On March 10, California Attorney General (AG) Rob Bonta announced an investigative sweep of the location data industry for potential noncompliance with the California Consumer Privacy Act (CCPA).
The investigation centers on mobile application providers that collect consumers’ location data and sell or share the information with advertising networks and data brokers, who further sell and share such data with third parties. The AG is focused on whether covered businesses are properly effectuating consumer rights requests under the CCPA as related to selling, sharing, and utilizing sensitive personal information. Pursuant to the CCPA, “sensitive personal information” includes geolocation data.
As part of the sweep, the AG has issued letters requesting information of the business practices of those advertising networks and data brokers potentially in violation of CCPA requirements.
Under the CCPA, a consumer may request that a business stop selling or sharing their personal information, which, once received, prevents the business from further sharing and selling unless the consumer later affirmatively consents to such. The business must then wait at least 12 months until asking the consumer to consent to opting back in to the sale or sharing of their personal information. Furthermore, businesses must provide “reasonable methods” for effectuating such opt-out requests. This includes allowing for opt-out on mobile devices and through links or settings available in their apps.
Geolocation data can be used to track and identify individuals’ movements, which may include sensitive locations such as where they reside. This allows for individual identification that presents potential security risks when the data is sold, shared, or potentially misused without an individual’s knowledge. Businesses must therefore be aware of their responsibilities under the CCPA and implement defensible measures to protect geolocation data.
Notably, Bonta has ramped up enforcement under the CCPA, and indeed this is not his first investigative sweep pursuant to the law. In early 2023, he announced a sweep of businesses with mobile applications for allegedly failing to comply with the CCPA. The sweep targeted popular mobile applications in the retail, travel, and food service industries that fail to offer a mechanism for consumers to opt out of data sales or that fail to process consumer opt-out requests, including requests submitted via an authorized agent. In January 2024, he announced a sweep of streaming services pursuant to the CCPA. And in late 2024, he launched an investigative sweep of streaming services’ compliance with consumers’ right to “opt out” of the sale of their personal data under the CCPA. According to Bonta, this right should involve minimal steps and should be “easy” for a consumer to accomplish.
To further highlight the potential regulatory risk for businesses collecting geolocation and other personal information, the AG has reached several settlements over the past three years for alleged violations of the CCPA, including with Sephora for allegedly failing to notify consumers of the sale of their data and to process opt-out requests, DoorDash for allegedly failing to notify consumers of the sale of their data, Glow for failing to properly secure a fertility tracking application, and most recently in June, Tilting Point Media for allegedly sharing children’s data collected from a SpongeBob application without parental consent. The breadth of Bonta’s sweeps serves as notice that no industry or business is immune from regulatory scrutiny.
While consumers can limit the sharing of location through their mobile device settings, and by disabling Wi-Fi and Bluetooth settings in certain situations, businesses collecting such data must also ensure they have implemented fulsome measures to protect such data as required by the CCPA. This includes promptly and effectively processing opt-out requests, conspicuously posting notice of the sale or sharing of personal information, maintaining and disclosing robust privacy policies, and implementing proper cybersecurity measures to protect collected information. Businesses controlling geolocation and other sensitive personal information must also enact policies, procedures, and agreements that ensure that service providers and third parties handling such data are also in compliance with CCPA requirements.
California is just one of 19 states that have enacted comprehensive consumer privacy laws, with several more considering similar legislation. To successfully navigate this patchwork of ever-changing state law and mitigate regulatory risk, businesses must constantly evaluate their legal compliance measures and consult competent outside counsel.
Troutman Pepper Locke State Attorneys General Team
 |
Ashley Taylor – Co-leader and Firm Vice Chair Ashley is co-leader of the firm’s nationally ranked State Attorneys General practice, vice chair of the firm, and a partner in its Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. He helps his clients navigate the complexities involved with multistate attorneys general investigations and enforcement actions, federal agency actions, and accompanying litigation. |
 |
Clay Friedman – Co-leader Clay co-leads the firm’s State Attorneys General practice and is nationally ranked by Chambers USA for AG Government Relations and in Best Lawyers for Advertising Law. He has dedicated his entire career to state attorney general and federal work, serving for nearly a decade in a senior role and more than 25+ years in private practice. Clay focuses his practice on helping industry-leading companies mitigate the risks associated with state and federal regulatory investigations and associated litigation. |
 |
Chris Carlson Chris advises clients on regulatory, civil, and criminal investigations and litigation. With a background as an assistant attorney general, he provides practical guidance to clients with matters involving state attorneys general and federal regulatory agencies. |
 |
Lauren Fincher Lauren has vast experience handling state attorneys general investigations, navigating complex regulatory compliance matters, and providing strategic counsel in enforcement actions across various industries. She helps clients manage high-stakes regulatory matters and guides them through complex legal landscapes. |
 |
Stephen Piepgrass Stephen leads the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group, representing clients in single and multistate enforcement actions, including inquiries and investigations, as well as litigation involving state attorneys general and other state and federal governmental enforcement bodies. He has significant experience handling actions with federal agencies, including the CFPB and FTC, as well as single plaintiff and class action litigation for clients in highly regulated sectors such as financial services, health care, pharmaceutical, and education. |
