The IT Law Wiki


Location data (also called location information) is:

  • data on the geospatial location of an electronic device or the person or vehicle carrying that device.
  • [i]nformation that identifies the geographical location of a user's device, which may include Cell ID, GPS, Wifi or other less granular information such as village or town.[1]


Mobile industry companies determine location information through various methods, such as cell tower signal-based technologies, Wi-Fi Internet access point technology, crowd-sourced positioning, and GPS technology. Assisted-GPS (A-GPS), a hybrid technology that uses more than one data collection methodology, is also widely used. Figure 2 below illustrates these technologies.


Reasons for mobile data collection

There are three main reasons that mobile industry companies collect and share location data: 1) to provide and improve services, 2) to increase advertising revenue, and 3) to comply with court orders.

Provide and improve services

Mobile industry companies use location data to provide and improve services. A carrier needs to know a device's location to provide basic mobile telephone services. In addition, carriers and application developers offer a diverse array of services that make use of location information, such as services providing navigation, the ability to keep track of family members, local weather forecasts, the ability to identify and locate nearby businesses, and social networking services that are linked to users' locations. To provide these services, carriers and developers need the ability to quickly and accurately determine location. Location data can also be used to enhance the functionality of other services that do not need to know the user's location to operate. Search engines, for example, can use location data as a frame of reference to return results that might be more relevant. For instance, if a user were to search for a pizza restaurant using a location-aware search engine, the top result may be a map of nearby pizza restaurants instead of the homepage of a national chain.

Companies also collect and examine location information in conjunction with other diagnostic usage data to analyze and improve their interactions with customers. By examining the location patterns of dropped calls, for example, carriers can identify network problems and address cell connectivity issues without having to rely on customer complaints.

Furthermore, companies may use location data to provide public services. For example, carriers are responsible for providing law enforcement and other first responders with the location data of people who dial 911 from their mobile devices. This service is referred to as E911 and it is mandated by law.[2] In addition, companies may provide location information to municipalities to improve city traffic management or facilitate city planning. Location data can also be used to help find missing children through mobile America's Missing: Broadcast Emergency Response (AMBER) alerts,[3] which can be sent to devices that have requested AMBER alerts, when the devices are located within a specified radius of a reported incident.

Increase advertising revenue

Companies can use location data to target the advertising that users receive through mobile devices. Doing so may make an advertisement more relevant to a user than a non-targeted advertisement, boosting advertising revenue. Advertising is particularly important to application developers, as many developers give their products away free and rely on advertising for revenue. Advertisements for a certain business may be triggered if a user's device is located within a predetermined distance from that business. Any application, regardless of its function, may collect and use location data for advertising purposes.

Furthermore, application developers, operating system developers, and mobile carriers may aggregate and store individual user data to create user profiles. Profiles can be used to tailor marketing or service performance to an individual's preferences. In addition to capturing and using the location data of individual users, companies such as application developers and mobile carriers sell large amounts of de-identified location data to third parties. When data are de-identified, they are stripped of personally identifiable information. In addition to de-identification, user data are often aggregated, which means that the data of many users are combined. Aggregation also makes it more difficult to distinguish the data of individuals. De-identified and aggregated data can be used for a variety of purposes, including marketing and research.

Comply with court orders

Mobile industry companies are legally required to share user location data in response to a court order if a court finds that the information is warranted for law enforcement purposes. Because users generally carry their mobile devices with them, law enforcement can use device location data to determine the user's location. Because of this correlation, location data are valuable to law enforcement for tracking the movements of criminal suspects. Of particular use are the location data either housed in mobile carrier databases or obtained through GPS technology. Mobile carriers are required to comply with court orders directing the disclosure of historical location data (i.e., where the device was in the past) and in certain circumstances, real-time location data (i.e., where the device is now).

