The FTC recently announced proposed consent orders with Outlogic (formerly X-Mode Social) and InMarket Media concerning their collection and monetization of precise geolocation data.  Both companies collect location data using software development kits (“SDKs”) installed in first and third party apps, among other data sources.  According to the FTC’s complaints, Outlogic sold this data to third parties (including in a manner that revealed consumer’s visits to sensitive locations) without obtaining adequate consent, and InMarket used this data to facilitate targeted advertising without notifying consumers that their location data will be used for targeted advertising.  In both cases, the FTC alleged that these acts and practices constituted unfair and/or deceptive acts or practices under Section 5 of the FTC Act. 

Outlogic

According to the FTC’s complaint, the data broker Outlogic engaged in unfair practices by selling precise location data that revealed consumers’ visits to sensitive locations, selling audience segments based on sensitive characteristics for marketing purposes, failing to honor consumer privacy choices related to tracking and personalized advertising, collecting precise location data without obtaining informed consent, and failing to take “reasonable steps” to verify that third-party apps using its SDK had obtained informed consent.  The FTC also alleged that Outlogic’s failure to disclose to consumers that the company provided location data “to government contractors for national security purposes” was deceptive. 

More specifically, the FTC alleged that Outlogic sold precise geolocation data that could be used to reveal visits to sensitive locations such as medical and religious sites, and did not have measures in place to ensure that sensitive locations were removed from its datasets prior to the sale of datasets.  The FTC took the position that the data was non-anonymized because of the inclusion of Mobile Advertiser IDs in the datasets.  The FTC also alleged that Outlogic unfairly created custom audience segments based on sensitive characteristics of consumers, including a segment based on devices that visited certain health care providers or infusion centers.  The FTC alleged that these business practices were likely to cause substantial injury, including because Outlogic did not implement sufficient safeguards to restrict downstream use of the data.

Under the terms of the proposed order, Outlogic is required to delete or destroy previously collected location data unless it obtains consumer consent to retain the data or ensures the data has been deidentified or rendered non-sensitive.  Outlogic is also required to delete or destroy any models, algorithmics, or derived data created from such data.  Further, and among other requirements, Outlogic is required to create a “sensitive location data program” to ensures it does not sell, share, or transfer sensitive location data, as well as a “supplier assessment program” to ensure that apps that provide data to Outlogic are obtaining informed consent from consumers to do so.

InMarket Media

The FTC’s complaint against InMarket Media also included both unfairness and deception claims.  The FTC alleged that the data aggregator collected sensitive information about consumers through its SDK without providing, or verifying that third-party apps had provided,  adequate notice to users that their data would be used for advertising purposes.  InMarket Media then allegedly used that data to create audience segments for advertising purposes, which it used to target ads on behalf of advertisers and made available for targeting on ad exchanges.  Further, the FTC alleged that InMarket Media retained sensitive location data for up to five years, and that this was longer than reasonably necessary for InMarket Media’s stated business purposes for collection.  The FTC alleged that these practices related to collection, use, and retention of customer location data were unfair, as well as that InMarket had deceptively failed to disclose its use of consumer location data for targeted advertising in its first-party apps.

Among other requirements, the proposed order for InMarket Media prohibits the company from selling or licensing location data.  In order to collect location data in connection with InMarket’s first party apps, the parties are required to obtain written consent and provide reminders about the collection of location data every six months.  InMarket Media must also provide “a simple, easily-located means” for users to revoke affirmative consent in connection with, or request deletion of, their location data.  Additionally, and similarly to Outlogic, InMarket Media must institute an SDK “supplier assessment program,” “sensitive location data program,” and privacy program.

Settlements are not legally binding, except on the parties that voluntarily enter into them.  In addition, the FTC recently lost a motion to dismiss its complaint against a data broker, Kochava, related to its sale of precise geolocation data from which the FTC alleged sensitive locations could be revealed.  In granting Kochava’s motion to dismiss, the court held that the FTC had not adequately alleged that Kochava’s practices would likely cause substantial consumer injury.  The FTC has filed an amended complaint, which remains pending, and the final outcome of that case will be even more closely watched in light of these recent settlements.

Photo of Jessica Ke Jessica Ke

Jessica Ke is an associate in the firm’s Privacy and Cybersecurity and Advertising and Consumer Protection practice groups. Jessica advises clients on a wide range of regulatory and compliance issues, including compliance with state comprehensive privacy laws, advertising substantiation issues, and participation in…

Jessica Ke is an associate in the firm’s Privacy and Cybersecurity and Advertising and Consumer Protection practice groups. Jessica advises clients on a wide range of regulatory and compliance issues, including compliance with state comprehensive privacy laws, advertising substantiation issues, and participation in the regulatory process. Jessica also maintains an active pro bono practice.

Photo of Libbie Canter Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports…

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection…

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.

Photo of Andrew Longhi Andrew Longhi

Andrew Longhi is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity and Technology and Communications Regulation Practice Groups.

Andrew advises clients on a broad range of privacy and cybersecurity issues, including compliance obligations, commercial…

Andrew Longhi is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity and Technology and Communications Regulation Practice Groups.

Andrew advises clients on a broad range of privacy and cybersecurity issues, including compliance obligations, commercial transactions involving personal information and cybersecurity risk, and responses to regulatory inquiries.

Andrew is Admitted to the Bar under DC App. R. 46-A (Emergency Examination Waiver); Practice Supervised by DC Bar members.

Photo of Sarah Parker Sarah Parker

Sarah Parker is an associate in the firm’s Washington Office. Her practice focuses on privacy, advertising, and consumer protection regulatory matters and government investigations.

Sarah also maintains an active pro bono practice, with a focus on criminal justice and civil rights litigation

Photo of Ariel Dukes Ariel Dukes

Ariel Dukes is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity Practice Group.

Ariel counsels clients on data privacy, cybersecurity, and artificial intelligence. Her practice includes partnering with clients on compliance with comprehensive privacy…

Ariel Dukes is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity Practice Group.

Ariel counsels clients on data privacy, cybersecurity, and artificial intelligence. Her practice includes partnering with clients on compliance with comprehensive privacy laws, FTC and consumer protection laws and guidance, and laws governing the handling of health-related data. Additionally, Ariel routinely counsels clients on drafting and negotiating privacy terms with vendors and third parties, developing privacy notices and consent forms, and responding to regulatory inquiries regarding privacy and cybersecurity topics. Ariel also advises clients on trends in artificial intelligence regulations and helps design governance programs for the development and deployment of artificial intelligence technologies across a number of industries.