How Expansive Location Privacy Regulations Could Undermine Retail Innovations – Center for Data Innovation

Governor Jared Polis (D-CO) signed the Colorado Privacy Act into law in July, joining California and Virginia as the third state to create a new law regulating the collection and use of personal data. Among the types of data subject to new rules is geolocation data—information about the precise location of an individual at a certain point in time. Most of this information comes from mobile devices that use a variety of signals from different technologies, including GPS, cell towers, WiFi networks, and Bluetooth, to identify their location. While restrictions on collecting and using geolocation data have a broad and negative impact on many sectors, its impact will be particularly acute in retail where many businesses use this information to not only improve their advertising and marketing, but also enhance consumers’ shopping experience and inform business decisions.  

Retailers small and large use geolocation data from mobile devices to deliver more relevant advertisements to consumers. For example, retailers can use location-based advertising to send ads, promotions, or coupons to consumers when they are near their stores or the stores of a competitor. This practice, known as geofencing, allows advertisers to target customers when they are within a certain boundary through push notifications in apps or paid mobile search results. This type of marketing can be impactful given that four out of five consumers report consulting their phones before making purchases in stores.

Retailers can use Bluetooth beacons to provide hyper-localized services to consumers in real time to enhance the in-store experience. Bluetooth beacons wirelessly broadcast information to nearby devices to trigger events in specific apps. For example, retailers, like Target and Macy’s, use beacons to guide shoppers around the store as they collect items on their shopping list. Other retailers, such as Nike, use beacons to send store associates to consumers who request help through their app. 

Finally, retailers use geolocation data to inform product placements and business decisions. Some stores, like jewelry brand Alex and Ani, use Bluetooth beacons to analyze foot traffic inside of stores and station merchandise accordingly. Others, like department store chain Kohl’s, use geolocation data to gauge the success of in-store promotions. For example, in 2018, the company began accepting Amazon returns in an effort to draw more customers into their storefronts. The move proved successful as geolocation data showed a marked increase in foot traffic in storefronts that accepted returns over storefronts that did not. 

Unfortunately, the growing number of state privacy laws threatens to limit the use of geolocation data in retail. There are two main problems. 

First, some states, like Virginia, require businesses to obtain affirmative consent to collect and use a consumer’s geolocation data. Opt-in requirements force retailers to waste time and resources obtaining consent when most consumers—around 70 percent—are willing to share their location data. A better approach would be to simply let consumers opt-out of sharing location data. Indeed, both Android and iOS mobile operating systems already provide consumers controls to manage their location sharing settings. 

Second, competing state privacy frameworks are creating a patchwork of different, often conflicting and changing, privacy regulations. Virtually every major U.S. retailer has an online presence targeting all 50 states that is enhanced or informed by geolocation data. The interstate nature of online commerce means retailers cannot afford to ignore any state or its regulations in the course of business operations. This fragmented regulatory landscape dampens innovation by forcing businesses to waste time and resources on compliance efforts. Moreover, legal ambiguities about what counts as geolocation data force businesses to limit their use of this information to avoid running afoul of the law.

Expenses for compliance, maintenance, and statutory damages can be significant for businesses. Shortly before it became effective, the California Attorney General’s office estimated that initial compliance costs for the California Consumer Privacy Act would reach $55 billion. As more states adopt privacy laws, these costs multiply. Retailers will either have to take on these expenses, which are passed on to consumers in the form of higher prices, or limit their use of consumer data, which will make them less competitive in the long term. 

Congress can address this problem by enacting a comprehensive national privacy framework that preempts state laws, establishes basic consumer data rights, streamlines regulation, and minimizes the impact on innovation. The new privacy laws in California, Virginia, and Colorado portend an incoming glut of privacy legislation from state policymakers and Congress should act swiftly before the problem gets worse. A narrowly focused federal privacy law would also minimize compliance costs for businesses while still improving consumer data protection. 

Importantly, any new federal framework should not treat all data the same but instead create rules that mirror the sensitivity of the data and the context in which it is collected. This means that while precise location data may be sensitive data, when it is collected in mundane contexts, such as by a grocery store or a movie theater, there is no need for the strictest rules. The risk of consumer harm in such everyday situations is minimal and does not warrant overbearing privacy regulations that would reduce other consumer benefits. By creating a tiered set of rules, businesses can focus on providing consumers the strongest privacy protections where it matters while avoiding unnecessary compliance costs.

Some of these new and proposed state privacy laws would significantly curtail the use of geolocation data in retail. Without reasonable access to identifiable geolocation data, retailers cannot efficiently geotarget advertisements to interested consumers, interact with in-store customers through beacon technology, or use geolocation data to improve business operations. As policymakers develop privacy legislation, they should consider and protect the role of data in retail innovation.