There are various methods by which mobile location data can be obtained, including, but not limited to:

  • Warrant: A warrant allows law enforcement to obtain prospective mobile location data generated by GPS or similar technologies (i.e., where the device is currently located).[4] To obtain a warrant for these data, the government must establish probable cause to believe that the data sought will aid in a particular apprehension or conviction. This method requires the highest standard of evidence of all methods outlined below.
  • Section 2703(d) Court Order: A 2703(d) order allows law enforcement officials to obtain certain kinds of historical mobile location data (i.e., where the device was located in the past) that providers collect for business purposes.[5] To obtain this order, the government must offer specific and articulable facts showing that there are reasonable grounds to believe that the data are relevant and material to an ongoing criminal investigation.
  • Hybrid Order: The Department of Justice has routinely acquired, since at least 2005, certain categories of prospective mobile location data generated by cell tower information through the combination of two court orders, the Pen/Trap court order[6] and the 2703(d) order. The combination order is known as a "hybrid order." To obtain this order, law enforcement officials must affirm that the information likely to be obtained is relevant to an ongoing criminal investigation and further demonstrate specific and articulable facts showing that there are reasonable grounds to believe that the information sought is relevant and material to an ongoing criminal investigation. This order is used because the Communications Assistance for Law Enforcement Act of 1994 precludes law enforcement officials from relying solely on the authority of the Pen/Trap statute to obtain cell tower data for a mobile customer.[7]
  • Section 2702 Voluntary Disclosure: Communications providers are permitted by law to voluntarily disclose information to law enforcement if the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of communications relating to the emergency.[8]

FCC regulations

"[D]ue to a combination of market forces and the implementation of the Federal Communications Commission's ("FCC's") Emergency-911 requirements, virtually all mobile devices transmit signals that enable mobile carriers or others to determine the devices' approximate locations at any time."[9]

"In the case of mobile carriers, the secondary usage of location data obtained for mobile telephone service is regulated by FCC's CPNI rules, which state that, unless a disclosure is required by law or approved by the customer, telecommunications companies may use, disclose, or permit access to CPNI in order to support their telecommunications services. 47 C.F.R. § 64.2005."[10]

Privacy risks

Industry-recommended practices state that companies should protect the privacy of location data by providing (1) disclosures to consumers about data collection, use, and sharing; (2) controls over location data; (3) data safeguards and explanations of retention practices; and (4) accountability for protecting consumers' data. The recommended practices are not required, but rather provide a framework for understanding the extent to which these companies protect the privacy of consumers' location data.[11]

By allowing companies to access their location data, users expose themselves to privacy risks. These risks include, but are not limited to, disclosure to unknown third parties for unspecified uses, consumer tracking, identity theft, threats to physical safety, and surveillance.

Disclosure to unknown third parties for unspecified uses

According to privacy advocates, when a user agrees to use a service that accesses location data, the user is unlikely to know how his or her location data may be used in ways beyond enabling the service itself. The secondary uses of location data are generally not transparent to the consumer.[12] Therefore, location data may be shared with third parties unknown to the consumer. Generally speaking, once location data are shared with a non-carrier, consumers have a limited ability to know about or influence the data's use.

Third parties that receive shared location information may vary in the levels of security protection they provide. If any of these entities has weak system protections, there is an increased likelihood that the information may be compromised. According to the congressional testimony, privacy notices rarely differentiate between first- and third-party data uses and generally do not reveal specific business partners such as advertising networks, thus making it difficult for consumers to understand privacy risks. Because consumers do not know who these entities are or how they are using consumers' data, consumers may be unable to make meaningful choices and judge whether they are disclosing their data to trustworthy entities.

Tracking consumer behavior

When mobile location data are collected and shared, users may be tracked for marketing purposes without their consent. Since users often carry their mobile devices with them and can use them for various purposes, location data along with data collected on the device may be used to form a comprehensive record of an individual's activities. Amassing such data over time allows for the creation of a richly detailed profile of individual behavior, including habits, preferences, and routines — private information that could be exploited. Furthermore, since non-carriers' use of location data is unregulated, these companies do not have to disclose how they are using and sharing these profiles. Consumers may believe that using these personal profiles for purposes other than providing a location-based service constitutes an invasion of privacy, particularly if the use is seen as contrary to consumers' expectations and results in unwanted solicitations or other nuisances.

