5 minute read 18 Sep 2020

How location tracking is raising the stakes on privacy protection

By Meribeth Banaschik

Partner, Forensic & Integrity Services, EY GmbH Wirtschaftsprüfungsgesellschaft; EY Europe West Forensics Discovery & Digital Solutions Lead

Attorney and former litigator. Provides talent and experience in eDiscovery solutions, managed document review, data protection compliance, disputes and contract management.

Managing and securing personal data takes more cross-functional collaboration throughout businesses than ever before.

In brief
  • Location tracking is becoming a vital privacy concern, as it is increasingly used in software applications in our personal lives and work.
  • Businesses that are tracking personal health data or employee movements since the COVID-19 pandemic need to carefully evaluate their impact on privacy.
  • To mitigate risks around location tracking, compliance professionals should work collaboratively across the enterprise.

Our attachment to smartphones has made them the perfect devices to track our movements — providing invaluable data to businesses and governments. Little do we know that many apps on our phones allow location data companies to pinpoint how we spend our days. A New York Times investigation was able to use a data set to track the movements of individuals commuting to their offices, picking up their children at school, and even breaking their routines to go on a job interview.[1]

Rising concern over location tracking is just one example of how protecting privacy is becoming increasingly complex. COVID-19 is exacerbating the issue as governments and businesses experiment with new technologies to track and contain the outbreak. These efforts are saving lives, but they also raise fears about intruding on privacy and exposing personal health data.

Privacy management is often seen as the responsibility of compliance and legal professionals, aided by the cybersecurity team. But more and more organizations are realizing that privacy is impacting stakeholders in just about every corner of the organization. Managing privacy risk brought on by location tracking requires a concerted effort that also includes human resources, operations, information security, communications and investor relations.

Privacy claims for location tracking subject to public and regulatory scrutiny

Did you know that having a weather app on your phone could mean your personal movements are tracked second by second and sold to third parties, even when you’re not using the app? That’s the basis of a 2019 lawsuit filed by the Los Angeles City Attorney’s office. The suit charges that the information on selling data to third parties was hidden in the privacy policy and privacy settings sections of the app, which “the vast majority of users” don’t read.[2]

Many companies that collect location data claim it doesn’t violate privacy because the data is anonymous, users consent to be tracked, and data is kept securely. But The New York Times investigation shows these claims don’t always hold up to legal or regulatory scrutiny. For example, pings showing a daily route from a house to an office easily identify a person.

While phone apps supply much of the tracking data sold to third parties, cellular companies are also under fire. The four largest US cellphone carriers promised to stop selling location data in 2018, but two years later, the US Federal Communications Commission (FCC) proposed hundreds of millions of dollars in fines because the carriers were found to continue selling customer data and violating agency rules to protect personal information.[3]

COVID-19 raises the stakes for location tracking

The COVID-19 crisis led some governments to launch phone apps with geolocation tracking to trace an individual’s contacts, and to determine whether they are complying with quarantine and social-distancing directives. Tracking individuals has helped some countries limit the spread of the virus, but a Guardsquare security analysis of 17 government tracking apps found the “vast majority” are easy for hackers to breach.[4]

Human rights groups are concerned these apps are too invasive and could be used beyond the pandemic. For example, Norway’s Data Protection Agency banned its country’s tracking app after determining it collected far more data than needed.[5]

Businesses are also exploring new technologies to protect the health of their employees, using smartphone apps, cameras or wearable Bluetooth devices to monitor employee movement at work. If an employee tests positive for COVID-19, the company can quickly identify employees who came close to the infected worker. While many countries allow employers to track employees during work hours, privacy advocates fear surveillance could be extended around the clock and continue long after the crisis ends.

The pandemic has also raised privacy concerns around employee health data. A survey by the published in May 2020 found nearly a quarter of businesses have taken their employees’ temperatures and 60% keep records of those diagnosed with COVID-19. Nearly one in five provided the names of COVID-19-positive employees to other staff or government authorities, contrary to the advice from the European Data Protection Board.[6]

Privacy regulations aim to control location tracking

The rising interest in protecting privacy has led to new regulations around the world. One of the most influential statutes, the EU’s General Data Protection Regulation (GDPR), treats location data as personal data. This means users must specifically and freely agree to location tracking, rather than opting out.

