Overturning Roe could change how digital advertisers use location data. Can they regulate themselves?

Over the years, the digital ad industry has been resistant to restricting use of location data. But that may be changing.

Map with location service

Over the years, the digital ad industry has been resistant to restrictions on the use of location data. But that may be changing.

Illustration: Christopher T. Fong/Protocol

When the Supreme Court overturned Roe v. Wade on Friday, the likelihood for location data to be used against people suddenly shifted from a mostly hypothetical scenario to a realistic threat. Although location data has a variety of purposes — from helping municipalities assess how people move around cities to giving reliable driving directions — it’s the voracious appetite of digital advertisers for location information that has fueled the creation and growth of a sector selling data showing who visited specific points on the map, when, what places they came from and where they went afterwards.

Over the years, the digital ad industry has been resistant to restrictions on the use of location data. But that may be changing. The overturning of Roe not only puts the wide availability of location data for advertising in the spotlight, it could serve as a turning point compelling the digital ad industry to take action to limit data associated with sensitive places before the government does.

Friday’s Supreme Court decision has heightened the significance of risks associated with location data reflecting sensitive places, said Grace Briscoe, senior vice president of Client Development at digital ad company Basis Technologies.

It appears that the industry organizations have been slow to act, and I do think there's opportunity for them to tighten the location data policies.

“It wasn't as sensitive a month ago as it suddenly is now,” Briscoe said. “It appears that the industry organizations have been slow to act, and I do think there's opportunity for them to tighten the location data policies, and prohibiting collection of certain types of sensitive location data and putting some consistent industry-wide guidance around that would be really valuable.”

There is moderate movement in this direction already. The Network Advertising Initiative, a digital ad industry trade group, last week announced a new set of voluntary guidelines prohibiting member companies that adopt them from using, selling or sharing any information about device or user activity associated with locations deemed sensitive, such as fertility or abortion clinics, mental health treatment facilities, places of religious worship, correctional facilities, addiction treatment centers, immigration centers, military bases or payday loan institutions.

The NAI wants to preempt an outright ban on location data, said David LeDuc, vice president of Public Policy at the NAI. “The notion that all the data should just be eliminated — I just don’t think it passes the test. It’s really fair how concerned people are, but we just don’t think throwing all the data away is where we should end up,” he said.

Pharmaceutical makers or other advertisers do use location data associated with health care facilities, Briscoe said. “Finding people who are at the hospital every day — that is actually a really good way to identify people who work in health care or frontline workers,” she said. Briscoe said she was not aware of industry-imposed restrictions on use of location data associated with health or medical facilities, although there are some limits on location data reflecting school locations or places of worship.

The NAI’s standards did not come together in response to last week’s Supreme Court decision, of course. They had been in the works for months, propelled in part by news last July that mobile app records obtained by Catholic news outlet The Pillar showed a Wisconsin priest visited gay bars and private residences while using location-based hookup app Grindr. The publication’s investigation led to his resignation.

“We as an industry need to take proactive steps to make sure we are being more responsible and raising the bar and preventing this type of data leakage,” said LeDuc, noting that the NAI wanted to help prevent bounty hunters or law enforcement from obtaining data associated with sensitive locations that could be used to out or penalize people.

“We recognize that self-regulation hasn’t solved all the problems and we can do more and we need to do more — and that’s where this came from,” LeDuc said regarding the voluntary standards.

But there are gaps in this self-regulatory regime.

Only three member companies have publicly agreed to implement the principles, including Foursquare. Google, an NAI member, did not sign on publicly to adopt the standards. After a draft Supreme Court opinion presaging the eventual overturning of Roe v. Wade was leaked in May, legislators wrote to Google urging the company to “stop unnecessarily collecting and retaining customer location data, to prevent that information from being used by right-wing prosecutors to identify people who have obtained abortions.” Google declined to comment for this story.

