FTC Cracks Down on Data Broker Sale of Sensitive Location Data

January 18, 2024

Privacy Plus+

Privacy, Technology and Perspective

This week, let’s highlight the Federal Trade Commission’s (FTC) recent settlement with data broker X-Mode Social, Inc. and its successor Outlogic, LLC. This is the FTC's first settlement with a data broker concerning the collection and sale of sensitive location information, and it includes a ban on the sharing or selling of such data.

The Complaint:

The FTC filed a complaint against X-Mode Social and Outlogic, alleging violations of Section 5 of the FTC Act.  The Complaint focused on their sale of consumer location data to various clients, including real estate, finance, and private government contractors. 

The FTC alleged that X-Mode/Outlogic collected such data through third-party apps incorporating their software development kit (SDK) and also purchased data from other data brokers and aggregators. Because their raw location data included a Mobile Advertiser ID (MAID) along with the device’s latitude, longitude, and timestamp, it was possible to identify the mobile device’s user or owner, revealing the consumers' visits to sensitive locations.

The FTC also took issue with X-Mode/Outlogic’s alleged efforts to categorize consumers into “audience segments” based on sensitive characteristics for marketing purposes. Such “audience segments” included “Size Inclusive Clothing Stores,” “Firehouses,” “Military Bases,” and “Veterans of Foreign Wars.”

Based on these practices, the FTC alleged violations of the FTC Act in the form of unfair sale of sensitive data, failure to honor consumer privacy choices, deceptive failure to disclose the use of location data, and providing means for others to engage in deception.

A link to the complaint follows:

https://www.ftc.gov/system/files/ftc_gov/pdf/X-Mode-Complaint.pdf

The Proposed Order:

The Proposed Order focuses on “Sensitive Location Data,” which is a term of art, synthesized by reference to the Order’s broad definitions of “Location Data” and “Sensitive Locations.” Those terms are defined as follows:

Location Data - any data that may reveal a mobile device's or consumer's precise location, including but not limited to Global Positioning System (GPS) coordinates, Cell tower information, or precise location information inferred from basic service set identifiers (BSSIDs), WiFi Service Set Identifiers (SSID) information, or Bluetooth receiver information, and any unique persistent identifier combined with any such data, such as a mobile advertising identifier (MAID) or identifier for advertisers (IDFA). Data that reveals only a mobile device or consumer's coarse location (e.g., zip code or census block location with a radius of at least 1,850 feet) or that is collected outside the United States and used for (a) Security Purposes or (b) National Security purposes conducted by federal agencies or other federal entities is not Location Data.

Sensitive Locations -

(1)   medical facilities (e.g., family planning centers, general medical and surgical hospitals, offices of physicians, offices of mental health physicians and practitioners, residential mental health and substance abuse facilities, outpatient mental health and substance abuse centers, outpatient care centers, psychiatric and substance abuse hospitals, and specialty hospitals);

(2)   religious organizations;

(3)   correctional facilities;

(4)   labor union offices;

(5)   locations of entities held out to the public as predominantly providing education or childcare services to minors;

(6)   associations held out to the public as predominantly providing services based on racial or ethnic origin; or

(7)   locations held out to the public as providing temporary shelter or social services to homeless, survivors of domestic violence, refugees, or immigrants.

The Proposed Order prohibits both misrepresentations and the sharing or selling of Sensitive Location Data. To ensure compliance, the Order provides that X-Mode/Outlogic must implement a comprehensive list of Sensitive Locations and ensure that data associated with these locations is not shared without consumer Affirmative Express Consent, which may only be obtained by a consumer’s interaction with a stand-alone notice, and which itself is another term of art defined in the Order as follows:

Affirmative Express Consent – any freely given, specific, informed, and unambiguous indication of an individual consumer's wishes demonstrating agreement by the individual, such as by an affirmative action, following a Clear and Conspicuous Disclosure to the individual of: (1) the categories of information that will be collected; (2) the purpose(s) for which the information is being collected, used, or disclosed; (3) the hyperlink to a document that describes the types of entities to whom the Covered Information is disclosed; and (4) the hyperlink to a simple, easily-located means by which the consumer can withdraw consent and that Clearly and Conspicuously describes any limitations on the consumer's ability to withdraw consent. The Clear and Conspicuous Disclosure must be separate from any "privacy policy," "terms of service," "terms of use," or other similar document.

