• What is the Location Shield Act?
  • Why is this protection necessary?
  • What does the Act propose?
  • Future steps and broader privacy reforms
  • What is the Location Shield Act?
  • Why is this protection necessary?
  • What does the Act propose?
  • Future steps and broader privacy reforms

ExpressVPN's testimony at the Location Shield Act hearing

ExpressVPN news 27.06.2023 9 mins
ExpressVPN
Written by ExpressVPN
Location symbol with an eye on a phone.

Massachusetts is taking a bold step towards protecting its residents’ privacy by considering the passage of the Location Shield Act, which aims to ban the sale of personal location data obtained from mobile phones. With the rise of unregulated data brokers who profit from buying and selling this sensitive information, the need for legislation to safeguard privacy, safety, and access to essential healthcare has become paramount.

ExpressVPN recently testified in support of this Act, highlighting the urgent need to safeguard individuals’ privacy in the digital age. Here is the full text of the testimony.

Members of the Joint Committee on Consumer Protection and Professional Licensure, 

Thank you for the opportunity to voice our support for the Location Shield Act. As staunch advocates for digital privacy as a fundamental human right, particularly in this online era, we want to strongly emphasize the importance of safeguarding individual privacy and autonomy. This is why we are writing today to underscore the importance of the Location Shield Act.

At ExpressVPN, we have witnessed firsthand the pervasive exploitation of location data, which undermines our fundamental rights—both as individuals and as a society. It is disconcerting to realize that just a glimpse into someone's location data reveals a wealth of personal information, from their place of residence, social connections, and interests, to political affiliations, sexual orientation, and even intimate preferences. This valuable personal data is treated as a commodity and exploited by corporations, government entities, and malicious individuals alike. 

ExpressVPN’s 2021 research revealed alarming extent of location tracking

In 2021, the ExpressVPN Digital Security Lab embarked on a research initiative known as Investigation Xoth, which brought to light the alarming extent of location data tracking by multiple smartphone applications. Our findings highlight the urgent necessity for regulatory measures.

Through our investigation, we made the unsettling discovery of location tracker software development kits (SDKs) employed by entities such as X-Mode, OneAudience, Quadrant, OpenSignal, Foursquare (Placed), and others. These SDKs were embedded within 450 applications, amassing an astonishing 1.7 billion downloads. We found the SDKs were used in 28 different app categories that you would never expect to gather location-tracking information—including audio, religious, and even keyboard apps. 

Our research also found the presence of location trackers in 42 messaging apps with at least 187 million total downloads—including apps masquerading as popular services such as Telegram, Facebook Messenger, and WeChat. These apps imitate the look and feel of popular brands or even copy their names. 

The implications go beyond deception: The data harvested by these location-tracking services is aggregated and packaged for sale by data brokers, all without consumers' knowledge or informed consent. This flagrant disregard for privacy rights is deeply concerning and demands our immediate attention.

ExpressVPN’s study into opioid recovery technology—more evidence of location data exploitation

In addition to our investigation into location tracking, we also conducted a focused study on ten smartphone apps specifically designed to support individuals in their journey of opioid recovery. This study was conducted in collaboration with esteemed partners such as the Opioid Policy Institute (OPI) and the Defensive Lab Agency, who all agree that the findings indicate troubling and conspicuous signs of privacy and, potentially, security issues. 

A notable finding from our study is that many of the apps examined actively collect location information through a combination of GPS, mobile network/cell radio, and Bluetooth technology. This location data, particularly when correlated with unique identifiers, significantly amplifies the capability to track individuals, exposing their daily habits and behaviors and even enabling the identification of their friends and family members.

Seven of the ten apps we analyzed requested permission to establish Bluetooth connections, demonstrating a common trend in their functionality. Additionally, seven apps accessed location data whenever available, with three explicitly requesting permission to determine coarse and fine location details based on GPS and/or mobile network information. These findings highlight the potential risks faced by vulnerable communities, particularly in contexts such as healthcare, where individuals seeking support for opioid recovery have their privacy compromised. 

Individual protections help but are not enough—we need regulation to protect privacy

While some individuals proactively take measures to protect their privacy, such as utilizing safeguards like virtual private networks (VPNs) to obfuscate their IP addresses and shield themselves from internet service providers, the responsibility can not and should not rest solely on consumers. Policymakers and technology stakeholders also play a critical role in safeguarding privacy rights. Regulatory measures must be implemented to address the proliferation of location trackers, in order to protect individuals' sensitive information and preserve their fundamental right to privacy.

