[co-author: James O'Reilly*]
The Federal Trade Commission recently settled complaints against two data brokers over their handling of consumers’ sensitive location information. The agency alleged that such practices constitute unfair practices. Under the settlement, both Gravy Analytics and Mobilewalla, agreed to stop using and selling sensitive consumer location data.
The FTC alleged that Gravy Analytics and its subsidiary Venntel unlawfully tracked and sold precise (and thus sensitive) location information about millions of consumers. The information, according to the FTC, could be used to track individuals to places of worship, medical facilities, and political rallies. Similar to the FTC’s complaint against Kochava last year, the FTC argued that this constituted an unfair business practice and posed harm to consumers. In its complaint against Mobilewalla, the FTC argued that the data broker -which engaged in down-stream information collection as part of its digital advertising bidding exchange platforms- created audience segments based on visits to health clinics and places of worship. It did not, though, according to the FTC obtain consent directly from consumers, nor did it ensure that consumers were informed when their personal data was obtained. Among other things, the FTC pointed to the company’s “failure” to review privacy notices of the third parties who provided it with consumer information (the information used to create the audience segments).
Both companies have agreed to stop selling sensitive location information and will remove sensitive locations from their data sets. Both have also agreed to create supplier assessment programs. These programs will verify whether consumers provided consent to the collection and use of their location data. They will also be developing methods to allow consumers to withdraw consent and delete their data. These mirror similar provisions from the FTC’s settlement with X-Mode Social earlier this year.
*James O’Reilly is a Cybersecurity and Privacy Fellow in the firm’s Chicago office.
Putting it into Practice: These FTC settlements are a reminder of several areas of focus for the FTC and many regulators. First, the concern with passive information collection generally. Second, a focus on collection and use of precise location data that can be used to identify someone’s visits to “sensitive” venues like health clinics and places of worship. Third, expectations to understand business partners’ information collection when using information they provide. Given that data brokers continue to be in regulator’s sights, we anticipate that 2025 will continue to be a year focused on indirect data collection and data sharing.
