Anyone who's opened a new app lately has seen a location- tracking pop-up that reads something like, "Allow app to access this device's location?" Most people tap "Allow" on the assumption that it's necessary for the app to do its thing—to hail a ride, find nearby restaurants or forecast the weather. And then they forget about it.
In reality, the app might not need location data in order to work. But its business partners do, and so do its partners' partners. In fact, making money off otherwise unnecessary location tracking may be the main reason that the app was developed in the first place. And many companies treat consumers' initial "Allow" as a blanket opt-in for a range of later data uses.
"That's the question: How many degrees does your opt-in extend?" asked Cree Lawson, CEO and founder of Arrivalist, a firm that relies on location data.
"The consumer may feel as if they're being asked whether they want to use that app or not. The consumer may not perceive that they're opting in to sharing location with the app developer's partners' partners."
The widening chasm between consumer consent and what happens next could invite a backlash against the booming business of applying location to marketing. The uses of consumers' movements have already gone beyond consumers' expectations. But not even the practitioners of the craft always know exactly where their data originates, or how.
Marketers, ad exchanges, data aggregators and ad service providers are generally aware that some location data comes directly or indirectly from mobile apps, but an attempt to trace the connections back to specific apps exposes an increasing lack of control coupled with willful ignorance.
"It's such a hodgepodge of different business models and practices, and that creates risk because you don't know what your partners are doing," said Jules Polonetsky, CEO of the Future of Privacy Forum, a Washington, D.C., think tank primarily funded by companies such as AT&T, Facebook and Bank of America. The organization develops guidelines for industry self-regulation and has an ad-and-location practices working group that meets monthly.
The Twitter-management app UberSocial and the charity-donation app Give2Charity are among countless apps whose publishers harvest and distribute location data on their users. Many more location-data dealings happen in the shadows, and most of the app publishers and the companies they provide data to are reluctant to reveal those relationships.
While most mobile app publishers gathering location data require user consent to pass muster in the App Store and Google Play Store, there typically is no notification that the location information is being transferred—albeit in anonymized forms—to hundreds of virtually invisible tech partners. Today there are no regulations or laws in the U.S. requiring these notifications.
"In terms of this increasingly complex ecosystem that's being built around geolocation data and marketing services, consumers are usually left in the dark about them," said Claire Gartland, consumer protection counsel at the Electronic Privacy Information Center.
Consumers' movements find their way into marketers' work over a variety of routes, usually starting with mobile apps. With certain exceptions, however, the third-party firms interviewed for this story would not or could not name the apps from which that data comes.
Two location-data firms, UberMedia and Placed, would identify a few: the ones they own and operate. UberMedia provides mobile ad targeting, ad attribution services and market intelligence reports. It gets data from its Twitter-management apps such as UberSocial and Echofon and undisclosed app publishers as well as another kind of source: ad exchanges.
When an app puts out a call to a mobile ad exchange to fill an ad space, it describes its available inventory with data points that can include latitudinal and longitudinal coordinates, or even more precise locations.
The legal permissions for using that data "are between the app owners and the exchange," said Michael Hayes, chief revenue and marketing officer at UberMedia.
Mr. Lawson's Arrivalist gauges mobile ad effectiveness by determining whether mobile devices present in a given locale were previously served tourism ads for it. Arrivalist gets the location data from a variety of firms, such as Digital Element, a company that compiles data from sources including mobile ad exchanges such as Google AdX. Like most players in the location-data realm, the company would not name specific apps at the root of the data it uses.
AdX guidelines state that firms with ad buyer licenses such as Arrivalist are permitted to use data showing a precise device location solely for purposes related to enabling that ad. Mr. Lawson said Arrivalist only uses city- and state-level data from Google, not precise location information.
Placed operates charity-donation app Give2Charity and Panel App, which gives premium in-app features, gift cards or charity donations to users in exchange for responding to surveys. Placed also compiles location data from its apps and those of mobile app partners to measure the impact of ad campaigns on consumer store visits.
And a company called NinthDecimal builds audiences for ad targeting using location data bought from mobile apps and develops user profiles based on locations associated with mobile ad exchange bid requests. Though the company said it derives data from 40,000 apps, it would not name any of them. "There is not one that makes a better example than another," said Todd Rose, senior VP-business and corporate development at NinthDecimal.
It's common for third-party ad services and data firms to get location data via ad exchanges, but it's less common for them to discuss the practice or reveal the app origins of the data. Why? Sometimes they simply have no way of knowing where the information comes from. For one thing, agreements with app publishers may require that specific apps not be named. Also, data compilers often do not include the names of apps in the location-data feeds they send to third parties.
"The way the data is structured, it's not that they have to go out of their way to obscure this data," said a mobile data exec who asked not to be named. "Rather, they would have to intentionally choose to include it and none of them feel compelled to."
And it's a business risk for data compilers to reveal app publisher partners, said the anonymous source. "If the location-data licensee knew the name of the app then they could conceivably go direct and cut out the intermediary," he said.
In the end, companies that pull location data secondhand from ad exchange bids are reluctant to admit it, in part because they fear that exchanges might begin concealing those data points.
Like most of its competitors, NinthDecimal labels the audience profiles it creates with individual IDs and removes personal information. According to Mr. Rose, the company's ability to store data to build profiles is dependent on the rights it negotiates with each of its partners.
"Where the industry can go further is clarity on the fact that location data that's being collected is also being shared with third parties," said Mr. Rose.
The opt-out conundrum
NinthDecimal requires its app publisher partners to include information about data sharing in their privacy policies and encourages them to display it when the apps are first opened. "I believe there are those [NinthDecimal partners] that are doing that, but I couldn't tell you what percentage," said Mr. Rose.
