COVID-19 raises the stakes for location tracking
The COVID-19 crisis led some governments to launch phone apps with geolocation tracking to trace an individual’s contacts, and to determine whether they are complying with quarantine and social-distancing directives. Tracking individuals has helped some countries limit the spread of the virus, but a Guardsquare security analysis of 17 government tracking apps found the “vast majority” are easy for hackers to breach.⁴
Human rights groups are concerned these apps are too invasive and could be used beyond the pandemic. For example, Norway’s Data Protection Agency banned its country’s tracking app after determining it collected far more data than needed.⁵
Businesses are also exploring new technologies to protect the health of their employees, using smartphone apps, cameras or wearable Bluetooth devices to monitor employee movement at work. If an employee tests positive for COVID-19, the company can quickly identify employees who came close to the infected worker. While many countries allow employers to track employees during work hours, privacy advocates fear surveillance could be extended around the clock and continue long after the crisis ends.
The pandemic has also raised privacy concerns around employee health data. A survey by the published in May 2020 found nearly a quarter of businesses have taken their employees’ temperatures and 60% keep records of those diagnosed with COVID-19. Nearly one in five provided the names of COVID-19-positive employees to other staff or government authorities, contrary to the advice from the European Data Protection Board.⁶
Privacy regulations aim to control location tracking
The rising interest in protecting privacy has led to new regulations around the world. One of the most influential statutes, the EU’s General Data Protection Regulation (GDPR), treats location data as personal data. This means users must specifically and freely agree to location tracking, rather than opting out.
Location tracking is also addressed by the California Consumer Privacy Act (CCPA), which the state began enforcing in July 2020. Under the CCPA, California residents can opt out of having their personal information, including geolocation data, sold to third parties. While the law covers only state residents, many large firms are extending its rights to all Americans. California’s Attorney General estimates businesses will spend more than US$55 billion to comply with the CCPA.⁷
Addressing privacy risks from location tracking requires cross-functional collaboration
Addressing privacy risks related to location tracking goes beyond the scope of legal and compliance departments. It requires flexibility and agility as organizations respond to fast-evolving technological and regulatory environments. Cross-functional collaboration is essential.
Legal and compliance professionals should take the lead in working with other functions — particularly IT departments — to help them identify, monitor and mitigate risks. Talent management should focus on employee education and communication so that, when used, location tracking doesn’t compromise employees’ privacy and its objective is well-understood by employees. Information security and technology professionals need to stay on top of the rapidly evolving technologies to understand their impact and potential risks. Above all, privacy by design should be woven into the organizational culture.
Businesses need to keep privacy concerns in the forefront as they develop products or services that involve location tracking features. If not managed well, location tracking can become a huge liability that runs the risk of regulatory noncompliance, lawsuit, reputation damage, employee discontent and revenue loss. If managed well, location tracking can enhance product capability, boost service delivery, and protect employees and the organization.
Key takeaways
Location tracking is becoming an important privacy concern, as it is increasingly used in many software applications that dominate our daily personal and business lives. The COVID-19 pandemic has heightened the issue as governments and organizations race to contain the spread of the virus. Businesses that hastily made operational changes during the pandemic, such as tracking employee movements or sharing personal health data, need to carefully evaluate their impact on privacy.
Compliance professionals should work collaboratively across the enterprise to mitigate risks around location tracking, whether the business markets data to other businesses or the organization performs location tracking on employees for internal purposes. These risks can result in regulatory and legal actions, data breach, diminished employee morale and privacy concerns, as well as damage to the brand.
Adhering to data privacy regulations can be expensive and challenging. But businesses that manage location tracking activities transparently and securely will discover a competitive advantage as privacy protection becomes more important for both consumers and employees. We may love our phones, but we don’t want them spilling our secrets.