Privacy
Data Privacy Alert: FTC Secures First-Ever Ban on Sale of Sensitive Location Data
Why This Announcement Is Important
The Federal Trade Commission (FTC) has stepped forward over the past several years to limit privacy abuses against US citizens. In January 2024, the FTC announced a precedent-setting prohibition against a data broker alleged to have sold precise location data linking consumers to sensitive locations.
Overview
In September 2023, FTC Bureau of Consumer Protection Director Samuel Levine delivered prepared remarks on consumer surveillance, announcing that it “endanger[ed] our privacy, our financial welfare, and our liberty.” In January 2024, the FTC demonstrated that its words carry weight, securing the first-ever ban on the use and sale of precise location data that could link consumers with sensitive locations, including reproductive health clinics, places of religious worship, or domestic abuse shelters.
In the settlement, the FTC alleged that X-Mode Social, a data broker, and its successor company, Outlogic, LLC, failed to safeguard how third parties could use the geolocation data it collected and lacked “reasonable or appropriate safeguards” on such sensitive information. Outlogic collected the data through software development kits (SDKs) that software developers might use to build mobile apps without coding them individually, so many end users were not even aware that their location data was being collected.
Outlogic sold the data to hundreds of clients, who would then use it for their own purposes, such as advertising. However, the data could readily be associated with individual consumers identities, compromising their privacy regarding their healthcare, religious practice, or other sensitive activities.
What It Covers
The FTC said that these practices constituted “unfair and deceptive” practices, and in the settlement imposed the following requirements on X-Mode/Outlogic:
- Delete or destroy all the location data it previously collected unless it obtains consent or deidentifies the data
- Ensure that companies that provide location data to X-Mode/Outlogic are obtaining informed consent from consumers
- Ensure that its customers do not associate the data with sensitive locations, such as those serving LGBTQ+ people, political rallies, social demonstrations, or protests
- Provide an easy way for consumers to withdraw consent or find out who has received access to their data
- Implement a comprehensive privacy program including a data retention schedule
While sensitive data has increasingly been the focus of state comprehensive privacy laws, the FTC’s settlement shows that there is also significant federal attention on sensitive data nationwide. The FTC has shown its willingness to force advanced privacy compliance measures, such as data retention and minimization, on entities who may not otherwise have a legal obligation to enact these measures under existing federal or state privacy laws. Finally, the FTC’s conclusion that precise geolocation could reveal other sensitive personal information about an individual should be a warning to companies that a deeper understanding of their processing activities is required: while a surface-level analysis may not reveal risks, a comprehensive risk assessment of processing can led to better insights regarding potential impacts to data subjects.
Data Privacy Tip
Organizations should develop and implement defensible, operational data retention policies to minimize the risk of data breaches if they occur. Learn the fundamentals of data retention in Exterro’s Data Retention Handbook.