On January 9, 2024, the Federal Trade Commission (FTC) issued its first-ever prohibition on the use, sale and disclosure of sensitive location data against X-Mode Social and Outlogic (“X-Mode”), a location data broker. Only 9 days later, the FTC announced another similar enforcement action against data broker InMarket Media (“InMarket”) for its allegedly illegal collection, use, and processing of consumer location data. The FTC’s case against X-Mode focuses primarily on misrepresentations and the use, sale, and disclosure of sensitive locations, while the case against InMarket emphasizes the need for transparency, proper notice, and consent from consumers regarding the processing of their sensitive location data. Although distinct, the enforcement actions against X-Mode and InMarket (collectively, the “Companies”) illustrate the FTC’s continued focus on consumer harm related to location data potentially revealing sensitive information about an individual, such as their medical history or information about their religious affiliation.
These enforcement actions should not come as a surprise. In a July 2022 speech, the FTC’s Acting Associate Director of the Division of Privacy & Identity Protection specified “location” as a subcategory of sensitive information that the agency would be “committed to fully enforcing the law against illegal use and sharing.” Location data was also the topic of an FTC blog post earlier in January about the FTC’s actions to safeguard sensitive location data generated by mobile apps.
The FTC just made progress in similar allegations about sensitive geolocation data against data broker Kochava. Last week, the district court denied Kochava’s motion to dismiss, rolling back a previous decision that favored the company. This newest development indicates the FTC’s amended complaint successfully defended its allegations that Kochava’s data privacy practices could cause a “substantial injury” to consumers (the standard needed for an enforcement action under Section 5 of the FTC Act). The case will now continue through the district court as both parties continue with litigation.
As these enforcement actions indicate, the FTC is looking carefully at whether it believes consumers have a full understanding of how their sensitive location data is used and whether companies have obtained informed consent for these use cases. In the X-Mode and InMarket cases specifically, the agency stated that the Companies should have informed the app developers that utilize their software development kits (SDKs) that collected location data would be used for targeted advertising. Further, the FTC indicates that the Companies should have verified that these third-party apps were obtaining proper consumer consent for this specific use. Data brokers should pay close attention to the elements of these enforcement actions, including the requirement that X-Mode implement an SDK Supplier Assessment Program that requires tracking and recording the consent agreements from the third-party applications, and should assess whether their current policies and procedures are aligned with regulatory expectations.
In this post, we summarize both the complaints and the orders from the FTC’s enforcement actions involving X-Mode and InMarket, as well as highlight key takeaways from those decisions. We are happy to answer any questions you might have about your company’s data compliance programs. To keep up-to-date on the FTC’s latest privacy enforcement activities, be sure to subscribe to the WilmerHale Cybersecurity and Privacy Law Blog.
Summary of the Complaints
The X-Mode and InMarket complaints center around the Companies’ privacy program and practices regarding the collection, processing, and disclosure of sensitive location data, and the lack of transparency around all of these processes. Accordingly, the FTC alleges that X-Mode and InMarket violated Section 5 of the FTC Act by engaging in unfair or deceptive acts or practices, including:
1. Inadequate Disclosure of Use and Purpose to Consumers. The FTC critiqued the Companies for their inadequate privacy disclosures, which failed to provide consumers with full information regarding the Companies’ usage and purpose for collection of location data through their own mobile apps. In the X-Mode complaint, the FTC emphasized that companies are required to provide consumers within the app a privacy disclosure that includes a request for consumers’ consent to collect location data and provides an explanation for the purposes for using such information. X-Mode’s disclosures also allegedly failed to disclose certain commercial uses such as selling of location data to government contractors for national security purposes, which the FTC contended was material information for consumers to provide informed consent.
Similarly, the FTC claims that InMarket failed to notify consumers that their location data was being used for targeted advertising purposes. Allegedly, the apps’ “allow location permissions” consent screens only stated that the location would be used for the app’s functionality. Further, the consent screens did not include details about how the consumer’s precise location would be tracked “often multiple times per hour,” nor that it would be aggregated with other data points about the user for specific user profiling.
