The FTC announced an action last week against location data broker X-Mode Social and its corporate successor Outlogic (collectively, “X-Mode”) based on several alleged violations of Section 5 of the FTC Act. According to FTC Chair Lina Khan, the case, which X-Mode has agreed to settle via a proposed consent order, will result in the “first ever ban on the use and sale of sensitive location data.”

The case focuses in large part on X-Mode’s practices as a data broker, but should matter to any business that collects, uses, or discloses consumer location data. In this post, we offer five lessons for businesses looking to avoid being on the receiving end of the FTC’s ire.

X-Mode’s Practices: from Drunk Mode to National Security

According to the FTC’s complaint, X-Mode operated as a location data broker and dealt in precise consumer location data, including unique persistent identifiers and geolocation data that it advertised as being “70% accurate within 20 meters or less.” X-Mode obtained this location data from three sources:

• third-party mobile apps, including “games, fitness trackers, and religious apps,” that incorporated X-Mode’s software development kit (SDK), and whose publishers received a share of the revenue X-Mode derived from selling the data;
• X-Mode’s own mobile apps, called “Drunk Mode” and “Walk Against Humanity;” and
• third-party data aggregators and brokers.

X-Mode sold that location data in two forms.  First, customers could buy the raw data to analyze and use for their own purposes. Second, customers could buy “audience segments” created by X-Mode’s that categorized individuals into segments based on interests or characteristics revealed by the associated locations or events. X-Mode’s customers hailed from industries ranging from real estate to clinical research. But they also included private government contractors who, the complaint implies, used the data for national security purposes.

X-Mode did not restrict the collection of its location data from “sensitive” locations such as healthcare facilities, churches, or schools. But its agreements did impose some limitations on its customers’ use of the location data it sold. In particular, the company’s agreements prohibited customers from using the data “to associate any user, device, or individual with any venue that is related to healthcare, addiction, pregnancy, or pregnancy termination, or sexual orientation, or to otherwise infer an interest or characteristic” related to those matters.

The FTC’s Case: X-Mode’s Alleged Deception and Unfairness

According to the FTC, X-Mode’s practices created several threats to individuals’ privacy.

First, the data it collected and sold could, unbeknownst to consumers, be used to track them to sensitive locations, including medical facilities, places of religious worship, places that could be used to infer an individual’s LGBTQ+ identification, domestic abuse shelters, and welfare and homeless shelters. And customers could, through various methods, identify the consumers associated with the data such that it could not be considered “anonymized.”

Second, X-Mode, through its audience segment offerings, targeted consumers for advertising and marketing based on sensitive characteristics.  To that end, the FTC’s complaint cites an engagement in which the company sold a privately-held clinical research company custom audiences of consumers who had visited cardiology, endocrinology, or gastroenterology offices, a specialty infusion center, and a pharmacy or drugstore in Columbus, Ohio.

Third, X-Mode failed to ensure that consumers received appropriate notice of, and provided affirmative express consent to, the company’s collection, use, and disclosure of their location data.  In that regard, the FTC’s complaint describes examples that included:

• disclosing to consumers in its privacy notice and consent dialogue that their location data would be used for “ad personalization and location-based analytics,” failing to mention it would also be sold to government contractors for national security purposes;
• providing sample notices to the publishers of third-party apps incorporating its SDK that suffered from the same deficiencies; and
• failing to verify that consumers whose location data was collected through those third-party apps had provided informed consent to the collection, use, or sale of that data.

These practices, the FTC alleges, all violated Section 5 of the FTC Act’s prohibition on unfair and deceptive trade practices.

To settle the FTC’s claims, X-Mode agreed to a consent order imposing a long and wide-ranging list of requirements that notably includes:

• a requirement to delete (subject to certain narrow exceptions) all historic location data collected through X-Mode’s apps and SDKs and all models and algorithms derived from that data;
• a prohibition on using, selling or disclosing “sensitive location data” unless the data is first converted into data that is not sensitive location data; or:
  • X-Mode has direct relationship with the consumer;
  • the consumer provides affirmative express consent to X-Mode’s collection and use of the data; and
  • the sensitive location data is used only to provide service directly requested by consumer; and
• a requirement for the company to implement measures (i) to ensure that its customers do not associate location data it sells with sensitive locations or use the data to determine individual’s identity or location of their home; and (ii) to promptly correct customer violations of those measures.

To ensure compliance with those requirements, the company will be subject to ongoing monitoring by the FTC, and obligations to report to the FTC, for 20 years.

Lessons for Business

1. In general, the FTC views the use, sale, and disclosure of “sensitive location data” as per se unfair under Section 5.

Perhaps the most notable aspect of the X-Mode case is the agency’s position that nearly all uses, sales, and disclosures of “sensitive location information” are per se unfair under Section 5 because those activities present unacceptable risks to consumers that cannot be outweighed by any countervailing benefits to consumers or competition. In that regard, the FTC’s complaint claims that any use or collection of this data constitutes an “unwarranted intrusion into the most private areas of consumers’ lives” that can cause real-world injury in the form of “loss of privacy, exposure to discrimination, physical violence, emotional distress and other harms.”

The case does allow one narrow exception. The consent order permits X-Mode to collect and use sensitive location data when it has a direct relationship with the consumer (and didn’t simply buy the data from another party), obtains the consumer’s affirmative express consent, and uses the data only as necessary to deliver a product or service requested by the customer.

2. In the FTC’s view, using sensitive characteristics to target consumers with advertising is also per se unfair under Section 5.

The X-Mode case also suggests that using “sensitive characteristics,” to categorize and target consumers with advertising is per se unfair under Section 5. To that end, the FTC’s complaint argues that the use of information about individuals’ visits to sensitive locations, including healthcare facilities, to categorize and target consumers, “particularly by companies that consumers never directly interact with,” falls “far outside the expectations and experience of consumers, and can result in and cause additional injuries, including by exposing them to risks of discrimination.”

3. Collecting precise geolocation data always requires affirmative express consent.

As we’ve noted before, the FTC has repeatedly said that collecting and using sensitive consumer data requires affirmative express consent.  The X-Mode case confirms that requirement applies to precise geolocation data, whether related to sensitive locations or not.

4. Obtaining affirmative express consent requires clear and comprehensive disclosures.

The X-Mode case reaffirms that incomplete or ambiguous disclosures about how location data will be used or disclosed are deceptive under Section 5 of the FTC Act, and cannot support attempts by a company to obtain the consumer’s affirmative express consent to use or disclose that data. In that regard, the case echoes the disdain the agency recently expressed for business’ reliance on “euphemisms” in “dense privacy policies” to “cloak how they really use consumers’ health information.”

The lesson here is clear: failing to disclose any material uses of consumer location data (whether by government contractors for national security purposes or otherwise) will draw similar scorn from the FTC.

5. Contractual restrictions and representations are not enough to satisfy notice and consent obligations that apply to consumer location data.

It bears noting that X-Mode had taken some steps to protect user privacy with respect to its collection, use, and disclosure of consumer location data, including restrictions in its contracts with the sources and purchasers of the data it sold. But according to the FTC, Section 5 requires more: “contractual restrictions are insufficient to protect consumers from the substantial injury caused by the collection, transfer, and use of consumers’ location data from visits to sensitive locations.”

In that regard, the case teaches that when purchasing or otherwise receiving location data from a third-party mobile app or data aggregator, companies must take reasonable steps to verify that consumers provided their informed consent, and take corrective action whenever they learn of deficient notices.