Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Create an account
Join our community for free to access exclusive whitepapers, reports, and regulatory information.
USA: New geofence technology laws
Currently, no federal standard exists for regulating the collection, use, or disclosure of geofence technology data in the US. However, in 2023, five states – Utah, Washington, Nevada, New York, and Connecticut – enacted geofence technology laws. Meghan O'Connor and Ashleigh V. Giovannini, from Quarles & Brady LLP, discuss what geofence technology is and how it is used, as well as existing legislation in the US.
What is geofence technology?
Geofence technology enables users to set up a virtual perimeter around a specific geographic location. Through radio frequency identification (RFID), Wi-Fi, GPS, Bluetooth, and cellular data, applications and software programs can track when a consumer enters and exits the virtual perimeter. For example, the Washington My Health My Data Act (WMHMDA) defines a 'geofence' as 'technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, Wi-Fi data, and/or any other form of spatial or location detection to establish a virtual boundary around a specific physical location, or to locate a consumer within a virtual boundary that is 2,000 feet or less from the perimeter of a physical location.' Definitions tend to align across laws with slight variations (e.g., virtual boundaries range from 1,750 to 2,000 feet). Please consult the chart below comparing active state geofence regulations for additional details.
How is geofence technology used?
Geofence technology is used for a variety of purposes, including sending targeted advertising to consumers via text, push notification, and social media posts or triggering smart home devices to turn on lights or adjust thermostats when a person enters the virtual perimeter. Geofence technology may also be used to track a person's location, for setting up a wireless pet fence, or searching for a misplaced phone. Some states require licensed gambling and sports betting services providers to erect geofences to ensure wagers are made only by individuals physically located in that state1.
While most uses of geofence technology are relatively innocuous, some are more controversial. For example, employers have begun using geofencing to monitor attendance, location, and working hours. In 2020, a local government agency obtained geofence-derived location data and subsequently levied fines for violating COVID-19 public gathering restrictions2. Since 2016, law enforcement has used 'geofence warrants' or 'reverse-location information warrants' to obtain geofencing data collected from users by large technology companies to inform criminal investigations. During the first six months of 2020, a search engine received 19,783 search warrants from domestic law enforcement agencies, and 83% of those warrants resulted in the disclosure of user information, including data obtained from geofencing activities.
Why are geofencing warrants controversial?
The Fourth Amendment of the U.S. Constitution protects the right of individuals to be secure in their 'persons, houses, papers, and effects' against unreasonable searches and seizures, namely by law enforcement. Except in limited situations, law enforcement must have a warrant to execute a constitutionally valid search. To obtain a warrant, the Fourth Amendment requires law enforcement to show probable cause and describe in detail the place to be searched and the person and items to be seized. A neutral, disinterested magistrate must review the information provided by law enforcement to issue a warrant3.
Obtaining identifying information from geofence technologies often decreases government investigative efforts and resource allocation to apprehend alleged criminals. Criminal defense attorneys, however, push back on the constitutionality of these warrants under the Fourth Amendment, asserting that law enforcement cannot state with particularity what persons or items should be seized when requesting information identifying individuals who have visited a particular virtual perimeter.
Law enforcement must also demonstrate probable cause to obtain and execute a geofence warrant. 'Probable cause' means 'a fair probability that contraband or evidence of a crime will be found within a particular place.' Probable cause is a flexible standard. Privacy advocates argue that geofence warrants lack necessary particularity and are insufficient to raise a fair probability that evidence of a crime exists at a particular location because probing device data obtained within a particular geofence will potentially yield millions of results. Indeed, the likelihood of finding some evidence of a crime within a particular geofence is higher than if law enforcement were required to only search data relevant to the crime being investigated. Further, advocates argue, that issuing geofence warrants empowers law enforcement to proactively target individuals present within a particular virtual perimeter at a given time for prosecution.
Pursuant to a valid geofence warrant, law enforcement will usually:
- Seek 'anonymized' numerical identifiers along with time-stamped precise geolocation coordinates for each device within a given geofence at a specific time. The technology company receiving the request queries its databases to produce the requested information.
- Parse the data using various investigative techniques. Law enforcement submits requests for more information regarding certain device accounts and broader location history outside the confines of the original geofence. To justify such a request, law enforcement commonly sites the need to 'eliminate false positives or otherwise determine whether that device is actually relevant to the investigation' currently being conducted.
- If anything of interest is discovered, request additional identifying information for a narrow list of users.
