Privacy-friendly geolocation technologies for Ad tech companies

BigDataCloud February 28, 2022


Big tech, or more precisely Ad tech, companies have been heavily criticised for exploiting users’ personal data to serve targeted ads for promoting brands, services and products. The rampant buying and selling of users’ personal data and excessive use of the data have degraded the reputation of big tech companies. For example, the total GDPR fines imposed in Q3 2021 were 20 times greater than for Q1 and Q2 2021 combined, reaching nearly €1 billion. The companies included Google, Amazon, Facebook, WhatsApp and others.

Furthermore, the use of personal data to target and promote misinformation and fraud has led to more stringent user privacy rules and regulations. The general public is increasingly becoming aware of their personal data and is looking for ways to avoid being tracked online or having their data stolen. Who can we trust and how can we protect ourselves? Adblocking tools, VPN services and many other tools are increasingly gaining popularity among savvy internet users who want to hide their identity on the Internet.

This has led tech giants such as Apple to make user privacy their main agenda. In fact, their severe restrictions on the availability of personal data have impacted digital platforms and ad tech providers (including Facebook). Based on the research by Location Science, this change has resulted in a 24% decrease in GPS data post iOS 13. As a result, the reliance on IP geolocation data is nearly doubling among the ad tech platforms. 

This signals a shift in location data quality priorities in the face of privacy concerns. 



Sources of Precise Location Data

The availability of GPS modules in our smartphones and extensive mapping of WiFi/Cellular networks across the world have enabled technologies to locate individuals with pinpoint accuracy. However, the technology is not always accurate and has limitations, which we have covered in detail in our blog post about the reliability of location-based services. This is why sometimes Google or Apple maps will show you the wrong location. In areas where there is no satellite, Wi-Fi or cellular networks, it is impossible to have pinpoint accuracy.

Furthermore, this location data is only available on request. On mobile devices, the location settings allow users to choose with whom they would like to share their location and how. On desktops, modern browsers have access to the HTML5 Geolocation API to retrieve users’ geocoordinates by triangulating the Wi-Fi access points. Almost every e-commerce and media site uses this API to prompt users to share this location data. Often, these requests are ignored by users, which forces businesses to use other methods.

The role of IP Geolocation in the age of privacy 

An alternative method of identifying your website or app users’ location is with their IP address. But first, let’s address some myths about IP addresses. First, people believe that exposing their IP address will allow hackers to steal their data, and cybercriminals have been exploiting this paranoia to carry out fraud. It has become common to receive suspicious voicemails claiming to know your IP address and threatening to steal your data. Let’s address this concern by looking more closely at what an IP address is.

An IP address is a unique ID assigned to a device that wants to connect to the global internet. By default, this ID is exposed to any other device in the network that you would like to communicate with. The moment you visit any website, the site can easily retrieve your IP address. But an IP address doesn’t contain any location information by itself. The location is instead derived from various other data sources and complex algorithms. You can read a detailed article about this in our blog post - IP Geolocation Demystified.

Furthermore, not all IP addresses are the same, hence their impact on user privacy varies. For example, an IP address assigned by a cellular network changes frequently and is served across a wide geographical area, compared to an IP address assigned by your local ISP providers at home which changes less frequently. Hence, the accuracy and precision of location data from these IP addresses differ. On the other hand, if you are using a fixed static IP address at your household, then the location retrieved from the IP address can pinpoint your address with remarkable accuracy. The same is true for businesses that use fixed IP addresses. In fact, this is how B2B lead generation tools are able to detect the company visiting your website and help the sales team improve their outreach campaigns. 

Despite the wide variations in the accuracy of IP geolocation, it is the only unintrusive method of identifying your visitor's location without violating user privacy laws such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). As IP geolocation technology rarely pinpoints a precise location of a user, and it doesn’t directly link to a particular consumer or household, it is quite safe from the scrutiny of the GDPR and the CCPA.

The actual legality of violating the GDPR and the CCPA with the use of IP addresses is vague, as explained in this article. However, the use of IP geolocation technology to identify the location of the visitor and serve them customised content doesn’t directly violate the law because it doesn’t connect an IP address to an individual household. This makes it best suited for Ad network platforms that allow businesses to run location-specific ads and campaigns.

IP Geolocation provides more than a location for an Ad platform

Based on the MarTech 2021 report, there was a global loss of $35 billion from ad fraud in 2020 and 1 in 5 ad-serving websites were visited exclusively by fraud bots. In the fight against click fraud and other cybercrimes, IP geolocation intelligence has a major role to play, as it is more than just a location identifier.

An IP address is not just used by an end-user who would like to surf the internet. When your web analytics tool shows that there is a visitor on your website from a certain country, it doesn’t always mean that there is an actual person behind the client browsing your website. It could be Googlebot crawling your site for SEO purposes, any other third-party bot scraping your website content, or a spam bot fishing for personal information like phone numbers, emails and so on.

The situation is the same for ad impressions and clicks. When you view your ad report on the Google Ads platform or Facebook Ad platform, not every impression and click is from actual humans. They can be spambots, fraud bots and just random machines crawling your site. This is where IP geolocation technology can make a huge difference.

Besides geolocation data, IP geolocation technology can provide rich information about an IP address. Let’s look at some of the key security parameters provided by BigDataCloud’s IP geolocation API:

  1. TorServer Detection: A Tor server is a popular service used by people to hide their digital footprint by anonymising their IP addresses. It is quite popular among activists and journalists who want to access geo-blocked content. 
  2. VPN and Proxy Detection: This is the most popular method of hiding your IP address. It is used mostly by the general public to access geo-blocked media content on platforms like Netflix, Disney+ and Prime Video. However, it is also quite popular among cybercriminals for sending spam and conducting fraudulent activities.
  3. Blacklisted IP Detection: There are many public records of IP addresses that have been detected to be used for malicious activities. This list of IP addresses is maintained by various organisations and groups for security purposes.
  4. Mail Server Detection: This will detect if the requested IP address is known to be used by an SMTP mail server.
  5. Public Router Detection: This will detect if the requested IP address is known to be used by a public router.
  6. Bogon Detection: Bogons are IP addresses that are yet to be assigned or allocated by the authorities. Hence, if you receive traffic from such an IP address, it indicates malicious intention as these are often misused by hackers.
  7. Unreachable: Unlike Bogons, these are IP addresses that aren’t reachable on the public internet. 
  8. Hosting Likelihood: This is a score between 1 and 10 generated using BigDataCloud’s proprietary algorithm that indicates whether an IP address is likely to belong to a hosting environment.
  9. Hosting ASN: This determines whether the requested IP address was announced by an autonomous system that is likely to publish hosting networks.
  10. Cellular Detection: This determines if the requested IP address is utilised by a cellular network.


As can be seen from the above metrics, IP geolocation APIs can provide insights that can be used to make better decisions on displaying and measuring ad content. This can enhance and increase ad conversion rates and reduce fraud. With the help of privacy-friendly IP geolocation data, businesses can have a better understanding of their visitors and at the same time protect themselves from fraud.
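One way an ad platform could turn the ten signals above into a per-event decision, as an added example that is not BigDataCloud's code. The field names, the ordering of the checks and the hosting threshold are all assumptions made for illustration, and the sample events are constructed.

```javascript
// Field names are hypothetical stand-ins for the ten signals listed above,
// not BigDataCloud's response schema; the policy and threshold are assumptions.
const HARD_FAIL = ['isBogon', 'isUnreachable', 'isBlacklisted'];
const ANONYMISED = ['isTorServer', 'isVpn', 'isProxy'];
const INFRASTRUCTURE = ['isMailServer', 'isPublicRouter', 'isHostingAsn'];

function classifyAdEvent(signals, hostingThreshold = 7) {
  if (signals === null || typeof signals !== 'object') {
    // Lookup failed: do not guess, hold the event for review.
    return { verdict: 'flag', geoTargeting: 'none', reasons: ['noSignals'] };
  }
  const raised = (keys) => keys.filter((k) => signals[k] === true);
  // Unallocated, unroutable or listed sources: never count these.
  const hard = raised(HARD_FAIL);
  if (hard.length > 0) return { verdict: 'reject', geoTargeting: 'none', reasons: hard };
  // Anonymisers hide the real location but are mostly ordinary users:
  // keep the event, flag it, and do not trust the geolocation.
  const anon = raised(ANONYMISED);
  if (anon.length > 0) return { verdict: 'flag', geoTargeting: 'none', reasons: anon };
  // Mail servers, routers and hosting ranges are not ad viewers.
  const infra = raised(INFRASTRUCTURE);
  if (Number(signals.hostingLikelihood) >= hostingThreshold) infra.push('hostingLikelihood');
  if (infra.length > 0) return { verdict: 'nonHuman', geoTargeting: 'none', reasons: infra };
  // Cellular addresses cover a wide area, so target by region only.
  if (signals.isCellular === true) {
    return { verdict: 'accept', geoTargeting: 'coarse', reasons: ['isCellular'] };
  }
  return { verdict: 'accept', geoTargeting: 'full', reasons: [] };
}

// Constructed sample events (documentation-range addresses, made-up signals).
const SAMPLE_EVENTS = [
  { ip: '203.0.113.10', signals: { isHostingAsn: true, hostingLikelihood: 9 } },
  { ip: '198.51.100.7', signals: { isVpn: true, hostingLikelihood: 8 } },
  { ip: '192.0.2.44', signals: { isCellular: true, hostingLikelihood: 1 } },
  { ip: '192.0.2.200', signals: { isBogon: true } },
  { ip: '198.51.100.99', signals: null },
];

// Tally verdicts so reported impressions can be compared with accepted ones.
function summarise(events) {
  const counts = {};
  for (const { signals } of events) {
    const { verdict } = classifyAdEvent(signals);
    counts[verdict] = (counts[verdict] || 0) + 1;
  }
  return counts;
}
```

Checking anonymisers before hosting signals keeps a VPN user on a data-centre exit from being written off as a bot; a platform with a stricter fraud posture would swap the two checks.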

IP Geolocation API versus IP Database

It is very common for larger organisations to purchase IP geolocation data instead of subscribing to API services. Traditionally, it made sense for businesses to have their own API server to deliver IP data. It provided more control and flexibility. However, with the advancement of API services and the emergence of a variety of API platforms, it is no longer necessary to invest in your own infrastructure since you can lease it at an affordable cost and get similar or better services. 

Today, digital platforms like e-commerce sites and SaaS platforms are directly or indirectly dependent on several third-party API services. For commerce, you have Stripe, for identity management you have Auth0, for communication you have Twilio and for automating business workflows you have Zapier. An entire digital platform can be broken down into layers of microservices.

Furthermore, IP data are always changing which makes it difficult to have your database up-to-date with the recent changes. Therefore, it makes more sense to use API services for this purpose, as the API server provider takes the entire responsibility of maintaining and upgrading their data regularly. 

For instance, BigDataCloud Geolocation data are partially updated every 2 hours and fully updated at least once a day, and BGP data are updated every 2 hours. Moreover, unlike other data vendors, BigDataCloud doesn’t use blocks because it truly supports resolution down to a single IP address. Hence, we are talking about terabytes of data plus multiple variations for different languages. It is impossible for data service providers like BigDataCloud to provide a downloadable data service without heavily compromising on the accuracy and features of the data sets. Furthermore, BigDataCloud has multiple servers across the globe delivering the data at sub-millisecond speed. The upside of using this API service instead of a database is much higher for any organisation that does not want to compromise on the speed and accuracy of IP data.

Another concern over the use of an API versus a database is data privacy. Often, when an organisation is procuring a cloud-based solution they are interested in knowing where the data is stored. And, often, a similar logic is applied to IP geolocation API services. However, IP geolocation data is different from your CRM data. In the case of IP geolocation data, a business is only requesting data owned by the IP geolocation data providers. It is a simple request of geolocation data associated with an IP address. What a business decides to do with the data retrieved is never a concern for an IP geolocation service provider. Therefore, the argument against using an API due to a concern about user privacy isn’t very strong. 

To illustrate further, let us take an example of a simple ad network that serves ads based on the user’s location. When a user visits a website that has an ad, the ad server will retrieve the user’s IP address and request geolocation data associated with the IP address from an IP geolocation API. When the ad server receives the location information, based on their internal business logic, they will serve the right content. In this entire process, an IP geolocation service only has access to an IP address without any other contextual data associated with it. Hence, an IP geolocation service provider cannot associate the IP address with an individual household or personal data. It can only associate this with the data it already has. 

A hybrid approach

A better approach for resolving a user’s location is to use a hybrid of both a GPS dataset and an IP data set. By mixing a permission-based approach and unintrusive methods, you can increase your chances of getting highly accurate data for your ad network. 

BigDataCloud has a special-purpose API that perfectly implements this hybrid method: the free client-side reverse geocoding API. The API can only be implemented on the client side, providing the opportunity for a business to become more privacy-friendly. By using the API, a business can avoid sending the coordinates to its data server; instead, it can convert the coordinates to a readable address on the client side and only store the locality information like suburb, city, country etc., instead of the precise geocoordinates of the user. This avoids storing unnecessary personal data that can be scrutinised by the law, when all that is required is a city or a country name.

Furthermore, if the user decides not to share their location, then the API will automatically fall back to BigDataCloud’s advanced IP geolocation data. This eliminates the entire process of making multiple additional API requests and improves your response time. The data format returned for a coordinate or an IP address is the same, so no change in the code is required.
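The hybrid flow described above, sketched as an added example rather than BigDataCloud's own client code. The endpoint is a placeholder, and the query parameter names and response field names are assumptions; the point shown is that coordinates are only used for the lookup and never reach the record that gets stored.

```javascript
// ENDPOINT is a placeholder; parameter and response field names are
// assumptions for illustration, not taken from the page.
const ENDPOINT = 'https://geo.example.invalid/reverse-geocode-client';
const COARSE_FIELDS = ['locality', 'city', 'countryName', 'countryCode'];

// Build the lookup URL. With no coordinates the query is empty, so the
// service resolves the caller's IP address instead (the fallback path).
function buildLookupUrl(coords, endpoint = ENDPOINT) {
  const url = new URL(endpoint);
  if (coords && Number.isFinite(coords.latitude) && Number.isFinite(coords.longitude)) {
    url.searchParams.set('latitude', String(coords.latitude));
    url.searchParams.set('longitude', String(coords.longitude));
  }
  return url.toString();
}

// Keep only locality-level fields; coordinates, postcode and anything else
// are dropped before the record is sent to the business's own server.
function toStorableLocation(response, source) {
  const record = { source };
  for (const field of COARSE_FIELDS) {
    if (typeof response[field] === 'string' && response[field] !== '') {
      record[field] = response[field];
    }
  }
  return record;
}

// Ask for permission; on denial, timeout or missing API, fall back to IP.
// In a browser: resolveLocation(navigator.geolocation,
//                               (u) => fetch(u).then((r) => r.json()))
function resolveLocation(geolocation, fetchJson) {
  return new Promise((resolve, reject) => {
    const finish = (coords) =>
      fetchJson(buildLookupUrl(coords)).then(
        (body) => resolve(toStorableLocation(body, coords ? 'gps' : 'ip')),
        reject
      );
    if (!geolocation) return finish(null);
    geolocation.getCurrentPosition(
      (position) => finish(position.coords),
      () => finish(null),
      { timeout: 5000, maximumAge: 600000 }
    );
  });
}
```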

This hybrid approach provides the best of both worlds to ad platforms and other business platforms to deliver personalised and customised messages without violating user privacy laws.

The main purpose of having user privacy laws is to protect users from online fraud and data theft. Therefore, as long as businesses use the data ethically and in favour of the public, the upsides of using personal data are much higher than the downsides.