ARTICLE
5 December 2024

Location, Location, Location: FTC Continues Data Broker Enforcement, Signals Policy Shift

FK
Frankfurt Kurnit Klein & Selz

Contributor

Frankfurt Kurnit Klein & Selz logo
Frankfurt Kurnit provides high quality legal services to clients in many industries and disciplines worldwide. With leading practices in entertainment, advertising, IP, technology, litigation, corporate, estate planning, charitable organizations, professional responsibility and other areas — Frankfurt Kurnit helps clients face challenging legal issues and meet their goals with efficient solutions.
On December 3, 2024, the FTC issued two orders against location data brokers, highlighting the agency's continued focus on location data and foreshadowing its approach to privacy enforcement under new leadership.
United States Privacy

On December 3, 2024, the FTC issued two orders against location data brokers, highlighting the agency's continued focus on location data and foreshadowing its approach to privacy enforcement under new leadership. It has increasingly targeted location data practices, acting under its Section 5 authority to prevent "unfair or deceptive acts or practices." These orders follow similar actions against X-Mode and InMarket earlier in 2024. In separate actions against Mobilewalla and Gravy Analytics and its subsidiary Venntel, the FTC found both companies engaged in unfair practices related to the collection, use, and sale of consumers' location data.

Gravy Analytics and Venntel: Monetizing Precise Location Data Without Consent

The FTC's complaint against Gravy Analytics and Venntel focuses on selling sensitive location data to private and public sector customers without properly obtaining consumer consent. The FTC alleges Gravy obtained precise location data from third-party suppliers to track consumers' visits to sensitive locations, such as reproductive health clinics, places of worship, and political gatherings. The complaint further alleges Gravy categorized consumers into "audience segments" based on sensitive inferences derived from their location data, such as medical conditions, political affiliations, and religious beliefs, and sold these segments to third parties.

Mobilewalla: Exploiting Real-Time Bidding Exchanges for Sensitive Data

The FTC alleged Mobilewalla collected precise location data from real-time bidding (RTB) exchanges for purposes beyond bidding on ad space. The data broker allegedly used this data to geofence sensitive locations, like healthcare centers or places of worship, to help customers build and target audience segments or track designated groups. Additionally, Mobilewalla transferred sensitive location data, including app usage data from Grindr and Jack'd, to government clients.

Mobilewalla allegedly failed to adequately verify that its data suppliers obtained informed consent from consumers. The complaint states Mobilewalla's review of third-party supplier's disclosures was superficial, checking only a handful of apps and failing to address deficiencies.

Key Provisions of the FTC Orders: Novel Requirements and Heightened Scrutiny

Both orders impose a range of requirements on the companies, including notable provisions that go beyond typical FTC settlements.

Supplier Assessment Program. The orders require companies to implement programs to assess their suppliers' compliance with consent requirements. This requires reviewing disclosures and consent mechanisms and stopping data use without informed consent, like in InMarket and X-Mode settlements from early 2024. The Mobilewalla order further mandates stopping use of location data from RTB exchanges for purposes other than bidding on ad space.

Sensitive Location Data Program. The companies must establish programs to identify and prevent the use of sensitive location data. This program must include developing a comprehensive list of sensitive locations, designating a senior officer to oversee it, implementing procedures to ensure sensitive information is not sold in violation of the order, and regularly assessing compliance. As with the supplier assessment program, businesses can implement a modified version of a sensitive location data program in their compliance efforts.

Prohibition on the Use, Sale, or Disclosure of Sensitive Location Data. Both companies are prohibited from using or selling data associated with enumerated sensitive locations, including medical facilities, places of worship, shelters, locations predominantly serving LGBTQ+ individuals, and locations of political gatherings. The list also includes "military installations, offices, or buildings," which have not traditionally been considered sensitive but were brought to the fore by news stories on the national security risks of location tracking.

Commissioners' Statements Foreshadow Potential Policy Shifts

The Commissioners' statements reveal differing perspectives on the FTC's privacy enforcement approach that may indicate policy shifts under new FTC leadership.

Commissioner Holyoak agrees that selling precise location data without consent can cause substantial injury but cautions against an expansive interpretation of the FTC's unfairness authority. She argues that the Mobilewalla complaint goes too far in targeting data collection and categorization practices that are not inherently unfair and may have countervailing benefits. She also raises concerns about the FTC's focus on targeting advertising as an unfair practice.

Commissioner Ferguson supports the allegations regarding the sale of sensitive location data without consent and the failure to verify supplier compliance. However, he dissents from those focusing on categorizing consumers based on sensitive characteristics, arguing that the FTC Act does not prohibit drawing conclusions from lawfully obtained data. This view could signal a shift away from regulating inferred designated sensitive data types — which Ferguson calls "an indeterminate naughty categories list" — and towards a narrowed focus on unauthorized disclosures.

Ferguson and Holyoak dispute the charges of indefinite data retention against Mobilewalla, arguing keeping data forever can benefit businesses through enhanced predictive modeling or targeted advertising. Their positions suggest that data retention requirements may receive less scrutiny from a Republican-led FTC.

Commissioner Bedoya expresses concern about the porous line between government and private surveillance, arguing that the FTC's actions are necessary to safeguard Fourth Amendment protections. He highlights the sensitive nature of location data and the potential for misuse by private companies and law enforcement. A comprehensive federal privacy law may remain distant, but concerns around government data access resonate across the aisle. In 2024, a bipartisan coalition cosponsored the Fourth Amendment Is Not For Sale Act, which may provide a blueprint for regulating data sales to the public sector.

Takeaways for Navigating the Evolving Location Data Landscape

These actions send a clear message: businesses in the location data ecosystem must prioritize consumer privacy. Key takeaways include:

Obtain Affirmative Express Consent. Before collecting, using, or sharing their precise geolocation data, businesses must obtain heightened, GDPR-style consent from consumers. Businesses purchasing this data must ensure their suppliers have obtained this consent. Certain state privacy laws, like Washington's My Health My Data Act or the Maryland Online Data Protection Act, prohibit the sale of certain precise geolocation data altogether, so particular attention should be paid to a business's location data practices.

Implement robust due diligence frameworks. Businesses should vet their data suppliers to ensure they comply with privacy laws and obtain valid consent. Federal and state regulators have imposed supplier assessment programs with minor variations in several cases. Whether disclosing or receiving data, businesses have sufficient guidance to ensure third-party compliance.

Bidstream data is not unrestricted. Businesses should limit their use of data from RTB exchanges to the specific purposes allowed by the exchange. A business should not use data from lost bids. Mobilewalla allegedly unfairly collected and sold bidstream data — even from lost bids — for location tracking and sensitive data inferences. As a result, the FTC completely prohibited their use of data collected from RTB exchanges for any purpose other than auction participation.

Consider self-regulatory standards. Businesses in the location data space should look to industry organizations' guidance. The FTC's case against Kochava and settlements with InMarket and X-Mode have echoed self-regulatory standards, like The NAI's Voluntary Enhanced Standards for Precise Location Information Solution Providers. Standards like The NAI's could guide future enforcement in location data and beyond.

www.fkks.com

This alert provides general coverage of its subject area. We provide it with the understanding that Frankfurt Kurnit Klein & Selz is not engaged herein in rendering legal advice, and shall not be liable for any damages resulting from any error, inaccuracy, or omission. Our attorneys practice law only in jurisdictions in which they are properly authorized to do so. We do not seek to represent clients in other jurisdictions.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More