a shared drive (cloud), in a knowledge management system
23 Can an individual (including employees) easily locate and view their location profile on your website, application, or mobile device menu?
Yes
No
!TIP – The more options provided to the user, the more transparent you will appear.
If Yes, check all that apply:
You have a redressability policy that enables a user to correct
any information in their profile that is incorrect or out of date
Users can eliminate certain pieces of location data in their
profile they believe are confidential and do not want divulged
under any circumstances
An individual can delete her location history
You have a designated contact person to handle individual
concerns related to any aspect of their profile
24 Do you provide users with informed notice and consent regarding
how you collect, use, aggregate, manage, and distribute location
data?
Yes
No
See Recommendation 4 in Part for definition of informed consent.
25 Can a user easily Opt-In or Opt-Out of your service or application?
Yes to both
Only Opt-In
Only Opt-Out
No to both
26 If you answered, “Yes” to question 25 where is the opt-in or opt-out
option visible or provided? Check all that apply:
Launch of your application
Initializing your device
Provisioning of your service
On your website
On a form
27 Can an individual prevent the distribution of her location data to certain third parties?
Yes
No
!TIP – The more options provided to the user, the more transparent you will appear, provided it doesn’t become a nuisance that interferes with the user experience.
28 Can a company assess your location data management practices?
Yes
No
If Yes, check all that apply:
A benchmark
An LDPI score
A B2B disclosure form
An outside company does not have a means of assessing our practices
!TIP – The opaqueness of the current location data supply chain creates risk for everyone in the chain. The more transparent the chain, the greater the likelihood that industry self-regulation will work.
TOTALS YES _______ NO _______
If you answered “Yes” to 1 or fewer questions, you provide a Low or No level of transparency.
If you answered “Yes” to 2-4 questions, you provide a Medium level of transparency.
If you answered “Yes” to 5 or more questions, you provide a High level of transparency.
Mark your level in the table at the beginning of this section for reference and follow-up action.
Take the Location Forum online Location Data Privacy Risk Assessment [coming soon and available at www.thelocationforum.org/privacy] to determine your actual LDPI score and identify recommendations on how to reduce your risk.
POLICY, ACCOUNTABILITY & TRACEABILITY
This section examines your overall approach to location data privacy – the types of policies you have
in place, oversight, accessibility and more. How anonymous or personalized is the data and is there
an audit trail from source to destination?
29 Have you developed and published a location data privacy policy?
Yes
No
See Part 3 of the Location Data Privacy Guidelines for recommended framework
30 Does your location data policy state how you collect, aggregate, distribute, use, and manage location data?
!TIP – A comprehensive policy addresses all aspects of handling location data.
Yes
No
Check all that are referenced in your policy:
Collection
Aggregation
Distribution
Usage
Data Management
31 Is your location data policy visible and can people easily find it?
Yes
No
See Recommendations for Openness Notice and Consent in Part 3 for details
32 Do you maintain a consistent program of oversight including executive responsibility and external location data audits within your organization?
Yes
No
!TIP – Good location data privacy governance requires the right people, tools, and technologies.
Check all that apply:
A key executive is responsible for location data privacy
Periodic external privacy or security audits are performed
A Location Data Governance and Audit System is in place
33 Do you know and track the source(s) of your location data?
Yes
No
Check all that apply:
You know how it was collected
You know if the location data was collected with consent of
individuals from which the data was derived
You have overt permission to use the data
You know if there are any limitations on the use and distribution
of aggregated data products
!TIP – Know Your Data to reduce your risks.
34 Do you ensure that personally identifiable information is not
attached to your location data?
Yes
No
Check all that apply:
You anonymize all location data collected
You de-anonymize data
35 Can the location data chain, usage and usage rights be traced either
by some unique identifier, an embedded audit trail or some other
method?
Yes
No
36 Does your organization practice Privacy by Design?
Yes
No
For details see http://privacybydesign.ca/
37 Are the following people made explicitly aware of the privacy implications of designing, developing or coding applications and services that use location data? (Indicate all that apply):
!TIP – Everyone should be “in the know.”
Software Developers
IT/Business Intelligence Managers
Operational Managers
Marketing Managers
Product Managers
Management Executives
38 Do you coordinate with legal or marketing to make sure you are
not violating any rules, procedures, laws or policies in the way the
location-based application is designed, coded or implemented?
