BACKGROUND
In the week ended December 6, 2024, the FTC announced settlements in two significant enforcement actions, targeting American companies that trade in sensitive location data – namely data analytics provider Gravy Analytics, Inc. and data broker Mobilewalla, Inc.
GRAVY ANALYTICS INC.
On December 3, 2024, the FTC issued a decision and order against Gravy Analytics and its subsidiary Venntel Inc., two data brokers accused of selling sensitive location information derived from mobile devices. This data, often collected without proper consumer consent, allowed tracking of individuals at highly sensitive locations such as healthcare facilities, houses of worship, military sites, and schools.
The FTC’s complaint asserts that Gravy Analytics obtained consumer location data from other data suppliers, utilized location signals and other information gathered from consumers’ mobile phones, and used geofencing to “identify and sell lists of consumers who attended certain events related to medical conditions and places of worship” and then “sold additional lists that associated individual consumers to other sensitive characteristics.” Gravy Analytics advertised its location data as being very precise, identifying a consumer within approximately 1 meter of precision.
MOBILEWALLA INC.
Additionally, the FTC has taken action against Mobilewalla, after the company was also found to have collected detailed location data to track customers and target advertisements to them. This raw location data was not anonymized and the company lacks policies to remove sensitive locations from the data set, meaning that such data could be used to identify individual consumers’ mobile devices and the sensitive locations they visited.
REAL TIME BIDDING
In the Mobilewalla order, the FTC highlighted the potential for misuse of data collected through real time bidding (“RTB”, i.e. the process of purchasing advertisement space on mobile apps or websites through online auctions). According to the FTC, as a part of this auction process, the advertisers are sometimes provided “granular details like location or personal characteristics about the people downstream who could be the target of an ad.” In its action against Mobilewalla, the FTC highlighted its concerns regarding RTB, in particular that it incentivised the sharing of extensive consumer data, including precise location details; that it could be transmitted across geographic borders; and that its very nature made it difficult to control how data was used and retained by multiple parties involved in the bidding process.
FTC ORDERS
The FTC, in its orders, prohibited these companies from selling or sharing consumer location data. In particular, the FTC order against Mobilewalla prohibits the company from collecting consumer data from online advertising auctions for purposes other than participating in those auctions, marking the first time the agency has designated such activity an unfair act or practice. The settlement also requires the companies to delete all previously collected sensitive location data and implement measures to prevent the future collection or sale of such data, and establish comprehensive privacy programs, including methods for consumers to ensure consumer consent moving forward.
OTHER RELATED FTC ACTIONS:
These FTC orders follow a similar settlement with digital marketing and data aggregator InMarket Media in April 2024. The FTC had previously alleged in a January 2024 complaint that InMarket collected location information about consumers from a variety of sources, including its own apps and from third-party apps that incorporate its software development kit (SDK), and combined this location information with other data to help target advertising based on consumers’ behavior. The FTC charged that InMarket failed to fully inform consumers about how their location data—which can include sensitive information about where they live, work and worship—would be used and that it would be combined with other data about those users for targeted advertising. It also failed to ensure that third-party apps that use its SDK obtained informed consent from consumers.
In its order against InMarket Media, the FTC barred the company from selling, sharing or licensing any precise location data and any product or service that categorizes or targets consumers based on sensitive location data; and also required the company to:
- delete or destroy all the location data it previously collected and any products produced from this data unless it obtains consumer consent or ensures the data has been deidentified;
- provide a simple and easy-to-find way for consumers to withdraw their consent for the collection and use of their location data for InMarket apps, and a mechanism to request deletion of any location data that InMarket previously collected;
- and create a sensitive location data program and privacy program.
Such enforcement efforts also build on the FTC’s earlier initiatives, such as actions against health apps selling ovulation and fertility data, emphasizing the agency’s commitment to combating surveillance that undermines privacy and civil liberties. With these measures, the FTC is sending a clear message to companies in the data industry: misuse of sensitive information has serious consequences.
LESSONS FOR THE DATA INDUSTRY
The key point to take away here is that the FTC clearly believes location data is sensitive data, and requires companies to not retain data for purposes outside of the original purpose(s) of collection, unless consumer consent is obtained.
The FTC’s decisions underscore a growing regulatory emphasis on holding private companies accountable for the misuse of sensitive personal data. This ties in closely to the themes explored in our Facing the Law: A Closer Look at AI and Facial Recognition Technology series, where in Part 2 we discussed the rising regulatory actions against private companies for their use of sensitive biometric information, and in Part 3 where we saw how “public security” exceptions raise critical questions about the balance between individual privacy and state use of sensitive data.
Authors: Shantanu Mukherjee, Varun Alase