American regulator slams data broker for selling mobile location data without consent

In a warning that American data brokers need to be careful about selling precise geolocation information of mobile phone users, the U.S. Federal Trade Commission has proposed banning a major company from taking advantage of all the data it can collect.

Assuming the settlement is confirmed, the FTC will forbid Outlogic LLC from sharing or selling any sensitive location data. This would settle allegations that the company sold precise location data of mobile users, without their consent, that could be used to track people’s visits to sensitive locations such as medical and reproductive health clinics, places of religious worship, and domestic abuse shelters.

FTC also charged that Virginia-based Outlogic (the firm that acquired the operations of X-Mode Social in 2021, which is where the FTC investigation began) failed to put in place reasonable and appropriate safeguards on the use of such information by third parties.

“Geolocation data can reveal not just where a person lives and whom they spend time with but also, for example, which medical treatments they seek and where they worship. The FTC’s action against X-Mode makes clear that businesses do not have free license to market and sell Americans’ sensitive location data,” said FTC Chair Lina Khan. “By securing a first-ever ban on the use and sale of sensitive location data, the FTC is continuing its critical work to protect Americans from intrusive data brokers and unchecked corporate surveillance.”

X-Mode collected precise consumer geolocation data from a wide variety of sources, the FTC explained. That included third-party apps with X-Mode’s software development kit (SDK) built in, its own mobile apps, and information it bought from other data brokers and aggregators. The company then compiled consumers’ location data and sold it to hundreds of clients for advertising, brand analytics, and other marketing purposes. According to the  FTC complaint, the company also sold the raw data to private government contractors.

The FTC says this was done without consumers’ informed consent and without disclosing all of the purposes for which consumers’ data would be used, practices of unfair or deceptive conduct in violation of the FTC Act.

To settle the case, the company has agreed to make major changes to how it does business going forward, the FTC said. That includes putting substantial limits on sharing certain sensitive location data. The settlement requires the company to develop a comprehensive sensitive location data program to prevent the use and sale of consumers’ sensitive location data. Outlogic also must take steps to prevent clients from associating consumers with locations that provide services to LGBTQ+ individuals or with locations of public gatherings like marches or protests.

In addition, the company must take effective steps to see to it that clients don’t use their location data to determine the identity or location of a specific individual’s home. And even for location data that may not reveal visits to sensitive locations, Outlogic must ensure consumers provide informed consent before it uses that data. Finally, X-Mode/Outlogic must delete or render non-sensitive the historical data it collected from its own apps or SDK and must tell its customers about the FTC’s requirement that such data should be deleted or rendered non-sensitive.

Outlogic must also give consumers an easy way to withdraw their consent for the collection and use of their location data, to require the deletion of any location data that was previously collected, and to request the identity of any individual and business to whom their personal data has been sold or shared.

Once the proposed settlement is published in the Federal Register, the FTC will accept public comments for 30 days, after which the commission will decide whether to make the proposed consent order final.

In response to the settlement, Outlogic told TechCrunch that it disagrees with the implications of an FTC press release. “After a lengthy investigation, the FTC found no instance of misuse of any data and made no such allegation. Since its inception, X-Mode has imposed strict contractual terms on all data customers prohibiting them from associating its data with sensitive locations such as healthcare facilities. Adherence to the FTC’s newly introduced policy will be ensured by implementing additional technical processes and will not require any significant changes to business or products.”

Meanwhile, the FTC continues with its investigation against data broker Kochava Inc. for allegedly acquiring and selling consumers’ sensitive, identifying, and mobile geolocation information without their consent.

The collection and sale of information by data brokers has worried consumers and regulators for years. In Canada, the federal Office of the Privacy Commissioner began an investigation into the practices of six data brokers in 2018.

Last November, the Irish Council for Civil Liberties warned extraordinarily sensitive information about key European and U.S. figures and military personnel is being sold to foreign states and non-state actors through online advertising’s Real-Time Bidding (RTB) system.

Also in November, Duke University reported that sensitive personal information about active-duty American armed forces members, their families, and veterans is being sold by data brokers for 12 cents a person.