FTC Settles with Data Broker Collecting Sensitive Location Data

The Lyon Firm is reviewing an FTC settlement with the data broker X-Mode Social and its successor Outlogic. The settlement prohibits the future sharing or selling of certain sensitive location data. Our data privacy lawyers are encouraging consumers nationwide to come forward with similar location data sharing or privacy violations. We represent plaintiffs in all fifty states and are currently involved in numerous class action data privacy cases.

The Federal Trade Commission (FTC) recently settled a case regarding the location data collection and sharing methods of X-Mode Social and Outlogic. The FTC alleged that the company sold location data that could potentially track individual’s visits to sensitive locations such as medical facilities, places of religious worship and domestic abuse shelters.

This is significant news because it marks the first settlement with a data broker regarding the collection and sale of “sensitive location” information. The federal agency also claimed that X-Mode Social and Outlogic failed to establish reasonable and appropriate safeguards on the use of such data by third parties.

The FTC explained that because geolocation data reveals where a person lives, which medical treatments they seek and where they worship, businesses do not have total free reign to collect and sell all individuals’ sensitive data. The legal action, they explain, is meant “to protect Americans from intrusive data brokers and unchecked corporate surveillance.”

A week after the FTC made news by cracking down on data brokers, they announced another settlement that bans data aggregation company InMarket from selling consumers’ precise location data. The FTC said the company’s policy of retaining geolocation data for five years was unnecessary and “increased the risk that this sensitive data could be disclosed, misused, and linked back to the consumer.”

How is Location Data Collected?

The data that X-Mode and Outlogic collected and sold was primarily associated with mobile advertising IDs, unique mobile device identifiers. Such mobile device raw location data is not anonymized, and can match any consumer’s mobile device with the locations they choose to visit. There is good reason for this. For targeted marketing purposes, for instance, it is more lucrative for data brokers to match data to individual consumers.

Data brokers like Outlogic will collect data from third-party apps and then sell this precise data to various clients in a number of industries for purposes, even beyond simple advertising.

According to the FTC’s complaint, X-Mode/Outlogic had no policy in place to remove any sensitive locations from the load of raw location data it sold. The lack of safeguards against any third-party improper use of the precise location data it sold, the agency said, put consumers’ sensitive personal information and privacy at risk. According to the complaint, such privacy violations could lead to potential discrimination, violence, and emotional distress.

Can Any Data Broker Collect and Sell Our Location Data?

There must be prior consent before a data broker collects and sells your personal information. This is generally in the very small print that most consumers never bother to read before or after they download an app.

The FTC said X-Mode/Outlogic failed to obtain informed consumer consent, and failed to fully inform consumers about which entities would receive the location data. There was even some doubt as to whether those who opted out of tracking and personalized ads saw their requests honored.

What is Included in the FTC – Outlogic Settlement?

In addition to the aforementioned limits on the sharing of certain sensitive locations, the FTC order requires Outlogic to create a program to ensure it develops and maintains a list of sensitive locations, and ensure it is not sharing or selling data that includes such locations.

How this will be implemented sounds much easier said than done. What a “sensitive location” is may vary from person to person. There are gray areas, for sure. It also seems improbable that such a list could be properly maintained and stay current.

Other provisions in the proposed FTC order include the following requirements for the data broker:

• Delete or destroy all previously collected location data and any products produced from this data unless it obtains additional consumer consent
• Develop a supplier assessment program to ensure that companies that provide location data to Outlogic are obtaining informed consent from consumers
• Implement procedures to ensure that recipients of its location data do not associate the data with “sensitive” locations such as those that provide services to LGBTQ+ people such as bars, or the locations of public gatherings of individuals at political or social demonstrations or protests
• The data broker cannot use data to determine the identity or location of a specific individual
• They must offer a “simple and easy-to-find” manner for consumers to withdraw their consent for the collection and use of their location data,  and for the deletion of any location data that was previously collected
• Provide a clear and conspicuous means for consumers to request the identity of any individuals and businesses to whom their personal data has been sold or shared or give consumers a way to delete their personal data
• Establish a privacy program that protects the privacy of consumers’ personal information and create a data retention schedule
• The company is prohibited from collecting or using location data when consumers opt out of targeted advertising or tracking

Contact our data privacy and consumer protection lawyers to learn more about your rights as an American consumer. If you feel like a data broker or another company that collected your personal information violated your rights, legal action may be an appropriate response. Call for a free consultation and case review.