Our research demonstrates that as a society, we cannot rely on technology makers, social media platforms, ISPs, or advertising platforms to meaningfully self-regulate, because that might require them to prioritize privacy rather than profit. There should be no reason for the sale of user location data to third parties.

That said, location data has many critical technology uses and so access and collection cannot be banned outright. We strongly advocate for the implementation of reasonable regulatory protections. We propose transparent and responsible management, handling, and protection of user data. By setting reasonable location data collection standards, Massachusetts can lead the way in ensuring privacy rights are upheld while still allowing for the operation of vital online services.

The time to act is now—let Massachusetts lead the way

Fundamentally, location tracking enables the creation of detailed profiles of individuals, granting an unprecedented level of insight into their personal lives. Not only does this erosion of privacy undermine the fundamental rights of individuals, but it also infringes upon their autonomy and personal freedom. We must take action now to protect our citizens' privacy and secure their digital rights.

The Location Shield Act represents an opportunity for the Massachusetts Legislature to demonstrate its commitment to safeguarding the privacy and autonomy of its residents. It is within your power to enact robust regulation and establish reasonable constraints and guidelines that will set the crucial foundation for a collaborative solution that safeguards the rights of individuals and promotes responsible data practices. 

In conclusion, ExpressVPN urges you to support and swiftly pass the Location Shield Act. By doing so, Massachusetts can become a champion for privacy rights and set an example for other jurisdictions to follow to protect individuals' privacy, autonomy, and freedom in the digital age.

Thank you for your attention to this critical matter.

Sincerely,
Lauren Hendry Parsons, Privacy Advocate,
on behalf of ExpressVPN

What is the Location Shield Act?

Our smartphones have become constant companions, tracking our movements and storing sensitive information about our lives. While this data serves valuable purposes like navigation, fitness tracking, and traffic updates, it also presents risks, exposing users to potential exploitation.

At present, data brokers operate without any legal restrictions, freely purchasing personal location data, repackaging it, and selling it to anyone willing to pay. This unregulated practice raises serious concerns about the privacy and security of individuals.

To tackle this growing issue, Massachusetts is contemplating a legislation called the Location Shield Act. This Act aims to put a stop to the sale of personal location information obtained from phones, recognizing the need for stronger privacy protections.

On June 26, 2023, lawmakers met to hear testimonies for the bill. While a final decision on the Act will come at a later date, Committee member Rep. Mary Keefe said she found the testimonies “really valuable,” “in terms of a picture of risk and harm.”

Why is this protection necessary?

The Location Shield Act is crucial because, without it, personal location data remains vulnerable. For example, reports have exposed data brokers providing information on abortion clinic locations to anti-choice groups. 

Another worrying example is when a Catholic group bought data from apps used by homosexual people to find priests using these apps. This shows how unregulated access to personal information can be really dangerous.

The Location Shield Act is necessary to stop these data brokers from collecting and selling your location data without your permission. It's not just about protecting individuals, but also about safeguarding our privacy rights as a society. We need laws in place to make sure our personal information, especially our location, is kept private and doesn't fall into the wrong hands.

What does the Act propose?

The Location Shield Act aims to safeguard individuals’ privacy and prevent the misuse of personal location data. It seeks to ban the sale, lease, trade, or rent of location data without explicit consent from the individuals involved. The act emphasizes the importance of obtaining consent before collecting or processing personal location data.

However, it does allow for the collection and processing of location data with user consent for legitimate purposes, including providing requested services, responding to emergencies, and complying with state and federal law.

Key elements of the act include:

  1. Opt-in consent: Requiring explicit consent from individuals before data brokers collect or share their location information.
  2. Data broker registry: Establishing a registry that compels data brokers to register with the state, providing transparency and accountability in their operations.
  3. Data breach notifications: Mandating data brokers to promptly notify individuals in the event of a data breach, allowing affected individuals to take necessary precautions.
  4. Right to know: Granting individuals the right to access and know the types of personal information data brokers have collected and shared about them.
  5. Right to delete: Enabling individuals to request the deletion of their personal information held by data brokers.

The act extends its protection to all individuals in Massachusetts, regardless of their state of residence. This provision is particularly relevant for individuals traveling from states with restrictive abortion laws, as it ensures the confidentiality and security of their lphone location data.

