Businesses that track the geolocation of individuals—whether for fleet management, sales and promotion, logistics, risk mitigation, or other reasons—should closely monitor the progress of California Assembly Bill 1355 (AB 1355), also known as the California Location Privacy Act. If passed, this bill would impose significant restrictions on the collection and use of geolocation data, requiring many businesses to overhaul their location tracking policies and procedures.

California has long been at the forefront of data privacy regulation, particularly in the area of location tracking. Section 637.7 of the California Penal Code, for example, provides that no person or entity in California may use an electronic tracking device to determine the location or movement of a person. Notably the law does not apply when the registered owner, lessor, or lessee of a vehicle has consented to the use such a device with respect to that vehicle.

More recently, the California Consumer Privacy Act of 2018 (CCPA) established a comprehensive privacy and security framework for personal information of California consumers, which includes granting consumers rights over their personal information. Under the CCPA, consumers have the right, subject to some exceptions, to limit the use of their “sensitive personal information,” a defined term which includes geolocation data. The California Privacy Rights Act of 2020 (CPRA) amended the CCPA, further strengthening these protections by enhancing consumer rights and enforcement mechanisms.

Importantly, employees and contractors are considered “consumers” under the CCPA.

Key Provisions of AB 1355

If enacted, AB 1355 would place strict limits on how businesses collect, use, and retain location information. Here are the major takeaways for businesses that track geolocation data.

Who Does the Law Apply To? The law would apply to any business (referred to as a “covered entity”) that collects or uses location data from individuals in California, although there is an exception for the location information of patients if the information is protected by HIPAA or similar laws. Government agencies are not considered covered entities but are prohibited from monetizing location information.

The bill defines “individual” as a “natural person located within the State of California.” So, it looks like the individual need not be a California resident. In addition, the collection or use of location data must be necessary to provide goods or services requested by that individual. It is unclear how this provision would apply in the employment context.

Express Opt-In Requirement. Individuals would be required to expressly opt in before their location data could be collected; businesses would not be permitted to infer consent or use pre-checked boxes.

Prohibited Actions. Businesses would not be permitted to:

• Collect more precise location data than is necessary.
• Retain location data longer than necessary.
• Sell, rent, trade, or lease location data to third parties.
• Infer additional data from collected location information beyond what is necessary.
• Disclose location data to government agencies without a valid court order issued by a California court.

Notice and Policy Requirement. Under AB 1355, businesses would be required to provide clear, prominent notice at the point where location data is collected. The notice would need to include the name of the covered entity and service provider collecting the information, and a phone number and an internet website where the individual can obtain more information. Companies also would need to maintain a location privacy policy detailing, among other things:

• What location data is collected.
• The retention and deletion policies.
• Whether the data is used for targeted advertising.
• The identities of third parties or service providers with access to the data.

Any changes to this policy would require at least 20 days’ notice and renewed consent.

Enforcement and Legal Remedies. If enacted, AB 1355 would permit the California Attorney General, district attorneys, and other public prosecutors to bring lawsuits against non-compliant businesses. Remedies could include all of the following:

• Actual damages suffered by affected individuals.
• A civil penalty of $25,000.
• Court-ordered injunctions and attorney’s fees for prevailing plaintiffs.

Implications for Businesses Engaged in Location Tracking

This bill represents a major shift in how businesses must approach location tracking. If enacted, businesses relying on geolocation data for purposes such as monitoring employees, connecting with customers, improving logistics, or managing risk must:

• Implement new opt-in procedures before collecting location data.
• Reevaluate their data retention policies to ensure compliance.
• Review agreements with third-party vendors that process location data.
• Update their privacy policies and internal procedures to align with the new legal requirements.

In addition to monitoring the path of this legislation, businesses also should consider revisiting their current electronic monitoring and tracking activities. Data privacy and security laws have expanded in recent years, with geolocation data being one of the more sensitive categories of personal information protected.