The Federal Trade Commission (FTC) recently reached two settlements in actions against data brokers concerning their use of consumer location data and banning them from collecting, using, or selling consumer location data without consent. This suggests the FTC will continue to scrutinize companies that collect, use, or sell location data going forward, and so it may be increasingly important to set up a robust process to obtain clear and express consent from consumers—especially for geolocation data.
The FTC brought actions against (1) X-Mode Social Inc. and its successor, Outlogic LLC, and (2) InMarket Media LLC alleging that the companies engaged in an “unfair” or “deceptive” practice in violation of the general provision of Section 5(a) of the FTC Act [1] by misrepresenting or failing to disclose material facts to their customers. In particular, the FTC alleged that X-Mode only told consumers that their geolocation data would be used for targeted advertising. However, in fact, X-Mode was selling consumer geolocation tracking data to its clients, including to private government contractors.
As to InMarket, the FTC did not allege the company directly sold geolocation data. Rather, the FTC claimed InMarket sold products created from geolocation data. In a more novel and strained application of the FTC Act, the FTC also alleged that InMarket did not ensure that third-party developers using its software had obtained consumer consent that consumers’ geolocation data would be sent back to InMarket.
The actions against X-Mode, Outlogic, and InMarket are the first two FTC settlements related to selling geolocation data or products made from that data. The FTC also brought an action in August 2022 against Kochava Inc. for allegedly selling sensitive location data, but that matter currently remains pending in Idaho federal court. [2]
In the consent orders, the FTC makes clear that each company is to obtain “affirmative express consent” before collecting or using “location data” from consumers. Location data is defined as “any data that may reveal a mobile device’s or consumer’s precise location, including but not limited to Global Positioning System (GPS) coordinates, cell tower information, or precise location information inferred from basic service set identifiers (BSSIDs), WiFi Service Set Identifers (SSID) information, or Bluetooth receiver information, and any unique persistent identifier combined with any such data” (emphasis added).
Both proposed orders incorporate the same requirements for “affirmative express consent” and provide a good indication as to what the FTC expects to see on company websites to avoid risk of misleading consumers. Specifically, affirmative express consent is a “freely given, specific, informed, and unambiguous indication of an individual consumer’s wishes demonstrating agreement by the individual” by disclosing
Under the proposed orders, the companies’ disclosures must be “clear and conspicuous.” That is, as the proposed orders state, if the disclosures are online, they must stand out from other accompanying text in size, contrast, location, or other clarifying characteristics so they are easily noticed, read, and understood. Any disclosure must also be understandable to ordinary consumers.
The FTC placed additional limits on the companies’ use of what it described as “sensitive location data,” or data that reveals where people live and work, where they worship, where their children go to school, or where they seek medical treatment, among other things. In particular, X-Mode, Outlogic, and InMarket are prohibited entirely from selling, sharing, or disclosing such data.
It is important to note that these FTC actions involved precise geolocation data. Specifically, these companies were using the GPS signal from a consumer’s mobile device, which can identify a location within a few feet. Many other technologies are far less precise at identifying location and will likely not be subject to the same level of scrutiny.
For example, a computer’s IP address can sometimes be associated with the physical address of its connection to the internet. This is frequently available at a zip code or city and state level. It is also often incorrect.
Similarly, asking a consumer to submit a zip code does not involve the same level of precision. The FTC orders also rely heavily on the “tracking” function—the fact that the technology has real-time movement information, not just a static location at a single point in time. Presumably less scrutiny should apply to a single location at a single point in time.
It is clear that the FTC intends to apply the FTC Act to misrepresentations or nondisclosures about the use, disclosure, or sale of precise geolocation data. By entering into these two settlements, the FTC provides guideposts on the robust and clear consent regime that it envisions. Going forward, companies collecting, using, or selling precise geolocation data should keep in mind the following.
First, companies that collect, use, or sell precise geolocation data should have a clear and easily accessible written policy that identifies for consumers (1) what specific categories of information they will collect, (2) why they are collecting the data and for what purpose the data will be used, (3) any third parties (or the types of third parties) that may collect or receive the data, and (4) the means by which the consumer can opt out of any such data collection. This applies not only to companies that collect geolocation data, but also to those that provide geolocation data to third parties or implement that data in their products or targeted advertising.
Second, companies should disclose their written policy clearly and conspicuously. If online, the disclosure, or a link to the disclosure, should stand out from any accompanying text by text size, contrast, color, location, or other characteristics. The disclosure must also be unavoidable. In other words, it is no longer sufficient to bury the disclosure at the bottom of the company’s webpage.
Third, companies may need to ensure they have unambiguous consent from the consumer. This may be accomplished online through a clickwrap agreement, provided that the aforementioned disclosure, or link to the disclosure, is near the consent button. Companies should also keep written documentation of the user’s agreement, including the date and time it occurred, as well as any withdrawal of that consent.
Finally, companies collecting sensitive location data, as described above, may draw increased scrutiny from the FTC. In those situations, it is important to have and to follow clear internal policies and procedures for how such data will be stored and used. Those procedures should make clear that consumers are not categorized or targeted based on their presence at sensitive locations.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following: