(Sensitive) Location, Location, Location - FTC in X-Mode

“By securing a first-ever ban on the use and sale of sensitive location data, the FTC is continuing its critical work to protect Americans from intrusive data brokers and unchecked corporate surveillance.” said FTC Chair Lina M. Khan in the new the X-Mode Outlogic decision/

Federal Trade Commission issues decision on X-Mode Outlogic sharing of sensitive data.

Two biggest eye openers which are not for classic data brokers only:

• Vague disclosures will NOT be tolerated: "Commission rejects the premise .....that vaguely worded disclosures can give a company free license to use or sell people’s sensitive location data". [but this goes for any sensitive information or any disclosure really]
• You ARE your client's keeper. When information is collected for you by a third party (like through a cookie or SDK) is it NOT enough to stipulate that they get informed consent in the contract; you also must CHECK the contract and ENFORCE (by stopping usage, requiring correction of the language or ending the relationship).

What (else) do you need to know

The issue:

X-Mode/Outlogic sells and licenses precise location data that it collects from third-party apps that incorporate its software development kit (SDK) into their apps, from its own mobile apps, and by purchasing location data from other data brokers and aggregators. X-Mode incentivizes app developers to incorporate the X-Mode SDK into their apps by promising the app developers passive revenue for each consumer’s mobile device that allows the SDK to collect their location data. In addition to collecting consumer location data through its SDK, X-Mode also purchases location data associated with MAIDs from data brokers and other aggregators. The company sells consumer location data to hundreds of clients in industries ranging from real estate to finance, as well as private government contractors for their own purposes, such as advertising or brand analytics.

The risk:

• “Geolocation data can reveal not just where a person lives and whom they spend time with but also, for example, which medical treatments they seek and where they worship.
• "Raw location data raw location data associated with mobile advertising IDs, which are unique identifiers associated with each mobile device... is not anonymized, and is capable of matching an individual consumer’s mobile device with the locations they visited"

If you collect / process sensitive data you must:

Mapping

Develop and maintain a comprehensive list of sensitive locations, and ensure you are not sharing, selling or transferring location data about such locations

Disclosure:

• Fully disclose the purposes for which the location data must be used. It is not enough to say "ad personalization and location based analytics" you need to be more specific. If you say that you are sharing for "ad personalization", that's not enough to account for sharing with government contractors for national security purposes.
• For the third party apps: you need a sample privacy disclosure that fully informs consumers about which entities would receive the data.

Informed Consent

• Ensure that third party apps in which your SDK is installed obtain informed consent from consumers for providing access to their sensitive location data.
• Requiring language in their contracts is not enough, you must also review them and take corrective action based on the review - like: not using the data; instructing to correct the notices; and suspending or terminating the relationship with them.

Consumer rights/choice:

• Employ the necessary technical safeguards and oversight to ensure that it honored requests by some android users to opt out of tracking and personalized ads, according to the complaint.
• If someone elects the "Opt out of Ads Personalization" on the mobile device you must honor those choices and may not provide access to this information to marketers or other customer.
• Provide a simple and easy-to-find way for consumers to withdraw their consent for the collection and use of their location data and for the deletion of any location data that was previously collected
• Provide a clear and conspicuous means for consumers to request the identity of any individuals and businesses to whom their personal data has been sold or shared or give consumers a way to delete their personal location data from the commercial databases of all recipients of the data
• Implement data retention limits

Vendor and downstream management:

• Develop a supplier assessment program to ensure that companies that provide location data to you are obtaining informed consent from consumers
• Implement procedures to ensure that recipients of your location data do not associate the data with locations that provide services to LGBTQ+ people such as bars or service organizations, with locations of public gatherings of individuals at political or social demonstrations or protests, or use location data to determine the identity or location of a specific individual;
• BUT - a contractual restriction on your customer's use of the data is not enough by itself.

If you create custom audience segments based on characteristics of consumers:

You can't give sensitive location information for marketing and advertising purposes (e.g. location information on internal medical facilities and then pharmacies or specialty infusion centers)

X-Mode/Outlogic was also required to:

• Refrain from sharing sensitive locations
• Develop and maintain a comprehensive list of sensitive locations, and ensure it is not sharing, selling or transferring location data about such locations
• Delete or destroy all the location data previously collected and any products produced from this data unless it obtains consumer consent or ensures the data has been deidentified or rendered non-sensitive
• Establish and implement a comprehensive privacy program that protects the privacy of consumers’ personal information and also create a data retention schedule.
• Refrain from collecting or using location data when consumers have opted out of targeted advertising or tracking or if the company cannot verify records showing that consumers have provided consent to the collection of location data.
• Additional privacy program requirements

#dataprivacy #dataprotection #locationdata #privacyFOMO

Image by Freepik

FTC press release: https://www.ftc.gov/news-events/news/press-releases/2024/01/ftc-order-prohibits-data-broker-x-mode-social-outlogic-selling-sensitive-location-data?utm_source=govdelivery

FTC Complaint: https://www.ftc.gov/system/files/ftc_gov/pdf/X-Mode-Complaint.pdf

FTC Order: https://www.ftc.gov/system/files/ftc_gov/pdf/X-Mode-D%26O.pdf

Separate statement by Khan Slaughter and Bedoya: https://www.ftc.gov/system/files/ftc_gov/pdf/StatementofChairLinaM.KhanandRKSandAB-final_0.pdf