California AB 322: Restricts collection, retention, and disclosure of precise geolocation data

Mandates prominent consumer notice, strict minimization and retention rules, bans sale, and limits government access to precise location information.

The Brief

AB 322 requires businesses that collect precise geolocation information to give a prominent on‑collection notice describing what is collected, why, and who may receive it. The notice must identify the collector, provide phone and web contact points, describe the precision of the location data, the goods or services tied to the collection, and third parties that may receive the data.

The bill limits how much precise location data a business may collect and how long it may be kept, allows a narrow security exception with a 30‑day retention cap, prohibits selling or leasing precise geolocation information, and bars disclosure to state or local agencies (and to federal agencies except where federal law mandates disclosure) absent specific court orders that meet California’s legal standards. The measure reshapes operational requirements for apps, advertisers, and service providers that use fine‑grained location data.

At a Glance

What It Does

Requires a prominently displayed notice at the moment precise geolocation is collected listing six specific items (collector identity, contact info, precision, purpose, processing description, potential third‑party recipients). It imposes data minimization, caps retention to necessary periods or one year after the consumer’s last intentional interaction, restricts government disclosure, and bans sale, trade, or lease of precise geolocation data.

Who It Affects

Mobile apps, location‑based services, advertisers, data brokers, and any California businesses that collect or process precise latitude/longitude level location data about consumers. Cloud and analytics providers that store or process that data will also face compliance obligations.

Why It Matters

Precise geolocation is uniquely sensitive because it can reveal home, work, medical visits, and associations. AB 322 creates operational limits that will require product changes, contract edits with processors and advertisers, and new notice and data governance controls for any organization handling high‑precision location data in California.

What This Bill Actually Does

AB 322 focuses narrowly on "precise geolocation information" collection and places three categories of obligations on businesses: disclosure to consumers at the time of collection, limits on collection and retention, and restrictions on disclosure and sale. At collection, the business must prominently display a notice that does more than tell users location is being captured: it must name the business, give a telephone number and website for more information, state the precision of the data being collected, explain which goods or services the consumer requested that justify the collection and how the business will process the data to deliver those services, and identify third parties who could receive the precise location information.

On limits, the bill requires businesses to collect only the amount of precise location data necessary to provide the requested goods or services, subject to a safety valve: businesses may collect or process additional precise location information when responding to security incidents, fraud, harassment, malicious or deceptive activity, or other illegal acts targeted at the controller or processor. That security exception is time‑bounded: location data gathered under the exception cannot be retained beyond 30 days.

Outside that exception, the bill bars retaining precise geolocation information beyond what is necessary for the consumer’s requested service or beyond one year after the consumer’s last intentional interaction with the business, whichever comes earlier.

AB 322 also forbids selling, trading, or leasing precise geolocation information. It restricts government access tightly: businesses may not disclose precise location to a state or local agency or official unless served with a valid California court order or an out‑of‑state court order that complies with California law, explicitly referencing protections such as the Reproductive Privacy Act and a defined foreign penal civil action.

Disclosure to federal agencies is barred unless federal law requires it. The text included here does not define enforcement mechanisms, penalties, or the statute’s interplay with other California privacy laws, nor does it define "precise geolocation information" within the excerpt provided, which raises practical implementation questions.

The Five Things You Need to Know

1. Notice must be "prominently displayed" at the time precise geolocation information is collected and must include six elements: the fact of collection, collector name, a telephone number and website, the type and precision of data, the goods/services tied to collection plus how the data will be processed, and third‑party recipients.

2. The bill requires data minimization: businesses may not collect or process more precise location data than necessary to provide the consumer’s requested goods or services, with a narrowly tailored security exception.

3. Security exception: businesses may collect/process extra precise geolocation information to respond to security incidents, fraud, harassment, malicious/deceptive activities, or illegal acts involving the controller or processor, but such data cannot be retained beyond 30 days.

4. Retention cap outside the exception: businesses may not retain precise geolocation information longer than necessary to provide the requested goods or services or longer than one year after the consumer’s last intentional interaction, whichever is earlier.

5. The bill prohibits selling, trading, or leasing precise geolocation information. It bars disclosure to state/local agencies unless the business is served with a California court order consistent with California law (including the Reproductive Privacy Act), and it allows disclosure to federal agencies only when federal law requires it.

Section-by-Section Breakdown

Section 1798.122(a)

Prominent consumer notice — six required elements

This subsection mandates that businesses display a clear notice at the moment precise geolocation is being collected. The notice must do more than identify the practice: it must include the collector’s identity, phone and web contact points for more information, the type and precision of location data, the goods/services that justify collection and an explanation of how the data will be processed to deliver those services, and the third parties who could receive the data. Practically, this requires UI changes for apps and websites, updates to privacy disclosures, and clear mapping between product features and the notice language.

