Geolocation API: What Websites Know About Your Location and How to Stay Private

What Is the Geolocation API?

The Geolocation API is a browser standard that allows websites to request your precise geographic location. When a site uses this API, your browser displays a permission prompt asking whether you want to share your location. Unlike most browser fingerprinting techniques, the Geolocation API requires explicit user permission — making it one of the more transparent tracking mechanisms available to web developers. For the strategic overview of where geolocation fits alongside DNS, WebRTC, IPv6, and IP-based privacy threats, see our complete privacy tools guide.

When permission is granted, the API can return your latitude and longitude coordinates with varying precision depending on what data sources are available. On mobile devices with GPS, accuracy is typically within a few meters. On desktop computers without GPS, location is estimated from WiFi network information or IP address, with accuracy ranging from hundreds of meters to several kilometers.

How the Geolocation API Works

The Geolocation API combines multiple data sources to determine your location, using whichever sources are available in order of precision.

GPS (Global Positioning System) is the most accurate source, used on mobile devices with GPS hardware. It provides location accurate to within a few meters under clear sky conditions. GPS requires the device to receive signals from multiple satellites and takes longer to acquire a fix than other methods.

WiFi positioning uses a database of known WiFi access point locations. When your device detects nearby WiFi networks, the browser sends their identifiers to a positioning service (Google, Apple, or Mozilla location services) that returns your estimated position based on where those networks are known to be located. This is faster than GPS and works indoors but is accurate to roughly 10 to 50 meters in urban areas.

Cell tower positioning is used when WiFi is unavailable. It estimates location based on which cellular towers are visible and their signal strength. Accuracy ranges from a few hundred meters to a few kilometers depending on tower density.

IP geolocation is the fallback when no other sources are available. It estimates location from your IP address using commercial geolocation databases, with accuracy typically at the city level rather than the street level. See our IP address lookup guide for the detailed breakdown of what IP-based location reveals.

What Geolocation Data Reveals

Precise geolocation data is among the most sensitive information a browser can share. Your location at specific times reveals your home address, work address, daily routine, religious practices, political activities, medical appointments, and personal relationships. This data, combined over time, creates a detailed profile of your life that is far more sensitive than your browsing history alone.

Even approximate location data reveals your city and neighborhood, which is sufficient to correlate with census data, property records, and socioeconomic information. Marketers use location data to infer income level, family status, and purchasing behavior.

Browser Permission Model and Its Limitations

The Geolocation API requires explicit permission, which seems like strong protection. However, the permission model has several limitations in practice.

Permissions can be set to "always allow" for specific sites, meaning a site you granted permission to once continues to receive your location without further prompts. Many users grant location permission without reading which sites they are granting it to, particularly on mobile devices where permission prompts appear frequently.

Once permission is granted, the site can request your location repeatedly during a session. A site that shows you "local weather" on the front page can continue checking your location as you browse through the site.

Permission decisions are stored per site but are not easily auditable. Most users do not regularly review which sites they have granted location access to.

What SpeedIQ's Geolocation Tool Tests

SpeedIQ's Geolocation tool requests your location when you click to run the test. If you grant permission, it displays your coordinates and the accuracy radius of the location estimate. If you deny permission, it confirms that GPS access is blocked and your location is protected.

The tool also displays the accuracy value returned by the API, which indicates how precise the location measurement is. A small accuracy value (under 100 meters) indicates GPS or WiFi-based positioning. A large value (over 1 kilometer) indicates cell tower or IP-based positioning.

Running this test helps you understand what location data you are sharing when you grant location permission to websites, and whether your browser is appropriately requesting permission before sharing it.

How to Control Geolocation Access

All major browsers allow you to manage geolocation permissions at both the browser level and the per-site level. In Chrome, Firefox, Safari, and Edge, you can find location settings under Privacy and Security in the browser settings. You can revoke location permission for specific sites, block all sites from requesting location, or require that sites always ask before accessing location.

On mobile operating systems, location permission is managed at the app level in the system settings. You can set each browser to "never," "while using the app," or "always." For privacy, "while using the app" or "never" is recommended for browser location access.

A privacy-protective approach is to deny location permission by default and only grant it explicitly when needed — for example, when using a navigation application or checking local business hours. Granting location to general websites that use it for advertising is rarely necessary and significantly expands your data exposure.

Why VPN-Only Solutions Don't Hide Your Location

Many privacy-conscious users believe that connecting through a VPN hides their location. This belief is only partially correct — and the gap between the protection users think they have and the protection they actually have is one of the most common privacy failures.

A VPN changes your visible IP address, which means IP-based geolocation will show the VPN's location rather than your real one. This is real protection: a website that only uses IP-based location estimation will see you as coming from wherever your VPN endpoint is. But it does not hide your location from sites that use the Geolocation API. If you have granted location permission to a site, your browser provides GPS or WiFi-derived coordinates directly to the page — and those coordinates show your real physical location, regardless of which IP address your traffic appears to come from.

This means a user connected to a VPN in Switzerland can still be located in their actual home in Munich the moment they grant location permission to any site. The site sees a Swiss IP but Munich coordinates — a clear mismatch that itself signals VPN usage. Some commercial geolocation services explicitly flag this kind of mismatch as a probable VPN connection, defeating the privacy claim entirely.

The defense is operational: never grant geolocation permission to sites that don't require it for the user-visible functionality you're using. Pair this with DNS leak testing, WebRTC leak testing, and IPv6 leak testing to close the other VPN-bypass channels. And combine all of this with browser fingerprint defense, because a unique fingerprint plus a real location plus a VPN IP is a tracking profile, not anonymity.

Auditing Your Existing Permissions

Most users have granted geolocation permission to far more sites than they remember. The audit takes two minutes and is worth doing every few months.

In Firefox, go to about:preferences#privacy, scroll to "Permissions" and click "Settings" next to "Location". You'll see a list of every site that has either been granted or denied geolocation access. Review the list and remove permissions for any site that no longer needs your location. In Chrome, the equivalent path is chrome://settings/content/location. In Safari, open Settings → Websites → Location.

Take particular note of permissions you can't justify. A news site that asked for location to "show local headlines" rarely needs persistent access. A retailer that asked to find your nearest store has no business retaining permission after that single visit. The audit reveals how aggressively sites cultivate location permissions — and how easy it is to revoke them.

Frequently Asked Questions

Can websites see my location without asking?

Without using the Geolocation API, websites can only estimate your location from your IP address — typically accurate to the city level. This does not require permission because IP addresses are transmitted as part of every connection. The Geolocation API provides much more precise data but requires explicit permission.

Does a VPN prevent geolocation tracking?

A VPN changes your IP address, which affects IP-based location estimates. However, if you grant location permission to a website, the browser still provides GPS or WiFi-derived coordinates to the site — regardless of VPN usage. VPNs do not affect hardware GPS or WiFi positioning data collected by the browser. For broader VPN context, see our VPN speed test guide.

Is location sharing required for any legitimate website function?

Some website functions genuinely require location, such as navigation and mapping services, local weather applications, and "near me" search functions. For these use cases, location permission is appropriate. The concern is with websites that request location for advertising purposes without providing any location-dependent functionality in return.

How often does the browser update location when permission is granted?

By default, the Geolocation API returns a single location reading per request. However, sites can use the watchPosition method to receive continuous location updates as long as the page is open. This is appropriate for navigation apps but unnecessary and potentially privacy-invasive for most other use cases.