Lawmakers in Massachusetts are considering a bill that would place a near-total ban on the selling, buying, renting or trading of location data from any consumer’s mobile device. Additionally, law-enforcement agencies would need to obtain a warrant to access the information.
If passed, the Location Shield Act would outlaw “selling, leasing, trading, or renting location data” across Massachusetts and would force companies to get consent if they even wanted to collect or process such data. The shield would apply to any individual within the state, whether they are residents or not.
Companies that do not comply with the regulations would face state legal action via the Massachusetts Attorney General’s office and would also open themselves up to class-action litigation.
Tracking user data
Once someone crosses over the Massachusetts state line, even politicians and law-enforcement officials would not be able to track user data without a warrant, or unless they are responding to an imminent threat to human life.
The law would make Massachusetts the first state to completely ban the sale of this sort of data. A few other states (such as Vermont and California) have attempted to regulate the use of that data with laws, but they have been less sweeping – requiring data brokers to obtain a consumer’s consent and to have only restricted data sales.
Since Democrats have a supermajority in Massachusetts’ House and Senate, the bill is considered likely to become law.
As those advocating for the law have stressed, a critical component of the bill is to protect vulnerable people, such as women who travel to Massachusetts for reproductive healthcare, such as abortions, and for people seeking gender-affirming care of any kind.
“Every day, unregulated data brokers buy and sell personal location data from apps on our cellphones, revealing where we live, work, play, and more.”
ACLU of Massachusetts
Ever since federal protections for abortion were abolished at the federal level by the US Supreme Court, the issue of data privacy has been front and center for rights advocates who fear that digital evidence of all sorts (including, potentially, data of the kind that the Shield Act tackles) may be used to prosecute people for breaking such laws.
A number of rights groups, including the ACLU and Planned Parenthood, have advocated for the adoption of the Shield Act, since Massachusetts is a safe haven state for out-of-state patients who travel there for such care and who may inevitably leave some digital footprints behind that could be used against them. (This is possible to do legally since the federal Health Insurance Portability and Accountability Act (HIPAA) privacy law does not cover apps, websites, data brokers, social media companies, and other actors that do not have business relationships with covered entities.)
“Every day, unregulated data brokers buy and sell personal location data from apps on our cellphones, revealing where we live, work, play, and more. To protect our privacy, safety, access to abortion and other essential health care, Massachusetts needs to ban this practice now by passing the Location Shield Act,” the ACLU said in a statement.
Data brokers and the ADPPA
As Justin Sherman, a fellow at the Atlantic Council’s Cyber Statecraft Initiative and research fellow in the Tech, Law & Security Program at American University’s Law School, testified in a congressional hearing on the subject, the unregulated realm on data brokers is a huge privacy threat affecting hundreds of millions of Americans.
US data brokers surreptitiously gather and sell personal information ranging from people’s mental health conditions to their income and credit score, political affiliation, and smartphone locations. For example, data broker Acxiom advertises that it has the ability to help businesses reach over 2.5 billion people worldwide.
Health insurance companies, financial institutions, marketers, law enforcement agencies, and just run-of-the-mill scammers can buy these prepackaged data sets to profile, track, and target the people in them.
In June 2022, the American Data Privacy and Protection Act (ADPPA) was introduced in Congress and received strong bipartisan support, but has been held up in committee since then. Debates about a newly introduced version are ongoing.
The proposed ADPPA has data minimization, individual ownership, and a private right of action as its main principles, and the burden of evaluating each organization’s programs would fall to the organization.