Sparked by the U.S. Supreme Court's 2022 decision in Dobbs v. Jackson, effectively overturning Roe v. Wade, legislatures in states where abortion care services are legal have intensified efforts to protect the data of individuals receiving those services. Of note, law enforcement may request geofence warrants for geofences located outside that agency's borders. Following the Dobbs decision, Texas state government officials signaled intent to prosecute anyone leaving the state for abortion care. The Texas legislature also passed a civil statute permitting lawsuits against abortion care providers and others who aid or abet 'the performance or inducement of abortion.' Notably, the civil statute does not restrict the right to sue to actions performed within the state.
Conflicts of law principles require the court to engage in fact-specific analyses. Rather than wait for lawsuits and criminal investigations, five state legislatures have opted to regulate geofences and geofence warrants as matters of consumer privacy law and criminal procedure.
State geofencing laws
Consumer privacy law
Unlike state laws regarding the collection and use of other sensitive data categories, existing state laws do not include exceptions that would permit businesses to erect a geofence with consumer consent.
Connecticut
The Connecticut Act Concerning Online Privacy, Data, and Safety Protections (Connecticut's Online Privacy Act), effective July 1, 2023, expands the Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTDPA), making it unlawful to use a geofence to establish a virtual boundary within 1,750 feet of any mental health facility or reproductive or sexual health facility for the purpose of identifying, tracking, or collecting data from or sending any notification to a consumer regarding the consumer's health data4.
New York
A budget bill, effective July 2, 2023, made it unlawful to establish a geofence or similar virtual boundary around any healthcare facility (other than their own healthcare facility) to deliver digital advertisements or build consumer profiles, or infer health status, medical condition, or medical treatment of any person at or within a particular medical facility5.
Washington
Effective July 22, 2023, the WMHMDA makes it unlawful for any person to implement a geofence around an entity providing in-person healthcare services to: (i) identify or track consumers seeking healthcare services; (ii) collect consumer health data from consumers; or (iii) send notifications, messages, or advertisements to consumers related to their consumer health data or healthcare services6.
Nevada
Effective March 31, 2024, the Nevada Consumer Health Data Privacy Law, takes a page from the WMHMDA and prohibits geofences within 1,750 feet of any medical facility, facility for the dependent, or any other person or entity that provides in-person health care services or products7.
Criminal procedure
Utah
Rather than regulating the establishment of geofences, the Utah legislature added a provision to the Utah Code of Criminal Procedure8 effective May 3, 2023, prohibiting law enforcement from obtaining reverse-location information for electronic devices within a geofence unless:
- the law enforcement agency obtains a search warrant; and
- (i) the investigation or prosecution involves a felony, class A misdemeanor, a class B misdemeanor, or involves harm or risk of harm to a person, the unlawful taking of protected wildlife, or is part of a pattern of criminal activity, or (ii) the law enforcement agency can demonstrate an imminent, ongoing threat to public safety.
To get a search warrant, law enforcement must:
- include a map or other visual depiction that represents the requested geofence;
- include specific notice language9 in a warrant application identifying the request for judicial authorization for reverse-location information; and
- establish probable cause that evidence of a crime will be found within the geofence and within a specified period of time.
Utah allows limited exceptions to the warrant requirements for reverse-location information for: (i) locating the device user in an emergency; and (ii) instances where judicially recognized warrant exceptions apply.
Interestingly, a court granting a geofence warrant must require the technology company responding to the warrant to anonymize10 all electronic device data before disclosing reverse-location information to the requesting law enforcement agency.
To further impede the unfettered use of geofence warrants, Utah prohibits law enforcement agencies from using, copying, or disclosing reverse-location information obtained pursuant to a geofence warrant (e.g., unrelated crimes)11. This provision aims to prevent the targeted prosecution activities concerning privacy advocates. As such, Utah's warrant restrictions may become the gold standard among the states.
Restrictions on geofence technology in consumer health data context
State law effective date | Who must comply? | Geofence restriction/prohibition | Relevant definitions |
Washington WMHMDA
Effective: July 22, 2023 | No 'person' may erect a geofence.
A 'person' is a natural person, corporation, trust, unincorporated associate, or partnership. Notably, this prohibition extends to persons and entities that do not qualify as a 'regulated entity' under the remainder of WMHMDA.
'Person' does not include government agencies, tribal nations, or contracted service providers when processing consumer health data on behalf of a government agency.
| It is unlawful for any person to implement a geofence around an entity that provides in-person healthcare services where such geofence is used to: (i) identify or track consumers seeking healthcare services; (ii) collect consumer health data from consumers; or (iii) send notifications, messages, or advertisements to consumers related to their consumer health data or healthcare services.
| 'Geofence' means technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, Wi-Fi data, and/or any other form of spatial or location detection to establish a virtual boundary around a specific physical location, or to locate a consumer within a virtual boundary. For the purposes of this definition, 'geofence' means a virtual boundary that is 2,000 feet or less from the perimeter of the physical location.
