The FTC recently announced proposed consent orders with Outlogic (formerly X-Mode Social) and InMarket Media concerning their collection and monetization of precise geolocation data. Both companies collect location data using software development kits (“SDKs”) installed in first and third party apps, among other data sources. According to the FTC’s complaints, Outlogic sold this data to third parties (including in a manner that revealed consumer’s visits to sensitive locations) without obtaining adequate consent, and InMarket used this data to facilitate targeted advertising without notifying consumers that their location data will be used for targeted advertising. In both cases, the FTC alleged that these acts and practices constituted unfair and/or deceptive acts or practices under Section 5 of the FTC Act.
According to the FTC’s complaint, the data broker Outlogic engaged in unfair practices by selling precise location data that revealed consumers’ visits to sensitive locations, selling audience segments based on sensitive characteristics for marketing purposes, failing to honor consumer privacy choices related to tracking and personalized advertising, collecting precise location data without obtaining informed consent, and failing to take “reasonable steps” to verify that third-party apps using its SDK had obtained informed consent. The FTC also alleged that Outlogic’s failure to disclose to consumers that the company provided location data “to government contractors for national security purposes” was deceptive.
More specifically, the FTC alleged that Outlogic sold precise geolocation data that could be used to reveal visits to sensitive locations such as medical and religious sites, and did not have measures in place to ensure that sensitive locations were removed from its datasets prior to the sale of datasets. The FTC took the position that the data was non-anonymized because of the inclusion of Mobile Advertiser IDs in the datasets. The FTC also alleged that Outlogic unfairly created custom audience segments based on sensitive characteristics of consumers, including a segment based on devices that visited certain health care providers or infusion centers. The FTC alleged that these business practices were likely to cause substantial injury, including because Outlogic did not implement sufficient safeguards to restrict downstream use of the data.
Under the terms of the proposed order, Outlogic is required to delete or destroy previously collected location data unless it obtains consumer consent to retain the data or ensures the data has been deidentified or rendered non-sensitive. Outlogic is also required to delete or destroy any models, algorithmics, or derived data created from such data. Further, and among other requirements, Outlogic is required to create a “sensitive location data program” to ensures it does not sell, share, or transfer sensitive location data, as well as a “supplier assessment program” to ensure that apps that provide data to Outlogic are obtaining informed consent from consumers to do so.
The FTC’s complaint against InMarket Media also included both unfairness and deception claims. The FTC alleged that the data aggregator collected sensitive information about consumers through its SDK without providing, or verifying that third-party apps had provided, adequate notice to users that their data would be used for advertising purposes. InMarket Media then allegedly used that data to create audience segments for advertising purposes, which it used to target ads on behalf of advertisers and made available for targeting on ad exchanges. Further, the FTC alleged that InMarket Media retained sensitive location data for up to five years, and that this was longer than reasonably necessary for InMarket Media’s stated business purposes for collection. The FTC alleged that these practices related to collection, use, and retention of customer location data were unfair, as well as that InMarket had deceptively failed to disclose its use of consumer location data for targeted advertising in its first-party apps.
Among other requirements, the proposed order for InMarket Media prohibits the company from selling or licensing location data. In order to collect location data in connection with InMarket’s first party apps, the parties are required to obtain written consent and provide reminders about the collection of location data every six months. InMarket Media must also provide “a simple, easily-located means” for users to revoke affirmative consent in connection with, or request deletion of, their location data. Additionally, and similarly to Outlogic, InMarket Media must institute an SDK “supplier assessment program,” “sensitive location data program,” and privacy program.
Settlements are not legally binding, except on the parties that voluntarily enter into them. In addition, the FTC recently lost a motion to dismiss its complaint against a data broker, Kochava, related to its sale of precise geolocation data from which the FTC alleged sensitive locations could be revealed. In granting Kochava’s motion to dismiss, the court held that the FTC had not adequately alleged that Kochava’s practices would likely cause substantial consumer injury. The FTC has filed an amended complaint, which remains pending, and the final outcome of that case will be even more closely watched in light of these recent settlements.