Thoughts about location data privacy and consent
Lucas Martins, Incognia CSO, shares insights and perspectives on ensuring data protection and privacy for data collected for fraud prevention
If a mobile app collects user location data specifically to protect the user against fraud, does it require user consent?
First of all, it is important to go over the basic concepts and the differences between consent, legitimate interest, and location permission. Consent for data collection is different from the location permission granted by the user. Consent is connected to laws and regulations, and that comes first. Location permission comes second, and it is connected to the operating system, usually iOS or Android, and to the mobile app requesting the data.
Consent
Consent is a legal basis to collect and process data. It is part of a regulation that was created to protect the user and build a common basis around data privacy. Companies that are obliged by the regulations to ask for user consent should:
- Have proof of such explicit and clear request and proof of free user consent
- Make it easy for users to opt-out
When a company requests data based on consent, it is still responsible for the data collected regardless of that consent. It is a common misconception that the user is responsible for the data they share and that companies are covered once users give their consent. Based on this incorrect view, companies often request and collect far more data than needed, since users are accustomed to not reading long policies and to checking boxes as fast as possible when registering for a new service. In this context, companies must adopt measures that guarantee the transparent processing of personal data and respect all the obligations that come with processing data based on consent.
Legitimate interest
Legitimate interest is another legal basis to collect user data and does not require consent. So if the purpose of the data collection falls under legitimate interest, user consent is not required. Incognia clients are not required to ask for user consent to collect their data, since under GDPR fraud prevention is considered to be in the users’ best interest, or as described in the regulation, legitimate interest.
At first glance, to the untrained eye, it may seem that legitimate interest is fragile in terms of privacy and makes the user the weaker link, but that is not the case. Legitimate interest makes the data collector/controller responsible for the user data, and there is a lot of responsibility in that. Companies whose data collection purpose falls under legitimate interest have to justify to the authorities which user data they are collecting and why. They should provide a Legitimate Interest Assessment (LIA) to confirm whether this legal basis is the right one to justify the data processing, as well as to ensure that the data subject’s fundamental rights and liberties are not infringed upon.
They must also provide a Data Protection Impact Assessment (DPIA), which identifies and minimizes risks for users and also explains the importance of the data collection and the protections the company has for user data.
Usually, companies relying on legitimate interest go through audit processes that are more rigorous than those faced by companies relying on user consent.
Location permission
Many companies design products that go beyond the regulatory requirements to protect user privacy. This is the case not only for Incognia, but also for operating systems such as iOS and Android. Even where the regulation would allow data such as location to be collected without user permission, both operating systems still prevent user location data from being shared without that permission: by design, mobile apps running on those platforms will only collect location data if the user grants permission. Furthermore, it is important to highlight that the location permission is a matter of transparency and not of consent, since the legal basis that justifies this data processing is legitimate interest and not consent.
So, regardless of legitimate interest, the user will have to grant location permission before location data can be collected. The user has to choose to share their location data because of the way mobile operating systems are built.
If mobile operating systems give users the choice to not share their location, how does Incognia work for fraud prevention when location is not shared? How does Incognia collect data if a fraudster does not share it?
Incognia works well when location is shared in the foreground, but even better when it is shared in the background. Even if location is not shared, because of legitimate interest Incognia still uses other pieces of data from the device that help in Incognia’s risk assessment. This data includes whether the mobile device has been jailbroken or is running on an emulator, which can be indicators of a higher risk of fraud.
It is also important to note that Incognia processes data on behalf of its clients.
The data processor processes data in the name of the controller. The processor does not determine the purposes and means of processing and does not use the data for its own independent purposes.
Since Incognia is the data processor, our clients act as data controllers and collect data through their apps. We only process that data to perform our risk assessment, which helps keep their legitimate users safe.
Transparency is essential to protecting user data and ensuring compliance with regulations. In this context, considering that location permission is a tool for achieving this transparency, what are the best practices for acquiring user location permission?
The best practices below are our recommendations for our clients, the ones actually collecting the data. These recommendations not only favor the user, since they make it easier for them to learn about the data they are sharing, but also favor the companies collecting the data, which abide by the regulations and obtain permission from a higher number of users, because those users are interested in sharing.
- Explain as clearly as possible, on the location permission screen, what data you are asking for and what you will do with it.
- Mobile apps should request location permission at the moment the user is about to use the functionality for which the data request is relevant, such as a ride-hailing app asking for location data at the exact moment the user requests a ride. It makes sense to the user at that specific moment, since they want to be found by the driver. If it makes sense to the user, not only is it in the user’s best interest to share that information, but it also increases the chance they choose to share it. In the case of a mobile app using Incognia with zero-factor authentication for fraud prevention, it would be most beneficial to the user for the location permission request to be made at the time of the first login. In the case of using Incognia for international address validation, the request should be made during the onboarding process, right after the user fills in the field with their home address.
- Privacy policy: it should be simple, short and clear. It should state clearly what data is collected and why. Most people will not read privacy policies because of their length and difficult language. Being aware of that, we should work to make the policy as accessible as possible, so people actually read it.
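As an added illustration of the just-in-time pattern above on Android (this is not code from the post or from Incognia’s SDK), the permission is requested from the login action rather than at app launch, preceded by a plain-language rationale, and a denial simply continues the login, since the post notes that other device signals remain usable. `LoginActivity`, `onLoginClicked` and `continueLogin` are hypothetical names, and the dialog text is a constructed sample.

```kotlin
import android.Manifest
import android.content.pm.PackageManager
import androidx.activity.result.contract.ActivityResultContracts
import androidx.appcompat.app.AlertDialog
import androidx.appcompat.app.AppCompatActivity
import androidx.core.content.ContextCompat

// Hypothetical login screen; not Incognia SDK code.
class LoginActivity : AppCompatActivity() {

    // Result callback: whatever the user decides, the login proceeds.
    // Location only improves the risk assessment; it is not a gate.
    private val requestLocation =
        registerForActivityResult(ActivityResultContracts.RequestPermission()) { granted ->
            continueLogin(locationShared = granted)
        }

    // Called from the login button, i.e. at the moment the data is relevant,
    // not from onCreate() at app launch.
    fun onLoginClicked() {
        val alreadyGranted = ContextCompat.checkSelfPermission(
            this, Manifest.permission.ACCESS_FINE_LOCATION
        ) == PackageManager.PERMISSION_GRANTED

        if (alreadyGranted) {
            continueLogin(locationShared = true)
            return
        }

        // Explain, in plain words, what is collected and why, before the
        // system dialog appears. The wording below is a constructed sample.
        AlertDialog.Builder(this)
            .setTitle("Share your location?")
            .setMessage(
                "We use your device's location only to check that this login " +
                "is really you and to block fraud. It is not used for ads."
            )
            .setPositiveButton("Continue") { _, _ ->
                requestLocation.launch(Manifest.permission.ACCESS_FINE_LOCATION)
            }
            .setNegativeButton("Not now") { _, _ ->
                continueLogin(locationShared = false)
            }
            .show()
    }

    private fun continueLogin(locationShared: Boolean) {
        // Hypothetical hand-off to the authentication flow. When location is
        // not shared, the risk assessment relies on other device signals.
    }
}
```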
How does Incognia protect user privacy and PII?
Location data can be considered PII because, when combined with other data, it may contribute to identifying an individual. At Incognia, our standard solution is designed to process location signals without associating them with direct identification data, such as a user’s name, email address, or phone number. While our clients, as data controllers, may process user-identifying information within their own systems, Incognia operates as a data processor and, by design, does not establish a direct link between location behavior and direct identification. The data we process is collected to support risk assessment and fraud prevention without enabling direct identification of the end user. This approach allows Incognia to deliver accurate risk analysis while staying in line with privacy-by-design principles and applicable privacy regulations.
Privacy has been a central part of our mission and culture since the company was founded, so we go beyond privacy regulations and our product team follows the privacy-by-design approach. Not only are we focused on protecting user privacy, we also built our product with privacy intrinsic to its design.