2. Inadequate protections and policies for sensitive data. The complaints critique the Companies’ policies and procedures around sensitive data. For example, the X-Mode complaint alleges that until May 2023, X-Mode did not restrict the collection of location data from sensitive locations such as healthcare facilities, churches, and schools. In particular, the company did not have any policies in place to remove sensitive locations from raw location data before selling such data. In addition to data minimization policies, the FTC also looked at retention policies and found InMarket’s 5-year retention period for its location data to be “longer than reasonably necessary to accomplish the purpose for which the information was collected.” The complaint against InMarket asserts that an unnecessarily long retention period increases the risk to the consumer that their sensitive data could be exposed, misused, or linked back to the individual.
3. Failure to honor consumers’ privacy choices. The complaint against X-Mode highlighted the company’s failure to honor consumers’ affirmative privacy preferences. For example, since 2013, Android devices have provided consumers with privacy controls including the ability to “opt out of ads personalization.” The X-Mode complaint alleges that since 2018, the company failed to employ the necessary technical safeguards and oversight to ensure that consumers’ preferences were honored, resulting in the collection of MAIDs and mobile location data of all consumers, including the information of consumers who had opted out of ad personalization and such sharing. During this time period, the complaint notes that consumers were unaware of the company’s disregard for consumers’ privacy choices.
4. Lack of third-party oversight and management. Although the FTC asserted claims against both companies for their allegedly irresponsible oversight of the SDK app developers, X-Mode faces additional restrictions. That complaint alleges that X-Mode did not implement reasonable safeguards to protect against downstream misuse of precise location data by third parties. In particular, the FTC highlights that although not the primary source of collection, X-Mode collected location data through app publishers’ use of the company’s SDKs and that oversight over these third parties was insufficient at all stages of the engagement. The FTC contends that X-Mode provided sample consumer notices to third-party app publishers that used the company’s SDKs, which at the outset primed app publishers to mislead consumers about the purposes for which their location data may be used by failing to note that their location data would be provided to government contractors.
An allegation present in both complaints is that the Companies failed to verify whether third-party apps that incorporated their SDKs had obtained informed consent for the location data collection. In its action against InMarket, the FTC argues that even if the third-party app developers wanted to obtain meaningful consent, they would not be able to because the contract contained limited information about InMarket’s data practices and did not share that the location data would be cross-referenced and analyzed for inferences to construct a specific consumer user profile.
Summary of the Proposed Orders
1. Limit the future use, sale, or disclosure of sensitive location data. Notably, both Companies face restrictions around the use of location data. For example, InMarket has been banned from either directly or indirectly selling or licensing location data and can otherwise only collect and use consumer location for internal purposes if the app obtains a consumer’s affirmative and express consent. X-Mode’s ability to directly or indirectly sell, license, transfer, share, disclose, or otherwise use sensitive location data in any products or services is strictly limited. X-Mode may continue to conduct narrow activities with such data provided that the data is converted into non-sensitive data or (1) X-Mode has a direct relationship with the consumer, (2) the consumer has provided affirmative consent, and (3) the data is used to provide a service directly requested by the consumer.
2. Implement a Sensitive Location Data Program. As in many FTC enforcement actions that allege inadequate privacy disclosure practices, the orders require that the Companies implement adequate privacy practices and procedures. Here, both Companies must implement a sensitive location data program. As a part of this program, the Companies must develop and maintain a comprehensive list of sensitive locations and ensure that measures are in place to prevent a violation of the prohibition on the use, sale, or disclosure of sensitive location data. The programs must include documentation of the plan’s implementation and maintenance, appointment of a senior officer to be responsible for the program, bi-monthly assessments of the program, board or executive oversight, and deletion of all sensitive location data (or rendering such data non-sensitive) within 90 days of initiation, among other requirements.
3. Develop a supplier assessment program. The orders also require that the Companies develop supplier assessment programs to ensure that the third parties transmitting location data through the Companies’ SDKs are obtaining informed consent from consumers for the collection, use, and sale of the data. For example, InMarket cannot use consumers’ location data unless they provide affirmative express consent via the third-party apps and this consent is captured in consent records maintained by InMarket.
4. Prohibits the association of location data with sensitive locations. The FTC also requires X-Mode to implement procedures to ensure that recipients of its location data do not associate the data with locations that provide services to LGBTQ+ people, locations of public gatherings of individuals during political or social demonstrations, marches, or protests, or individuals’ residences. Notably, this list does not expressly include locations where individuals may seek medical services.
