On December 3, 2024, the FTC issued two orders highlighting the agency's continued focus on sensitive location data and foreshadowing its approach to privacy enforcement under new leadership. In separate actions against Mobilewalla and Gravy Analytics and its subsidiary Venntel, the FTC found both companies engaged in unfair practices related to the collection, use, and sale of consumers' location data. These orders echo its ongoing litigation against Kochava and similar enforcement against X-Mode and InMarket from earlier in 2024. 

Gravy Analytics and Venntel: Monetizing Precise Location Data Without Consent

The FTC's complaint against Gravy Analytics and Venntel centers on selling sensitive location data to private and public sector customers without properly obtaining consumer consent. The FTC alleges Gravy obtained precise location data from third-party suppliers to track consumers' visits to sensitive locations, such as reproductive health clinics, places of worship, and political gatherings. The complaint further alleges Gravy categorized consumers into "audience segments" based on sensitive inferences derived from their location data, such as medical conditions, political affiliations, and religious beliefs, and sold these segments to third parties.

Mobilewalla: Exploiting Real-Time Bidding Exchanges for Sensitive Data

The FTC alleged Mobilewalla collected precise location data from real-time bidding (RTB) exchanges for purposes beyond bidding on ad space. The data broker allegedly used this data to geofence sensitive locations, like healthcare centers or places of worship, to help customers build and target audience segments or track designated groups. Additionally, Mobilewalla disclosed sensitive location data, including app usage data from Grindr and Jack’d, to government clients.

Mobilewalla allegedly failed to adequately verify that its data suppliers obtained informed consent from consumers. The complaint states Mobilewalla's review of third-party supplier’s disclosures was superficial, checking only a handful of apps and failing to address deficiencies.

Key Provisions of the FTC Orders: Novel Requirements and Heightened Scrutiny

Both orders impose a range of requirements on the companies, including notable provisions that go beyond typical FTC settlements.

Supplier Assessment Program. The orders require companies to implement programs to assess their suppliers' compliance with consent requirements. This requires reviewing disclosures and consent mechanisms and stopping data use without informed consent, like in InMarket and X-Mode settlements from early 2024. The Mobilewalla order further mandates stopping use of location data from RTB exchanges for purposes other than bidding on ad space.

Sensitive Location Data Program. The companies must establish programs to identify and prevent the use of sensitive location data. This program must include developing a comprehensive list of sensitive locations, designating a senior officer to oversee it, implementing procedures to ensure sensitive information is not sold in violation of the order, and regularly assessing compliance. As with the supplier assessment program, businesses can implement a modified version of a sensitive location data program in their compliance efforts.

Prohibition on the Use, Sale, or Disclosure of Sensitive Location Data. Both companies are prohibited from using or selling data associated with enumerated sensitive locations, including medical facilities, places of worship, shelters, locations predominantly serving LGBTQ+ individuals, and locations of political gatherings. The list also includes “military installations, offices, or buildings,” which have not traditionally been considered sensitive but were brought to the fore by news stories on the national security risks of location tracking. Notably, however, the orders carve out from the prohibition disclosures for national security, an area with a notoriously broad and flexible mandate.

Commissioners' Statements Foreshadow Potential Policy Shifts

The Commissioners' statements reveal differing perspectives on the FTC's privacy enforcement approach that may indicate policy shifts under new FTC leadership.

Commissioner Holyoak agrees that selling precise location data without consent can cause substantial injury but cautions against an expansive interpretation of the FTC's unfairness authority. She argues that the Mobilewalla complaint goes too far in targeting data collection and categorization practices that are not inherently unfair and may have countervailing benefits. She also raises concerns about the FTC's preoccupation with targeting advertising as an unfair practice.

Commissioner Ferguson supports the allegations regarding the sale of sensitive location data without consent and the failure to verify supplier compliance. However, he dissents from those focusing on categorizing consumers based on sensitive characteristics, arguing that the FTC Act does not prohibit drawing conclusions from lawfully obtained data. This view could signal a shift away from regulating inferred designated sensitive data types — which Ferguson calls “an indeterminate naughty categories list” — and towards more straightforward unauthorized disclosures.

Ferguson and Holyoak dispute the charges of indefinite data retention against Mobilewalla, arguing keeping data forever can benefit businesses through enhanced predictive modeling or targeted advertising. Their positions suggest that data retention requirements may receive less scrutiny from a Republican-led FTC.

Commissioner Bedoya expresses concern about the porous line between government and private surveillance, arguing that the FTC's actions are necessary to safeguard Fourth Amendment protections. He highlights the sensitive nature of location data and the potential for misuse by private companies and law enforcement. A comprehensive federal privacy law may remain distant, but concerns around government data access resonate across the aisle. In 2024, a bipartisan coalition cosponsored the Fourth Amendment Is Not For Sale Act, which may provide a blueprint for regulating data sales to the public sector.

Takeaways for Navigating the Evolving Location Data Landscape

These actions send a clear message: businesses in the location data ecosystem must prioritize consumer privacy. Key takeaways include:

Obtain Affirmative Express Consent. Before collecting, using, or sharing their precise geolocation data, businesses must obtain heightened, GDPR-style consent from consumers. Businesses purchasing this data must ensure their suppliers have obtained this consent. Certain state privacy laws, like Washington’s My Health My Data Act or the Maryland Online Data Protection Act, prohibit the sale of certain precise geolocation data altogether, so particular attention should be paid to a business’s location data practices.

Implement robust due diligence frameworks. Businesses should vet their data suppliers to ensure they comply with privacy laws and obtain valid consent. Federal and state regulators have imposed supplier assessment programs with minor variations in several cases. Whether disclosing or receiving data, businesses have sufficient guidance to ensure third-party compliance.

Bidstream data is not unrestricted. Businesses should limit their use of data from RTB exchanges to the specific purposes allowed by the exchange. A business should not use data from lost bids. Mobilewalla allegedly unfairly collected and sold bidstream data — even from lost bids — for location tracking and sensitive data inferences. As a result, the FTC completely prohibited their use of data collected from RTB exchanges for any purpose other than auction participation.

Consider self-regulatory standards. Businesses in the location data space should look to industry organizations’ guidance. The FTC’s case against Kochava and settlements with InMarket and X-Mode have echoed self-regulatory standards, like The NAI’s Voluntary Enhanced Standards for Precise Location Information Solution Providers. Standards like The NAI’s could guide future enforcement in location data and beyond.