The sway that location-data compilers have over their sources varies. When NinthDecimal receives bulk data feeds through direct relationships with app publishers, "that becomes an easier scenario to push for and agree on those notification procedures," said Mr. Rose. On the other hand, when the firm gets data through ad exchanges, NinthDecimal is one of multiple demand-side partners that could end up with the location data, and thus has less control.
When it comes to consumer-facing apps, people can alter their location-tracking permissions in their device settings, often able to choose among never allowing it, allowing it while the app is in use and allowing it around the clock. There are those apps that need to locate consumers to work, but most don't absolutely need location access all the time.
They just want it.
"Allow Foursquare to access your location even when you are not using the app?'" consumers are asked when they open that app for the first time. "Foursquare needs your location to help you find nearby places you'll love."
Those who agree are told they can change their answer at any time in Settings.
The company's apps partly use so-called background location-data collection to better understand the types of places users frequent in order to produce more relevant suggestions for nearby places to visit, said Foursquare President Steven Rosenblatt. "You're not extracting the value of it if you're not allowing that persistent data collection," he added.
Foursquare also just introduced an ad attribution service that employs both the data from direct user check-ins at physical locations and location data gathered passively from people who tap "Allow" in that first dialog box.
As with most firms offering location-based data services, the information used by Foursquare for ad targeting and ad attribution measurement is anonymized and used in aggregate as opposed to being personally identifiable. Foursquare does not share the data with third parties.
Unlike Foursquare, the bulk of location-data harvesters are faceless companies that consumers have never heard of, such as Arrivalist, NinthDecimal, Placed and countless others. It's not so obvious to consumers that they can opt out from tracking, data collection, ad targeting and ad measurement by these lesser-known firms.
People can opt out from NinthDecimal via the AdChoices icon included in all its ads. Opting out means the company purges data associated with a user's device from its system and will no longer use data from that device. While the process also includes notifying NinthDecimal's app partners about the opt-out, it does not alter how those apps share or use data related to that device with other third-party partners.
Most mobile app privacy policies only make "very oblique reference to third parties," said Ms. Gartland of the Electronic Privacy Information Center. She and other staff at EPIC "really believe that the default settings should be requiring consumers to opt in to all this data collection and sharing," she said.
While UberMedia has a specific link at the bottom of its website to opt out from app-related tracking, that page tells mobile device users to go to the Apple or Android website and follow directions to limit ad tracking, rather than allowing them to opt out directly from the company site.
A variety of other means for tracking and collecting location data via mobile apps have become prevalent. Beacons and proximity sensors are multiplying in physical locations such as shopping malls and sports arenas across the globe. Retailers and other businesses use the sensors to track customer footpaths, measure whether people lingered in a certain department or near specific products, gauge how long fast-food restaurant wait times are, and track whether people who saw sports auditorium sponsor messages visited that sponsor's location.
According to a report this summer from proximity sensor research provider Proxbook, based on self-reporting by companies in the location business, the number of proximity sensors placed in physical spaces worldwide rose to about 8.3 million, up 33% from a report just three months prior.
Beacons and similar sensors connect with mobile devices through apps that feature technology that can communicate with those sensors. As these proximity detectors proliferate, there is a growing number of apps that speak to them. However, as with other forms of mobile app location-data collection, notification to consumers is limited. There are no regulations in the U.S. requiring businesses to post signs notifying customers of the presence of proximity sensors.
"I think it would be a surprise for consumers to understand the wide range of ways their location is being used for a wide range of purposes," said Mr. Polonetsky, CEO of the Future of Privacy Forum.
The Future of Privacy Forum operates an opt-out system for companies gathering location data via Wi-Fi and proximity sensors, but it's laborious for consumers. People who visit Smart-Places.org must enter the Wi-Fi and Bluetooth MAC addresses associated with their devices to opt out from tracking by participants. And even though Proxbook counts more than 300 "proximity solution providers," the Future of Privacy Forum lists just 11 firms participating in its opt-out program.
Last year, the Federal Trade Commission announced a settlement with Nomi Technologies, a small New York firm that was acquired by retail analytics company Brickstream in 2014. Nomi gathered mobile-device IDs through merchants' Wi-Fi networks or proximity sensors as people entered stores. The agency alleged that Nomi misled people by saying they could opt out from its tracking technology in stores when no opt-out tool was actually available.
"It's become increasingly clear that the FTC requires opt-in consent for the tracking of location data and I hope to see them taking that and applying it to beacon technology," said Ms. Gartland from EPIC.
The precision that proximity sensors and beacons can deliver "should be much more clear to consumers," she added, "because I don't think many at all understand that that's happening."
Earlier this year the FTC sent another signal to location-data trackers that it could continue pressuring the industry. The commission said mobile ad firm InMobi had followed device locations even when people, sometimes children using apps geared toward kids, disabled tracking or never consented via a particular app in the first place. The FTC alleged that InMobi violated the Children's Online Privacy Protection Act by tracking IDs of devices associated with children, which are considered to be personal information according to a 2013 COPPA rule update.
"We could be legislated out of business so we have to be super careful about COPPA compliance," said David Dague, CMO at Gravy Analytics, a location-data firm backed by funding from Gannett.
The $950,000 FTC settlement with InMobi "should be a real wake-up call to the industry," said Mr. Polonetsky.
The commission has bolstered its technology staff dedicated to researching potential violators of privacy regulations, he added. "The FTC now has a pretty detailed tech lab that has dozens of forensic tools," he said.