Thoughts about location data privacy and consent
Lucas Martins, Incognia CSO, shares insights and perspectives on ensuring data protection and privacy for data collected for fraud prevention
If a mobile app collects user location data specifically to protect the user against fraud, does it require user consent?
First of all, it is important to go over basic concepts and differences between consent, legitimate interest, and location permission. Consent for data collection is different from location permission by the user. Consent is connected to laws and regulations, and that comes first. Location permission comes second, and it is connected to the operating system, usually iOS and Android, and the mobile app requesting the data.
Consent is a legal basis to collect and process data. It is part of a regulation that was created to protect the user and build a common basis around data privacy. Companies that are obliged by the regulations to ask for user consent should:
- Have proof of such explicit and clear request and proof of free user consent
- Make it easy for users to opt out
When a company requests data based on consent, they are still responsible for the data collected regardless of user consent. It is a common misconception that the user is responsible for their shared data and companies are covered by users giving their consent. Based on this incorrect view, they often request and collect a lot more data than needed, since users are accustomed to not reading long policies, and checking boxes as fast as possible when registering at a new service. In this context, the companies must adopt measures to guarantee the transparent processing of personal data and respect all the corresponding obligations to processing data based on consent.
Legitimate interest is another legal basis to collect user data and does not require consent. So if the purpose for data collection falls under legitimate interest, user consent is void. Incognia clients are not required to ask for user consent to collect their data, since under GDPR fraud prevention is considered to be in the users’ best interest, or as described in the regulation, legitimate interest.
At first glance, to the untrained eye, it may seem that legitimate interest is fragile in terms of privacy and makes the user the weaker link, but that is not the case. Legitimate interest makes the data collector/controller responsible for the user data, and there is a lot of responsibility in that. Companies whose data collection purpose falls under legitimate interest will have to justify to authorities which user data they are collecting and why. They should provide a Legitimate Interest Assessment (LIA) to confirm whether this legal basis is the best one to justify the data processing, as well as to ensure that the data subject’s fundamental rights and liberties are not infringed upon.
They must also provide a Data Protection Impact Assessment (DPIA), which identifies and minimizes risks for users and also explains the importance of the data collection and the protections the company has for user data.
Usually, companies that rely on legitimate interest undergo audit processes that are more rigorous than those for companies relying on user consent.
Many companies design products that go beyond the regulatory requirements to protect user privacy. This is the case not only for Incognia, but also for operating systems such as iOS and Android. Even if, under the regulation, data such as location could be collected without user permission, both operating systems still prevent user location data from being shared without it, since by design, mobile apps operating on those platforms will only collect location data if the user gives permission. Furthermore, it is important to highlight that the location permission is a matter of transparency and not of consent, since the legal basis that justifies this data processing is legitimate interest and not consent.
So, regardless of legitimate interest, location permission will have to be given by the user to collect location data. The user has to choose to share their location data because of the way mobile operating systems are built.
If mobile operating systems give users the choice to not share their location, how does Incognia work for fraud prevention when location is not shared? How does Incognia collect data if a fraudster does not share it?
Incognia works well when location is shared in the foreground, but even better when it is shared in the background. But even if location is not shared, because of legitimate interest, Incognia still uses other pieces of data from the device which help in Incognia’s risk assessment. This data includes whether the mobile device has been jailbroken or is running in an emulator, which can be indicators of a higher risk of fraud.
It is also important to note that Incognia does not collect any type of data. To understand why, it is important that I talk about a clear distinction between two stakeholders in the process, according to GDPR: the data controller and the data processor.
The data controller is responsible for how and why the data is going to be collected and used. The data is the responsibility of the data controller, even if a third party (a data processor) works with the data.
The data processor processes data on behalf of the controller. The processor does not collect or own the user data, and it also cannot use the data for any purpose other than the one it was collected for. So, if by legitimate interest a data controller gathered user data for fraud prevention purposes, the processor can use that data solely for fraud prevention purposes.
Since Incognia is the data processor, our clients are the ones collecting data and act as data controllers. We only process that data and learn about their users so that we are able to make our risk assessment, which helps keep their legitimate users safe.
Transparency is essential to protecting user data and ensuring compliance with regulations. In this context, considering that location permission is a tool to achieve this transparency, what are the best practices to acquiring user location permission?
The best practices below are our recommendations for our clients, the ones actually collecting the data. These recommendations not only favor users, since they make it easier for them to learn more about the data they are sharing, but also favor the companies collecting data, since they abide by the regulations and also get a higher number of users granting permission to share their data, because those users are interested in doing so.
- Explain as clearly as possible, in the location permission screen, what data you are asking for and what you will do with it
- Mobile apps should request location permission at the moment the user will use functionality for which the data request is relevant, such as a ride-hailing app asking for location data at the exact moment the user requests a ride. It makes sense for the user at that specific moment, since they want to be found by the driver. If it makes sense to the user, not only is it in the user’s best interest to share that information, but it also increases the chance they choose to share it. In the case of a mobile app using Incognia with zero-factor authentication for fraud prevention, it would be most beneficial to the user for the location permission request to be at the time of the first login. In the case of using Incognia for international address validation, the request should be made during the onboarding process, right after the user fills in a field with their home address.
How does Incognia protect user privacy and PII?
Location data is user information and is by definition Personally Identifiable Information (PII), since, when combined with other information, it could be used to identify a user.
At Incognia we make sure location data is isolated from any other types of PII. The only PII we have in our database is location, nothing more. We intentionally do not collect any other PII. While our clients may store user PII, at Incognia we make no connection between the location data we collect and any other user PII. Not only do we not know who the users of our customers are, but we make sure it is not possible to connect the location data we collect about such users to other PII.
To be able to share results with our clients, we generate an ID, which is a number for the device connected with the location data. This ID is used only for matching the risk results with a device, and we can't reverse this ID to identify the customer. To protect that ID, Incognia also applies pseudonymization, cryptography, and hashing techniques. We study and create our own anonymization and pseudonymization techniques and follow the highest industry standards as well.
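As an added illustration (not Incognia's own code or technique), one way to build such a non-reversible device ID and keep a location store free of other PII: a keyed hash (HMAC-SHA256) whose key is held apart from the data, a record builder that rejects non-location fields, and a re-identification check showing why an unkeyed hash of a guessable identifier is not enough. All names, field sets and the demo key are constructed for this example.

```python
import hashlib
import hmac

# Only these fields may enter the location store; any other key is treated
# as PII that must not be joined to location data.
ALLOWED_FIELDS = {"lat", "lon", "accuracy_m", "ts"}

# Constructed demo key. In a real deployment the key lives apart from the
# location database (e.g. in a KMS or HSM), so a leaked table alone cannot
# be matched back to raw device identifiers.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def device_pseudonym(raw_device_id: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of a raw device identifier: stable for the
    same device, so risk results can be matched back to it, but not
    invertible and not confirmable by guessing without the key."""
    return hmac.new(key, raw_device_id.encode("utf-8"), hashlib.sha256).hexdigest()


def unkeyed_pseudonym(raw_device_id: str) -> str:
    """Plain SHA-256, included only to contrast with the keyed version."""
    return hashlib.sha256(raw_device_id.encode("utf-8")).hexdigest()


def make_location_record(raw_device_id: str, key: bytes, **fields) -> dict:
    """Build a record holding only the pseudonym plus location fields."""
    extra = set(fields) - ALLOWED_FIELDS
    if extra:
        raise ValueError(f"non-location PII rejected: {sorted(extra)}")
    return {"device_pseudonym": device_pseudonym(raw_device_id, key), **fields}


def reidentify(stored_pseudonym: str, candidate_ids, key: bytes = None):
    """Privacy check modelling someone who holds the table. Without the key
    they can only hash candidate identifiers directly; with the key (the
    legitimate matching path) they can recompute the pseudonym. Returns the
    matching candidate or None."""
    for cand in candidate_ids:
        digest = unkeyed_pseudonym(cand) if key is None else device_pseudonym(cand, key)
        if hmac.compare_digest(digest, stored_pseudonym):
            return cand
    return None


if __name__ == "__main__":
    rec = make_location_record("device-ABC", DEMO_KEY, lat=-23.55, lon=-46.63, ts=1700000000)
    print(rec)
    print(reidentify(rec["device_pseudonym"], ["device-AAA", "device-ABC"]))  # None without key
```

The last call shows the point of keying: with the table but no key, enumerating candidate identifiers finds nothing, whereas the same enumeration against an unkeyed SHA-256 column recovers the device.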
Since privacy has been a central part of our mission and culture since the company was founded, we go beyond privacy regulations, and our product team employs the privacy-by-design approach. Not only are we focused on protecting user privacy, but we also created our product with privacy intrinsic to its design.