Skip to main content

GDPR and location data

By [email protected] - 9th May 2018 - 09:28

Now coming into play, GDPR is the biggest change to data protection in two decades. But with so many changes in both regulation and public understanding occurring in the realm of data processing and privacy, what does it mean for location data?

Uncharted territory

First of all, it’s important to understand that for all the hype, this is still a bit of a grey area. Under the GDPR there is no set definition for location data. What we do know is that location data can be classified as personal data when the location data can be used to identify a person, but this is not always the case.

Chris Archibald, Managing Director of GDPR Design1, weighs-in on how to treat location data in this uncharted territory, “Treat location data like any other data when trying to decide how you manage it in relation to data protection law (e.g. PECR, GDPR). Assess the likelihood of being able to identify an individual from the data, if there is a reasonable likelihood, then consider it as personal data and manage it as such”.

Until further guidance under GDPR is released or precedents are set, adhering to the Privacy and Electronic Communications Regulations (PECR)2 that govern location data, would be best practice. In most cases, if an organisation is PECR-compliant then it would also be GDPR-compliant as PECR already has stringent rules regarding the protection of users’ data.

Shaping opinion

To understand why businesses collect location data, individuals should be aware of the value of location data to modern businesses. In a report by the Location Based Marketing Association (LBMA), 50% of brands are using location data to target customers in their advertising3.

Location data is extremely useful in increasing the effectiveness of advertising and, therefore, extremely valuable for companies such as Facebook. In April, sensitive Facebook data relating to some 87 million users was improperly shared - without awareness or consent – and used to influence political opinion via targeted advertising. Even with the knowledge of this occurring, it is incredibly difficult for users to avoid giving away this data while using digital services, as advertising distributors such as Facebook and Google continue to collect it hrough countless third-party apps.

Location data might not currently be worth a lot to the individual, but when aggregated and processed with respect to other personal data, it significantly improves the service providing the largest revenue stream for many companies - Facebook alone collected US$39 billion in ad revenue in 2017.

Though Google and Facebook are the two companies most often in the spotlight, it is not just the tech giants taking advantage of location data; countless other apps, such as weather apps and games, can and do send location data to third party content-delivery firms as their sole revenue stream, many doing this even when location data is switched off. GDPR recognises this huge financial incentive for businesses to exploit user location data and makes a stand to prevent it from being collected without explicit consent while holding businesses accountable for their actions in doing so.

Taking control

A start-up that also understands the importance of location data privacy is Coposition4, borne from the premise that location data is private and valuable and should, therefore, belong to the individual. Developed with respect to people’s need to have more control of their location data, Coposition gives:

* users and app developer tools to protect consumer data while receiving or delivering location-based services.

* consumers ownership of location data which is not shared with third parties.

* Consumers choose how and when to share their data with specific users or Coposition-enabled applications and can modify the data itself before it is shared.

By embodying the ‘Control, Alter, Delete’ mantra, Coposition offers a novel solution for developers to be GDPR compliant while still offering the same services.

Doubtless there will be a number of GDPR-related cases in the first few months of it being enforced and sooner, rather than later, precedents will be set for location data. In the meantime, companies should take data protection seriously by considering the need to store historic location data, and if so, how they process and where they store it - for all users and not just those in the EU.






Stephanie Schultz is Digital Marketing Manager at Earlymarket LLP (, a London-based family office that invests in and supports early-stage businesses, as well as developing its own, generally with an aviation or geolocation flavour. Coposition is an Earlymarket business.

Download a PDF of this article