The NAI does not categorize Google as a precise location information solution provider, the narrow category the group carved out for applying the new standard. “We didn’t seek to include Google because it’s a different business model,” said LeDuc. He added that “it’s fair” to ask why Google or other companies outside the narrow location provider category have not adopted the standards.

Other NAI member companies selling or using location data including Place Exchange and Ubimo also did not publicly agree to the standards.

Fodder for abortion bounty hunters

As industry introduces new self-regulatory limits on data reflecting sensitive locations, pressure from actual regulators is mounting.

Senators recently demanded that location data providers SafeGraph and Placer.ai give details about their data collection practices related to abortion clinics. After it was reported in May that SafeGraph sold information showing where groups of people visiting family planning and abortion clinics had traveled from, how long they stayed and where they traveled, the company said it would stop selling data associated with family planning center locations.

After Roe was overturned last week, lawmakers signaled their intentions to establish new laws that could affect data use in their states. When announcing his plan to push for a constitutional amendment to protect abortion rights in Washington state on Saturday, Governor Jay Inslee said, “We are going to be very alert to plug any gaps in our privacy laws, so that no one can expose private information from a Washington citizen or a citizen of a different state, who comes here for services. We are not going to allow that data to get back to Texas or Missouri or Idaho.”

It’s not just Google, Apple or mobile carriers that have been subject to law enforcement demands for location data. “We have received subpoenas in the past, and we’ve had to provide information,” said Elizabeth Hein, associate general counsel of privacy, product and compliance and global data protection officer at Foursquare. “We do only respond when we have the appropriate legal documentation; they would have to have a subpoena or a court order,” Hein said.

Foursquare has limited its use of information associated with sensitive places for the past few years. Today Hein said the company includes 1.5 million locations throughout the U.S. in its list of sensitive places.

Foursquare already self-imposes the limitations put in place by the NAI’s voluntary standards. In practice, that means that while a Foursquare app user can still “check in” at a sensitive place – say a church or doctor’s office or gay bar – Foursquare does not ingest check-in information associated with places on the sensitive list into its system. It also prevents partners that use its location data and services in their apps from getting that information. That means ads cannot be targeted using that information, and customers can’t use it to measure the performance of their ads.

“This information is just too sensitive to be sharing or using in products downstream,” Hein said.

A history of fighting regulation while pushing for more location data collection

The recent Supreme Court decision may have made the harmful implications of location data more palpable, but the ad industry has faced pressure from lawmakers for more than a decade to put better protections and limits on the location data flowing through its ad systems.

“Location information is extremely sensitive. But it’s not being protected the way it should be,” said Minnesota Democratic Sen. Al Franken in 2014 , when he pushed for passage of his Location Privacy Protection Act, originally introduced in 2011, during a Senate Judiciary Committee hearing. The goal of the bill was to protect people from stalking facilitated by location-tracking apps.

During the hearing, Lou Mastria, then executive director of the Digital Ad Alliance, a consortium of advertising trade associations, emphasized that existing industry self-regulation “is not intended to prevent criminal activity.” He added, “The DAA does not believe that such new legislation is needed at this time.”

Even then, the DAA did require companies to get consent from people before collecting and sharing precise location data “or obtain reasonable assurances that the app developer or owner has obtained consent to that data collection.” However, at the time, the DAA and ad industry at large lobbied against federal privacy legislation , arguing that their own self-regulatory approaches were preferable.

Two years after that hearing, the Interactive Advertising Bureau, the digital ad industry’s most prominent trade group and a member of the DAA, actively encouraged its digital publisher members to take advantage of monetizing mobile location data , which it called “a treasure trove in the marketing world.” A 2016 IAB guide said publishers could generate ad revenue of 20% to 30% more when location data is used to target ads.

Without mentioning anything about the potential to exploit data associated with visits to places people may consider sensitive or private, the guide told publishers how to sell location data through licensing agreements. Partnerships between mobile location data providers and the mobile app publishers they gather location data from typically are shielded from the public by non-disclosure agreements, making it near impossible to know which entities actually supply the data. The IAB guide did note that publishers should consult the DAA’s self-regulatory principles and the NAI’s code of conduct when considering how to get user permission for location data collection.