Public sentiment in Massachusetts strongly supports legislation to prohibit the sale of personal location data. The majority of voters, approximately 92%, believe that the state has a responsibility to protect individuals' privacy regarding their location data. The prohibition of selling phone location information is seen as a sensible privacy reform that can serve as a model for other states.

Future steps and broader privacy reforms

The Location Shield Act, if passed, would mark an important milestone in safeguarding privacy in Massachusetts. However, it’s essential to view it as a stepping stone towards broader privacy reforms at the state and federal levels.

As technology continues to advance, policymakers must keep pace with emerging privacy concerns. Building upon the foundation laid by the Location Shield Act, legislators should explore comprehensive privacy laws that address the intricacies of data collection, usage, and consent across all industries. These reforms should strike a delicate balance between protecting individual privacy rights and fostering innovation and economic growth.

ExpressVPN firmly supports the Location Shield Act, which is why we provided testimony during the hearing held by the Joint Committee on Consumer Protection & Professional Licensure on June 26, 2023. While a final decision on whether Massachusetts will adopt this act is pending, our testimony presented compelling evidence showcasing the exploitation of location data. This evidence serves as a reminder of the pressing need to pass the proposed law in order to safeguard individuals' privacy.

Take the first step to protect yourself online. Try ExpressVPN risk-free.

Get ExpressVPN
Content Promo ExpressVPN for Teams
ExpressVPN

ExpressVPN

ExpressVPN is dedicated to your online security and privacy. Posts from this account will focus on company news or significant privacy and security stories.

  • RELATED POST
  • More from the author
The AI era requires a new way to control your VPN. So we built it.
The AI era requires a new way to control your VPN. So we built it.
Sonja Raath 05.03.2026 6 mins
ExpressVPN launches industry's first VPN MCP server, bringing secure network connect to AI agents
ExpressVPN launches industry's first VPN MCP server, bringing secure network connect to AI agents
Marnie Spicer 05.03.2026 2 mins
How we engineered a way to restrict child sexual abuse material without looking at your data
How we engineered a way to restrict child sexual abuse material without looking at your data
Sonja Raath 04.03.2026 3 mins
Not on My Network: ExpressVPN restricts IWF-identified child sexual abuse domains
Not on My Network: ExpressVPN restricts IWF-identified child sexual abuse domains
Marnie Spicer 04.03.2026 3 mins
Introducing the Identity Defender app: New features, one dedicated home
Introducing the Identity Defender app: New features, one dedicated home
Sonja Raath 26.02.2026 6 mins
ExpressVPN partners with Meta Quest, introduces industry-first hybrid VPN browser extension
ExpressVPN partners with Meta Quest, introduces industry-first hybrid VPN browser extension
Marnie Spicer 19.02.2026 2 mins
Say goodbye to the old ExpressVPN: Get the new, improved apps by 31 March 2026
Say goodbye to the old ExpressVPN: Get the new, improved apps by 31 March 2026
ExpressVPN 23.01.2026 5 mins
VPNs, Firewalls, Endpoint Security: What Does Your Team Really Need? 
VPNs, Firewalls, Endpoint Security: What Does Your Team Really Need? 
ExpressVPN 05.12.2025 3 mins
ExpressVPN joins forces with the Brooklyn Nets as an Official Digital Privacy Partner
ExpressVPN joins forces with the Brooklyn Nets as an Official Digital Privacy Partner
ExpressVPN 13.11.2025 1 mins
Why Smart Teams Choose VPNs: The Case For Secure Remote Work
Why Smart Teams Choose VPNs: The Case For Secure Remote Work
ExpressVPN 30.10.2025 3 mins
ExpressVPN partners with MoneyBack to offer special rewards with subscriptions in Hong Kong
ExpressVPN partners with MoneyBack to offer special rewards with subscriptions in Hong Kong
ExpressVPN 22.09.2025 1 mins
After a tip, ExpressVPN updates its Windows app to strengthen protections
After a tip, ExpressVPN updates its Windows app to strengthen protections
ExpressVPN 18.07.2025 3 mins
Digital Privacy in 2025: Americans Are Fed Up With Online Censorship, AI Surveillance, and Data Exploitation
Digital Privacy in 2025: Americans Are Fed Up With Online Censorship, AI Surveillance, and Data Exploitation
ExpressVPN 26.06.2025 3 mins
3rd KPMG audit supports ExpressVPN's privacy commitments
3rd KPMG audit supports ExpressVPN's privacy commitments
ExpressVPN 25.06.2025 2 mins

ExpressVPN is proudly supporting

Get Started