Sending a clear message, the Federal Trade Commission (FTC) announced the settlement of two separate enforcement actions against data brokers for selling precise location data that may be used to reveal sensitive information.
On January 9, the FTC settled with Outlogic, LLC (formerly X-Mode Social) over allegations that it failed to obtain meaningful consent from consumers before collecting and selling data that could be used to track visits to sensitive locations like clinics and places of worship. One week after its milestone settlement with Outlogic, on January 18, the FTC announced a proposed order with data aggregator InMarket Media, settling claims that closely resemble those levied against Outlogic.
Complaint against Outlogic: According to the FTC’s complaint, Outlogic describes itself as the second largest US location data company and uses a variety of means to obtain consumers’ precise geolocation data—advertised to be “70% accurate within 20 meters”— including through its software development kit (SDK) licensed to app developers, through its own mobile apps, and through the purchase of third-party data. The complaint alleges that Outlogic disregards consumers opting out of personalized ads and fails to sufficiently inform app users of the purposes for which it was collecting location data. Outlogic then licenses audience segments, categories of location data based on shared user characteristics, to third parties for their own purposes. Some audience segments are designed around sensitive categories, such as users who sought treatment for specific health conditions based on their location data. The FTC contended that these practices violate Section 5 of the FTC Act, which prohibits unfair or deceptive acts. The proposed Decision and Order would impose numerous restrictive obligations on Outlogic, including that Outlogic will need to: (1) refrain from misrepresentations regarding the extent of the collection, use, disclosure and deletion of location data, and the extent to which location data is de-identified, (2) implement a program to avoid using, selling, licensing, transferring, or otherwise sharing any products or services that categorize or target consumers based on sensitive location data (i.e., data associated with sensitive locations, including medical facilities, religious organizations, correctional facilities, labor union offices, schools and others), (3) implement a program to report customers or other third parties to the FTC if those customers violate privacy terms with the company, (4) securely destroy certain historical location data that was collected without proper notice and consent, (5) install a supplier assessment program to validate its data sources, (6) post a specific retention schedule per category of data online, (6) obtain signed acknowledgements from all principals, officers, directors, and managers and members as to the requirements of the Order, (7) maintain certain recordkeeping for at least five years, and (8) undertake other compliance activities. The order will remain in effect from its date of issuance or any subsequent FTC complaint for 20 years, and non-compliance can be subject to penalties and consequences up to approximately $50,000 per violation.
Complaint against InMarket: The facts underlying the FTC’s complaint against InMarket are similar to those against Outlogic. Like Outlogic, InMarket allegedly collected consumer location data from both an SDK licensed to third party apps, as well as through its own apps, without sufficient notice that consumer data was being collected for the purpose of targeted advertising. InMarket purportedly used this location data to create audience segments—from “low-income millennials” to “Christian church goers”—based on app users’ visits to points of interest, and these audience segments were combined with other known attributes and used to select ads to display on a user’s device. As with Outlogic, the FTC argued that InMarket’s conduct violates Section 5 of the FTC Act. The settlement order imposes a similar set of compliance obligations as in the Outlogic case.
These recent developments indicate the FTC considers the potential misuse of geolocation data to be a significant enforcement priority and comes amid increased regulatory scrutiny on tracking technologies and the selling and sharing of data. Last October, California introduced significant new restrictions on companies that sell data with its California Delete Act. Under the new California law, brokers will have enhanced disclosure, audit and registration obligations (including an obligation to disclose whether they collect geolocation data) and will need to process California consumer deletion requests through a single centralized system.
Although the respondents in these FTC cases were data brokers, all businesses that engage in digital marketing, especially combined with geolocation data, either as sellers or buyers of advertising, should take note. Below is actionable guidance in light of these new enforcement actions:
- Carefully review privacy programs to ensure you understand data flows and data sources;
- Conduct risk and impact assessments when collecting, using or sharing sensitive location data and if such data is collected, ensure appropriate notices and consents are provided;
- Confirm disclosures regarding location data and other online advertising are transparent and not misleading under the FTC’s interpretation of Section 5 of the FTC Act and other applicable laws; and
- Take into account recent state laws (Nevada, Washington) that prohibit geofencing to send advertisement to consumers within a certain distance from in person medical/health facilities.