The guide also explained that location data was available for the taking through ad requests in open ad exchanges or through the software development kits plugged into mobile apps, a process sometimes referred to as bidstream siphoning . That process is often downplayed by the ad industry and location data providers because it allows data to be used without explicit consent. To this day, location data is available for collecting from ad bidding systems.

Last month, the Irish Council for Civil Liberties called the exposure of location data in the real-time bidding systems that run the digital ad market “the biggest data breach.” It reported, “On average, a person in the U.S. has their online activity and location exposed 747 times every day by the RTB industry.”

Since the DAA testified about location data before Congress in 2014, a slew of state privacy laws have been established, prompting industry groups including the DAA and IAB to change their tunes on a federal privacy law. The groups now argue that one federal law that would supersede state laws would be better than the jumble of differing requirements and restrictions they face today.

A post-Roe window cracks open to industry change

Today the DAA, IAB and NAI support a framework for federal privacy legislation that would prohibit companies from obtaining geolocation information without obtaining people’s express consent. However, it does not create specific rules for data associated with sensitive locations.

When asked why the IAB does not have self-regulatory standards encouraging member companies to adopt the principles in the framework, Lartease Tiffith, executive vice president for Public Policy at IAB, told Protocol, “We don’t come out with a proposal if we don't think that that's what our members need to do and they ought to do and we have the support to do. I think it's actually pretty clear that we are doing those things; we just don't have everything in the public sphere for you to sort of pull down off our websites.”

However, the IAB did make a statement on its website Monday about providing employees with access to reproductive health care.

“For women employees who live in states that are restricting access to reproductive healthcare, IAB will fund travel to locations that provide it,” the group wrote. “The U.S. Supreme Court’s decision to overturn Roe v. Wade permits states to significantly restrict women’s ability to support their families, make crucial healthcare choices, and continue to participate in the economy and society. Furthermore, this ruling directly and disproportionately harms poor women and communities of color.”

Now, the IAB is promising there’s more to come. “We actually are looking at what additional things could we do beyond pushing for this in legislation and regulation. [A lot] of people are, so we don't want to stop there, but we want to make sure that we're taking the right approach,” said Tiffith.

“There’s openness in the industry to taking action around this,” Briscoe said. “The moment gives us some real specifics to address and some momentum around making sure that we solve for some of these potential abuses of the data that's been created.”

Correction: This story was updated to reflect the fact that Factual has adopted the NAI’s sensitive location data standards because it was acquired by Foursquare and is no longer a standalone company. This update was made June 29, 2022.


Judge Zia Faruqui is trying to teach you crypto, one ‘SNL’ reference at a time

His decisions on major cryptocurrency cases have quoted "The Big Lebowski," "SNL," and "Dr. Strangelove." That’s because he wants you — yes, you — to read them.

The ways Zia Faruqui (right) has weighed on cases that have come before him can give lawyers clues as to what legal frameworks will pass muster.

Photo: Carolyn Van Houten/The Washington Post via Getty Images

“Cryptocurrency and related software analytics tools are ‘The wave of the future, Dude. One hundred percent electronic.’”

That’s not a quote from "The Big Lebowski" — at least, not directly. It’s a quote from a Washington, D.C., district court memorandum opinion on the role cryptocurrency analytics tools can play in government investigations. The author is Magistrate Judge Zia Faruqui.

Keep Reading Show less
Veronica Irwin

Veronica Irwin (@vronirwin) is a San Francisco-based reporter at Protocol covering fintech. Previously she was at the San Francisco Examiner, covering tech from a hyper-local angle. Before that, her byline was featured in SF Weekly, The Nation, Techworker, Ms. Magazine and The Frisc.

The financial technology transformation is driving competition, creating consumer choice, and shaping the future of finance. Hear from seven fintech leaders who are reshaping the future of finance, and join the inaugural Financial Technology Association Fintech Summit to learn more .

