Geolocation Privacy in the Age of MODPA: What You Need to Know

Increased privacy protection is coming for geolocation data. The Maryland Online Data Privacy Act (MODPA), which takes effect October 1, is a recent example of increasingly comprehensive protections for mishandling mobility data derived from a third or fourth party further up the data supply chain.

As the primary source and processor of mobility data, Altitude by Geotab is paying close attention to this and other industry regulations. We derive our mobility insights from actual anonymized and aggregated vehicle data, not inferred movements, so we are particularly sensitive to protecting the rights of the more than five million commercial vehicles we work with. 

To make sure your suppliers are in compliance with Maryland and other regulations, here we summarize three main focus areas to explore with your primary mobility data partner. 

Why MODPA and geolocation privacy matter 

Going into effect on October 1, 2025, MODPA has three main themes for “regulating the manner in which a controller or a processor in possession of a consumer’s personal data may process the consumer’s personal data.” Those center around:

• What data is collected
• How it is processed
• Ways consumers can access or control it 

Although the Maryland law does not hold organizations liable for supplier data mishandling, other state laws do, and new ones could lean in that direction. Liable or not, no company wants to be associated publicly (or even privately) with lax privacy data handling. 

Documenting a discussion about these three general topics with your data supplier can put your mind at ease, and also demonstrate appropriate due diligence for numerous laws about mobility data privacy.

Online data collection methods

MODPA specifically limits data collection to “what is reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer to whom the data pertains.” 

In other words, a warehouse manager analyzing potential locations for a new logistics center probably only needs insights derived from freight mobility data, not data that includes individual commuter vehicle travel. Gathering and including commuter vehicle movements in that data set is not only unnecessary, processing and including it introduces more risk of exposure. 

But if that same warehouse manager is looking at potential locations in Texas, they could justify including access to expanded freight mobility data from other states. This could include Origin and Destination metrics to reveal insights about freight round-trips. 

The issue to explore with your data provider is whether or not the insights they deliver are derived from just the relevant data set, or from an expanded data set that includes information not “reasonably necessary” for your needs. 

Data processing for privacy

Data handling is, of course, a top concern in Maryland and other states with privacy laws. MODPA specifies that data processors must “establish, implement, and maintain reasonable administrative, technical, and physical security practices to protect the confidentiality, integrity, and accessibility of personal data.” 

So, what does this mean for non-technical data users? 

Reliable data providers will have a publicly-available privacy statement outlining compliance with multiple existing regulations. It’s easy for data users to gloss over the technical jargon in these statements, so instead look for details on how companies maintain privacy practices.  

For example, do they have internal legal and security departments? Do they follow all state and national data privacy regulations or just the state in which they operate? How often do they perform internal audits? Read through the privacy information for non-buzzwordy terms and real-world explanations, and ask for clarification if necessary.

Privacy data access for consumers

In Maryland, data providers must now make sure it’s just as easy for consumers to opt out from data collection as it was for them to opt in. Compliance in this area can be difficult to evaluate in a sea of lengthy and complicated consumer-facing privacy policies and “unsubscribe” procedures. 

In general, mobility data derived from mobile devices and online apps carries a high risk of noncompliance. That’s because finding specific opt-out actions on mobile devices can be challenging for consumers, and many mobile apps make opt-in mandatory for app usage. Consumers rarely read lengthy onboarding language to find and click on privacy information links. One could argue that these complications hardly make opt-out as easy as opting in. 

At Altitude by Geotab, privacy protection happens by design. Every dataset passes through our PII-Safe Layer, which anonymizes and aggregates data before any insights are delivered. This layer applies minimum-count thresholds, spatial and temporal aggregation, and automatic suppression of sparse results—ensuring no individual vehicle, driver, customer or fleet is ever exposed.

Outputs are available only as aggregated, up-to-date historical Commercial Movement Insights at geographic or corridor levels. Encryption and role-based access add further safeguards, while our platform is supported by industry-leading certifications like FedRAMP, FIPS 140-2, and ISO 27001. This approach means you get full analytical value from movement data—without the risk of personally identifiable information being revealed.

Geolocation privacy data at Altitude by Geotab

Customer privacy has always been our top priority, so it’s embedded within every business process we follow. First and foremost, all transportation data we collect is completely anonymized before being presented in aggregate to our customers. 

We follow all local laws and regulations pertaining to data privacy and security, helping to protect personal information. Additionally, all partner companies that work with us must complete a robust security training process to meet our data privacy standards. 

Our Enterprise Data & AI Risk Committee oversees and approves every decision we make, and we regularly conduct risk audits, test for intrusion risk, and test our systems’ resilience. 

The Maryland Online Data Privacy Act doesn’t change any of our practices, but it might change yours. 

Get our eBook to learn more about how we convert data into mobility insights responsibly.