Section 1798.122(b)(1)

Data minimization with a limited security exception

The bill requires businesses to limit collection and processing to what is necessary for the consumer’s requested service. It creates an explicit exception allowing additional collection/processing to address security incidents, fraud, harassment, malicious or deceptive activity, or other illegal acts targeting the controller/processor. The exception is constrained by a strict retention limit: location data collected under that exception must be deleted within 30 days. Implementers must design detection and retention workflows to segregate exception data and enforce the 30‑day deletion clock.

Section 1798.122(b)(2)-(3)

Retention limits and ban on commercial transfer

Outside the security exception, businesses cannot keep precise geolocation data longer than needed to provide the requested goods or services, and in any event not beyond one year after the consumer’s last intentional interaction with the business. The statute also bars selling, trading, or leasing precise geolocation information. Organizations will need retention policies tied to product lifecycles and will need to identify what counts as an "intentional interaction" for calculating the one‑year cutoff; they will also need contractual controls to stop third‑party monetization of such data.

Section 1798.122(b)(4)-(5)

Tight limits on government access

The bill prevents disclosure of precise geolocation information to state or local agencies or officials unless the business is served with a valid California court order or an out‑of‑state order that is consistent with California law, with specific callouts including the Reproductive Privacy Act and a defined foreign penal civil action. Disclosure to federal agencies is prohibited except where federal law requires it. This imposes a high bar for public‑sector access and forces businesses to scrutinize incoming legal process and to seek judicial review where orders conflict with California standards.

Who Benefits and Who Bears the Cost

Every bill creates winners and losers. Here's who stands to gain and who bears the cost.

Who Benefits

  • California consumers who use location‑enabled services — they gain clearer, on‑collection notice and stronger limits on how long detailed location traces about them can be stored or sold.
  • Individuals seeking reproductive, medical, or related sensitive services — the court‑order requirement tied to California law (including the Reproductive Privacy Act) reduces the risk that precise location data will be disclosed to state/local actors without judicial review.
  • Privacy‑focused service providers and app makers — firms that already minimize and avoid monetizing location data gain a competitive compliance advantage and clearer guardrails for product design.
  • Civil liberties and privacy advocacy organizations — the statutory constraints on sale and government access create durable protections that these groups can enforce or promote.

Who Bears the Cost

  • App developers and consumer‑facing businesses that use high‑precision location — they must redesign UX to present the required notice, implement minimization, and build retention workflows (including 30‑day deletion for exception data).
  • Advertisers and data brokers that monetize precise location — the explicit ban on selling, trading, or leasing precise geolocation undercuts existing business models and requires new revenue strategies or contractual changes.
  • Cloud, analytics, and processor vendors — these providers must support segregation, short retention windows, and deletion workflows and face contract renegotiations to comply with controller obligations.
  • Legal and compliance teams — businesses will need counsel to interpret "necessary to provide services," to vet court orders (especially out‑of‑state requests), and to respond to potentially conflicting federal demands.
  • Law enforcement and government investigators — the statute raises the procedural bar to obtain precise geolocation data from companies, which may slow investigations that rely on commercial location records.

Key Issues

The Core Tension

The bill pits the legitimate privacy interest in shielding fine‑grained location traces — which can reveal highly sensitive personal details — against the operational, security, and investigative needs of businesses and public authorities; strong protections reduce misuse and commercial exploitation of location data but raise implementation complexity, potential conflicts with other legal process, and costs for firms that rely on precise location for core services.

AB 322 tackles a sensitive privacy vector but leaves several practical and legal questions unresolved. The statutory excerpt does not define "precise geolocation information" or "intentional interaction," which are central to applying minimization and the one‑year retention rule; implementers will need authoritative definitions (from regulations, guidance, or subsequent statutory language) to operationalize obligations.

The 30‑day limit on security exception retention is strict and sensible for privacy, but it may be too short for some forensic or legal investigations; organizations will need clear procedures to segregate and delete exception data while preserving legally required evidence under court orders.

The government disclosure rules create a high procedural barrier by conditioning disclosure on court orders consistent with California law and by referencing the Reproductive Privacy Act and foreign penal civil actions. That approach protects sensitive conduct but may create routine friction when out‑of‑state or federal authorities seek location records; it also invites litigation over whether particular orders meet California’s standards.

The text excerpt provides no enforcement mechanism or penalty regime, and it does not explain how this statute interacts with existing California privacy laws (like the CCPA/CPRA) or with federal compulsory process—raising preemption and compliance sequencing questions for counsel and compliance teams.