'Collect' means to buy, rent, access, retain, receive, acquire, infer, derive, or otherwise process consumer health data in any manner.
'Consumer' means: (i) a natural person who is a Washington resident; or (ii) a natural person whose consumer health data is collected in Washington. 'Consumer' does not include individuals acting in an employment context.
'Consumer Health Data' means personal information that is linked or reasonably linkable to a consumer and that identifies the consumer's past, present, or future physical or mental health status. 'Physical or mental health status' includes, but is not limited to, precise location information that could reasonably indicate a consumer's attempt to acquire or receive health services or supplies.
'Health care service' means any service provided to a person to assess, measure, improve, or learn about a person's mental or physical health, including but not limited to:
'Precise location information' means information derived from technology including, but not limited to, GPS level latitude and longitude coordinates or other mechanisms, that directly identify the specific location of an individual with precision and accuracy within a radius of 1,750 feet. |
Nevada
Nevada Consumer Health Data Privacy Law
Effective: March 31, 2024 | The Nevada Consumer Health Data Privacy Law does not define 'Person.' However, we can assume the term 'person' to mean any natural person or corporate entity.
A 'regulated entity' is any person who conducts business in Nevada or produces or provides products or services that are targeted to consumers in Nevada and alone or with others, determines the purpose and means of processing, sharing, or selling consumer health data. As is the case under the WMHMDA, Nevada's prohibition also extends to persons and entities that do not qualify as a 'regulated entity.' | A person shall not implement a geofence within 1,750 feet of any medical facility, facility for the dependent, or any other person or entity that provides in-person healthcare services or products for the purpose of: (i) identifying or tracking consumers seeking in-person healthcare services or products; (ii) collecting consumer health data; or (iii) sending notifications, messages, or advertisements to consumers related to their consumer health data or healthcare services or products. | 'Geofencing' means technology that uses coordinates for GPS, connectivity to cellular towers, cellular data, radio frequency identification, wireless internet data, or any other form of detecting the physical location of a person to establish a virtual boundary with a radius of 1,750 feet or less around a specific physical location.
'Collect' means to buy, rent, access, retain, receive, acquire, infer, derive, or otherwise process consumer health data in any manner.
'Consumer' means a natural person who has requested a product or service from a regulated entity and who resides in Nevada or whose consumer health data is collected in Nevada. The term does not include a natural person acting in an employment context or as an agent of a governmental entity.
'Consumer health data' means personally identifiable information that is linked or reasonably capable of being linked to a consumer and that a regulated entity uses to identify the past, present, or future health status of the consumer. The term includes, without limitation, information related to the precise geolocation information of a consumer that a regulated entity uses to indicate an attempt by a consumer to receive health care services or products.
'Health care services or product' means any service or product provided to a person to assess, measure, improve, or learn about the health of a person. The term includes, without limitation:
'Precise geolocation information' means information derived from technology, including, without limitation, latitude, and longitude coordinates at the level of detail typically provided by a global positioning system, that directly identifies the specific location of a natural person with precision and accuracy within a radius of 1,750 feet. |
New York
N.Y. Gen. Bus. Law § 394-G
Effective: July 2, 2023 | This prohibition applies to a person, corporation, partnership, or association. | It shall be unlawful for any person, corporation, partnership, or association to establish a geofence or similar virtual boundary around any healthcare facility, other than their own healthcare facility, as defined pursuant to paragraph c of subdivision one of this section, for the purpose of delivering by electronic means a digital advertisement to a user, for the purpose of building consumer profiles, or to infer health status, medical condition, or medical treatment of any person at or within such healthcare facility, and it shall be unlawful for any person, corporation, partnership, or association to deliver by electronic means any digital advertisement to a user at or within any such healthcare facility, other than their own healthcare facility, through the use of geofencing or similar virtual boundary. | 'Geofencing' means a technology that uses GPS coordinates, cell tower connectivity, cellular data, radio frequency identification, Wi-Fi data, and/or any other form of location detection, to establish a virtual boundary of 1,850 feet radius or less or 'geofence' around a particular location that allows a digital advertiser to track the location of an individual user and electronically deliver targeted digital advertisements directly to such user's mobile device upon such user's entry into the geofenced area. This shall also include the process of identifying whether a device enters, exits, or is present within a geographic area through the use of any information stored, transmitted, or received by the device, including but not limited to latitude, longitude, internet protocol address, wireless internet access information, cell tower connectivity, device identification information and/or other forms of location data.
