Privacy Regulators Target the Location Data Industry

On March 10, 2025, California Attorney General Rob Bonta (AG) announced an “ongoing investigative sweep” into the use of consumer location data by mobile app providers, advertising networks and data brokers. The AG sent inquiry letters to covered businesses, informing them that they may be violating the California Consumer Privacy Act (CCPA) and requesting additional information regarding their collection, use, and sharing or selling of geolocation data. The AG has announced similar “sweeps” in the past, targeting streaming services, online retailers and consumer loyalty programs, for example.  

The announcement specifically notes three CCPA requirements: that a business may not sell or share geolocation information after receiving an opt-out request from a consumer, unless it receives affirmative reauthorization from the consumer; that businesses must wait at least 12 months before asking the consumer to opt back in; and that mobile apps must contain links or settings that allow users to opt out of sharing location data. The announcement also notes that the CCPA classifies “precise geolocation” — data that places an individual within an 1,850-foot radius — as “sensitive personal information” in which a consumer has the right to limit the use to purposes defined as “necessary” to providing requested goods or services.

This sweep comes amid a heightened regulatory interest in location data in both Sacramento, CA, and Washington, DC.

In 2024, the Federal Trade Commission (FTC) consent orders with four data brokers and aggregators that allegedly misused sensitive location data. Based on FTC Chairman Andrew Ferguson’s record of support for such actions, we can expect at least some continuation of this enforcement activity.

February saw the introduction of the California Location Privacy Act, AB 1355, which would dramatically expand and strengthen the regulation of consumers’ location data. The bill would define “location information” more broadly than “precise geolocation,” and would encompass IP addresses, GPS coordinates, cellular tower location information, and information or images captured by automatic license plate readers and facial recognition technology. The bill would prohibit covered entities from collecting, using or retaining such information except as necessary to provide the goods or services requested by the consumer, and then only with the express prior consent of the consumer. It would also impose an outright ban on selling, renting, trading or leasing location information to third parties; disclosing or helping to disclose location information to third parties unless necessary to provide the requested goods or services; and drawing inferences from location data unless necessary to provide the requested goods or services. As written, AB 1355 would be enforced by state and local prosecutors, with a three-year statute of limitations. Penalties would include $25,000 in damages per violation, injunctive relief and attorney’s fees.

We will continue to monitor these and other developments related to privacy and data security. Please reach out to Kramer Levin’s Privacy, Cybersecurity and Data Innovation group for more information.