FTC vs. Data Brokers: Redefining the Rules of Location Data Privacy
December 12, 2024
Privacy Plus+
Privacy, Technology and Perspective
This week, let’s consider some recent moves by the Federal Trade Commission (FTC) against data brokers for mishandling “sensitive location data.”
The Lessons of Four Cases:
In 2024, the FTC brought claims against four different data brokers over their improper collection and sale of granular “sensitive location data.” The cases revealed the following concerning practices:
· Collection, use and sale of granular location data without user consent;
· Continued usage after discovering lack of informed consent; and
· Absence of policies to filter out sensitive location data before sale.
The violations were particularly troubling. One broker analyzed racial backgrounds and travel patterns of George Floyd protestors. Others sold data revealing health decisions, political activities, and religious views based on location tracking. Some even marketed data precise enough to identify residential addresses. Much of this data came through real-time bidding exchanges and third-party aggregators, obscuring the consent trail.
The FTC's response was decisive:
All location data is “categorically” “sensitive personal information”, and should be “protected carefully”; and
Certain sensitive location data should never be used or sold, including location data associated with:
· medical facilities,
· religious organizations,
· correctional facilities,
· labor union offices,
· locations providing services to LGBTQ+ individuals,
· locations of political demonstrations,
· locations providing education or childcare to minors,
· racial or ethnic organizations,
· locations providing shelter or social services, and
· military installations, offices, or buildings.
This comes from the FTC’s recently published guidance and takeaways from these cases, which you can (and should) read by clicking the following:
Our Thoughts:
While the FTC's categorical approach is practical for enforcement, privacy preferences are deeply personal. Some people zealously guard their privacy while others broadcast their daily lives. Most people fall somewhere in between, making case-by-case privacy decisions based on context and circumstances.
Consider location data: While knowing someone shops at a particular supermarket might seem harmless, knowledge about their regular movement patterns can become a security risk. A routine medical visit might be innocuous, but location data related to visits to specialized clinics could reveal sensitive information. Similarly, attendance at certain religious services might attract unwanted attention.
Current technology cannot yet accommodate privacy settings at a granular, individual level. For now, we must rely on broad categories of sensitive data with enhanced protections, and super-sensitive categories that are entirely off-limits for commercial use.
Looking ahead, maybe one day we’ll have an “adjust privacy settings” overlay to our lives, with technology enabling dynamic privacy protections that adjust based on individual preferences, patterns, and vulnerabilities. Until then, we must work within these categorical constraints: location data is sensitive, and some location data demands even greater protection.
---
Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.