In January, the Federal Trade Commission issued a warning to data brokers by announcing two landmark settlements nine days apart that would prohibit companies from selling sensitive geolocation data. This follows years of warnings about the industry’s alleged failure to protect consumers’ information.
“What you want to get out of these orders is the idea that we take location data as a whole very seriously, and the nature of sensitive information that location data can reveal about people’s lives,” he said. I think it means they accept it,” said Bhavna Changlani, a lawyer at the Ministry of Justice. He worked on one of the orders of the FTC’s Division of Privacy and Personal Information Protection.
Enforcement actions issued against X-Mode Social Inc. and its successor Outlogic LLC on January 9th and against InMarket Media LLC on January 18th both involve companies selling sensitive location data. The lawsuit accuses the company of failing to obtain informed consent from consumers. How their data will be used. The FTC argued that such data, including visits to reproductive health clinics and religious institutions, could be used to harm consumers.
Lawyers and academics said the order breaks new ground in the legally murky area of defining “sensitive location data.”
Justin Sherman, a senior research fellow at Duke University’s Sanford School of Public Policy, said: “Their comments in quick succession tell us that the FTC is focused on the harm done by real location data.” . “Focusing on specific locations that are particularly dangerous for people to monitor and centralizing controls around them is a really interesting angle when it comes to harm prevention and mitigation.”
“It’s now clear to people that it wasn’t clear before that the bar is being raised when it comes to classified information,” said O’Dea Kagan, a partner at Fox Rothschild LLP. She said the agency’s focus on data related to “vulnerable communities,” such as visitors to correctional facilities and reproductive health clinics, does not necessarily align with what constitutes “sensitive information” under most state laws. I pointed out that I would not.
But pushing the limits of what defines sensitive data could cause confusion, experts said, as there is currently no clear definition of what a “sensitive location” is in the United States.
“The FTC is using claims of unfairness when there has been no announcement of what the law expects, or even what industry self-regulation itself should expect in terms of detail, granularity, and privacy notices. That’s surprising to me,” said Ronald Lazer, a partner at Troutman Pepper Hamilton Sanders. “What’s interesting to me is the FTC’s criticism of whether that notice and consent was specific and detailed.”
“It’s especially problematic when you focus on quote-unquote ‘sensitive location data,’ without first defining what that means,” Lazer said. “If you look at what they were focused on, sensitive location data, he seems to be focused on one political view of what is sensitive and what is not sensitive in terms of location data. .”
The FTC’s Changlani said enforcement is more complex than just defining sensitive location data.
“Anyone collecting location data should pay attention not only to the definition of a sensitive location, but also to the obligations set forth in sensitive location data programs,” she said.
long time no see
The recently proposed order is not the FTC’s first effort to fight data brokers.
The agency investigated nine data brokers in 2014 and found a lack of transparency in the industry. It recommended that Congress consider legislation that would increase broker transparency and create new requirements for customer access to information shared about brokers.
“Geolocation information can potentially reveal an individual’s personal information,” Jessica Rich, then-Director of the FTC’s Consumer Protection Division, testified before the Senate Judiciary Committee’s Privacy, Technology, and Law Committee in 2014. ”Did you go to the AIDS clinic last Tuesday? “What place of worship do you attend? Did you go to your psychiatrist’s office last week? Did you meet with any potential business clients?”
Following the Biden administration’s directive to protect reproductive health data in light of the 2022 Supreme Court ruling. Dobbs v. Jackson Women’s Health OrganizationIn August 2022, the FTC filed a complaint against data broker Kochava in federal court in Idaho for allegedly selling sensitive data that could be used to track users to abortion clinics. The case was dismissed in May and then refiled by authorities in June.
The two settlements proposed in January show what would have happened if the case had been settled, said Meredith Halama, co-chair of Perkins Coie’s privacy and security practice. Ta. The order shows that a comprehensive privacy policy that includes sample language is no longer sufficient to meet the consent standard, she said.
“Instead, you have to continually check that those companies are actually accurately informing you of their practices. This is really a game changer,” Halama said.
It could have far-reaching implications for the industry. In the InMarket case, the FTC did not specifically allege that the company sold location data directly, but rather that it sold products created from that information in the form of advertising segments, a common industry practice. he claimed. Regulators also took issue with the company’s retention policies, saying they increased the risk of data being misused.
“This is another example of the FTC making clear through enforcement that it means business when it comes to data minimization and data retention,” Kagan said.
The FTC also found that InMarket failed to verify that third-party apps incorporating its software kit had consumer consent and that location data provided to InMarket was used to create customer profiles. The company accused the company of not informing the app maker that this would happen. Such omissions can create new monitoring challenges for data aggregators.
The FTC’s Changlani said that “at a minimum,” aggregators include evaluations of each third-party supplier providing the data to ensure that consumers have specifically consented to the collection, use, and sale of their location information. He said there is a need to have a written program in place. Records of supplier responses should also be created and maintained, she said.
Industry standards may still play a role in addressing some of the concerns raised by the FTC. For example, industry group Network Advertising Initiative introduced voluntary standards in June 2022 restricting the use, sale, and transfer of sensitive location data for law enforcement and national security purposes, Jarama noted. did.
what’s next
Federal lawmakers are considering ideas such as data minimization and imposing affirmative consent requirements, most recently enacting a comprehensive data privacy bill approved by the House Energy and Commerce Committee in 2022. However, no similar comprehensive bill has been reintroduced in the current Congress.
The FTC’s move also raises questions about the government’s purchase of U.S. data.
X-Mode’s complaint alleges that the company deceived information from users by telling participants that their location data from two of its apps, Drunk Mode and Walk Against Humanity, would be used for targeted advertising. He is accused of collecting. Instead, X-Mode sold the data to government contractors for “national security purposes.”
Sen. Ron Wyden (D-Ore.) last week told the National Security Agency and the broader intelligence community that data brokers who did not obtain informed consent before selling Americans’ personal data He urged people to follow the FTC’s lead in suspending purchases.
In a Jan. 25 letter to Director of National Intelligence Avril Haines, Wyden said, “The U.S. government is not only unethical but also illegal in its flagrant violation of Americans’ privacy.” The industry should not be funded or legalized.” Going forward, we ask that the Division of IC adopt a policy that only data about Americans can be purchased that meets the FTC’s standards for legal data sales. ”
But despite the FTC’s enforcement actions, Congress must finally act to address the full threat of the data broker industry, Sherman said.
“This is an innovative approach that forces data brokers to obtain more consent from consumers as an interim measure,” he said. “But there’s still a big problem with not asking consumers for full consent, and that’s a legislative issue, not a regulatory issue.”