Understanding California Assembly Bill 322 on Geolocation Data

California Assembly Bill 322 is currently under consideration by the Senate Appropriations Committee. It seeks to amend the California Privacy Protection Act (CCPA) and aims to provide additional regulations and obligations. Specifically, it seeks to further regulate the the collection and processing of precise geolocation information.

Precise geolocation is defined under CCPA as location data derived from a device that identifies a consumer’s location within a circle with a radius of 1,850 feet. The proposed legislation provides that businesses may not (among other restrictions):

• Collect or process more precise geolocation information than what is necessary to provide the requested goods and services, except as needed to respond to security incidents, fraud, harassment or deception;
• Retain precise geolocation information longer than needed to provide the goods and services or longer than one year after the consumer’s last interaction with the business, whichever is earlier; or
• Sell, trade, or lease precise geolocation information to third parties.

Additionally, businesses would be required to provide certain notices to consumers relating to the collection and use of precise geolocation. They must include a prominently displayed notice when precise geolocation information is being collected. The notice must provide information about the collection and include contact details for the business. The notice must also include the type of precise geolocation information collected. It should state the goods or services it is collected for. The notice must explain how the information will be used for those goods and services.

This bill dovetails with the California’s recent investigative sweep of the Location Data Industry earlier this year. https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-investigative-sweep-location-data-industry The enforcement sweep included the issuance of letters to various businesses. These letters notified recipients of potential violation of CCPA requirements. The investigation examined how covered businesses offer and effectuate consumers’ right to stop the sale and sharing of personal information. It also focused on the right to limit the use of their sensitive personal information, which includes geolocation data. The California Attorney General’s office issued a press release in March of 2025. It stated, “The risk posed by the widespread collection and sale of location data has become immediately and particularly relevant. This is due to federal threats to California’s immigrant communities and to reproductive and gender-affirming healthcare.” The focus on location data by California underscores the need for businesses to review their geolocation data collection practices and assess their compliance with applicable privacy laws.

It is important to note that geolocation data collection can occur in various ways, including through Bluetooth enabled devices, public WiFi, through apps, and other device permissions and settings. Utilizing technical and legal experts to fully assess compliance is paramount to understanding the business risks associated with this type of data collection.

In sum, businesses should analyze their collection and use of precise geolocation data to determine whether AB 322 may impact business practices. It is clear that regulators are honed in on geolocation data and the sensitive nature of the information that is associated with the collection and use of that data. It is prudent that companies review their use of geolocation data and understand the risks it poses through various business practices.