Before the 1970s, clandestine operations were primarily conducted by covert government agencies or the military in an effort to gather intelligence or “data collection” about an adversary or to influence events.
In the modern era, technology has made intelligence gathering a regular activity employed by countless private businesses that in a single day gather a massive amount of data collection about existing or potential customers that would surely dwarf any cold war CIA or KGB operation.
However, such intelligence gathering does not come without a significant cost, if the methods used violate applicable regulations, a fact clearly demonstrated by recent enforcement actions undertaken by the Federal Trade Commission (FTC) against three companies accused of violating rules restricting the collection, use, and transfer of customers’ location data.
It is important for businesses to understand the violations of which these companies were accused, so they can avoid finding themselves in the same unenviable position.
InMarket Media LLC - Geolocation Data Collection
In January of 2024, the FTC announced the settlement of a complaint against InMarket Media (InMarket), a Texas-based a digital marketing platform and data aggregator. According to the Complaint, InMarket used its own mobile app software for data collection detailed consumer location data along with the timestamps of each location. This information was then cross-referenced with other personal details, such as purchasing histories, demographics, and socioeconomic backgrounds, which the company acquired from other sources.
The InMarket apps were called CheckPoints, which offers users rewards for completing tasks such as watching videos and taking online quizzes, and ListEase, which helps users create shopping lists, which since 2017 were downloaded to over 30 million unique devices. InMarket also created a set of development tools that third party app developers can incorporate into their own mobile apps called InMarket SDK, which was built into more than 300 apps, which were downloaded onto over 390 million unique devices during the same period.
Both the InMarket apps and the third-party apps that incorporated InMarket SDK tracked user locations and transmitted it to InMarket, which was able to determine where the users lived and worked, where their children went to school, where they received medical treatments, the political rallies or demonstrations they may have attended, and other information that can be gleaned from someone’s day-to-day routine.
After categorizing hundreds of millions of consumers into approximately 2,000 audience segments, InMarket allegedly used the collected data for targeted advertising without properly notifying them or securing their consent. The company is also accused of retaining the extensive data collection of geolocation data it gathered for more than five years, well beyond any purpose for which it was gathered. Doing so heightened the likelihood of such sensitive data being exposed, misused, or connected to the consumer, thereby jeopardizing the confidentiality of consumer information.
The FTC Complaint accuses the company of violating Section 5(a) of the FTC Act by engaging in “unfair or deceptive acts or practices in or affecting commerce” through its data collection practices. Under the proposed order settling the charges, InMarket is prohibited from selling, licensing, transferring, or sharing any consumer location data, and any product or service that categorizes or targets consumers based on sensitive location data.
In addition to the ban on selling or licensing precise location data—a first for the FTC—the proposed order also requires InMarket to take several steps to strengthen protections for consumers, which includes deleting or destroying all the location data it previously collected and any products produced from that data unless the company obtains consumer consent or ensures the data has been deidentified or rendered non-sensitive.
X-Mode Social, Inc. - Geolocation Data Collection
Also in January, the FTC announced a proposed settlement with data broker X-Mode Social, Inc. (X-Mode) which was accused of selling precise consumer location data that could be used to track people’s visits to sensitive locations such as medical and reproductive health clinics, places of religious worship and domestic abuse shelters.
As was allegedly the case with InMarket, X-Mode sold location data collected from users of its own apps, Drunk Mode and Walk Against Humanity, as well as third-party apps that were built using X-Mode’s software development kit, and by purchasing location data collection from other data brokers and aggregators. The company sold this data to hundreds of clients in industries ranging from real estate to finance, as well as private government contractors.
According to the FTC’s complaint, until May 2023, the company did not have any policies in place to remove sensitive locations from the raw location data it sold, and failed to implement reasonable or appropriate safeguards against downstream use of the precise location data it sold. The FTC also says the company failed to ensure that users of its own apps and third-party apps were fully informed about how their location data would be used.
The proposed order settling the Complaint incorporates similar terms as the InMarket order, banning X-Mode from sharing or selling any sensitive location data collection and requiring it to delete or destroy all the location data it previously collected, and any products produced from this data unless it obtains consumer consent or ensures the data has been deidentified or rendered non-sensitive.
Avast - Browsing Data Collection
In February 2024, the FTC announced a settlement against UK software provider Avast, Ltd. of a Complaint alleging that Avast collected consumers’ browsing information through the company’s browser extensions and antivirus software, stored it indefinitely, and sold it without adequate notice and without consumer consent. The FTC also accused Avast of deceiving users by claiming that its software would protect their privacy by blocking third party tracking, but failed to adequately inform them that the company would sell their detailed browsing data collection, which was sold to more than 100 customers. In addition, Avast reportedly misled consumers about the protection of their privacy, promising only aggregate and anonymous disclosure of browsing information.
The settlement requires Avast to pay $16.5 million and prohibits the company from selling or licensing any web browsing data for advertising purposes.
Takeaway
The three enforcement actions summarized above serve to highlight the compliance obligations the FTC Act imposes upon companies that collect and handle consumers' sensitive personal data collection, and the potential consequences of failing to manage it correctly.
While the three companies targeted by the FTC were handling hundreds of millions of consumer data records, the same regulations apply to all companies conducting data collection, use, and sell the same kinds of data, and they require careful management of sensitive consumer data, robust privacy policies and practices, transparency, and informed consent from consumers.
By proactively addressing privacy concerns and adhering to regulatory requirements, businesses can safeguard their customers' trust and mitigate the risks associated with data collection and handling.
