Industry Efforts on SPOIs and NAI Summit Key Findings

By Gerald Smith / 9 minutes

← Resource Center Home

The NAI Summit on May 15-16 in New York provided a valuable opportunity for the industry to gather and take stock of all that has changed and what changes are coming in a busy year for privacy legislation and enforcement. Specifically, the wave of states deeming precise geolocation data as ‘sensitive data,’ coupled with the proposed American Privacy Rights Act (APRA) at the Federal level, are top of mind for ad tech companies that collect geolocation data, as well as those upstream and downstream in the data supply chain. Cuebiq was fortunate to participate in a panel entitled “Leading the Way with Location Data,” where we discussed Cuebiq’s participation in the NAI’s efforts to provide safe and workable guidelines that enhance protections around location data.

While the SCOTUS decision in the Dobbs case brought a great deal of attention to the location data industry, that was not the beginning of the study of avoiding data collection from sensitive locations by those companies interested in self-regulatory solutions. Waiting for legislation to address the public concerns raised by Dobbs wasn’t a viable option for companies seeking clarity and to bolster precise location data controls ahead of forthcoming legal requirements. On June 22, 2022, the NAI announced the release of the Precise Location Information Solution Provider Voluntary Enhanced Standards. The Enhanced Standards create restrictions on the use, sale, or transfer of location data correlating to Sensitive Points of Interest, which include places tied to religious worship, sensitive healthcare services, military bases, LGBTQ+ identity, and other places. It also limits the use, sale, or transfer of Precise Location Information for law enforcement, national security, or bounty-hunting purposes except as needed to comply with a valid legal obligation. Participating companies (including Cuebiq, a charter member) have voluntarily committed to go above and beyond the existing legal and industry standards for handling consumer location data.

Currently, only two companies beyond Cuebiq have signed on to the NAI Enhanced Standards. Still, it was apparent at the NAI Summit from both panel discussions and informal side conversations that many other companies are considering joining the Standards as collective efforts to address the sensitive point-of-interest issues reach critical mass. As announced at the Summit, the Enhanced Standards are undergoing further review in 2024 to clarify the path to compliance and encourage more widespread adoption. It is encouraging to see companies along the value chain take notice and want to help improve the industry on this topic. While it impacts precise location data providers most directly, there are no siloes in ad tech. Brands, agencies, and other data consumers have a role to play as well. Ensuring that the location data you or your client works with is sourced ethically and compliant is not just a nice thing to have. Regulators expect less talk and more action, evidenced by recent Federal Trade Commission consent orders in the ad tech industry. In at least two recent instances, the FTC has imposed requirements on data collectors to remove data associated with sensitive locations and implement controls preventing future collection of sensitive location data. A review of those orders next to the Enhanced Standards reveals significant overlap in the categories of locations deemed sensitive. What started as voluntary self-regulation is now being extended into mandatory compliance. This is a hallmark of well-crafted self-regulation in that it addresses the issue head-on rather than attempting to creatively side-step the hard parts of compliance.

Let’s be clear – compliance and data protection don’t stop with the creation of standards and best practices. If anything, self-regulatory standards are a billboard letting the public know how we do things. Each company is responsible for actually executing on its obligations, which means 1) identifying sensitive locations, then 2) restricting data association with those locations and 3) maintaining the system up-to-date. By way of reference, when we say ‘sensitive locations’ in the Enhanced Standards, we are referring to these:

  • Places of religious worship
  • Correctional facilities
  • Places that may be used to infer an LGBTQ+ identification
  • Places that may be used to infer engagement with explicit sexual content, material, or acts
  • Places primarily intended to be occupied by children under 16
  • Domestic abuse shelters, including rape crisis centers
  • Welfare or homeless shelters and halfway houses
  • Dependency or addiction treatment centers
  • Medical facilities that cater predominantly to sensitive conditions, such as cancer centers, HIV/ AIDS, fertility or abortion clinics, mental health treatment facilities, or emergency room trauma centers
  • Places that may be used to infer refugee or immigrant status, such as refugee or immigration centers and immigration services
  • Credit repair, debt services, bankruptcy services, or payday lending institutions
  • Temporary places of assembly such as political rallies, marches, or protests, during the times that such rallies, marches, or protests take place
  • Military bases

The biggest challenge in adopting and complying with a standard like this is not agreeing that it’s the right thing to do – that’s the easy part. The real challenge is identifying these sensitive locations first. Places of business open/move/close daily. While companies that provide location intelligence are typically experts in finding commercial locations that match their clients’ brands or markets, that operation is orders of magnitude different when attempting to identify every location on the map that a device could possibly visit in order to pre-screen the sensitive stops. Much discussion was had at the NAI Summit about how some companies would happily join the Enhanced Standards if an official list of sensitive locations existed that they could leverage. Unfortunately, no such list currently exists, so companies seeking to comply must create their own internal list of locations. While the efforts are valiant, maintaining consistency of compliance across the industry will be exceedingly difficult if each participant is left to create their own list. This is where we would benefit collectively from partnering with stakeholders outside of the ad tech industry to address the issue together.

One approach that many companies currently use as a starting point is the US Census Bureau’s North American Industry Classification System, commonly known as ‘NAICS codes’. This allows a large area to be covered quickly, but the NAICS codes are designed to cast a wide net and do not provide location-by-location granularity for some of the sensitive categories. One particularly difficult example involves medical treatment facilities that are not listed as traditional doctor/medical offices. For example, weight management centers are often run by doctors and provide healthcare services but may not appear on traditional doctor/hospital office lists. In order to confidently comply with restrictions on their association with location data, manual research is necessary.
Since no database exists of ‘sensitive locations’ that the industry can utilize for screening, and any list of that nature would need regular updates as locations change, players in these industries are in the best position to assist with their identification. An example of one way forward is continued In President Biden’s recent Executive Order 14117, where sensitive military locations were highlighted as a category of locations that need to be screened in some circumstances to prevent their transfer to U.S. adversaries. The government has committed to providing a list of sensitive military locations for compliance purposes. This makes sense, as they would have better and fresher information on the nature of these locations. Why shouldn’t this approach be leveraged for all sensitive businesses?

The NAI Enhanced Standards represent a tangible step forward for our industry, as evidenced by citations from journalists and regulators and the many companies that are interested in its adoption. There is a general agreement on what constitutes a sensitive location at a category level that should fit nearly all use cases, but the challenge remains in identifying and maintaining a dynamic list of specific locations. Seeking an agreement with shared accountabilities between regulators and companies on how to build, maintain, and distribute a centralized list of locations seems to be the most effective way forward to rapidly enhance the status quo.

In short:

  1. The NAI Enhanced Standards are seen as a positive step by journalists, regulators, and companies.
  2. There is agreement on the types of sensitive locations (religious sites, healthcare facilities, etc.), but identifying specific locations is a challenge.
  3. Collaboration between regulators and companies to build a central list of sensitive locations is seen as the best solution.

Instead of having location data providers conduct independent fact-finding missions, let’s break new ground together. Cuebiq is committed to responsible data practices and industry collaboration. Contact us today to discuss how we can work with you to develop a privacy-centric location data strategy that protects consumers while empowering your business.

About the Author

Gerald Smith, VP, Privacy

Gerald has been building and leading global privacy and risk-management programs in the financial, automotive, and tech sectors for over a decade. He received his bachelor’s in Economics from the University of North Carolina and his law degree from Chapman University. He is an IAPP Fellow of Information Privacy.