Yes
No
39 Do you require a valid court order or warrant before disseminating
location data to law enforcement?
Yes
No
TOTALS YES _______ NO _______
If you answered Yes to 7 or more questions, you have a High level of location data management governance.
If you answered Yes to 4-6 questions, you have a Medium level of location data management governance.
If you answered Yes to 3 or fewer questions, you have a Low level of location data management governance.
Mark your level in the table at the beginning of this section for reference and follow-up action.
Take the Location Forum online Location Data Privacy Risk Assessment [coming soon and available at www.thelocationforum.org/privacy] to determine your actual LDPI score and identify recommendations on how to reduce your risk.
Appendix – Glossary of Terms
Aggregation: Data aggregation is the process of combining data from different sources and transactions to create a new “aggregated” dataset. By linking data with multiple characteristics, new information can be derived from the aggregated dataset that none of the individual pieces of data can yield.
Data aggregation is also the process of rolling data up to a higher level, such as street address to
postal code for the purpose of anonymizing data or masking personal identity.
Anonymization: The act of removing personally identifiable information from data. Anonymized data
should no longer be able to be associated with an individual in any manner.
B2B/ B2C/ B2I and I2I: These all describe relationships between two entities for the purposes of
exchanging information or conducting commerce. B=Business, C=Consumer, and I=Individual. For
example, a B2B relationship is one where two (or more) businesses are either exchanging something
(data, information, knowledge, etc) or having a buyer-seller transaction. A B2C relationship is a direct
relationship between the business and the consumer. In this relationship the consumer is the end
customer. A B2I relationship is one in which a business may have an indirect relationship with an individual as a result of collecting, using, or sharing an individual’s personal information such as location
data. An I2I relationship is one where individuals may share information between each other across a
third-party platform such as social media.
Collection: The act of acquiring location data through explicit, implicit, or passive methods:
Explicit collection occurs when a user is aware and has consented to their location data being
collected.
Implicit collection occurs when a user shares location information voluntarily, but is unaware
that the information is being collected.
Passive collection occurs when network carriers and third party service providers collect location data at the network, device, or application layer without the user’s knowledge.
Distribution: Location data is distributed when it is shared with or sold to third parties.
Geographic Reference: A geographic reference includes address, zip code, placename, point of interest, area of interest, and distance and proximity between places or locations.
Geospatial Data: is any point, line, 2D polygon or 3D volume with a geographic reference whose location can also be marked in time.
Location: is the geographic position of someone or something at any given moment in time.
Location-Based Service: Location-based services (or “location services”) deliver information about location to people using wireless, position-aware devices such as mobile phones, tablets or similar devices. More generally, a wireless IP service that uses geographic information to serve a mobile user, or any application service that exploits the position of a mobile terminal.
Location Data: Is any data with an implicit or explicit geographic or geospatial reference, including
any data derived from GPS, GIS, cell-tower or other radio signal-based triangulation, assisted-GPS
positioning devices, systems and processes, geo-tagged images, video, audio, and text documents,
satellite and aerial imagery, computerized, digitized and paper maps, IP address location, public documents, public or private database, video, audio, text, and image files, location-based applications.
Location Data Privacy is:
The right to not be subjected to unsanctioned collection, aggregation, distribution, or selling of
an individual or organization’s location or location profile derived from location data.
The ability of an individual, group, or organization to conceal information about their whereabouts, which can be derived from location data. Sometimes stated as “the right to be left alone” and not reveal one’s location.
Location-Dependent Service: A service in which the location transactions and location data all form
an integral part of the service.
Location Service: A service that provides the location of a moving or fixed device or individual, and
extracts and extrapolates location data from information voluntarily contributed.
Location Profile is:
Information derived from mobile and location data on where an individual has been and may be
in the future; and
Information on who and what is around a particular location and the activities that surround a
particular location.
Location Transaction: A location transaction is any exchange of location data between devices, systems, applications, networks, and/or databases.
Place: the use of a name or area of interest to describe a location.
Space: the use of geographic coordinates to describe a location.
For more information contact:
Natasha Léger
President
Email: nleger@thelocationforum.org
770.663.8898
Jim Warner
COO
Email: jwarner@thelocationforum.org
770.663.8898
Email: info@thelocationforum.org