FTC Lessons in Handling Sensitive Location Data

 June 6, 2024

Privacy Plus+

Privacy, Technology and Perspective

This week, let’s look at the Federal Trade Commission’s continued focus on sensitive location data, and what can be learned from its latest actions. We’ll also provide a related thought on how irony emerges when considering local governments' widespread adoption of Smart City technologies.

Background

XMode: In January of 2024, we highlighted the FTC’s first settlement with a data broker, which specifically proposed banning the sale of sensitive geolocation data and contained sweeping requirements—to erase or anonymize previously collected data, verify supplier compliance, contract appropriately, and prevent data misuse by others, among other things. You can revisit our post on the FTC’s settlement with X-Mode Social, Inc. and its successor Outlogic, LLC by clicking on the following link:

https://www.hoschmorris.com/privacy-plus-news/ftc-cracks-down-on-data-broker

InMarket Media: In May, the FTC sharpened its focus on the collection, use, sale, and licensing of precise location data, settling its case against the digital marketing platform and data aggregator, InMarket Media. The FTC had filed a complaint against InMarket around the same time it settled with X-Mode and Outlogic. Generally, the complaint charged InMarket with collecting “large swaths of personal data on consumers--including information about their movements over time tracked on their mobile devices as well as their purchasing history and demographic and socioeconomic backgrounds.” According to the FTC, InMarket used that data for targeted advertising purposes, categorizing consumers into “advertising audiences,” like single parents or empty-nesters, “healthy and wealthy” and “wealthy and not healthy,” among other groups. It then used predictive technology and precise location information to make predictions about consumers based on their behavior and also to push ads to particular consumers, depending on their location.

 A link to the complaint follows:

https://www.ftc.gov/system/files/ftc_gov/pdf/InMarketMedia-Complaint.pdf

In this case and as a first for the FTC, the proposed order bans the selling or licensing of precise location data, among other things.  A link to the Proposed Order follows:

https://www.ftc.gov/system/files/ftc_gov/pdf/InMarketMedia-DecisionandOrder.pdf

 The FTC’s Press Release on the subject may be found by clicking on the following link:

https://www.ftc.gov/news-events/news/press-releases/2024/05/ftc-finalizes-order-inmarket-prohibiting-it-selling-or-sharing-precise-location-data

Lessons

To draw lessons from these two cases, we highlight the requirements of each order:

• + Ban on the sale and licensing of “Location Data” [InMarket]

• + Ban on the use, sale, licensing, and sharing of products and services that categorize or target consumers based on “Sensitive Location Data” associated with certain locations [InMarket]

• + Deletion or destruction of all “Historic Location Data” (location data previously collected without consumers’ Affirmative Express Consent) [InMarket and XMode]

• + Deletion or destruction of any “Data Products” (models, algorithms, or derived data produced from this data) unless they obtain consumer consent or ensure the data has been de-identified or rendered non-sensitive [XMode]

• + Contractually restrict the resale, transfer, or disclosure of location data, and implement marking techniques, such as seeding, or salting, to detect non-compliance with contractual restrictions against the resale or relicense of such data, as well as terminate contracts upon discovery of non-compliance [XMode]

• + Creation of a Sensitive Location Data Program to prevent the use, selling, licensing, transferring, or sharing of products and services that categorize or target consumers based on “Sensitive Location Data” [InMarket and XMode]

• + Provide the board of directors, governing body, or CEO (if no board or governing body exists) with annual written evaluations of the Sensitive Location Data Program [InMarket and XMode]

• + Document consumers’ “Express Affirmative Consent” to collect, use, maintain, or disclose “Location Data” and deliver “Clear and Conspicuous” reminders to consumers about the collection and use of their data at least every six (6) months [InMarket]

• + Develop a supplier assessment program to verify that suppliers who provide location data first secure informed consent from consumers for collecting, using, and selling their data, or cease using such data [InMarket and XMode]

• + Cease collecting Location Data if consent is withdrawn [InMarket - within seven (7) days, and XMode – within fifteen (15) days]

• + Provide a method for consumers to withdraw their consent to the collection and use of their location data and for the deletion of any location data that was previously collected within thirty (30) days [InMarket and XMode]

• + Establish and publicly post data retention schedules [InMarket and XMode]

• + Provide a clear and conspicuous means for consumers to request the identity of any individuals and businesses to whom their personal data has been sold or shared or give consumers a way to delete their personal location data from the commercial databases of all recipients of the data [XMode]

• + Establish and implement a comprehensive privacy program [InMarket and XMode]

Our Thoughts

The FTC’s recent actions against XMode and InMarket Media demonstrate a significant shift toward more stringent regulation of sensitive location data. The agency’s willingness to ban specific data practices and mandate data and derivative data product destruction, and in such detail, underscores its proactive stance. However, these episodic enforcement actions do not establish a consistent legal framework akin to agency rules or even the common law. As such, businesses relying on sensitive location data should consider adherence to the FTC’s latest consent orders as a matter of best practices that may help mitigate legal risks. Additionally, boards of directors should take note that the FTC has them in mind.

We will note one irony based on experience:

Many local governments have adopted Smart City technologies, which involve the collection of vast amounts of data, including the location data of their citizens. Local governments may not be fully aware that by adopting Smart City technologies, they are effectively licensing citizens’ data to private companies. Further, many private companies use that data to serve targeted advertising to those citizens, and few mechanisms exist to obtain citizens’ informed consent. This situation highlights a significant gap in the regulatory framework and underscores the need for more consistent and comprehensive legal standards to protect citizens' privacy and ensure responsible data practices.

---

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.