Geolocation API: What Websites Know About Your Location and How to Stay Private

What Is the Geolocation API?

The Geolocation API is a browser standard that allows websites to request your precise geographic location. When a site uses this API, your browser displays a permission prompt asking whether you want to share your location. Unlike most browser fingerprinting techniques, the Geolocation API requires explicit user permission — making it one of the more transparent tracking mechanisms available to web developers.

When permission is granted, the API can return your latitude and longitude coordinates with varying precision depending on what data sources are available. On mobile devices with GPS, accuracy is typically within a few meters. On desktop computers without GPS, location is estimated from WiFi network information or IP address, with accuracy ranging from hundreds of meters to several kilometers.

How the Geolocation API Works

The Geolocation API combines multiple data sources to determine your location, using whichever sources are available in order of precision.

GPS (Global Positioning System) is the most accurate source, used on mobile devices with GPS hardware. It provides location accurate to within a few meters under clear sky conditions. GPS requires the device to receive signals from multiple satellites and takes longer to acquire a fix than other methods.

WiFi positioning uses a database of known WiFi access point locations. When your device detects nearby WiFi networks, the browser sends their identifiers to a positioning service (Google, Apple, or Mozilla location services) that returns your estimated position based on where those networks are known to be located. This is faster than GPS and works indoors but is accurate to roughly 10 to 50 meters in urban areas.

Cell tower positioning is used when WiFi is unavailable. It estimates location based on which cellular towers are visible and their signal strength. Accuracy ranges from a few hundred meters to a few kilometers depending on tower density.

IP geolocation is the fallback when no other sources are available. It estimates location from your IP address using commercial geolocation databases, with accuracy typically at the city level rather than the street level.

What Geolocation Data Reveals

Precise geolocation data is among the most sensitive information a browser can share. Your location at specific times reveals your home address, work address, daily routine, religious practices, political activities, medical appointments, and personal relationships. This data, combined over time, creates a detailed profile of your life that is far more sensitive than your browsing history alone.

Even approximate location data reveals your city and neighborhood, which is sufficient to correlate with census data, property records, and socioeconomic information. Marketers use location data to infer income level, family status, and purchasing behavior.

Browser Permission Model and Its Limitations

The Geolocation API requires explicit permission, which seems like strong protection. However, the permission model has several limitations in practice.

Permissions can be set to "always allow" for specific sites, meaning a site you granted permission to once continues to receive your location without further prompts. Many users grant location permission without reading which sites they are granting it to, particularly on mobile devices where permission prompts appear frequently.

Once permission is granted, the site can request your location repeatedly during a session. A site that shows you "local weather" on the front page can continue checking your location as you browse through the site.

Permission decisions are stored per site but are not easily auditable. Most users do not regularly review which sites they have granted location access to.

What SpeedIQ's Geolocation Tool Tests

SpeedIQ's Geolocation tool requests your location when you click to run the test. If you grant permission, it displays your coordinates and the accuracy radius of the location estimate. If you deny permission, it confirms that GPS access is blocked and your location is protected.

The tool also displays the accuracy value returned by the API, which indicates how precise the location measurement is. A small accuracy value (under 100 meters) indicates GPS or WiFi-based positioning. A large value (over 1 kilometer) indicates cell tower or IP-based positioning.

Running this test helps you understand what location data you are sharing when you grant location permission to websites, and whether your browser is appropriately requesting permission before sharing it.

How to Control Geolocation Access

All major browsers allow you to manage geolocation permissions at both the browser level and the per-site level. In Chrome, Firefox, Safari, and Edge, you can find location settings under Privacy and Security in the browser settings. You can revoke location permission for specific sites, block all sites from requesting location, or require that sites always ask before accessing location.

On mobile operating systems, location permission is managed at the app level in the system settings. You can set each browser to "never," "while using the app," or "always." For privacy, "while using the app" or "never" is recommended for browser location access.

A privacy-protective approach is to deny location permission by default and only grant it explicitly when needed — for example, when using a navigation application or checking local business hours. Granting location to general websites that use it for advertising is rarely necessary and significantly expands your data exposure.

Frequently Asked Questions

Can websites see my location without asking?

Without using the Geolocation API, websites can only estimate your location from your IP address — typically accurate to the city level. This does not require permission because IP addresses are transmitted as part of every connection. The Geolocation API provides much more precise data but requires explicit permission.

Does a VPN prevent geolocation tracking?

A VPN changes your IP address, which affects IP-based location estimates. However, if you grant location permission to a website, the browser still provides GPS or WiFi-derived coordinates to the site — regardless of VPN usage. VPNs do not affect hardware GPS or WiFi positioning data collected by the browser.

Is location sharing required for any legitimate website function?

Some website functions genuinely require location, such as navigation and mapping services, local weather applications, and "near me" search functions. For these use cases, location permission is appropriate. The concern is with websites that request location for advertising purposes without providing any location-dependent functionality in return.

How often does the browser update location when permission is granted?

By default, the Geolocation API returns a single location reading per request. However, sites can use the watchPosition method to receive continuous location updates as long as the page is open. This is appropriate for navigation apps but unnecessary and potentially privacy-invasive for most other use cases.