 |
Michael Yaghi Mike handles high-profile state attorneys general, FTC, and CFPB investigations by advising clients through these complex government inquiries. He assists clients through the entire life cycle of investigations, from regulatory enforcement through formal litigation. |
 |
Samuel E. “Gene” Fishel Gene is a former regulator with two decades of experience who has overseen state privacy and cybersecurity regulation enforcement, led national, multistate attorneys general privacy investigations, and prosecuted computer crimes at the state and federal levels. He has served at the forefront of state attorney general and federal enforcement, and utilizes this experience to proficiently represent client interests. |
 |
Jay Myers Jay assists clients in heavily regulated industries, including health care, energy, insurance, emerging industries, and data privacy. He provides both regulatory legal advice and government relations strategies. Jay’s past and current clients include Fortune 10 companies, startups, nonprofits, industry associations, and advocacy groups. Recognizing that state government matters are often complex and multifaceted, he utilizes regulatory guidance, government advocacy, or both in tandem to deliver tailored solutions for each client’s unique needs. |
 |
Chuck Slemp Chuck advises clients on a wide range of complex issues that frequently involve government actions, including investigations, inquiries, regulatory matters, and litigation. With a distinguished background in the law and public service, he served as chief deputy attorney general of Virginia before joining the firm. In addition to overseeing the Department of Law and Division of Debt Collection, Chuck managed a team of attorneys who handle complex litigation and investigations. He also directed the attorney general’s legislative affairs and represented the attorney general in various capacities. |
 |
Jessica Birdsong Jessica is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement Practice Group. She received her J.D. from the University of Richmond School of Law, magna cum laude, where she served as associate articles editor of the Journal of Law & Technology. |
 |
Blake R. Christopher Blake collaborates with clients on matters related to government contracting, investigations, and disputes. His senior-level government experience generates valuable insights and strategies for clients across a variety of industries. |
 |
Nick Gouverneur Nick is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement Practice Group. He received his J.D. from the University of Illinois College of Law, where he served as a member of the Journal of Law, Technology & Policy. |
 |
Troy Homesley Troy is an accomplished litigator who has represented and defended clients across a wide range of complex, high-stakes disputes at both the trial and appellate levels. He has represented technology companies, business executives, law firms, investment funds, high-ranking federal officials, international non-profits, and asylum seekers. Troy draws on his broad litigation experience to advise clients before litigation arises, while claims are pending or threatened, and leading up to and through trial and appeals. |
 |
Natalia Jacobo Natalia is an associate in the firm’s Regulatory Investigations, Strategy and Enforcement (RISE) practice, based on the West Coast. She routinely counsels clients on a variety of state and federal regulatory matters, with a particular emphasis on consumer protection and data privacy matters. |
 |
Namrata Kang Namrata (Nam) is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group, based in the Washington, D.C. office. She routinely advises clients on a wide variety of state and federal regulatory matters, with a particular emphasis on state consumer protection laws relating to consumer financial services and marketing and advertising. Nam’s experience transcends multiple industries, including financial services, telecommunications, media, and sports betting. |
 |
Michael Lafleur Michael is an associate in the firm’s Regulatory Investigations, Strategy, and Enforcement Practice Group. Based out of the firm’s Boston office, Mike has deep experience in litigation, investigations, and other regulatory matters involving state-level regulators and state attorneys general. |
 |
Lane Page Lane specializes in federal and state regulatory investigations and complex civil litigation. He focuses on representing financial institutions and other businesses, with a particular emphasis on consumer protection and fair lending issues. |
 |
Dascher Pasco Dascher is an attorney within the Regulatory Investigations, Strategy, and Enforcement practice, based in the Richmond office. She joined our firm after working in personal injury and medical malpractice for a Virginia trial law firm. Dascher brings varied legal experience to the firm with strong litigation and regulatory strategy capabilities. |
 |
Kyara Rivera Rivera Kyara is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement Practice Group. She received her J.D. from the University of Richmond School of Law, cum laude, where she served as publications and online editor of the Public Interest Law Review. |
 |
Trey Smith Trey focuses his practice on representing and advising regulated utilities before state public utility commissions. He routinely helps clients obtain certificates of public convenience and necessity for transmission infrastructure. In this role, Trey works with his clients’ subject-matter experts to manage administrative proceedings, including by preparing initial filings; responding to discovery requests; drafting rebuttal testimony; and litigating any disputed issues. |
 |
Daniel Waltz Dan helps clients navigate all aspects highly regulated relationships between industry participants and federal, state and local governments. Whether engaging with regulators, negotiating transactions or representing clients in the courtroom, he delivers solutions that help his clients achieve their strategic goals. |
 |
Cole White Cole is a member of the firm’s Regulatory Investigations, Strategy and Enforcement (RISE) group. He has a decade of experience working in the attorney general community, having joined the firm from the Wyoming Office of the Attorney General, where he was assistant attorney general. |
 |
Stephanie Kozol Stephanie is Troutman Pepper Locke’s senior government relations manager in the state attorneys general department. |