In a landmark decision, the Federal Trade Commission (FTC) recently reached a proposed settlement in its action against X-Mode Social and its successor, Outlogic, for their practices related to the collection and sale of sensitive geolocation data. This case underscores the FTC’s intensified scrutiny of data brokers and the broader implications for businesses handling personal data, particularly sensitive location data, or data that reveals personal details regarding healthcare, religion, or sexuality.
Understanding the Case
X-Mode/Outlogic, a Virginia-based data broker, collected precise location data through various means, including third-party apps and its software development kit (SDK). This data, linked to mobile advertising IDs, was sold to a wide range of clients, including private government contractors. Alarmingly, this data was not anonymized and could be traced back to individual consumers, revealing sensitive information like visits to healthcare facilities, religious institutions, and other personal locations.
FTC’s Allegations
The FTC’s allegations against X-Mode/Outlogic include:
- Sale of Sensitive Location Data: X-Mode/Outlogic were accused of improperly selling precise location data that could track individuals to sensitive locations, such as medical and reproductive health clinics, places of religious worship, and domestic abuse shelters.
- Lack of Informed Consumer Consent: The companies allegedly sold consumers’ raw location data without obtaining their informed consent and without placing effective limits on how their customers used the sensitive information.
- Data Collection Sources and Usage: X-Mode/Outlogic collected geolocation data from various sources, including third-party apps with their SDK, their own mobile apps, and information purchased from other data brokers. This data was then compiled and sold to clients for various purposes, including advertising and brand analytics, and to private government contractors, often without disclosing all purposes for which the data would be used.
- Capability to Match Data to Individuals: The data sold by X-Mode/Outlogic was capable of matching an individual consumer’s mobile device with the exact locations they visited, posing significant privacy threats.
- Lack of Policies and Safeguards: Until May 2023, X-Mode/Outlogic reportedly did not have policies in place to remove sensitive locations from the data sold, nor did they implement appropriate safeguards for how their downstream customers used that data.
- Failure in Technical Safeguards and Oversight: The complaint also alleges that the company failed to employ necessary technical safeguards and oversight to ensure compliance with requests by some Android users to opt out of tracking and personalized ads.
- Use of Data for Creating Targeted Consumer Lists: X-Mode/Outlogic was also involved in using consumers’ geolocation data to create catalogs of people with shared characteristics and custom lists for clients, such as providing information for marketing purposes to a private clinical research company.
- Charges of Unfair or Deceptive Conduct: The seven-count complaint charges X-Mode/Outlogic with multiple instances of unfair or deceptive conduct, in violation of the FTC Act.
Proposed Settlement Requirements
The FTC’s proposed settlement with X-Mode/Outlogic includes the following requirements:
- Prohibit the sale of sensitive location data.
- Delete or destroy previously collected location data.
- Develop a comprehensive list of sensitive locations.
- Implement a supplier assessment program.
- Establish procedures to protect locations of LGBTQ+ services and political/social demonstrations.
- Provide options for consumers to withdraw consent and request data deletion.
- Provide a means for consumers to request the identity of any individuals and businesses to whom their personal data has been sold or shared, or give consumers a way to delete their personal location data from the commercial databases of all recipients of the data.
- Establish and implement a comprehensive privacy program that protects the privacy of consumers’ personal information.
- Create a data retention schedule.
Key Takeaways for Businesses
Sensitive data such as precise location data, children’s data, and consumer health data are likely to be the subject of intense regulatory scrutiny in 2024 and beyond. Companies that handle any such sensitive data categories should consider the following key takeaways as they implement and/or renew their privacy compliance regimes in the new year:
- Importance of Informed Consent: Businesses must ensure that they have explicit and informed consent from consumers before collecting, using, or selling sensitive location data. This case highlights the consequences of failing to do so.
- Need for Transparency: Companies should be transparent about how they collect and use all personal data – sensitive and otherwise. This includes clear communication to consumers about data collection practices and the purpose of data use. Now more than ever: your privacy policy likely needs a major revamp.
- Implementing Robust Data Safeguards: Adequate safeguards to protect sensitive data are essential. This includes measures to anonymize data, prevent unauthorized access, and ensure data security. Also, make sure that contracts with service providers that may handle sensitive data contain contractual requirements to implement reasonable and appropriate security measures for personal data.
- Compliance with Regulations: Businesses must stay informed about and comply with evolving data privacy laws and regulations. Non-compliance can result in significant legal and financial repercussions. For instance, in California, a new “Delete Act” targeting data brokers was recently passed and will go into effect in the coming years. The Delete Act imposes stringent new technical requirements regarding honoring consumers’ requests to delete their personal data.
- Preparedness for Scrutiny: Data brokers, entities in the ad tech space, and companies dealing in sensitive personal data should be prepared for increased scrutiny from regulatory bodies like the FTC and California Privacy Protection Agency. Proactive measures in data handling and privacy can mitigate risks.