LOCATION DATA PRIVACY GUIDELINES, ASSESSMENT & RECOMMENDATIONS
MAY 1, 2013 VERSION 2
© 2013 THE LOCATION FORUM. ALL RIGHTS RESERVED | HTTP://WWW.THELOCATIONFORUM.ORG | +1-770-663-8898



Contributors

PAUL BARRETT, Senior Manager, Accenture Interactive
Paul has extensive experience in marketing, technology, and finance as a strategic consultant with Fortune 100, mid-market and start-up organizations. In his role at Accenture, he is focused on the intersection of location technologies and location intelligence with big data, web analytics, digital advertising, social media and mobile.

ARTHUR BERRILL, Vice President Technology, DMTI Spatial
Arthur Berrill is the Vice President of Technology for Canada’s leading provider of Location Intelligence solutions, DMTI Spatial. Arthur has over 30 years of experience managing the architecture, design and development of enterprise spatial systems. Prior to DMTI, Arthur was with Pitney Bowes Inc. managing the Advanced Concepts and Technology team. Arthur came to Pitney Bowes through the acquisition of MapInfo, where he managed their Advanced Development Department.

GARY GALE, Director Global Community Programs, HERE at Nokia
Gary is an experienced mapping, location and geographic information professional. In his role at Nokia he helps people create maps around the world to suit their needs. He is the co-founder of WhereCamp EU, the conference chair of AGI W3G and sits on the Association for Geographic Information Executive and Council. He is a Fellow of the Royal Geographical Society and a frequent conference speaker.

KIPP JONES, Vice President Products, Skyhook
Kipp oversees the product group at Skyhook. As VP Product, he is deeply engaged in all aspects of the business, customers, policies and technology in the fast-moving mobile location and location intelligence markets. Kipp received his BS in Computer Science from the University of Nebraska as well as an MS and ABD in CS from Georgia Tech.

NATASHA LEGER, Editor, LBx Journal; President, The Location Forum
Natasha is Editor of LBx Journal and President of the Location Forum. Natasha is also founder and President of ITF Advisors, LLC, a strategy advisory firm with a focus on communications, media, technology and geospatial companies and the convergence of digital media technologies. Natasha is a strategist with a corporate, legal, and policy background.


DANA LONERGAN, VP Commercial and Legal Affairs, Traxxitt
Dana serves as General Counsel and Corporate Secretary for Traxxit, a start-up in the personal and asset tracking market. With significant legal and business experience, he is responsible for office operations in addition to representing clients in Administrative and Court hearings. He also represents Traxxit in numerous professional, civic and community associations.

JIM WARNER, COO, The Location Forum
Jim is the President of The Westport Group, a global innovation and market strategy consultancy, and serves as the Forum’s COO. He has a background in telecom, media and information services as well as managing industry consortia. He is a frequent speaker and writer on business transformation, digital services and cloud computing.

PETER WOODGATE, CEO, Cooperative Research Centre for Spatial Information
Peter is CEO of the Cooperative Research Centre for Spatial Information. He is also Chair of the Global Spatial Network as well as a Member of the International Expert Committee of the Institute of Remote Sensing and Digital Earth. He is a Member of the Executive Committee, International Society for Digital Earth and a Board Member of the Terrestrial Ecosystems Research Network. He serves as a Board member at AUSCOPE and Chairs the Virtual Australia and New Zealand Initiative.

MARLENE ZIOBROWSKI, Senior Data Manager, DMTI Spatial
Marlene is Senior Manager, Data Research and Governance for DMTI Spatial Inc. While engaged in doctoral work at York University, she was a teacher and lecturer. Thereafter, she owned Lucitech Communication, a technical writing and editing business, before becoming Data Director for Mapmobility Corp.

About the Location Forum
The Location Forum is a non-profit, global industry consortium that provides leadership for businesses looking to capitalize on the advantages that location-based services, technologies and applications offer. Our focus on location data privacy, locationomics and location intelligence enables decision makers to better understand how they can apply location strategies across their enterprise. www.thelocationforum.org

The Location Privacy Council is the primary driver behind the Forum’s Location Data Privacy Initiative. The 11-member Council operates in a virtual fashion hosting monthly Executive Roundtables where members and invited experts discuss, debate and share knowledge on specific aspects of Location Data Privacy.

Disclaimer: The contributors have shared their collective wisdom from their years of experience with location-based technologies, services and applications, across multiple industry verticals. The opinions referenced are the sole opinions of the contributors and not necessarily the opinions of their current employers.


Table of Contents

5 ABOUT THIS GUIDE

6 EXECUTIVE SUMMARY

12 PART 1 – OVERVIEW: THE STATE OF LOCATION DATA PRIVACY

19 PART 2 –GUIDING PRINCIPLES & CONSIDERATIONS

21 PART 3 – GUIDELINES & RECOMMENDATIONS FOR THE MANAGEMENT OF LOCATION DATA

39 PART 4 – LOCATION DATA PRIVACY RISK & TRANSPARENCY ASSESSMENT

49 APPENDIX – GLOSSARY OF TERMS


About This Guide
Location knowledge varies widely, from some people (and companies) having considerable expertise to others who are just exploring how to apply it in their business, to everything in between. The same variation exists with the topic of privacy as a whole. As such, this Guide was written for as wide an audience as possible. Depending on your background, experience and objectives, you may find certain sections more useful and applicable than others.

These Guidelines were developed for those on the front lines of location data product and services development. They bring attention to critical issues, and provide a framework for developers, managers, marketers, and executives to follow.

If you are an IT professional or Software Developer, these Guidelines will help you to understand the potential risk areas, while the Risk Assessment Scorecard will help you to determine if you have the proper practices in place for effective location data management.

If you are a Marketing professional, these Guidelines will help you to identify risks in your communication and interaction with your customers relative to disclosing how you collect, use, and share location data.

If you are a Product Development Manager, these Guidelines, Risk Assessment, and Transparency recommendations will help you evaluate end-to-end issues and risks that should be considered in rolling out new location-based products and services either internally or in the open market.

If you are an Executive, these Guidelines, Risk Assessment, and Transparency recommendations provide a comprehensive overview of the business, technology, and user issues associated with handling location data.

For additional detail or background, please go to the Location Forum’s online library www.thelocationforum.org/privacy/materials-documents

Please keep in mind that these Guidelines are also a work in progress as the technology is constantly evolving.

These Guidelines do not address remote location data collection through traffic and surveillance cameras, facial and gait recognition software and other means where the user is not able to consent to such collection (no ability to opt-in or opt-out). These issues need to be addressed at a broader legal and public policy level.

There is also more work to be done in the areas of transparency, notification, consent, risk profiles and the use of metatags to facilitate the development of automated processes and ensure consistent implementation. These issues will be addressed in the next version of this Guide.


Executive Summary
Location-based services and applications have become more than a technology or feature; they are an integral part of our lives. People define themselves not just by who they are, but where they are.

Location data is now everywhere, easily accessible, and collected at an unprecedented scale. In the Information Economy we live in, personal data and similar forms of information are the new currencies. Location data is the universal link between all data, because everything and everyone is somewhere.

For businesses, location information can transform virtually every facet of an enterprise, from operations to sales and marketing, to customer care and even product development, all with the goal of having a positive impact on the bottom line. It is therefore rapidly becoming the newest “information weapon” used by CIOs, CMOs, COOs and digital strategists to gain a competitive advantage.

The problem with location data today is that it changes as it weaves through various hands: applications, vendors, developers, government, companies, data providers, and individual users. Another complication is the diversity of legal protections across countries and states, which makes developing a consistent privacy policy a moving target. All this is set against a business atmosphere of continuous pressure to develop innovative location-based products and services.

The power, benefits, and risks associated with location data lie in its capacity to infer more personally identifiable information than the face value of the original information. While consumers and businesses are deriving great value from location-based services, targeted advertising and other applications, significant questions persist around location data privacy. In particular, how is location data being shared, and who has access to it?

The Location Data Privacy Guidelines, Assessment & Recommendations (hereinafter Guidelines) were developed for those on the front lines of location data product and services development, as well as those who hold corporate, legal or fiduciary responsibilities. They bring attention to issues that many organizations and companies have chosen to ignore due to lack of legal certainty around requirements, and provide a framework of location data practices for developers, managers, marketers, and executives.

Part 1 provides an overview of the current location environment, with an emphasis on the complex issues, trends and risks companies must contend with and that ultimately drive the need for these Guidelines.

Part 2 highlights the Guiding Principles underpinning the document.

Part 3 provides specific Recommendations, Policies and Practices that any business can use to reduce risk and potential liability while improving customer communication.

Part 4 builds on Part 3 with a detailed Risk and Transparency Assessment that is used to gauge how well you and your company are implementing these Recommendations.

In short, these Guidelines offer practical, ready-to-implement, proactive measures that are ahead of government regulation and the current state of law and policy on location data privacy, yet in line with market concerns. Companies that embrace these Guidelines will send a clear message to their direct and indirect customers that they take location data seriously, see it as a competitive advantage, and respect the individual user’s right to personal privacy.


Introduction

WHY – THE NEED

Location-based applications are now ubiquitous. Any application, whether for business or consumer purposes, that provides location awareness or location intelligence must use location data that is acquired either directly or indirectly from an individual or organization. As a result, location data privacy is of increasing concern to all involved in the location ecosystem, consumer advocates, and lawmakers.

For the purposes of these Guidelines, location data is any data with an implicit or explicit geographic or geospatial reference, including any data derived from GPS, GIS, cell-tower or other radio signal-based triangulation, assisted-GPS positioning devices, systems and processes, geo-tagged images, video, audio and text documents, satellite and aerial imagery, computerized, digitized and paper maps, IP address location, public documents, public or private databases, video, audio, text and image files, location-based applications. In short, location data is any form of information that has a geographic position associated with it.

Location data is attached to everything we do as individuals and organizations on a daily basis. Now it can be collected, sliced and diced in a centralized, systematic and scalable fashion. That changes our relationship with location data—especially how we value it… and the value we place on protecting location data privacy.

The importance of location data privacy has increased as an issue due to the scale at which location data is being collected, aggregated, and shared without the individual’s clear understanding of the value of the information, the collection and distribution process, or the ramifications of disclosing location data. Location data privacy is the right to not be subjected to unsanctioned collection, aggregation, distribution or selling of an individual or organization’s location or location profile derived from location data. It is the ability of an individual, group, or organization to conceal information about their whereabouts, which can be derived from location data; sometimes stated as “the right to be left alone” and not reveal one’s location. For more comprehensive information on location data terms see the Glossary in the Appendix, along with our Executive Guide to Location Data Privacy and Location Data Primer publications.

Location data privacy is in somewhat of a “betwixt and between” situation. It shares many characteristics with other, more broad-based data privacy initiatives, but also has some unique characteristics that cause existing privacy efforts to fall short.

Within the location community, most existing privacy activities focus on specific aspects of the problem, such as B2C issues or the interests of specific players such as marketers, advertisers, mobile operators or social media platforms. The B2B dimension has not received the amount of attention of its B2C counterpart. Much of the location data privacy debate has been dominated by the use of location data by mobile devices and applications for location-based services (LBS) and consumer applications.

For example, guidelines such as CTIA’s Best Practices and Guidelines for Location-Based Services, GSMA’s Privacy Design Guidelines for Mobile Applications, and MMA’s Mobile Application Privacy Policy Framework all look at privacy within the context of a mobile communications environment. While the mobile dimension has catapulted location data privacy to center stage, it has not painted the complete picture. Mobile-focused guidelines are not comprehensive enough to cover the entire location ecosystem—let alone the pitfalls of location data collection, aggregation, and distribution across the location data value chain.


The implications of location information extend far beyond communications providers, advertisers or any such classification. The location ecosystem comprises a wide range of vendors, service providers and users arranged in complex value or supply chains, who deliver a broad set of consumer and enterprise applications. Figure 1 illustrates the key components of the location ecosystem. These chains are not always neat, linear, hierarchical chains. Instead they act more like a “value web” where data can be shared, exchanged and used in almost endless permutations, making the job of privacy protection even more difficult.

In addition, depending on the country or region, there is either an absence of regulations or a number of territorial laws that make doing business across national boundaries burdensome and unpredictable.

If progress is to be made in this business-critical area, some degree of common ground has to be found. The distinctions between B2B, B2C and other transactional relationships are not enough to warrant separate approaches or to treat them as unique “silos.” Nor should the problems of a certain type of company or service provider be isolated.

FIGURE 1: THE LOCATION ECOSYSTEM (© The Location Forum). This location ecosystem demonstrates the various technology, data, and services components involved in delivering location-based solutions to the market.


In some cases, finding common ground is simply a matter of language: using the right terminology (e.g. one that resonates with various groups to express the same concept). There is far more commonality than there are differences within the broader data privacy community, and the few differences there are can be handled by exception or some other pragmatic answer.

The Location Forum has boldly stepped forward to bring together several separate, yet related and synergistic approaches to data privacy, specifically location data privacy. This collaboration is in an effort to craft a single, deployable set of policies, practices, guidelines and recommendations for reducing the risk of location data privacy infringement and fostering an atmosphere of trust within enterprises, consumers and policymakers.

PURPOSE

This document fills a critical void in the market. It provides guidance to all the players in the location industry in the hope of clarifying many of the key elements impacting location data privacy. Specifically, it was created to:

Identify the business issues in location data privacy across B2B, B2C and other environments where location data is exchanged;

Bring together separate location data privacy efforts by providing a common view and terminology;

Fill in gaps and add specificity to previous treatments of the topic;

Serve as a vehicle for engaging with the broader data privacy community;

Provide awareness and understanding of location information as it relates to privacy rights and concerns;

Provide pragmatic recommendations for companies and organizations who use location data or are involved in the creation or handling of location data in some manner; with the ultimate goal of mitigating risks of privacy infringement and privacy rights violations while fostering the legitimate and beneficial use of location data; and

Develop a self-governing location industry framework to deter the imposition of onerous regulations that often have unintended consequences that could dampen innovation.

AUDIENCE

This document is intended for the following:

Executives and decision makers in companies and organizations who are part of the location data ecosystem by virtue of creating, collecting, acquiring, aggregating or distributing location data whether they are in the B2B, B2C or other aspect of the value chain;

Companies and organizations that use location data in some aspect of their business including internal operations, sales, marketing or other customer-facing activities or in the development of products and services; and


Public and private sector organizations working to unlock the value of government data, especially those needing guidance on identifying, accessing, and managing location data that is part of open data and open-government initiatives.

While consumers/individuals (end users) of devices such as mobile devices, GPS units, online maps and other location-aware services are not a direct audience, they too may find these guidelines and recommendations of benefit.

SCOPE

This document has a very specific purpose:

It is designed to examine the end-to-end treatment and use of location data, including all the intermediaries in the value chain and all the variations or “mutations” the data might undergo whether in B2B, B2C or other interactions;

It is designed to address the business aspects and concerns associated with the privacy implications of handling location data, for example risk management, competitive advantage, and brand management. It is not intended as a technical review of how location data is created, developed, acquired or exchanged; and

The Risk Assessment Scorecard is designed to assist organizations and professionals in determining potential vulnerabilities in their current practices and procedures relative to the handling of location data.

The intent behind this document is to foster common (standard) business practices in location data management. It is not intended to set public policy, although many of the guidelines and recommendations might prove informative to policymakers.

OBJECTIVES

The Location Forum’s Privacy Council reviewed existing privacy frameworks and was particularly influenced by the following:

OECD Fair Information Principles

The Privacy by Design work of Ann Cavoukian, Ph.D., Information & Privacy Commissioner of Ontario, Canada

The GSMA’s application of Privacy by Design to Mobile Application Development

The White House Consumer Privacy Bill of Rights

Sprint’s Risk Utility Model for Sharing of Location Data

Paul Ohm’s Law Review Article on Broken Promises of Anonymization


In developing these Guidelines, we had several objectives in addition to the Purposes outlined above. Our main objective was to provide a comprehensive perspective, reflective of the dynamics of the entire location ecosystem, that would reveal a new way to think about and approach location data privacy. We sought to build upon existing guidance, yet offer something fresh and unique to the industry that strikes the balance between managing risk and innovation. This resulted in:

1. Practical and actionable measures that anyone can use to mitigate potential location data privacy infringement. The Guidelines were developed by location professionals who work with location data every day and wrestle regularly with the cross-border differences in privacy regulations. Frustration is probably a kind term to describe how these professionals feel about the current state of location data privacy management. In particular, the risk assessment and Location Privacy Index Scorecard were designed to be easily adopted by managers in their day-to-day workflow of assessing risks and evaluating vendors associated with the gathering and use of location information.

2. Distinguishing between internal risk management and external communications to customers, partners, regulators, employees, and the market regarding policies and procedures on the handling of location data.

3. Distinguishing between B2C and B2B issues, especially with respect to communicating policies and procedures to each audience, as each has different needs and objectives.

4. Bringing attention to B2I issues, where the Bring Your Own Device (BYOD) environment, and location tracking of employer-provided devices even when the employee may be “off the clock”, raise privacy concerns.

Our long-term objective is that the Guidelines, Assessment and Recommendations serve as a foundation for an industry framework that includes a seal of responsible location data management, a location data audit, a clearinghouse of responsible location data service providers, and an application that allows individuals to match their location data risk tolerance with the risk profiles of location data service providers.


Part 1 – Overview: The State of Location Data Privacy

In today’s connected world, location is more than just a technology or feature; it’s part of our personality. People define themselves not just by who they are, but where they are. For businesses, location information can transform virtually every facet of an enterprise, whether it is improving operational efficiency, enhancing the effectiveness of sales and marketing or providing customers with new levels of service. It can drive the development of new products, the push into new markets and add a new dimension to business intelligence, all of which can have a positive impact on the bottom line. It is therefore rapidly becoming the newest “information weapon” used by CIOs, CMOs, COOs and digital strategists to gain a competitive advantage.

But it is also confusing for both businesses and users. What are the costs and benefits? What is legal and ethical? Where is the line between adding value and privacy infringement? What should users expect and what should businesses avoid? These are but a few of the issues that must be addressed if the use of location information is to be widely accepted by both businesses as well as consumers.

More importantly, in today’s Social-Mobile-Location world, will the risks of having one’s location constantly tracked, analyzed and shared overshadow the benefits location data can offer? Can potential abuses grow to where the only alternative is regulatory intervention, which potentially dampens innovation? These and many other questions arise daily as companies develop and deploy new location-based products and services.

All of these questions and concerns roll up to four major issues related to Location Data:

1. The majority of the public does not fully understand location data;

2. The majority of businesses need to know more about location data management;

3. The location ecosystem and location data are complicated; and

4. The current policy and legal environment is not aligned with the current state of the technology.

BACKGROUND

Location data has been collected for years but, until recently, it was collected manually, for specific purposes and by organizations that were not selling location-based products and services. Many of these companies operate within industries that are regulated, such as healthcare, financial services, telecommunications and utilities. Because of that, there are strict boundaries imposed on these companies in the ways they can use personally identifiable information, including location data. However, many of these companies are under increasing internal pressure to find ways to monetize the data they have been using for operational purposes.

Unregulated industries and businesses such as advertising, software, consumer electronics, data services and others are a different story. With the advent of “freemium” services and affordable computing horsepower, whole businesses and industries exist for the sole purpose of collecting and selling personal data, including location data. This is made easier by the rise of connected devices that are GPS enabled, Big Data analytics, social media applications, plus local, state, and federal government initiatives including surveillance devices.

Complicating matters is the fact that most people do not understand the value of location information the way they understand the value of personal financial or medical information. Location information is valuable because of its versatility. It is a storyteller, a powerful enabler, a lifesaver and more. It is also complex: full of unintended consequences and privacy risks, because it can reveal more information about an individual or organization than contemplated by the original collection of location data. Information this powerful carries with it some inherent risks, chief among them location data privacy.


WHY LOCATION DATA PRIVACY MANAGEMENT IS CHALLENGING Growing Complexity:

Access: As location technologies increasingly become a feature of new products and ser-vices across multiple industries, the number of players and people that touch location data on a daily basis increases exponentially. The number of players in the location ecosystem from mobile carriers to application providers, data creators and sources to location service providers, governments, enterprises and individuals continues to expand.

Technology: Location technology is so embedded into devices and applications that location is explicitly or implicitly being collected, aggregated and distributed without the individual’s full knowledge.

Business models: A wide range of business models are being used to monetize location and personal data that often mask the intended use or purpose behind the collection, aggregation, or distribution of location data.

Data: The aggregation of location data is occurring at such a scale and fast pace that many technology and application providers do not have the proper controls in place to effec-tively manage the data from a privacy perspective.

Uniquely Sensitive:

Inference: Location data possesses a unique capacity for linking disparate datasets, inferring and revealing personally identifiable information. As such, it can be a missing link in understanding relationships between data and human activity.

Completeness: This ability to “connect the dots” almost automatically results in a much more complete profile of an individual or organization than the base data reveals.

Hidden Details: The result is an entirely new level of “enriched” data that can essentially create a new body of knowledge or information which is causing increased privacy concerns.

Legal Differences:

Unclear Precedent: Location is uncharted legal territory in the broader privacy debate, with piecemeal and narrow precedent to guide the policies and procedures of providers and users of location data.

Unclear Similarities: Many privacy advocates, attorneys, regulators, and location providers seek to adapt or extend the existing privacy frameworks to location data. While there is much that can (and should) be borrowed from these existing frameworks, location data’s differences could trigger a privacy infringement scenario not covered or anticipated in other regimes and therefore requires its own treatment.


UNDERSTANDING LOCATION DATA: WHY IT IS COMPLEX, SENSITIVE AND DIFFERENT

Financial, medical, and location information are the “Big 3” personal data categories. The risks of the unsanctioned disclosure of financial and medical records are well known. However, the value and risks associated with location data are still poorly understood. Relative to medical and financial data, treating location data as personal information is a new concept.

Individual interaction with location data is largely around convenience—getting directions, locating a restaurant, looking for real estate, finding friends, etc. People truly find it useful. It is also still a relatively new phenomenon for many individuals, driven largely by smartphones and ubiquitous broadband.

As such, there is a certain degree of novelty or casualness about its use, and people are therefore not as conscious of the scale at which location data is being collected, aggregated, and distributed. Add in that many times people are unaware their data is being captured. At best they may get an innocuous “this app would like to use your location” alert, which masks a lot of what is really taking place and what that ultimately means from a personal privacy perspective. Individuals have not been educated on the value of location information beyond personal convenience, which explains why it is so misunderstood.

Many businesses do not understand location data management because it is rarely collectively managed within an organization. In many cases it is a new dataset for many departments that comes with hidden complexities. Business interaction with location data is largely around operations, customer experience, real estate and facilities management, and workforce management. Location data privacy management is challenging because location data is growing in complexity, is uniquely sensitive because it acts as a common denominator linking multiple data sets, and it is subject to a diversity of legal and policy frameworks.

UNDERSTANDING LOCATION DATA: MARKET TRENDS, CONTEXT AND ENVIRONMENT

Technology has enabled location data to be created and used like never before and social trends have fueled growing acceptance of sharing one’s location. These drive additional conditions and requirements that companies need to factor into their privacy planning and that impacted our recommendations:

Expanding Universe of Users and Providers: Location data used to be the domain of cartographers and experts in geospatial information because it dealt with specific geographic data and standards. As such it was a relatively closed field of players and users. It was also considered big and clunky to use because of technical challenges in distributing the data. Today location data is used daily by tens of thousands of software developers, thousands of companies, and billions of users.

Explosive Creation of Big Data: Location information is being created at an unprecedented rate by wireless networks, GPS devices, applications, websites, cameras, RFID chips, satellites, swipe cards and other connected devices and technologies.* And much of it is in real-time. Almost any activity that involves digital interaction or verification results in location data being generated. As with any Big Data source that has significant volume, velocity and variety, location data has become far more difficult to manage and trace as it moves throughout a complex value chain of transactions and social media platforms.

*See Location Data in Glossary for a more complete list of Location Data sources.


Inference: Because a lot can be inferred by knowing someone’s location, location data can serve as the connective tissue between disparate pieces of information to build a more complete “picture” about a person or event than most people realize. This in turn creates widespread opportunity for increased and highly detailed data mining on people, assets and places.

Companies may want to use location information about their employees, suppliers, and customers for a variety of human resource, operational, supply chain management, health and safety and market intelligence purposes. Regardless of how benign the intended use of the data might be, any time such information can reveal personally identifiable information, producers and users of location information could be at risk for privacy infringement either legally or morally.

Automated Creation, Collection & Aggregation: While there are numerous sources of location data present today, there are few guidelines or laws on what constitutes a legitimate way to collect, aggregate, manage and explore it. Those that do exist, such as various privacy frameworks, are inconsistent, narrow in scope, or ineffective, resulting in uncertainty around the management of location data. Therefore, the risks associated with handling location data are often misunderstood from individuals to businesses to regulators, and are creating a sense of angst within the industry.

Roles, Relationships and Responsibilities: The issue of split personalities - when is someone an “employee” or an “individual” – is increasingly becoming a problem in today’s BYOD world. Using a smartphone on the job, or blogging and maintaining social media presence on behalf of a company either implicitly or explicitly makes the distinction between employee and individual extremely vague and blurry in both B2I and Individual-to-Individual (I2I) situations. What are the responsibilities of employers in organizations to these individuals? What are the responsibilities of individuals to other individuals? What are the responsibilities of applications to individuals when location information is shared between applications and platforms?

Incomplete Protection Requirements: The value of location information, and the potential knowledge that can subsequently be derived from it is not well understood. Because location information reveals more than you think, it can lead to identity theft and the disclosure of sensitive, confidential information. As information becomes increasingly decentralized in mobile, cloud-based, and BYOD IT environments, businesses need to focus on safeguarding the privacy of this data from competitors, hackers and others or face serious consequences ranging from public embarrassment to legal and financial penalties or worse.

Currently, location privacy attributes or characteristics are not end-to-end assured. In other words, a particular piece of location data may have privacy “rules” associated with it but those rules do not always remain attached to that data as it gets shared between applications, across organizational boundaries or as derivative works are created. This lack of “stickiness” can result in overt (opted-in) or default privacy settings being discarded. So even if the user has taken action to protect her privacy, it is not permanent. For example imagine having an unlisted phone number that becomes publicly searchable after a few months. Therefore, current privacy protection policies and mechanisms must be reviewed and evaluated within the context of the scale at which location data is being collected, aggregated, and shared to mitigate potential privacy breaches.
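One way to give privacy rules the “stickiness” described above, as an added Python example (illustration code, not from the Location Forum or from any product the document names): each record carries its policy, a derivative work inherits the most restrictive combination of its inputs’ policies, and every release is gated on the policy that travelled with the data. The naive_derive function shows the failure mode the paragraph describes, where a derivative is built and the opt-in is silently lost. The Policy fields, function names and sample coordinates are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


# Hypothetical privacy "rules" that should travel with a piece of location data.
@dataclass(frozen=True)
class Policy:
    purposes: FrozenSet[str]   # uses the individual opted in to (e.g. "navigation")
    share_externally: bool     # may the data leave the collecting organization?
    max_precision: int         # decimal places of lat/long permitted downstream


@dataclass(frozen=True)
class LocationRecord:
    subject: str               # pseudonymous device/user reference (constructed)
    lat: float
    lon: float
    policy: Policy


class PolicyViolation(Exception):
    """Raised when a release would contradict the policy attached to the data."""


def naive_derive(a: LocationRecord, b: LocationRecord) -> Dict:
    # The failure mode described in the text: a derivative work (a track built
    # from two reports) that carries no policy forward, so the opt-in the user
    # expressed is discarded the moment the data leaves this function.
    return {"subject": a.subject, "points": [(a.lat, a.lon), (b.lat, b.lon)]}


def merge_policies(p: Policy, q: Policy) -> Policy:
    """A derivative inherits the most restrictive combination of its inputs' rules."""
    return Policy(
        purposes=p.purposes & q.purposes,
        share_externally=p.share_externally and q.share_externally,
        max_precision=min(p.max_precision, q.max_precision),
    )


def derive_track(records: List[LocationRecord]) -> Dict:
    """Build a track from several records; the merged policy stays attached."""
    policy = records[0].policy
    for r in records[1:]:
        policy = merge_policies(policy, r.policy)
    # Coordinates are coarsened to the least precise level any input allowed.
    points = [(round(r.lat, policy.max_precision), round(r.lon, policy.max_precision))
              for r in records]
    return {"subject": records[0].subject, "points": points, "policy": policy}


def release(derived: Dict, purpose: str, external: bool) -> List[Tuple[float, float]]:
    """Gate every release of a derived dataset on the policy that travelled with it."""
    policy: Optional[Policy] = derived.get("policy")
    if policy is None:
        # No attached rules: refuse rather than assume consent was given.
        raise PolicyViolation("no policy attached to derived data")
    if purpose not in policy.purposes:
        raise PolicyViolation(f"purpose {purpose!r} was not consented to")
    if external and not policy.share_externally:
        raise PolicyViolation("external sharing was not consented to")
    return derived["points"]


def release_allowed(derived: Dict, purpose: str, external: bool) -> bool:
    """Boolean wrapper around release(), handy for pre-flight checks."""
    try:
        release(derived, purpose, external)
        return True
    except PolicyViolation:
        return False


if __name__ == "__main__":
    # Constructed sample: two reports from one device with different opt-ins.
    a = LocationRecord("dev-1", 40.7128, -74.0060,
                       Policy(frozenset({"navigation", "analytics"}), True, 4))
    b = LocationRecord("dev-1", 40.7306, -73.9352,
                       Policy(frozenset({"navigation"}), False, 2))
    track = derive_track([a, b])
    print(track["policy"])                                           # intersection of both
    print(release_allowed(track, "navigation", False))               # True
    print(release_allowed(track, "analytics", False))                # False: not consented
    print(release_allowed(naive_derive(a, b), "navigation", False))  # False: rules were lost
```

The design choice worth noting is the default: a derivative with no attached policy is refused, not released. That turns the “rules fell off somewhere in the chain” problem into a visible failure at the point of sharing instead of a silent disclosure.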

Inconsistent Sharing and Acceptable Use Boundaries: The definition of what constitutes acceptable use of location information varies from person to person and situation to situation. This creates uncertainty and raises the risk of businesses crossing an invisible line, damaging their strategy and even harming the very situation they were trying to improve by using location data. Even when individuals are asked to consent to utilizing their location information, they may not fully comprehend the implications of such disclosure in an area with such rapidly advancing and highly synchronized technologies. Understanding how the information may ultimately be used may be difficult for the everyday user. In addition, the legalese of Terms of Use are often ambiguously drafted to protect the location applications or service provider, and are not focused on informing the user on how organizations may use the information. As a result, location information may be shared and accessed without the individual’s or organization’s knowledge.

Lack of Legal, Social and Business Standards: The collection, aggregation, analysis and distribution of location data has grown and evolved absent clear legal, social and business standards. This lack of guidance has contributed to inconsistent policies and a “wild west” attitude towards location-based application, product and service development with little regard for privacy (except where existing regulations are in place with respect to specific industries or law enforcement requirements). While privacy protection is now a mature body of law and policy, the role and application of location data within it remains immature, because many privacy and intellectual property attorneys are not familiar with the nuances of location information and technologies.

Law Enforcement Use: Compliance with law enforcement requirements, while not the subject of this document, is a critical element of providing location-based services, technologies, and applications. Numerous laws and regulations exist for record retention and law enforcement purposes that may result in companies, upon a subpoena or search warrant, releasing personally identifiable location data. Unfortunately, there are many companies that turn over information to government authorities even when the proper warrants are not provided.


UNDERSTANDING THE LOCATION ECOSYSTEM AND HOW LOCATION DATA WORKS

The location ecosystem is comprised of numerous types of enterprises, individuals, products, services and data. Collectively they act as “value chains” that provide or deliver location-based information between companies, people or systems. Table 1 describes the industry landscape and its various categories and areas.

Table 1. Location Ecosystem

CATEGORY: DESCRIPTION

Customer: Enterprise Business, Individual (Consumer)

Hardware/Devices: GPS chips, GPS Device, Smartphones, Desktop, Servers, Sensors, Routers, In-vehicle devices, Drones

Services: Professional Services, Integration, Planning, Development, Location-based services, Financial Services, Legal, Location-based social media

Applications: Asset Management/Tracking, Business Intelligence, Supply Chain, GeoMarketing, Advertising, Market Research, Communications, Geofencing, Augmented Reality, Mobile Resource Management, Navigation, e-Health, Engineering, Precision Agriculture, Gaming

Location Data (3rd Party Geo-referenceable data): External: Demographics, Econometrics, Weather, Business Listings, Social Networks, Mobile. Internal: Business Intelligence Data, Customer Data, Employee Data, Operational Data, Partner and Supplier Data

Geographic Data: Map Digitizing, Remote Sensing, Rectification and Photogrammetry, Geological, Topographical, Thematic, Cartographic and Contour GIS Mapping Data Sets

Location Infrastructure: Lat/Long; Geocode, Cell ID, GPS, A-GPS, Bluetooth, IP Address, WiFi, GIS, PlaceNames, Geographic Reference, Mobile Devices, IP Addresses, Aerial & Satellite Imagery, Business Data, Video, Telco, Cable, Satellite and Mobile Networks, Sensors, Standards—KML, GML, Location Platforms, Storage, Databases, Middleware, ETL, Visualization

An important subset of the entire location ecosystem is the Location-Based Services (LBS) ecosystem. There is enormous growth in the LBS area, and in most cases it is how users consume location. Table 2 outlines organizations involved in delivering LBS services and applications.

Table 2. LBS Ecosystem

WHO HAS ACCESS TO LOCATION: EXAMPLES

Mobile Carriers: AT&T, Orange, Telstra Mobile

Platforms: Apple, Google, Facebook

Device Manufacturers: Nokia, Google (Motorola), Apple

Location Service Providers: Skyhook, Apple, Google, Locaid

Applications: Foursquare, Weather.com, Loopt, AP News, Google Maps, Flickr, Urban Airship

Mapping Data Providers: Navteq (Nokia), TeleAtlas (TomTom), Open Street Maps

Imagery Providers: DigitalGlobe, Microsoft, Google

Data Providers: Urban Mapping, DataSift, Factual, Sense Networks

Advertisers/Enterprise: Honda, Budweiser, MGM, Cisco, Ekahau etc.

Government: Police, FBI, Department of Defense


Location data is collected on individuals and organizations through a variety of means including:

Mobile and GPS-equipped devices

Sensors and M2M networks

GIS systems

Location-based services and applications

Cell-tower and other radio signal-based triangulation

Geo-tagged images

Video, audio, text and image files

Satellite and aerial imagery

Computerized and digitized maps

IP addresses

Public documents

Public and private databases

The data is collected for a variety of purposes from delivery of services, to emergency response, to product registrations, to applications for government or utility services, and more. Once the data is collected, it can be aggregated and blended with other datasets, and shared with a variety of third parties depending on the company’s policies on the use of location data. Figure 2 illustrates how location data is collected, produced, and used from a mobile user perspective.

[Figure 2: LOCATION USES & PRIVACY: A MOBILE USER PERSPECTIVE (diagram; source: Skyhook). Centre: MOBILE USER / LOCATION DATA. Ring “HOW COLLECTED”: NFC, Camera, Cell Towers, GPS, Satellite, BlueTooth, QR Code, WiFi, IP Address. Ring “WHO USES IT”: Applications, Government/Municipalities, Location Service Providers, Enterprises, Network Operators, Mapping & Data Providers, Web Sites, Retail Malls, Device Manufacturers, Law Enforcement, First Responders, Government. Ring “FOR WHAT PURPOSE”: Security, Convenience, Enhanced Services, E-911, Enterprise Optimization, Safety, Location Enhanced Offers, Social, Personalized Content, Targeted Advertising. “BUSINESS & SOCIETAL OBJECTIVES”: Public Health & Safety, Emergency Response, Real-time Information, New Products, Linked Data, Security, Advertising, Improved Services, Business Optimization, Asset & Resource Management. “ISSUES”: Usage Rights, Ownership, Big Data, Consent, Privacy, Stalking, Disclosure, Proprietary Information.]

Source: Skyhook

FIGURE 2: The four rings of the diagram demonstrate how location data moves from and between the mobile user and the various location data collection methods, the users of location data and the ultimate purpose for using location data. It is important to note how the individual mobile user is both a producer and consumer of location data. The law enforcement wedge reaches into all levels of this ecosystem. This illustration also identifies the complexity of the business and social objectives sought from the use of location data and the legal, policy, regulatory and business issues that arise from the collection, aggregation, and distribution of location data.


Part 2 – Guiding Principles & Considerations

The first step in developing effective location data management best practices is a thorough understanding of the data itself including its sources, uses, context and more. In short, location data and its surrounding environment need to be well defined, in order to develop effective best practices and guidelines. If you are new to location data, please be sure to read Part I if you have not done so already.

Following extensive reviews of various privacy frameworks and the issues associated with location information, the Location Forum’s Privacy Council quickly recognized that a viable proactive industry solution to location privacy concerns had to not only involve both the location provider and the individual user of location information, but the entire end to end chain of location information from the originator of the data all the way to the ultimate user of the data and all the intermediate actors in between. Plus it had to be practical to implement.

The public is primarily concerned with the lack of transparency and choice associated with giving up location information as well as a lack of understanding about how valuable such data truly is. In many cases, individuals may be unaware when such information is being divulged or collected. Companies can experience the same situation given how much sensitive corporate information can be revealed by the mobile and semantic activities of employees.

This situation requires a two-part solution in which: 1) the individual user has some control over the information and a means for evaluating her choices and, 2) the provider clearly discloses how and why location information is being collected, aggregated, and distributed. In addition individuals need an opportunity to redress any errors in their data.

In a B2B situation, the value chain for delivering location technologies, services and applications is more complicated. For instance, how do you know the privacy practices of the various players in the chain? How does a company know if their usage rights are being respected in downstream applications? How do business models create risk or assurance in regards to respecting personal privacy?

The Privacy Council determined that what is missing in the location industry, especially within the context of Big Data, is a sense of trustworthiness of the applications, services, and devices that collect, aggregate and distribute location information. This lack of trustworthiness could only be addressed by inserting greater transparency into the equation.

Taking these requirements into account, these Guidelines are based upon a few key, overriding principles:

Practical implementation: The Guidelines have to be easy for both location providers to adopt and implement, and easy for individual and business users to understand and act upon. While many large companies have the luxury of large legal staffs that can work with product development teams, the smaller companies often lack such resources. Therefore the Guidelines needed to be pragmatic and not consume significant resources so that entrepreneurs can continue developing new innovative products and services. The Guidelines must be stated in simple and clear terms that could easily be integrated into existing workflows. The Guidelines were designed to offer the greatest reward with the least burden to both providers and users of location data.

Transparency and Disclosure: It is the lack of transparency in the location data market that breeds suspicion and distrust. The Guidelines needed to help companies craft policies and notices that state in clear and unambiguous terms, how they will use, collect, aggregate and share specific location data. Visibility into the business models and financial motivations of companies in the use of personal data including location data is a critical component of transparency. The ability to audit and trace usage rights is also an element of transparency.

Choice and Informed Consent: In the B2C environment, a robust Informed Consent policy is needed, which is a key element in transparency and building trust. Informed Consent is more than a mere notification or request to use one’s location information. For example, a mobile application’s simplistic request to “use your present location” is insufficient. Informed consent gives the user a clear understanding of how the data may be used, aggregated and shared. Permission to use the data without this level of understanding is not informed consent. This requires a usage-based opt-in policy with potentially more than a simple yes/no choice. Informed consent is what provides real individual choice.

These guiding principles and considerations led us to structure the Guidelines as follows:

1. Guidelines and Recommendations for the Management of Location Data (Part 3). This includes internal management practices and external customer facing practices for standardized communication with the marketplace and customers on how their location data is used.

2. Location Data Privacy Risk and Transparency Assessment to gauge strengths and weaknesses relative to privacy policies and procedures (Part 4).

We are also developing an online Location Data Privacy “Scorecard” which is a detailed tool that produces a Location Data Privacy Index (LDPI) score based on the answers to in-depth questions. The LDPI score can be used to benchmark against peers, and to communicate an organization’s state of location data privacy management to the market. Whereas the Location Data Privacy Review in Part 4 provides a high-level (High, Medium, Low) indication of current risk exposure, the online assessment provides an actual score and recommendations to improve the score, and therefore location data privacy management.


Part 3 – Guidelines & Recommendations for the Management of Location Data

Ask most people about sources of location data and they will quickly think of some of the more common ones such as the ubiquitous “this app would like to use your location” notice on a mobile phone, a mapping application or even a credit card transaction. But these are just the tip of the iceberg. A lot of location data collection happens “below the surface” where people are likely unaware it is even taking place. Table 3 shows examples of the different ways location is tracked and gathered.

Table 3. Sources of Location Data

CATEGORY: EXAMPLES

Retail Consumer Products: Product Tagging; Loyalty Programs; Contests; Product Warranty / Registration

Mobile Communications / Location-Based Apps: Mobile Network (Cell Towers); Mobile Device Usage (GPS); WiFi (Retail Hotspots, Hotels, Airports, in-Flight, clothing); Mapping Apps

Social Media Correspondence: Email; Social Media; Location Specific Apps (FourSquare, Loopt etc.); Chat (Facebook, Twitter, etc.); Photo Tagging (InstaGram, Flickr, etc.)

Financial Transactions: e-Commerce Transactions; Credit Card Use; Online Banking & Bill Paying; Online transactions (PayPal)

Enterprise / Organization Data: Customer Data (Ex: Disney customer experience bracelet); Employee data (emails, social media, work schedules, mobile phone use, personnel files); Forms, registrations, surveys; Open Data/Publicly available data; IP Address

Healthcare: Remote Vital Signs Monitoring (Blood Pressure Meters, Heart Monitors, etc.); Electronic Health Records; Emergency Room Check-In; E-Health apps (exercise, running, diet, nutrition, etc.)

Security: Cameras; Turnstiles; Personal tracking devices

Travel: Mobile-Enabled Check-in (Airlines, Hotels, Rental Cars); WiFi Hotspots (Hotels, In-Flight, Restaurants); Toll Pass Cards; Train/Bus Passes

Other: Web Traffic and Searches, Local Search


Establishing a set of recommendations that address the diversity of applications and guard against abuse while fostering innovation is crucial. Transparency is key. Individuals must also have confidence that the businesses who collect their location data will be good stewards – using it in beneficial ways while safeguarding and respecting their privacy.

The following recommendations collectively form a set of ‘good practices’ any business should follow. They include recommendations for internal policies and procedures that can mitigate risks of privacy infringement. They also include recommendations on sharing the risk with individuals by enabling the individual to make informed choices. Recommendations that pertain more to certain types of companies or situations are appropriately noted.

Questions of harm and infringement are still unresolved legal and policy issues. When does location privacy infringement occur? At the collection level? At the aggregation level? At the distribution level? Does location data collected that is not shared cause harm? Should an individual whose location information is being collected have the right to choose whether the information is collected and how it can be used?

These recommendations assume that harm and infringement turn on the intended and actual use of the location data. As such the recommendations focus on transparency and disclosure so that providers act as good stewards of sensitive location information and individuals are provided the option to protect their location privacy or to knowingly give up their privacy in exchange for a service.

Most of the recommendations in this section apply to specific situations or areas. However there are a few overall guidelines that pertain across the board regardless of whether the issue is one of policy, notice and consent, permission or usage. Our recommendation for implementing the Guidelines is to:

Keep it Simple: Make it easy to understand. Use “everyday” language not jargon or legalese and keep it brief.

Make it Clear: Be “crisp”. No fine print or various stipulations. Make use of graphics, charts and icons wherever possible.

Use Common Methods: Use tools and techniques people are familiar with and accustomed to using such as pop-up screens, tick boxes and such. There should be no learning curve.

Each recommendation has three components:

1 General Guideline which acts as an overarching principle;

2 Specific Recommendation which illustrates how to implement the general guideline; and

3 Example which describes a business scenario, use case or good practice.


RECOMMENDATIONS FOR ACQUISITION, USAGE & HANDLING

1. Minimize the Type and Quantity of Data Collected and Retained

GENERAL GUIDELINE:

Do not collect, aggregate, or store data you do not need. As a result of advances in computer science, in particular deanonymization techniques, which enable personally identifiable information to be derived from anonymous data, all information collected from individuals should be treated with the highest degree of due care and respect. This begins with minimizing data acquisition and retention to reduce risk.

SPECIFIC RECOMMENDATION:

Reduce the specificity or granularity of location data collected when geographic precision is not necessary. It is important to collect location data at the right level of detail or granularity for the application.

Location data can be accurate yet not geographically precise. Depending on your use or application, it is important to know the level necessary in order to deliver the service or to do your required analysis. In some cases, the exact latitude/longitude is a requirement while in other instances, a zip code or area within a city or state will suffice.

EXAMPLE:

Keeping Data: A company is computing traffic flow to identify traffic jams based on mobile device reports. Does the location data need to be associated with a specific device/user or is it sufficient to obtain non-identified data? Even if an ID is available and used for authentication, does it need to be stored?

Using Part of the Data: A mobile book company is interested in providing information about popular books being read at different locations. Is precise location required? Can you reduce the level of precision of the data and still satisfy the requirement without affecting the accuracy?

Replacing Sensitive Data: The same mobile book company could consider exchanging precise latitude and longitude information with postal code or city, DMA, or other regional identifiers if that meets the business requirements.

In all of the above examples, there are additional data minimization questions that should be asked, such as:

How long do I need to keep this data?

Who should have access to this data?

Does it need to be linked to individuals?
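The three examples and the questions above, worked through as an added Python example (illustration code, not from the document or from any company it names; the device reports, grid size, congestion threshold, region labels and retention period are constructed assumptions): the traffic-flow case keeps only per-cell aggregates so no device identifier is ever stored, the book-location case coarsens coordinates to a roughly one-kilometre grid and swaps the cell for a regional label, and a retention helper answers “how long do I need to keep this data?”.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed sample: raw mobile device reports as a service backend might
# receive them. The device_id is needed to accept the report (authentication),
# but the question the text asks is whether it must also be *stored*.
RAW_REPORTS = [
    {"device_id": "dev-a", "lat": 40.71282, "lon": -74.00603, "speed_kph": 5.0,  "ts": "2013-05-01T08:00:00Z"},
    {"device_id": "dev-b", "lat": 40.71391, "lon": -74.00680, "speed_kph": 8.0,  "ts": "2013-05-01T08:01:00Z"},
    {"device_id": "dev-c", "lat": 40.71000, "lon": -74.00800, "speed_kph": 11.0, "ts": "2013-05-01T08:01:30Z"},
    {"device_id": "dev-d", "lat": 40.75812, "lon": -73.98551, "speed_kph": 40.0, "ts": "2013-05-01T08:02:00Z"},
    {"device_id": "dev-a", "lat": 40.71300, "lon": -74.00700, "speed_kph": 7.0,  "ts": "2013-05-01T08:03:00Z"},
]

# Constructed lookup standing in for a postal code / DMA table; any real table
# would be keyed the same way (coarse cell -> regional identifier).
REGION_LOOKUP = {
    (40.71, -74.01): "region-A (constructed)",
    (40.76, -73.99): "region-B (constructed)",
}

Cell = Tuple[float, float]


def coarsen(lat: float, lon: float, decimals: int = 2) -> Cell:
    """Reduce precision: two decimals of a degree is a cell of roughly 1.1 km north-south."""
    return (round(lat, decimals), round(lon, decimals))


def traffic_flow(reports: List[Dict], decimals: int = 2,
                 congestion_kph: float = 15.0) -> Dict[Cell, Dict]:
    """Per-cell report count and mean speed ("Keeping Data" example).
    The device identifier is never copied into the output structure."""
    totals: Dict[Cell, Tuple[int, float]] = {}
    for r in reports:
        cell = coarsen(r["lat"], r["lon"], decimals)
        n, speed_sum = totals.get(cell, (0, 0.0))
        totals[cell] = (n + 1, speed_sum + r["speed_kph"])
    return {
        cell: {"reports": n,
               "mean_speed_kph": speed_sum / n,
               "congested": speed_sum / n < congestion_kph}
        for cell, (n, speed_sum) in totals.items()
    }


def minimized_record(report: Dict, decimals: int = 2) -> Dict:
    """If a per-report record must be kept at all ("Using Part of the Data"):
    coarse cell and hour bucket only, no identifier, no exact timestamp."""
    return {"cell": coarsen(report["lat"], report["lon"], decimals),
            "hour": report["ts"][:13]}


def region_record(report: Dict, decimals: int = 2) -> Dict:
    """"Replacing Sensitive Data": store a regional label instead of coordinates."""
    cell = coarsen(report["lat"], report["lon"], decimals)
    return {"region": REGION_LOOKUP.get(cell, "unknown"), "hour": report["ts"][:13]}


def _parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def purge_expired(records: List[Dict], now_iso: str, retention_days: int = 7) -> List[Dict]:
    """"How long do I need to keep this data?": drop anything past the retention period."""
    cutoff = _parse_ts(now_iso) - timedelta(days=retention_days)
    return [r for r in records if _parse_ts(r["ts"]) >= cutoff]


if __name__ == "__main__":
    for cell, stats in traffic_flow(RAW_REPORTS).items():
        print(cell, stats)
    print(minimized_record(RAW_REPORTS[0]))
    print(region_record(RAW_REPORTS[3]))
    print(len(purge_expired(RAW_REPORTS, "2013-05-10T00:00:00Z")))  # 0: all older than 7 days
```

Note that the granularity is a parameter: the same coarsen() call that produces a kilometre-scale cell for the book service can be run with more decimals where the application genuinely needs precision, which is exactly the “right level of detail for the application” decision the recommendation asks for.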

THE PITFALLS OF “MORE DATA IS BETTER”

When organizations look to collect data, many times they take a “more is better” approach and ask for information they really don’t need or have no immediate plans to use. Sometimes there is a valid reason (future analysis, a new product offering) but often it is done “just in case we need it.” The more data that is collected, especially personally identifiable data, the more risk it creates for the organization. In addition to the privacy risks associated with collecting unnecessary data, there are economic and infrastructure concerns:

The data must be stored and the records maintained

The data must be secured

The information becomes out of date and marginally useful


2. Create a Privacy Checklist to Guide Application Development

GENERAL GUIDELINE:

Software developers, engineers, product managers and others involved in the application/product development cycle need a structured reference guide so that they consider the potential privacy implications of the way a particular application or service handles location data.

SPECIFIC RECOMMENDATION:

Anyone involved in some aspect of the development cycle - whether the application is being developed for internal use (operations), external use (targeted marketing), or as a product/service sold by the company - needs to have keen awareness of how the application is coded and how the location data is handled.

Often, software developers take the most expedient path to requesting and transferring data. This approach is generally taken to meet aggressive product development timelines. Developers should be rewarded for building in privacy protections just as they are rewarded for meeting aggressive product development schedules.

The ability to reward software developers for developing with privacy considerations in mind starts with their understanding of the privacy issues related to their software engineering responsibilities and a checklist to guide their behavior.

EXAMPLE:

The following issues should be the foundation of your checklist:

Is the location data collected, aggregated or shared without the user’s knowledge? If so, what is the rationale for not informing them?

If location data is being collected that is not necessary for the performance of the application, product or service, ask why it is being collected and if it is necessary to do so.

For any location data collected, understand how it will be stored, retained and archived.

Ensure the legal and marketing departments have been brought into the loop to make sure no critical lines are being crossed in the way the application, product or service is being developed that could later cause problems for the company.

For all location-based applications, ensure informed notice and consent is embedded in the software and activated upon launch of an application, provisioning of a new device or communications service.

Be sure the location data chain and usage rights can be traced on all applications that make use of location data. See Recommendation 12 for additional details.


3. Create a Checklist for Others Who Use and Handle Location Data

GENERAL GUIDELINE:

Numerous teams and departments may make use of location data to perform key tasks. It is critical that these people have access to a similar set of guidelines to ensure privacy regimens are understood and followed so that the data is protected.

SPECIFIC RECOMMENDATION:

As a strategic asset, location data is an integral part of many business processes and functions including operations (e.g. boosting efficiency), asset tracking (fleet management), targeted marketing (mobile ads) and customer service (loyalty programs), to name a few. While many of these functions are not involved in the actual acquisition of the data, they all make use of the data and interact with the systems and databases where the information is housed.

This raises many of the same issues regarding privacy integrity including the potential for misusing the data, altering it, revealing it, not securing it or compromising an individual’s privacy in some manner.

Anyone making use of location data, regardless of their role or where they are in the acquisition and handling “chain”, needs a structured reference guide to follow to ensure privacy implications of using location data are carefully considered.

EXAMPLE:

The following issues should be the foundation of this checklist:

Is the location data being collected and used without the user’s knowledge? If so, what is the rationale for not informing them?

Is location data being collected (or made available) that is not necessary for the task or function? If so, why is this data being collected or made available when it’s not necessary?

Do the people using the data have access to more information than they need for their job (i.e. the database contains street addresses when only postal codes are needed)?

Does everyone with access to location data understand how it will be stored, retained, archived, and shared?

Do they understand which critical lines cannot be crossed because it could later cause problems for the company?

Do they understand the implications including legal and public image if location data privacy is compromised?


4. Develop Processes and Systems to Automate Usage and Handling Management

GENERAL GUIDELINE:

While establishing location data privacy policies and guidelines is a critical step, the sheer volume of data being collected along with the complexity of the environment makes it virtually impossible to manage adequately by hand. It is imperative that enterprises implement a comprehensive set of management processes and systems to automate the task of governance compliance. In addition, regular privacy audits should be performed and the appointment of a Location Intelligence Officer is highly recommended.

SPECIFIC RECOMMENDATION:

In today’s era of Big Data, the amount of location data enterprises deal with is staggering and constantly growing because of the frequency and speed with which new or modified location data is collected. Data aggregation and linkage introduce additional levels of complexity because it extends privacy compliance and governance beyond a single transaction or piece of discrete data to include all the “connected” data sets. The net result produces a situation that is almost unmanageable using manual methods.

To properly mitigate risk, an enterprise must create a precise and comprehensive set of business processes which can then be implemented (or embedded) in systems in order to automate governance management. These processes and systems need to be able to authenticate users, manage data rights and create alerts whenever data usage violates privacy or contractual obligations. They also need to be able to detect changes in policy and alert the appropriate people internally as well as external partners and users (see Recommendation 8 for more on change notification).

This goes far beyond basic monitoring. These systems need to be able to validate every transaction and bit of data to ensure compliance with governance policies. This means being able to probe into aggregated data sets as well as linked data to verify these are also compliant.

In addition, the Location Forum recommends that all organizations that use and manage location data across the enterprise implement some form of regular location data governance audit process. These audits not only verify adherence to governance policies, they also point out where policies may need to be modified.

Lastly, the Forum strongly encourages companies that rely on location data to appoint a Location Intelligence Officer or equivalent to oversee and manage the integration of the data with all the applications that access and use this data (see Recommendation 13).

EXAMPLE:

See Recommendation 12 for an Example and additional details on Governance. Part 4 of this document also addresses specific issues related to a robust auditing regimen.


RECOMMENDATIONS FOR OPENNESS, NOTICE & CONSENT

5. Require Informed Consent From Customers and Users

GENERAL GUIDELINE:

The individual must be told how the location provider, application, service or device intends to use her data, and she must agree via some common opt-in or user agreement mechanism, such as a pop-up screen. (Applies only if you are collecting information directly from an end user. Does not apply to remotely collected information, for example satellite imagery or surveillance cameras.)

SPECIFIC RECOMMENDATION:

Always be upfront. Whenever possible, the informed consent should take the form of a pop-up screen when the application launches, the device is turned on or configured, or the service is provisioned. It should also be incorporated in the location data privacy policy.

EXAMPLE:

A new subscriber to a location-based service might see this notice before completing the transaction for the service.


6. Match the Notice to the Service

GENERAL GUIDELINE:

Location services vary greatly in terms of the sources of location data, the types of service and functionality, the device being used, and numerous other characteristics (see Table 3 for the various sources of location data and types of location-based applications). When determining how to communicate with users, it is important that the Notice and Consent is tailored to conform to all of these variations.

SPECIFIC RECOMMENDATION:

When implementing Notice and Consent, careful attention to format and wording – even when the notice should appear – are key considerations and vary depending on several conditions. Context plays an important factor. This is not a one-size-fits-all situation and today’s catchall notice [e.g. “this app would like to use your location”] is inadequate on several levels. It tells the user nothing about what happens to her information and in some cases, why the app is even asking for it.

A balance needs to be struck between providing enough information so someone can make an informed choice without lapsing into too many details and fine print that people will not read or understand it. Clearly that is asking a lot, especially if the notice is on a mobile device where screen size may be limited.

EXAMPLE:

The following checklist illustrates some of the key parameters to consider when creating an appropriate notice for an app or service:

Is the device itself a limiting factor (screen size, etc.)?

Does the environment where the app/service is likely to be used pose limitations (public area, while moving, etc.)?

Is the need to provide location data obvious to users (i.e. obtain directions)?

When should the notice appear, for example when the app/service is first installed or provisioned, each time it launches, or only when the user makes a request?

Should the app/service allow users to set an “always provide” option so they don’t have to reply each time?


7. B2B Disclosure

GENERAL GUIDELINE:

In addition to communicating with end users, companies in the location data chain should advise their B2B customers of their location data privacy policies in an industry-accepted manner.

SPECIFIC RECOMMENDATION:

1. A B2B location data privacy disclosure form should be shared with all prospective and existing B2B customers. This disclosure form should communicate the key aspects of your company location data privacy policy and resemble (or be the equivalent of) the simplified example presented in Recommendation 9.

2. Likewise, any company involved in the sharing of location data with potential or existing vendors and partners should request to see their LDPI score. The LDPI is the resulting score from the Location Forum’s online “Scorecard” (see Recommendation 10 and also Part 4 for details).

EXAMPLE:

There are several parallels between the B2B Disclosure Form and your overall privacy policy. Use the Location Data Privacy Policy example on page 32 (Recommendation 9) as a guide to creating your Disclosure Form.


8. Notification of Changes to Policies, Procedures or Business Practices

GENERAL GUIDELINE:

Any time a change is made to how an organization collects, uses, aggregates, distributes, or shares location data the user must be notified and given the option to again opt-out or opt-in. This applies equally to organizations that obtain data from third parties including public sources.

SPECIFIC RECOMMENDATION:

The processes and systems from Recommendation 4 should detect changes in policies, procedures or business practices. Using this information, the systems can generate and send the appropriate internal and external notices. The location data governance and audit system (see Recommendation 12) should automatically alert software developers, product and solutions managers and front-line support personnel to these changes, and users should be afforded the opportunity to opt-out or opt-in again.

EXAMPLE:

The notification process need not be an onerous and cumbersome task. A simple pop-up screen similar to what was originally shown the user will suffice.

[Figures: B2C Example notice and B2B Example notice]


RECOMMENDATIONS FOR POLICY, TRACEABILITY & ACCOUNTABILITY

9. Develop and Publish a Location Data Privacy Policy

GENERAL GUIDELINES:

A location data privacy policy is the cornerstone of any privacy regimen. It should be comprehensive, easy to find, written in straightforward language and clearly inform the user or individual of how her location data will be used. It should also be easily accessible by employees who are tasked with working on location-based products and services.

SPECIFIC RECOMMENDATION:

Your location data policy is like a contract or agreement between your organization and the individuals or other organizations whose data you intend to acquire and use. It is not something to hide behind, so it is important that it be clear, concise and comprehensive so that anyone involved – from the user to employees and partners – knows the type of data you gather, how you plan to obtain it, what you use it for and more. It also needs to address any plans you have to sell, share or distribute it in any way.

The policy needs to address these key elements:

Visibility: Is the policy visible and easily accessible by employees, partners and users?

Collection and Usage: Does the policy clearly explain how the location data is collected, used and shared?

Governance: Does the policy describe how you maintain a consistent program of oversight including executive responsibility and external audits?

Notice and Consent: When people use your application or service:

o Does the policy succinctly and clearly inform users of your location data practices and what you intend to do with their location data?

o Does the policy make it easy for people to opt-in and opt-out of using your service or application?

Redressability: Do you have user-friendly controls in place for people to change, correct or delete incorrect information you have on file?

Specifically the policy should include things such as:

The source of the data and how permission to use it is obtained;

How the data was collected, and whether it was collected with consent;

How it will be used - for internal purposes (research, operations, etc.), for developing or delivering products & services, or other uses;

Whether there are any limitations on the use and distribution of the data;

Whether the data is anonymized so an individual cannot be identified;

Whether the data is aggregated or combined with other data;

Whether or not the data is sold or shared with other third parties for any reason (including law enforcement requests for information);

The type of audit system for monitoring licenses and usage rights you employ; and

Whether the data is retained and if so, how, where and what safeguards are in place to prevent unauthorized access.


EXAMPLE:

A simple yet effective approach to developing and publishing a policy that does not require an army of lawyers is a table format. Checking the appropriate boxes in the following table allows everyone to understand your intentions:

COMPANY X LOCATION DATA PRIVACY POLICY*

EFFECTIVE AS OF: [DATE]

[ ] We collect location data only with user consent

[ ] We collect location data without user consent

[ ] We collect location data from a variety of sources including:

    [ ] Mobile phone   [ ] IP address   [ ] GPS-enabled device   [ ] Forms, surveys, or applications for services

    [ ] Data providers   [ ] Digital transactions   [ ] Cameras, including satellites   [ ] Sensors

[ ] We acquire location data from sources that require user consent

[ ] We acquire location data from sources that do not require user consent

[ ] We acquire location data from open sources and do not know the data acquisition procedures

[ ] We aggregate location data without user consent

[ ] We acquire anonymized data

[ ] We anonymize location data prior to aggregation and distribution

[ ] We share location data with third parties only with user consent (includes selling and renting of data)

[ ] We share location data with third parties without user consent (includes selling and renting of data, and compliance with law enforcement)

[ ] We reduce the accuracy of the geographic coordinates to prevent personally identifying the individual

[ ] We do not reduce the accuracy of the geographic coordinates to prevent personally identifying the individual

[ ] We correlate location data with other data

[ ] We de-anonymize anonymized data and use this de-anonymized data in our aggregation models

[ ] The location data has license restrictions

[ ] The location data does not have license restrictions

[ ] We retain all location data collected and aggregated, whether or not anonymized, indefinitely

[ ] We retain all location data collected and aggregated, whether or not anonymized, for a specified duration

*When completed, unchecked items should be removed to avoid confusion. All checked items become your location data privacy policy.


10. Conduct Periodic Risk Assessment

GENERAL GUIDELINE:

Business conditions and technology are constantly changing. Product managers, marketers, software developers, IT professionals, and executives responsible for location-based products and services should assess their level of location data privacy risk at least twice a year.

SPECIFIC RECOMMENDATION:

Because of changing market and regulatory conditions along with the sheer volume of data being collected, it is important that organizations regularly assess their business drivers relative to location data and their operational and transparency risk relative to managing location data (just as they regularly assess their financial state).

1. To assess business drivers, companies should facilitate twice-yearly meetings with leaders of all organizational departments to review the business, technology and environmental changes that impact the use of location data within the organization.

2. To assess operational and transparency risk, the Location Forum recommends taking the Location Data Privacy Risk and Transparency Review (see Part 4) twice a year. A risk assessment “Scorecard” is coming soon and will be available online at http://www.thelocationforum.org/privacy. However, the Review worksheet in Part 4 will provide you with a high-level snapshot of your risk profile.

The “Scorecard” will calculate your Location Data Privacy Index (LDPI), which indicates the areas that require attention and enables you to proactively make the necessary policy, operational or IT changes needed to ensure risk and transparency are managed within corporate guidelines. The LDPI score can also be used to advise your existing and prospective customers, partners and regulators of your thoroughness and trustworthiness. The Location Forum recommends assessing your LDPI score once a year.

EXAMPLE:

For assessing changes in business and technology, the organization’s Location Intelligence Officer or equivalent can use the table below as a framework to assess where changes have occurred in the organization, or with vendors and partners, and the impact these changes have on managing your location data risk.

Columns to fill in for each functional/organizational area:

BUSINESS: Where is location data used? How relevant is it to this area? (fill in)

TECHNOLOGY: Is location technology embedded in new or upgraded technology currently in use or proposed? (Yes/No)

ENVIRONMENT: Has the organization’s use of location data changed in this area? (Yes/No)

Functional/Organizational Areas (one row each):

Partners & Channels

Products & Services

Customer Experience Programs

Marketing & Advertising

Operations

Logistics

Human Resources

IT


11. Allow Control Over Location Profile

GENERAL GUIDELINE:

If location information is attached to an individual, that individual should have the right to inspect, change, and possibly remove her data.

SPECIFIC RECOMMENDATION:

Often, despite best efforts, personal data collected on individuals is incorrect. The user should have the ability to view her location profile and correct any incorrect information. The Provider should make the ability to view one’s location profile easy to find and easy to amend. The Provider should also provide a contact person or redressability process so that users can address their concerns.

The user should be able to access information on how to control her location information from multiple points, so that finding the information is intuitive. For example, the user should be able to find the information on an application or website in the following areas:

Customer Support

FAQ (frequently asked questions)

Account Management

Privacy Management

Options to control location data should not be buried in terms and conditions or system preferences.

EXAMPLE:

Just like computer users have the ability to delete cookies, individual location users should have the ability to delete their location history. This also means that users should have the ability to prevent certain providers from utilizing their location data.

In addition, much like credit bureaus remind people to check their credit reports once a year to monitor any potential fraudulent activity or errors, companies who collect location information and provide location-based services should remind people to review their location data profile and privacy selections periodically.


12. Create a Location Data Governance and Audit Program

GENERAL GUIDELINE:

All companies that acquire, utilize, or produce location data should establish a location data governance program to trace the sources of location data, the restrictions on the data, how the data is ultimately used, and how data is retained and deleted. It is important to note that data tends to flow continuously through an organization because it is used repeatedly across multiple applications and products. A location governance program tracks this continuous flow, while an audit is only a snapshot in time.

SPECIFIC RECOMMENDATION:

When acquiring location data from individuals, third-party or government sources, acquiring companies agree to a variety of terms and conditions, licensing arrangements and rights to use. Every organization should have a system for recording these contractual and privacy obligations and for alerting staff to how that information can or cannot be used (see Recommendations 4 & 8).

While a small number of files can be tracked over a short period in documents, spreadsheets, or the workflow notes of conscientious data handlers, larger numbers of files (or any number of files over longer periods of time) require a formal cataloging system.

In particular, companies that use location data in the development of derivative products and services should establish an automated governance and audit system that can systematically and programmatically search, manage, monitor, and audit the relationship between the location data that comes in the door and the licensing, privacy and other restrictions that govern the terms of use of that data.

In some instances existing data governance systems can be modified to incorporate privacy considerations. In other instances where such systems are not in place, the Location Forum recommends utilizing the soon to be released Location Data Governance and Audit Framework Model, which includes:

1. A source code: a permanent, numerical identifier for every piece of incoming (and, depending on your use cases, every piece of engineered or derivative) data.

2. A two-way search mechanism: When you have the data in front of you, the catalogue should lead you to the data restrictions and when you have the licensing or source of the data in front of you, the catalogue should lead you to the data.

3. Verification: Establish business or software rules to check source codes when data is incorporated into products and services. This creates alerts as to prohibited uses.

EXAMPLE:

You acquire location data that comes from Company A, who has provided it under a license agreement. That agreement permits the zip code/postal code portion of the address information in that dataset to be integrated into your product, but not the street addresses, because they contain personally identifiable information. A source record is created when your company receives the data. The “zipcode” field is tagged with a number “1” to indicate that integration of zip codes into products and services is permitted without restriction. The “street address” field is tagged with a number “4” to indicate that integration of street addresses into any product or service is prohibited.

Should your company and Company A decide to change the licensing agreement to develop a product that incorporates street addresses, the source record can be amended to reflect this change. For example, the “street address” field would be tagged with a number “5” to indicate that integration is permitted only for defined products and services.
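The three parts of the framework (source code, two-way search, verification) and the Company A scenario above, as an added Python example that also serves the automated alerting asked for in Recommendation 4 and the change handling in Recommendation 8. This is illustrative code, not the Location Forum’s Framework Model. Codes 1, 4 and 5 and their meanings are taken from the page; the catalogue class, the licence identifier, the product names and the default-deny rule for fields without a recorded code are this example’s own assumptions.

```python
"""Source catalogue with restriction codes and a verification rule (added example).

A source record gets a permanent numeric source code; each field carries a
restriction code; check_use() is the software rule that runs when data is
incorporated into a product and raises an alert on prohibited uses."""
from dataclasses import dataclass, field

# Restriction codes as used in the page's worked example.
PERMITTED = 1             # may be integrated into any product or service
PROHIBITED = 4            # may not be integrated into any product or service
PERMITTED_FOR_LISTED = 5  # may be integrated only into the products listed
# Codes 2 and 3 are not defined on the page and are left unassigned here.


@dataclass
class FieldRule:
    code: int
    products: frozenset = frozenset()   # only consulted for code 5


@dataclass
class SourceRecord:
    source_code: int      # permanent numeric identifier, never reused
    provider: str
    licence_id: str       # assumed licence reference (not from the page)
    fields: dict = field(default_factory=dict)   # field name -> FieldRule


class Catalogue:
    """Two-way index: source code -> restrictions, and licence -> source codes."""

    def __init__(self):
        self._by_source = {}
        self._by_licence = {}

    def register(self, rec):
        if rec.source_code in self._by_source:
            raise ValueError(f"source code {rec.source_code} already issued")
        self._by_source[rec.source_code] = rec
        self._by_licence.setdefault(rec.licence_id, []).append(rec.source_code)

    def restrictions(self, source_code):
        """Data in front of you -> its restrictions."""
        return self._by_source[source_code].fields

    def sources_under_licence(self, licence_id):
        """Licence in front of you -> the data it governs."""
        return list(self._by_licence.get(licence_id, []))

    def amend(self, source_code, field_name, code, products=()):
        """Record a changed licence term (Recommendation 8 change event)."""
        self._by_source[source_code].fields[field_name] = FieldRule(code, frozenset(products))

    def check_use(self, source_code, field_name, product):
        """Return (allowed, reason). Unknown sources and fields are denied by default."""
        rec = self._by_source.get(source_code)
        if rec is None:
            return False, f"unknown source code {source_code}"
        rule = rec.fields.get(field_name)
        if rule is None:
            return False, f"{field_name} from source {source_code} has no recorded rule"
        if rule.code == PERMITTED:
            return True, "permitted without restriction"
        if rule.code == PERMITTED_FOR_LISTED and product in rule.products:
            return True, f"permitted for {product}"
        return False, f"{field_name} from source {source_code} is restricted (code {rule.code})"


def audit_product(cat, product, uses):
    """Verification rule run before a product build; returns alert strings."""
    alerts = []
    for source_code, field_name in uses:
        ok, reason = cat.check_use(source_code, field_name, product)
        if not ok:
            alerts.append(f"{product}: {reason}")
    return alerts


def build_catalogue():
    """Constructed data for the Company A scenario."""
    cat = Catalogue()
    cat.register(SourceRecord(1001, "Company A", "LIC-A-2013", {
        "zipcode": FieldRule(PERMITTED),
        "street_address": FieldRule(PROHIBITED),
    }))
    return cat


if __name__ == "__main__":
    cat = build_catalogue()
    uses = [(1001, "zipcode"), (1001, "street_address")]
    print(audit_product(cat, "StoreLocator", uses))   # one alert: street_address
    cat.amend(1001, "street_address", PERMITTED_FOR_LISTED, ["StoreLocator"])
    print(audit_product(cat, "StoreLocator", uses))   # no alerts after the amendment
    print(audit_product(cat, "AdTargeting", uses))    # still one alert for another product
```

Denying fields with no recorded rule is the conservative choice: data that arrived without a source record has no traceable licence, which is exactly the case the catalogue exists to surface. In a deployment, audit_product would be wired into the build or release pipeline so that an alert blocks integration rather than merely logging it.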


13. Appoint a Location Intelligence Officer

GENERAL GUIDELINE:

The Location Forum recommends that all organizations that use and manage location data across the enterprise should appoint a Location Intelligence Officer (LIO) or equivalent to oversee and manage the integration of the data along with various applications utilized by the organization to aggregate, analyze, visualize, and distribute location data.

SPECIFIC RECOMMENDATION:

With location data having tentacles throughout an enterprise and with security and privacy a critical business priority, the task of keeping up with and managing all of the policies, practices and uses associated with location data requires full-time attention. The appointment of a LIO is a necessity.

Depending on the company structure, the LIO can function as a standalone role or be under the CIO, the strategic planning unit, or Chief Security/Risk Officer.

EXAMPLE:

LOCATION INTELLIGENCE OFFICER PROFILE

Skills: Budgeting, Project Management, Engineering/Product Development, Operations, Sales & Marketing and the ability to understand the impact of operational, customer, and marketing data; risk management and governance

Location Intelligence Experience: Location Data and its procurement, use, and maintenance; Geospatial Technology; Technical Infrastructure and Architecture and Enterprise Data Integration

Development and execution of business case and ROI for location-based projects: Demonstrate ability to sell the project internally, and once sold, the ability to deliver it, monitor it and maintain it. Location information management is an ongoing, evolving technology that requires regular attention. (This is a recurring problem with the traditional approach to GIS projects; it’s viewed as a one-time project that goes away.)

See Where is the Location Intelligence Officer? for more information on the importance of this role, and other required skill sets that address other business issues related to location data. http://www.lbxjournal.com/articles/“where”-location-intelligence-officer/260226


CONCLUDING SCENARIOS

While the use of location data may appear simple or intuitive, the Guidelines reveal the complexity behind it. Recognizing that the use of location data may not always be obvious within an organization, we developed location privacy aware scenarios to illustrate some common, and not so common, uses of location data by four business functions—Risk Management, Product Development, Customer Experience, and Marketing. Use them to both inspire you as well as help you ferret out problems before they manifest themselves.

Privacy Aware Scenarios

Risk Management

A retail company uses location information differently throughout the organization. As a result location data winds up being managed by different departments with no centralized oversight. In some cases the information is acquired, managed and distributed by the GIS department; in other cases it is the marketing department that is experimenting with mobile location-based services applications, targeted advertising and social media engagement and interaction with customers. The real-estate and site location department uses information specifically for long-term investment decisions. The HR and IT departments monitor employees through a variety of mobile phone and Internet tracking applications. The privacy of employees, customers, suppliers, and partners is implicated as location data moves around this organization. But there isn’t a single person responsible for understanding how location data moves through the company’s workflow, how the data is being handled to ensure privacy protections, and compliance with usage rights.

Product Development

A news service has instructed its development team to develop a 3D interactive globe as a new information delivery platform. In an effort to better understand local and regional interests, the news service wants to capture the location data of its audience via IP address, GPS coordinates, and cell-phone triangulation. Through its mobile application, the news service also wants to capture when and where the user checks his/her news, for example at work, at the coffee shop, in the car, at home, in the parking lot. Before development begins, the Vice President of New Services calls a meeting of her development team, marketing, and legal to review the objectives of the service and the privacy issues associated. Every developer on the team, and the marketing analysts are provided with a checklist of required actions to ensure that the company is not blind-sided 6 months later.


Customer Experience

A casino, shopping mall, amusement park, or coffee shop offers WiFi (free or otherwise) as a customer experience service. Oftentimes, these organizations collect location data of users for the purpose of providing improved services or targeted advertising. Once the user signs into the WiFi service his/her web behavior is tracked, and if the user moves around the building their whereabouts are also being tracked, including how long they stayed in a particular location (for example a store, or gambling table).

The user is generally unaware that the information is being collected and as such is completely in the dark about how that information is really being used, with whom it is being shared and for what purpose. Is the information collected anonymized? Is it aggregated? When shared with a third party, is it de-anonymized so that personally identifiable information can be determined? How does the user know?

Marketing Campaign

A company decides to run a treasure hunt campaign and embeds a location sensor in five product packages. The package clearly states the campaign and the benefits to the lucky winner: $10,000 in cash and an appearance on the Lucky Guy show. In addition, in bold letters, not to be missed by a person of average vision: “This Package May Contain a Location Sensor. If you open it and are a lucky winner, your location will be immediately tracked and a media crew will arrive shortly to interview you.”


Part 4 – Location Data Privacy Risk & Transparency Assessment

Almost every aspect of location data privacy can be measured along 2 key metrics – risk and transparency. Good governance involves how your organization manages the data both internally, as well as externally. Everything from the source of the data and how it is obtained, to how it is used and managed, to how your policies and procedures are communicated to the market, to its impact on companies and individuals has risk and transparency components.

This section allows you to take a high-level pulse of the state of your current governance practices and the transparency of your communications to customers, partners, regulators, and the market regarding your policy towards location data privacy.

The following Review serves as a worksheet that is designed to examine your policies and behaviors associated with location data. It is a first step in creating a snapshot of your Risk and Transparency levels. It is meant to help identify places where immediate or future attention is required in addition to where you are doing well. It also serves as a workbook prior to using the Location Forum’s online “Scorecard” (see LDPI below).

This is not intended to be an exhaustive assessment, but rather a broad review of your location data privacy stewardship and practices. The result of taking this scorecard assessment will reveal whether your location data privacy policies and practices place you in a High, Medium, or Low risk category:

RISK AREA                                            RISK & TRANSPARENCY LEVEL   RESULTS

Acquisition, Usage & Handling [Risk]                 High / Medium / Low

Openness, Notice & Consent [Transparency]            High / Medium / Low

Policy, Accountability & Traceability [Governance]   High / Medium / Low

RISK LEVEL   ACTION

High         Take immediate action to correct problems. Re-evaluate as soon as corrective measures are implemented.

Medium       Research root causes, consequences and ways to improve. Re-score after changes are implemented.

Low          Monitor and re-score every 6 months.

LOCATION DATA PRIVACY INDEX (LDPI)

Once you have an initial snapshot, we recommend that you determine your Location Data Privacy Index (LDPI) score through the online LDPI Scorecard [coming soon, and available at www.thelocationforum.org/privacy]. This is an interactive tool which will guide you through specific questions based on your company profile. Your answers determine a score or “index” that gauges your level of risk and transparency against industry norms and best practices and provides a more comprehensive evaluation of your policies and practices.

The LDPI score can be used to benchmark your organization against competitors and peers and to communicate transparent policies to the market.


LOCATION DATA PRIVACY REVIEW

This Review serves as a way to conduct an initial assessment of your Risk and Transparency levels. It is meant to help identify places where immediate or future attention is required as well as where you are currently doing well. It also serves as a workbook prior to using the Location Forum’s online Scorecard, which is a tool that provides a more comprehensive evaluation of your policies and practices and generates a Location Data Privacy Index (LDPI) rating.

The Review is divided into 4 main sections:

Profile

Acquisition, Usage & Handling

Openness, Notice & Consent

Policy, Traceability & Accountability

PROFILE The profile questions provide a context in which to analyze the rest of your answers. There are no right or wrong answers; they simply enable the questions in the next 3 categories to be scored against a known backdrop.

Who Are You?

1 Are you a provider of location information technology, data, products or services? Check all that apply:

You provide analytics software platforms or services

You provide location-based services

You are a GIS company

You manufacture hardware, sensors, or chips

You are a third party aggregator of location information

You are a location data services provider

You are not a provider of location information technology, data, products, or services.

2 Do you use location/geospatial data, technologies or services in any aspect of your business?

Yes

No

3 Are you in an industry subject to regulations that limit or prohibit your use of location and personal data? (Ex: telecommunications, healthcare, utilities, etc.)

Yes

No

4 Do you operate in jurisdiction(s) that have strong individual privacy rights protections?

Yes

No

5 Do you generate revenue from the monetization of location data and/or personal data?

Users pay for your location-based service or application

Your services are available to users for free, and the data collected is sold to a third party, for example advertisers.

You use location data only for internal purposes, and do not generate revenue from selling location data in any way

Companies or organizations pay for your location-based services or applications

!TIP - Throughout the Scorecard, look for “!TIP” which will provide “handy hints” to guide you.


Any use of location data increases the potential for infringing upon personal privacy. It is the nature of the data. The market, regulatory, and internal business environment in which you operate can serve to increase or decrease risk. Proceed to the next sections to review your internal policies and procedures and external communications regarding the management of location data.

ACQUISITION, USAGE & HANDLING This section examines how the location data is obtained and used and for what purpose, who has access to it, how it is treated, manipulated and managed, and what becomes of it.

AREA & PRACTICE   |   NOTES & FLAGGED FOR FOLLOW-UP

1 Do you collect location data directly from individuals? (If you answered no to this question please proceed to question 2)

!TIP – The more sources you use, the more complex the risk becomes and the more you have to monitor. It also impacts communications with your users (see Notice & Consent section)

Yes

No

If Yes, how do you collect this information? (check all that apply)

A form (paper or online)

Website or web-based application

A mobile device

A mobile application

A communications network—cable, telephone, wireless, satellite

2 Do you collect location data remotely via satellite, aerial, or terrestrial technologies?

Yes

No

3 Do you acquire or purchase location data from third party sources?

Yes

No

4 Do you reduce the accuracy of the geographic coordinates collected to prevent personal identification of the individual?

Yes

No

5 Do you collect or acquire location data even if it is not required or necessary for the performance of your application or service?

Yes

No


AREA & PRACTICE   |   NOTES & FLAGGED FOR FOLLOW-UP

6 Do you aggregate location data?

Yes

No

(If No, skip to question 8)

If Yes, please indicate your definition of aggregation. Check all that apply below:

We aggregate data to a higher level (such as street address to postal code) for the purpose of masking personal identity.

We aggregate or compile location data from multiple sources for the purpose of creating a centralized repository.

7 Do you aggregate data that is not needed for the performance of your application or service?

Yes

No

8 Do you link location data with other datasets?

Yes

No

If Yes, check all that apply:

For internal research and operational purposes

For marketing purposes, including targeted advertising

9 Do you link location data with other datasets, and share, rent, or sell it to third parties?

Yes

No

10 Do you link location data with other data that is not required for the performance of your application or service?

Yes

No

11 Do you mine information from the aggregated or linked location data?

Yes

No

12 Is management aware of how the application collects, uses, and distributes location data?

Yes

No

13 Do you treat location data and/or personal data as an asset to be monetized beyond internal operational use?

Yes

No


AREA & PRACTICE   |   NOTES & FLAGGED FOR FOLLOW-UP

14 Do you use any location data collected to deliver location-based services to customers?

Yes

No

15 Do you sell (or share) any location data collected with any third party for any reason?

Yes

No

If Yes, indicate all that apply:

Identifiable data

Anonymous data

16 Do you do anything (collect, use, share) with an individual’s location data without their knowledge?

Yes

No

17 Do you retain location data?

Yes

No

18 If you answered yes to 17, do you retain (please indicate all that apply):

!TIP – Any retention practice – especially one that is open ended – creates risk. Unlimited retention should be avoided if at all possible.

Identifiable data

Anonymous data

For the following period of time:

Indefinitely

A specified period of time

19 Are location technologies and data analytics accessible by anyone within the organization?

Yes

No

20 Is location data easily accessible by anyone within the organization?

Yes

No

TOTALS YES _______ NO _______

If you answered “Yes” to 5 or fewer questions, your acquisition, usage and handling practices put you at a Low risk.

If you answered “Yes” to 6-10 questions, your acquisition, usage and handling practices put you at a Medium risk.

If you answered “Yes” to 11 or more questions, your acquisition, usage and handling practices put you at a High risk.

Mark your level in the table at the beginning of this section for reference and follow-up action.

Take the Location Forum’s online Location Data Privacy Risk Assessment [coming soon and available at www.thelocationforum.org/privacy] to determine your actual LDPI score and identify recommendations on how to reduce your risk.


OPENNESS, NOTICE & CONSENT

This section measures your operational transparency - how open you are with business partners and individuals. How much control do users/customers have over their location data? Are you open about the type of location data you collect and what you do with it? Do your partners and customers have the ability to opt-in and opt-out?

AREA & PRACTICE   |   NOTES & FLAGGED FOR FOLLOW-UP

21 Is your location data policy visible and can people easily find it?

!TIP – Err on the side of posting your policy in as many places as practical, especially if you ticked several boxes in Question 1. Generally more communication is better unless it interferes with the user experience.

Yes

No

Visible to: [check all that apply]

Employees

Average User /Customer

Vendors/Partners

Where (check all that apply):

On the download page of the application

Within the app store where the app is found

During installation of the application or service

Within the application

On your website

On any forms used to collect location information

Within proposals or RFP

Within product or service agreements

On a shared or virtualized drive (cloud)

In a knowledge management system

Employee manual

22 Do you publish the sources from which you collect location data?

!TIP – Err on the side of posting your policy in as many places as practical, especially if you ticked several boxes in Question 1. Generally more communication is better unless it interferes with the user experience.

Yes

No

Is your supply chain of location data providers visible and can people easily find it?

Yes

No

Where (check all that apply):

On the download page of the application

Within the app store where the app is found

During installation of the application or service

Within the application

On your website

On any forms used to collect location information

Within proposals or RFP

Within product or service agreements

On a shared drive (cloud), in a knowledge management system


AREA & PRACTICE   |   NOTES & FLAGGED FOR FOLLOW-UP

23 Can an individual (including employees) easily locate and view their location profile on your website, application, or mobile device menu?

!TIP – The more options provided to the user, the more transparent you will appear.

Yes

No

If Yes, check all that apply:

You have a redressability policy that enables a user to correct any information in their profile that is incorrect or out of date

Users can eliminate certain pieces of location data in their profile they believe are confidential and do not want divulged under any circumstances

An individual can delete her location history

You have a designated contact person to handle individual concerns related to any aspect of their profile

24 Do you provide users with informed notice and consent regarding how you collect, use, aggregate, manage, and distribute location data?

Yes

No

See Recommendation 4 in Part for definition of informed consent.

25 Can a user easily Opt-In or Opt-Out of your service or application?

Yes to both

Only Opt-In

Only Opt-Out

No to both

26 If you answered, “Yes” to question 25 where is the opt-in or opt-out option visible or provided? Check all that apply:

!TIP – The more options provided to the user, the more transparent you will appear, provided it doesn’t become a nuisance that interferes with the user experience.

Launch of your application

Initializing your device

Provisioning of your service

On your website

On a form

27 Can an individual prevent the distribution of her location data to certain third parties?

Yes

No


AREA & PRACTICE   |   NOTES & FLAGGED FOR FOLLOW-UP

28 Can a company assess your location data management practices?

!TIP – The opaqueness of the current location data supply chain creates risk for everyone in the chain. The more transparent the chain, the greater the likelihood that industry self-regulation will work.

Yes

No

If Yes, check all that apply:

A benchmark

A LDPI score

A B2B disclosure form

An outside company does not have a means of assessing our practices

TOTALS YES _______ NO _______

If you answered “Yes” to 1 or fewer questions, you provide a Low or No level of transparency.

If you answered “Yes” to 3 or more questions, you provide a Medium level of transparency.

If you answered “Yes” to 5 or more questions, you provide a High level of transparency.

Mark your level in the table at the beginning of this section for reference and follow-up action.

Take the Location Forum online Location Data Privacy Risk Assessment [coming soon and available at www.thelocationforum.org/privacy] to determine your actual LDPI score and identify recommendations on how to reduce your risk.


POLICY, ACCOUNTABILITY & TRACEABILITY This section examines your overall approach to location data privacy – the types of policies you have in place, oversight, accessibility and more. How anonymous or personalized is the data and is there an audit trail from source to destination?

AREA & PRACTICE   |   NOTES & FLAGGED FOR FOLLOW-UP

29 Have you developed and published a location data privacy policy?

Yes

No

See Part 3 of the Location Data Privacy Guidelines for recommended framework

30 Does your location data policy state how you collect, aggregate, distribute, use, and manage location data?

!TIP – A comprehensive policy addresses all aspects of handling location data.

Yes

No

Check all that are referenced in your policy:

Collection

Aggregation

Distribution

Usage

Data Management

31 Is your location data policy visible and can people easily find it?

Yes

No

See Recommendations for Openness Notice and Consent in Part 3 for details

32 Do you maintain a consistent program of oversight including executive responsibility and external location data audits within your organization?

!TIP – Good location data privacy governance requires the right people, tools, and technologies.

Yes

No

Check all that apply:

A key executive is responsible for location data privacy

Periodic external privacy or security audits are performed

A Location Data Governance and Audit System is in place

33 Do you know and track the source(s) of your location data?

!TIP – Know Your Data to reduce your risks.

Yes

No

Check all that apply:

You know how it was collected

You know if the location data was collected with consent of individuals from which the data was derived

You have overt permission to use the data

You know if there are any limitations on the use and distribution of aggregated data products


AREA & PRACTICE   |   NOTES & FLAGGED FOR FOLLOW-UP

34 Do you ensure that personally identifiable information is not attached to your location data?

Yes

No

Check all that apply:

You anonymize all location data collected

You de-anonymize data

35 Can the location data chain, usage and usage rights be traced either by some unique identifier, an embedded audit trail or some other method?

Yes

No

36 Does your organization practice Privacy by Design?

Yes

No

For details see http://privacybydesign.ca/

37 Are the following people made explicitly aware of the privacy implications of designing, developing or coding applications and services that use location data? (Indicate all that apply):

!TIP – Everyone should be “in the know.”

Software Developers

IT/Business Intelligence Managers

Operational Managers

Marketing Managers

Product Managers

Management Executives

38 Do you coordinate with legal or marketing to make sure you are not violating any rules, procedures, laws or policies in the way the location-based application is designed, coded or implemented?

Yes

No

39 Do you require a valid court order or warrant before disseminating location data to law enforcement?

Yes

No

TOTALS YES _______ NO _______

If you answered Yes to 7 or more questions, you have a High level of location data management governance.

If you answered Yes to 4-6 questions, you have a Medium level of location data management governance.

If you answered Yes to 1-3 questions, you have a Low level of location data management governance.

Mark your level in the table at the beginning of this section for reference and follow-up action.

Take the Location Forum online Location Data Privacy Risk Assessment [coming soon and available at www.thelocationforum.org/privacy] to determine your actual LDPI score and identify recommendations on how to reduce your risk.


Appendix – Glossary of Terms

Aggregation: Data aggregation is the process of combining data from different sources and transactions to create a new “aggregated” dataset. By linking data with multiple characteristics, new information can be derived from the aggregated dataset that none of the individual pieces of data can yield. Data aggregation is also the process of rolling data up to a higher level, such as street address to postal code, for the purpose of anonymizing data or masking personal identity.

Anonymization: The act of removing personally identifiable information from data. Anonymized data should no longer be able to be associated with an individual in any manner.

B2B/B2C/B2I and I2I: These all describe relationships between two entities for the purposes of exchanging information or conducting commerce. B=Business, C=Consumer, and I=Individual. For example, a B2B relationship is one where two (or more) businesses are either exchanging something (data, information, knowledge, etc.) or having a buyer-seller transaction. A B2C relationship is a direct relationship between the business and the consumer. In this relationship the consumer is the end customer. A B2I relationship is one in which a business may have an indirect relationship with an individual as a result of collecting, using, or sharing an individual’s personal information such as location data. An I2I relationship is one where individuals may share information between each other across a third-party platform such as social media.

Collection: The act of acquiring location data through explicit, implicit, or passive methods:

Explicit collection occurs when a user is aware and has consented to their location data being collected.

Implicit collection occurs when a user shares location information voluntarily, but is unaware that the information is being collected.

Passive collection occurs when network carriers and third party service providers collect location data at the network, device, or application layer without the user’s knowledge.

Distribution: Location data is distributed when it is shared with or sold to third parties.

Geographic Reference: A geographic reference includes address, zip code, placename, point of interest, area of interest, and distance and proximity between places or locations.

Geospatial Data: Any point, line, 2D polygon or 3D volume with a geographic reference whose location can also be marked in time.

Location: is the geographic position of someone or something at any given moment in time.

Location-Based Service: Location Based Services (or “Location Services”) deliver information about location to people who are using wireless, position-aware devices such as mobile phones, tablets or other similar devices. A wireless-IP service that uses geographic information to serve a mobile user. Any application service that exploits the position of a mobile terminal.

Location Data: Any data with an implicit or explicit geographic or geospatial reference, including any data derived from GPS, GIS, cell-tower or other radio signal-based triangulation, assisted-GPS positioning devices, systems and processes, geo-tagged images, video, audio, and text documents, satellite and aerial imagery, computerized, digitized and paper maps, IP address location, public documents, public or private databases, video, audio, text, and image files, and location-based applications.


Location Data Privacy is:

The right to not be subjected to unsanctioned collection, aggregation, distribution, or selling of an individual or organization’s location or location profile derived from location data.

The ability of an individual, group, or organization to conceal information about their whereabouts, which can be derived from location data. Sometimes stated as “the right to be left alone” and not reveal one’s location.

Location-Dependent Service: A service in which the location transactions and location data all form an integral part of the service.

Location Service: A service that provides the location of a moving or fixed device or individual, and extracts and extrapolates location data from information voluntarily contributed.

Location Profile is:

Information derived from mobile and location data on where an individual has been and may be in the future; and

Information on who and what is around a particular location and the activities that surround a particular location.

Location Transaction: A location transaction is any exchange of location data between devices, systems, applications, networks, and/or databases.

Place: the use of a name or area of interest to describe a location.

Space: the use of geographic coordinates to describe a location.


For more information contact:

Natasha Léger, President. Email: [email protected]

Jim Warner, COO. Email: [email protected]

Email: [email protected]