A recent settlement between the FTC and data broker X-Mode Social, Inc. (and its successor company Outlogic) signals the FTC’s growing focus on protecting individuals’ location data privacy, particularly when it comes to sensitive location data. The settlement, the first of its kind, prohibits Outlogic from sharing and selling users’ sensitive location data. It also requires the company to obtain consumer consent for, de-identify, or destroy all location data it previously acquired, and to create extensive procedures and policies concerning its location data practices, among the settlement’s other extensive requirements.
What Happened
X-Mode/Outlogic collected consumers’ precise location data through its own mobile applications, by embedding its software into third-party applications, and by buying location data from other data brokers. X-Mode/Outlogic sold the consumer location data to clients in raw data form and in “audience segments” (groups based on interests or characteristics associated with the consumers’ locations). After the FTC presented X-Mode/Outlogic with a draft complaint, the two parties agreed on the settlement terms found in the FTC Order.
The FTC’s Primary Concerns
According to the FTC’s complaint, X-Mode/Outlogic’s location data practices constituted “unfair or deceptive practices in or affecting commerce” in violation of the FTC Act in at least three ways, which the settlement aims to address: (1) by sharing and selling users’ “sensitive location data”; (2) by not implementing safeguards or procedures sufficient to protect users’ location privacy, honor users’ choices regarding the information they are sharing, and protect user information downstream; and (3) by omitting material information about with whom user location data is being shared and for what purposes.
Sensitive Location Data
The FTC’s focus is on users’ “sensitive location data,” which includes medical facilities, religious organizations, labor union offices, and locations providing social services or temporary shelter. The complaint alleges X-Mode/Outlogic had no policies or procedures to remove sensitive locations from the data it sold and no restrictions on the collection of sensitive location data. Additionally, X-Mode/Outlogic created custom audience segments for its customers based on sensitive characteristics of consumers derived from sensitive location data, which allowed X-Mode/Outlogic’s customers to target specific consumers (for example, an audience segment composed of users who had visited a specialty infusion center). The complaint characterizes the practice of “[i]dentification of sensitive and private characteristics of consumers from the location data sold by X-Mode” and the sale of sensitive location data as an invasion of privacy that “poses an unwarranted intrusion into the most private areas of consumers’ lives and causes or is likely to cause substantial injury to consumers.”
The Order broadly prohibits X-Mode’s use, sale, or disclosure of sensitive location data unless the data is nonidentifiable or the user has given affirmative express consent for X-Mode/Outlogic to use the data for services directly requested by the user. The Order also requires X-Mode/Outlogic to establish policies and procedures that identify and routinely update sensitive locations, prevents X-Mode/Outlogic from disclosing sensitive location data, and requires X-Mode/Outlogic to delete or deidentify/desensitize location data.
Safeguards, Policies, Procedures
The complaint also discusses various ways X-Mode/Outlogic’s policies and procedures fell short of protecting users’ privacy and honoring users’ privacy choices. While X-Mode/Outlogic’s agreements with customers contractually restricted how its customers could use users’ location data, according to the complaint, the FTC found the contractual clauses insufficient protection from substantial injury. The FTC also found the clauses insufficient because X-Mode/Outlogic had no policies and procedures in place to ensure its customers abided by the contractual terms nor did its licensing agreements require customers to employ reasonable and appropriate data security measures commensurate with the sensitivity of precise consumer location data. As a result, X-Mode/Outlogic had little or no control over downstream uses of the location data that it sells.
The settlement includes extensive requirements regarding implementing safeguards, policies, and procedures to identify and remove sensitive location data and better monitor downstream use of location data.
Misrepresentation and Informed Consent
The complaint also refers to X-Mode/Outlogic’s alleged failure to inform users that government contractors would be among the buyers of their location data and the data would be used for “national security purposes” as a failure to obtain informed consent because “these facts would be material to consumers” in deciding whether to provide consent.
The Order explicitly prohibits misrepresenting the extent to which X-Mode/Outlogic collects, uses, maintains, discloses, or deletes user information; requires X-Mode/Outlogic to provide a way for consumers to request the identity of those to whom their location data is disclosed; and requires the company to implement a program designed to ensure consumers have provided consent for location data collection.
What Companies Should Do Next
- Review the company’s policies and procedures regarding the use and retention of any location data (particularly sensitive location data), informed consent for sensitive location data, and identification of sensitive locations.
- Implement safeguards regarding suppliers’ and customers’ informed consent policies where sensitive location data is disclosed or transferred. Relying solely on contractual language may not be sufficient.
- Examine policies to ensure they do not misrepresent who may have access to customers’ location data and how customer location data may be used. Provide consumers with all material information, which, if applicable, includes notice that location data is provided to government contractors for national security purposes.
Some of this information—particularly concerning health-related sensitive location data—may sound familiar to companies preparing for Washington’s My Health My Data Act. If you have questions about your company’s location data policies, procedures, and safeguards, please contact our privacy & data security team.