'Digital advertisement' means any communication delivered by electronic means that is intended to be used for the purposes of marketing, solicitation, or dissemination of information related, directly or indirectly, to goods or services provided by the digital advertiser or a third party.
'Health care facility' means any governmental or private entity that provides medical care or related services, including but not limited to, those who provide such care pursuant to Article 28 of the Public Health Law or licensed under Articles 16, 31, or 32 of the Mental Hygiene Law, including the building or structure in which the facility is located.
'Use' means a natural person who owns or uses a mobile device or any other connected electronic device capable of receiving digital advertisements. |
Connecticut
Connecticut Online Privacy Act
2023 Conn. Pub. Acts 22-15.
Effective: July 1, 2023 | These restrictions apply to persons that conduct business in Connecticut and persons that produce products or services that are targeted to residents of Connecticut.
'Person' means an individual, association, company, limited liability company, corporation, partnership, sole proprietorship, trust, or other legal entity.
| No person shall use a geofence to establish a virtual boundary that is within 1,750 feet of any mental health facility or reproductive or sexual health facility for the purpose of identifying, tracking, collecting data from, or sending any notification to a consumer regarding the consumer's consumer health data. | 'Geofence' means any technology that uses GPS coordinates, cell tower connectivity, cellular data, radio frequency identification, wireless fidelity technology data or any other form of location detection, or any combination of such coordinates, connectivity, data, identification, or other form of location detection, to establish a virtual boundary.
'Consumer' means an individual who is a resident of Connecticut. 'Consumer' does not include an individual acting in a commercial or employment context.
'Consumer health data' means any personal data that a controller uses to identify a consumer's physical or mental health condition or diagnosis, and includes, but is not limited to, gender-affirming health data and reproductive or sexual health data.
'Mental health facility' means any healthcare facility in which at least 70% of the healthcare services provided in such facility are mental health services.
'Reproductive or sexual health care' means any healthcare-related services or products rendered or provided concerning a consumer's reproductive system or sexual well-being, including, but not limited to, any such service or product rendered or provided concerning:
'Reproductive or sexual health data' means any personal data concerning an effort made by a consumer to seek, or a consumer's receipt of, reproductive or sexual healthcare.
'Reproductive or sexual health facility' means any healthcare facility in which at least 70% of the healthcare-related services or products rendered or provided in such facility are reproductive or sexual healthcare. |
Meghan O'Connor Partner
[email protected]
Ashleigh V. Giovannini Associate
[email protected]
Quarles & Brady LLP, Milwaukee
1. See: Indiana Code § 4-29.5-4-2, N.C. Gen. Stat. § 18C-902, La. Rev. Stat. § 47:9102, Tenn. Code Ann. § 4-49-125, Ariz. Rev. Stat. § 5-554.
2. See: Calvary Chapel San Jose, et. al. v. Santa Clara County et. al., N.D. Cal., No. 5:23-cv-04277, complaint filed August 22, 2023.
3. See: Dalia v. United States, 441 U.S. 238, 255 (1979).
4. See: 2023 Conn. Pub. Acts 22-15.
5. See: N.Y. Gen. Bus. § 394-G.
6. See: Wash. Rev. Code 19.373.080(2023).
7. See: Nev. Rev. Stat. § 603A.
8. See: Utah Code § 77-23f-102.
9. Notice language: 'NOTICE: This warrant application seeks judicial authorization for the disclosure of reverse-location information of electronic devices near a crime at or near the time of the crime. If authorized, the warrant allows law enforcement to obtain historical location information of all devices within the area described in the warrant during the specified time from entities in possession of the relevant data. The electronic devices captured in the warrant may be owned or used by both alleged criminal perpetrators and individuals not involved in the commission of a crime. For this reason, any warrant issued must require the anonymization of all devices associated with the reverse-location information.' Utah Code § 77-23f-102(2).
10. Utah Code § 77-23f-107; To 'anonymize” means that “identifying information connected to an electronic device has been rendered anonymous in a manner such that the subject, including an individual, household, device, or Internet protocol address, is not identifiable to a law enforcement agency.' Utah Code § 77-23f-101(1).
11. See: Utah Code 77-23f-107(2)(a).
Send us your Feedback!
Please let us know what you think of DataGuidance! It will only take 60 seconds and help us make the site better for you.
