Legal Insight: Compliance with California's Standards for Geolocation Data Collection and Protection

The California Privacy Regulators have made it clear that they are focused on data collection and privacy practices such as sharing consumer’s data. Recently, the California Attorney General issued a press release stating that they are currently focused on location data that is being collected through websites and mobile apps. As a reminder, geolocation is considered sensitive information under California privacy laws. It is very important to check your current websites and apps to make sure your data collection aligns with what your disclosures are telling your customers. This includes the information in your terms of use or privacy policy. If your disclosures do not match what you are doing, even if you are not in violation of privacy laws, it is considered a deceptive business practice and you still face potential liability. 

Other concerns that California regulators have disclosed that your business needs to be concerned with: 

1. You can’t solely rely on the excuse you are using a service provider to manage privacy compliance. You should be getting indemnity for violations as a matter of protecting yourself from the risk, but the California regulators have made it clear that they are also examining whether you are doing your own due diligence with those service providers. You will likely not escape liability by enforcement authorities by trying to delegate your privacy compliance to a third party. 
2. GPC signals. Global Privacy Control (GPC) is a web browser signal that allows users to select their privacy preferences, such as whether they will allow their data to be sold or shared. They are designed to be a universal opt-out mechanism. Regulators have disclosed they are testing websites and seeing if your opt out mechanisms are operative. You need to be testing your websites to make sure that it can recognize opt out signals. This is especially so if you’ve put in your disclosures that your websites or app recognizes those signals. 

Assuring that your privacy practices are current and compliant is crucial to avoid liability, as is assuring that your disclosures accurately reflect your practices.