Proposed NYC law would ban sharing of location data within the city

  •   July 26, 2019

Third party data is increasingly under threat. As one case-in-point, a bill introduced this week would amend the New York City administrative code to prohibit the transfer or sharing of consumer location data with third parties within city limits.

In other words, the party that collects or captures the data, even with opt-in consent or not, could not share it with another entity. It appears to be a very bright line.

Would not impact first parties. The proposed law would not eliminate use of location for ad targeting and offline attribution; first party platforms and publishers could still do these things. But it would impact data brokers, MarTech platforms, agencies and the programmatic ecosystem, which relies on the free flow of third party data.

The bill is explicitly directed at telecom companies and mobile apps that capture or have access to user location. It’s designed to protect consumers who may not be aware their location data is being shared. But this law would appear to not make an exception for opt-in consent to sharing.

Each violation worth $1,000. Violations would bring $1,000 in penalties per incident, up to a maximum of $10,000 per day. New York City’s Department of Information Technology would enforce the law but individuals would also have a right to sue and collect damages.

The bill provides for a number of exceptions, including for selected law enforcement use cases and for other first responders. It would take effect 120 days after being signed into law.

Passage not guaranteed. The bill still faces a number of hurdles and its passage is not a forgone conclusion. Technology and advertising interests will probably seek to block or dilute the bill before passage. And even if passed, it would almost certainly face legal challenges. But the genie is out of the bottle. We may see similar rules proposed in cities — and potentially states — across the country in the coming months.

Google and Facebook won’t be impacted. Google and Facebook would not be affected because they can collect and use location data for targeting and attribution within the closed environments of their platforms. They are first parties.

Just as they have not really be harmed by GDPR, Google and Facebook would fare better than other entities that rely on the third party data ecosystem. Indeed, programmatic ad networks would probably be prevented from targeting ads any more precisely than New York City. It’s unclear if even that level of user location targeting would be allowed.

Why we should care. Assuming the law passes, there are some unanswered questions. Among them, will advertisers or agencies (or tools used by agencies) be blocked from accessing location data regardless of the ad platform? In other words, Google and Facebook could use location but would reporting that out to customers violate the law?

The more local and state rules there are that seek to govern privacy and data security the more these jurisdictions make the case for a uniform federal law and preemption. Paradoxically, these local laws are appearing precisely because there’s no new privacy rules at a national level. And it’s unlikely we’ll see any before the 2020 elections.