California Attorney General Rob Bonta has announced an investigative sweep targeting the location data industry, emphasizing compliance with the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act. This announcement follows the California Legislature proposing a bill that, if passed, would impose restrictions on the collection and use of geolocation data.
Concerns about geolocation tracking are not limited to California. Elsewhere they include 1) a notice requirement in New Jersey and 2) consent requirements in multiple states.
The California attorney general’s investigation involved sending letters to advertising networks, mobile app providers, and data brokers that appeared to be in violation of the CCPA. These letters notified recipients of potential violations and requested additional information regarding their business practices. The focus was on how businesses offer and effectuate consumers’ rights to stop the sale and sharing of personal information and to limit the use of sensitive personal information, including geolocation data.
To avoid enforcement actions, businesses in the location data industry must ensure compliance with the CCPA by:
- Understanding Consumer Rights: The CCPA grants California consumers several rights, including the right to know what personal information is being collected, the right to opt out of the sale or sharing of their personal information, and the right to delete their personal information. Because precise geolocation data is “sensitive personal information” under the CCPA, consumer rights also include the right to limit the use or disclosure of such information. Businesses must clearly communicate these rights to consumers (including their employees).
- Implementing Opt-Out or Limitation Mechanisms: Businesses must provide consumers with the ability to opt out of the sale and sharing of their personal information and to limit the use or disclosure of sensitive personal information. This includes implementing clear and accessible opt-out or limitation request mechanisms on websites and mobile apps. Once a consumer opts out, businesses cannot sell or share their personal information unless they receive authorization to do so again.
- Ensuring Transparency and Accountability: Businesses must be transparent about their data collection and disclosure practices. This includes providing detailed privacy policies that explain what data is collected, how it is used, and the categories of third parties to whom it is disclosed. Additionally, businesses should be prepared to respond to inquiries from the Attorney General’s Office and provide documentation of their compliance efforts.
Joseph J. Lazzarotti is an attorney with Jackson Lewis in Tampa, Fla. © 2025 Jackson Lewis. All rights reserved. Reposted with permission.