Location tracking is also addressed by the California Consumer Privacy Act (CCPA), which the state began enforcing in July 2020. Under the CCPA, California residents can opt out of having their personal information, including geolocation data, sold to third parties. While the law covers only state residents, many large firms are extending its rights to all Americans. California’s Attorney General estimates businesses will spend more than US$55 billion to comply with the CCPA.[7]

Addressing privacy risks from location tracking requires cross-functional collaboration

Addressing privacy risks related to location tracking goes beyond the scope of legal and compliance departments. It requires flexibility and agility as organizations respond to fast-evolving technological and regulatory environments. Cross-functional collaboration is essential.

Legal and compliance professionals should take the lead in working with other functions — particularly IT departments — to help them identify, monitor and mitigate risks. Talent management should focus on employee education and communication so that, when used, location tracking doesn’t compromise employees’ privacy and its objective is well-understood by employees. Information security and technology professionals need to stay on top of the rapidly evolving technologies to understand their impact and potential risks. Above all, privacy by design should be woven into the organizational culture.

Businesses need to keep privacy concerns in the forefront as they develop products or services that involve location tracking features. If not managed well, location tracking can become a huge liability that runs the risk of regulatory noncompliance, lawsuit, reputation damage, employee discontent and revenue loss. If managed well, location tracking can enhance product capability, boost service delivery, and protect employees and the organization.

Key takeaways

Location tracking is becoming an important privacy concern, as it is increasingly used in many software applications that dominate our daily personal and business lives. The COVID-19 pandemic has heightened the issue as governments and organizations race to contain the spread of the virus. Businesses that hastily made operational changes during the pandemic, such as tracking employee movements or sharing personal health data, need to carefully evaluate their impact on privacy.

Compliance professionals should work collaboratively across the enterprise to mitigate risks around location tracking, whether the business markets data to other businesses or the organization performs location tracking on employees for internal purposes. These risks can result in regulatory and legal actions, data breach, diminished employee morale and privacy concerns, as well as damage to the brand.

Adhering to data privacy regulations can be expensive and challenging. But businesses that manage location tracking activities transparently and securely will discover a competitive advantage as privacy protection becomes more important for both consumers and employees. We may love our phones, but we don’t want them spilling our secrets.

Article references

    1. Stuart A. Thompson and Charlie Warzel, “Twelve Million Phones, One Dataset, Zero Privacy,” The New York Times, 19 December 2019.
    2. Eriq Gardner, “All the Time and Money on California’s New Privacy Law Waster?” The Hollywood Reporter, 15 June 2020.
    3. Drew FitzGerald and Sarah Krouse, “FCC Probe Finds Mobile Carriers Didn’t Safeguard Customer Location Data,” The Wall Street Journal, 27 February 2020.
    4. Grant Goodes, The Proliferation of COVID-19 Contact Tracing Apps Exposes Significant Security Risks (accessed via www.guardsquare.com), 18 June 2020.
    5. “After Being Ranked Among the World’s Most Privacy-Invasive, Norway Suspends Use of Contact Tracing App,” CPO Magazine, accessed 2 July 2020.
    6. Müge Fazlioglu, Privacy in the Wake of COVID-19: Remote Work, Employee Health Monitoring and Data Sharing, IAPP-EY report, https://iapp.org/resources/article/iapp-ey-report-privacy-in-wake-of-covid19/, accessed May 2020.
    7. Standardized Regulatory Impact Assessment: California Consumer Privacy Act of 2018 Regulations, prepared for California Department of Justice Office of the Attorney General, August 2019.

     

     

Summary

Location tracking in software applications used in our work and personal lives not only threatens privacy, but may have legal ramifications. As enterprises rapidly adopt new technology to protect employees and businesses during the COVID-19 pandemic, departments need to collaborate across their normal functions to address and combat the legal, compliance and information security risks.
