Scenes: Crowded cities or dark streets. (cue ominous music)
Action: The camera will focus on the protagonist as they travel to a location – perhaps a place of worship, a doctor’s office, or a reproductive health clinic. They think they are alone, but they have no idea they are being followed. Additionally, highly personal information about their whereabouts will be shared with third parties without their knowledge or consent.
A private detective novel? A detective thriller on a streaming service? No. It’s all in a day’s work for data broker X-Mode Social, which calls itself “the second largest location data company in the United States,” according to a settlement announced by the FTC. The FTC said that X-Mode and its corporate successor, Outlogic, LLC, sold consumers’ raw location data without their informed consent and without effectively restricting how X-Mode’s customers used the data they purchased from X-Mode.
Data broker X-Mode collects precise consumer geolocation data from a variety of sources: third-party applications that incorporate the X-Mode Software Development Kit (SDK), its own mobile applications, and information purchased from other data brokers and aggregators. The company then collected consumers’ location data and sold it to hundreds of customers for advertising, brand analytics and other marketing purposes. The company also sells it to private government contractors, according to the complaint. The FTC said this was done without obtaining consumers’ informed consent and without disclosing all purposes for which consumers’ data would be used. The reality in the data brokerage industry is that in many cases, consumers do not know who X-Mode is or that they are a “product” of X-Mode.
How personal is the information X-Mode collects and sells? It is not an anonymous aggregation of zeros and ones. According to the FTC, X-Mode sold data that matched individual consumers’ mobile devices to the exact locations they visited. (In fact, some companies offer services that match this data to individual consumers.) How precise is this information? X-Mode claims its location data is “70% accurate at a range of 20 meters or less.” How big is the dataset collected by X-Mode? “Through its own applications, partner applications and other data brokers, X-Mode obtains more than 10 billion location data points every day from around the world,” the complaint states.
The FTC said that until May 2023, the company did not have a policy to remove sensitive locations from the original location data it sold. Additionally, the company failed to implement appropriate safeguards for how its customers used the data, putting consumers’ sensitive personal information at risk. The complaint also alleges that the company failed to implement the necessary technical safeguards and oversight measures to ensure that some Android users’ requests to opt out of tracking and personalized advertising were honored.
The complaint describes the threats X-Mode’s actions pose to consumer privacy. For example, “[T]he location data can be used to track consumers who have visited a women’s reproductive health clinic and therefore may have had or considered a sensitive medical procedure such as an abortion or in vitro fertilization. Using the data provided by X-Mode, third parties can locate consumers visiting such medical facilities and track the mobile device to a single-family home.”
In addition, X-Mode uses consumers’ geolocation data to build a directory of people with common characteristics and even creates custom lists for customers. For example, X-Mode has a contract with a private clinical research company to provide information about consumers who have visited certain medical offices in the Columbus, Ohio, area—data that the company hopes to use for marketing purposes.
The seven-count complaint accuses X-Mode/Outlogic of multiple unfair or deceptive practices and violations of the FTC Act. To settle the case, the company has agreed to make significant changes to the way it does business going forward. Among other things, the proposed order sets substantial limits on the sharing of certain sensitive location data and requires the company to develop a comprehensive sensitive location data program to prevent the use and sale of consumers’ sensitive location data. X-Mode/Outlogic must also take steps to prevent customers from connecting consumers to locations that provide services to LGBTQ+ individuals or to public gathering locations such as marches or protests. Additionally, the company must take effective steps to ensure that customers do not use its location data to determine the identity or location of a specific individual’s residence. Even for location data that may not reveal access to sensitive locations, X-Mode/Outlogic must ensure that consumers provide informed consent before using that data. Finally, X-Mode/Outlogic must delete or desensitize historical data collected from its own applications or SDKs, and must notify its customers of the FTC’s request to delete or desensitize such data.
Another noteworthy aspect of the proposed settlement: X-Mode/Outlogic must provide consumers with an easy way to withdraw consent to the collection and use of their location data, request deletion of any location data previously collected, and request the identity of any individuals and businesses to which their personal data was sold or shared. Once the proposed settlement is published in the Federal Register, the FTC will accept public comments for 30 days.
The FTC’s action in this case sets out three fundamental principles regarding the privacy of consumer location data.
The status quo “doesn’t work” when it comes to collecting and selling consumer location information. What many companies do is collect all available location data without consumers’ consent and compile vast amounts of highly sensitive information. What some companies, including some data brokers operating behind the scenes and in the shadows, fail to realize is that consumers’ personal information is more than just another “raw material” for corporate commercial use. This is especially true for location data. Just because your business has access to location information doesn’t mean you can use it however you want.
Contractual terms regarding data use are a start, but they are not enough. According to the complaint, in some cases, X-Mode’s contracts with customers contained terms that at least superficially appeared to restrict third parties’ use of the materials, but words on paper alone were not enough. When the stakes are so high, privacy-focused companies can’t just pay lip service. They need to take steps to ensure compliance.
Since unauthorized and illegal trafficking of location data is a major concern for consumers and the FTC, this should be important to your company. Who has the responsibility to ensure that consumers consent to the collection and sharing of their location information? Savvy businesses think it’s theirs. This legal obligation goes both ways. Information about particularly sensitive locations, such as places where people worship or seek medical help, should not be used at all. Do not sell other location data and do not buy it without the consumer’s informed consent. While every participant in the location data market is responsible for complying with the law, the FTC’s action in this case sends a specific message to location data brokers, requiring them to reassess whether their practices comply with the law.