Keep Reading Show less
The Financial Technology Association (FTA) represents industry leaders shaping the future of finance. We champion the power of technology-centered financial services and advocate for the modernization of financial regulation to support inclusion and responsible innovation.

AWS CEO: The cloud isn’t just about technology

As AWS preps for its annual re:Invent conference, Adam Selipsky talks product strategy, support for hybrid environments, and the value of the cloud in uncertain economic times.

Photo: Noah Berger/Getty Images for Amazon Web Services

AWS is gearing up for re:Invent, its annual cloud computing conference where announcements this year are expected to focus on its end-to-end data strategy and delivering new industry-specific services.

It will be the second re:Invent with CEO Adam Selipsky as leader of the industry’s largest cloud provider after his return last year to AWS from data visualization company Tableau Software.

Keep Reading Show less
Donna Goodison

Donna Goodison ( @dgoodison ) is Protocol's senior reporter focusing on enterprise infrastructure technology, from the 'Big 3' cloud computing providers to data centers. She previously covered the public cloud at CRN after 15 years as a business reporter for the Boston Herald. Based in Massachusetts, she also has worked as a Boston Globe freelancer, business reporter at the Boston Business Journal and real estate reporter at Banker & Tradesman after toiling at weekly newspapers.

Image: Protocol

We launched Protocol in February 2020 to cover the evolving power center of tech. It is with deep sadness that just under three years later, we are winding down the publication.

As of today, we will not publish any more stories. All of our newsletters, apart from our flagship, Source Code, will no longer be sent. Source Code will be published and sent for the next few weeks, but it will also close down in December.

Keep Reading Show less
Bennett Richardson

Bennett Richardson ( @bennettrich ) is the president of Protocol. Prior to joining Protocol in 2019, Bennett was executive director of global strategic partnerships at POLITICO, where he led strategic growth efforts including POLITICO's European expansion in Brussels and POLITICO's creative agency POLITICO Focus during his six years with the company. Prior to POLITICO, Bennett was co-founder and CMO of Hinge, the mobile dating company recently acquired by Match Group. Bennett began his career in digital and social brand marketing working with major brands across tech, energy, and health care at leading marketing and communications agencies including Edelman and GMMB. Bennett is originally from Portland, Maine, and received his bachelor's degree from Colgate University.


Why large enterprises struggle to find suitable platforms for MLops

As companies expand their use of AI beyond running just a few machine learning models, and as larger enterprises go from deploying hundreds of models to thousands and even millions of models, ML practitioners say that they have yet to find what they need from prepackaged MLops systems.

As companies expand their use of AI beyond running just a few machine learning models, ML practitioners say that they have yet to find what they need from prepackaged MLops systems.

Photo: artpartner-images via Getty Images

On any given day, Lily AI runs hundreds of machine learning models using computer vision and natural language processing that are customized for its retail and ecommerce clients to make website product recommendations, forecast demand, and plan merchandising. But this spring when the company was in the market for a machine learning operations platform to manage its expanding model roster, it wasn’t easy to find a suitable off-the-shelf system that could handle such a large number of models in deployment while also meeting other criteria.

Some MLops platforms are not well-suited for maintaining even more than 10 machine learning models when it comes to keeping track of data, navigating their user interfaces, or reporting capabilities, Matthew Nokleby, machine learning manager for Lily AI’s product intelligence team, told Protocol earlier this year. “The duct tape starts to show,” he said.

Keep Reading Show less
Kate Kaye

Kate Kaye is an award-winning multimedia reporter digging deep and telling print, digital and audio stories. She covers AI and data for Protocol. Her reporting on AI and tech ethics issues has been published in OneZero, Fast Company, MIT Technology Review, CityLab, Ad Age and Digiday and heard on NPR. Kate is the creator of RedTailMedia.org and is the author of "Campaign '08: A Turning Point for Digital Media," a book about how the 2008 presidential campaigns used digital media and data.

Latest Stories