The following does not constitute Affirmative Express Consent:

1. Inferring consent from the hovering over, muting, pausing, or closing of a given piece of content by the consumer; or

2. Obtaining consent through a user interface that has the effect of subverting or impairing user autonomy, decision-making, or choice.

In addition, the Proposed Order requires X-Mode/Outlogic to:

  • Delete or destroy all “Historic Location Data” (location data previously collected without consumers’ Affirmative Express Consent) and any “Data Products” (models, algorithms or derived data produced from this data) unless they obtain consumer consent or ensure the data has been de-identified or rendered non-sensitive;

  • Create a Sensitive Location Data Program to prevent the use, selling, licensing, transferring or sharing of products and services that categorize or target consumers based on “Sensitive Location Data” (with annual written evaluations provided to the board of directors, governing body or CEO (if no board or governing body exists));

  • Develop a supplier assessment program to verify that suppliers providing location data to X-Mode/Outlogic secure informed consent from consumers for collecting, using, and selling their data, or cease using such data;

  • Contractually restrict the resale, transfer or disclosure of location data, and implement marking techniques, such as seeding, or salting, to detect non-compliance with contractual restrictions against the resale or relicense of such data, as well as terminate contracts upon discovery of non-compliance;

  • Provide a method for consumers to withdraw their consent to the collection and use of their location data and for the deletion of any location data that was previously collected;

  • Provide a clear and conspicuous means for consumers to request the identity of any individuals and businesses to whom their personal data has been sold or shared or give consumers a way to delete their personal location data from the commercial databases of all recipients of the data; and

  • Establish and implement a comprehensive privacy program and create a data retention schedule.

A link to the Proposed Order follows:

https://www.ftc.gov/system/files/ftc_gov/pdf/X-Mode-D%26O.pdf

The FTC’s Press Release on the subject may be found by clicking on the following link:

https://www.ftc.gov/news-events/news/press-releases/2024/01/ftc-order-prohibits-data-broker-x-mode-social-outlogic-selling-sensitive-location-data

Our Thoughts:

This settlement fits snugly among the FTC's recent aggressive enforcement actions, reflecting the agency’s heightened commitment to protecting consumer digital privacy, particularly concerning the handling and sale of sensitive location data. The settlement may provide some leverage in the FTC’s action against Kochava, another data broker, who has been sued by the FTC for its alleged sale of sensitive location data. More information about the Kochava case is available on the FTC’s website, which is linked as follows:

https://www.ftc.gov/legal-library/browse/cases-proceedings/ftc-v-kochava-inc

The Proposed Order in this case contains sweeping requirements—to erase or anonymize previously collected data, verify supplier compliance, contract appropriately, and prevent data misuse by others, as well as establish a comprehensive privacy program, and a sensitive location program overseen by the board! The Order certainly underscores the FTC's rigorous approach to protecting consumer rights in the digital age.

We do wonder if the Order’s stringent directives may be the second-best regulatory approach. By regulating by enforcement under Section 5 rather than rulemaking (where the FTC primarily uses enforcement actions (and settlements) to govern industry behavior rather than clear, upfront guidelines that have been publicized and commented on), the FTC risks imposing heavy operational and financial burdens on companies who are already trying to navigate increasing numbers of disparate state privacy and related laws. The FTC’s aggressive enforcement stance is clearly trying to protect consumer privacy, but businesses – and consumers – might benefit more from a similar focus with less uncertainty and episodic enforcement.

--- 

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet, and technology. Open the Future℠.