Identity theft

Identity theft occurs when someone uses another person's personal or financial information to commit fraud or other crimes. When sensitive information such as location data is disclosed, particularly when it is combined with other personal information, criminals can use this information to steal identities. The risk of identity theft grows whenever entities begin to collect data profiles, especially if the information is not maintained securely. By illicitly gaining access to these profiles, criminals acquire information such as a user's name, address, interests, and friends' and co-workers' names. In addition, a combination of data elements — even elements that do not by themselves identify anyone, such as individual points of location data — could potentially be used in aggregate to discern the identity of an individual. Furthermore, keeping data long-term, particularly if it is in an identifiable profile, increases the likelihood of identity theft.

Personal security

When mobile location data are collected and shared, users could be put at risk for personal threats if the data are intercepted by people who mean them harm. This is a potential concern for those people who do not want specific individuals to know where they are or how to find them, such as victims of domestic violence. Location data may be used to form a comprehensive record of an individual's movements and activities. If disclosed or posted, location data may be used by criminals to identify an individual's present or probable future location, particularly if the data also contain other personally identifiable information. This knowledge may then be used to cause harm to the individual or his property through, for instance, stalking or theft. Access to location information also raises child safety concerns as more and more children access mobile devices and location-based services. According to the American Civil Liberties Union (ACLU), location updates that users provide through social media have been linked to robberies, and GPS technology has been involved in stalking cases.


Surveillance

Law enforcement agencies can obtain location data via court order, and such data can be used as evidence. However, according to a report by the ACLU, law enforcement agents could potentially track innocent people, such as those who happened to be in the vicinity of a crime or disturbance.[13] For example, the ACLU reported in 2010 that Federal Bureau of Investigation agents investigating a series of bank robberies sought the records of every mobile phone that was near each bank when it was robbed. Furthermore, law enforcement agencies access location data frequently, access that could add to concerns about the potential for misuse. For example, in May 2012, Sprint-Nextel reported that it had received over 196,000 court orders for location information over the last 5 years.

Users generally do not know when law enforcement agencies access their location data. In addition to information related to a crime, the location data collected by law enforcement may reveal potentially sensitive destinations, such as medical clinics, religious institutions, courts, political rallies, or union meetings.


  1. Mobile and Privacy: Privacy Design Guidelines for Mobile Application Development, at 2.
  2. Pub. L. No. 106-81 (Oct. 26, 1999).
  3. The AMBER alert system broadcasts details about local child abductions over area television and radio stations, on highway signage, and, potentially, through other channels. The goal of the system is to enlist the public's help in child recovery efforts.
  4. Fed. R. Crim. P. 41.
  5. 18 U.S.C. §§ 2701-12.
  6. 18 U.S.C. § 3121. The Pen Register and Trap and Trace Statute allows law enforcement to obtain prospective non-content information associated with communications.
  7. Pub. L. No. 103-414 (Oct. 25, 1994).
  8. 18 U.S.C. § 2702.
  9. Beyond Voice: Mapping the Mobile Marketplace, at 15.
  10. Mobile Device Location Data: Additional Federal Actions Could Help Protect Consumer Privacy, at 18 n.21.
  11. In-car Location-based Services: Companies Are Taking Steps to Protect Privacy, but Some Risks May Not Be Clear to Consumers, at 12.
  12. In the case of mobile carriers, the secondary usage of location data obtained for mobile telephone service is regulated by the FCC's CPNI rules, which state that, unless a disclosure is required by law or approved by the customer, telecommunications companies may use, disclose, or permit access to CPNI in order to support their telecommunications services. 47 C.F.R. § 64.2005.
  13. Location-Based Services: Time for a Privacy Check-In.