5. Obtain consumers’ affirmative express consent prior to collection and push 6-month reminders. Both actions require that the Companies collect affirmative express consent. However, consent remained a focus in the action against InMarket, which highlighted the importance of providing full and honest information (in a clear and conspicuous way) to mobile app users about how their data is actually processed and why their data is collected. In the consent order, the FTC mandates that InMarket must not only obtain consent for this location data collection and processing, but it also must remind the consumer at least every 6 months if their location data is being collected.
6. Provide a method for withholding and withdrawing consent. The orders require that the Companies provide a clear and conspicuous means for consumers to withdraw consent; this method can include a notice or link to a technical mechanism that automatically opts out of the use of mobile device information. Similarly, the Companies must provide an easy manner for consumers to request the deletion of their personal location data from the commercial databases of all recipients of the data.
Companies should be aware of the following takeaways in relation to these decisions:
- Maintain oversight of third-party data collection practices if your company processes that data. All companies should be aware that the FTC’s focus on the mishandling of sensitive location data goes beyond a company’s direct customer or client relationships. Companies that utilize SDKs or other services to facilitate the collection of sensitive location data should ensure that they implement policies and procedures that will allow the company to identify, correct, and document the mishandling of sensitive location data by third parties. Further, companies, such as data brokers, are responsible for ensuring that the information that they collect from third parties, including other data brokers or app publishers, has been obtained through proper consent channels.
- Provide clear and accurate disclosures to third parties regarding the collection of sensitive location data. Businesses should take care to provide third-party vendors with clear and accurate information about how data passed through their SDKs will later be processed or used. This will help third-party app publishers obtain proper consent before collection and transfer of the consumer’s data back to the data broker or other entity. In line with the FTC’s focus on documentation of these policies and procedures, companies should ensure that such information is documented, including in sample privacy notices or other documentation provided to third parties.
- Uses for location data should be commensurate to the potential risk of harm associated with sensitive data. The consent order for InMarket prohibits the “[selling] or licensing [their] location data,” while X-Mode is prohibited from the “use, sale, or disclosure of sensitive location data.” The FTC’s treatment of the two data brokers is notable: InMarket can still use their location data for internal use while X-Mode cannot use their sensitive location data for anything. The key difference is that X-Mode collects and handles “sensitive location data,” especially health and healthcare-related data, more consistently and more frequently, so the risk of harm to the consumer is higher. Companies that handle sensitive location data, in particular in these heightened risk areas, should be aware that heightened risk of harm informs the level of severity in the FTC’s prohibitions.
- Custom audience segments should not be based on sensitive characteristics. Another comparison of these two actions reveals that X-Mode’s creation of custom audience segments that factor in sensitive location data (like medical office locations, etc.) constituted an “unfair categorization of consumers based on sensitive characteristics for marketing purposes” violation. By comparison, InMarket’s creation of custom audience segments (that didn’t explicitly use sensitive location data) presumably did not violate Section 5 of the FTC Act because the FTC did not include this as a count against InMarket. Therefore, businesses should be aware that they can still use their location data internally to develop extensive user profiles for targeted ads; however, they should proceed with caution where sensitive characteristics are impacted.
- Obtain informed consent that addresses all uses of consumer data. Consumers need to understand (or at least be given the opportunity to understand) how and why their data is collected and processed. Tucked into the InMarket complaint is a powerful illustration of how the FTC thinks about consumers and risk of harm in the ad tech ecosystem: “The consumer would never know that, by granting location permission to a photo-editing app, she actually set into motion a string of data collections that enabled InMarket, a third-party she likely never heard of, to amass a mountain of sensitive data about her without her knowledge.” If a company utilizes data collected via SDKs in third-party apps, they should also ensure that these apps fully inform the consumer about the specifics of how their data is collected, transferred, and used.
- Assess how data policies for collection, retention, and deletion advance the purposes of the data use. The FTC considers the purposes behind a company’s data collection and use when assessing the company’s policies around collection, retention, and deletion. Accordingly, the FTC will focus on instances where there is a misalignment and mandate practices such as data minimization or limiting a data retention period. Specifically for sensitive location data, the FTC considers a 5-year retention period to be too long for the purposes of targeted advertisements, as discussed in the InMarket complaint.