Brokers

FTC Moves to Ban Location Data Sales Raise New Broker Duties

February 1, 2024
0 5 minutes read

The Federal Trade Commission put data brokers on notice in January with two ground-breaking proposed settlements issued nine days apart that ban companies from selling sensitive geolocation data—making good on years of warnings over the industry’s alleged failures to protect consumers’ information.

“I think what you want to get from these orders is the idea that we take location data as a whole very seriously, and the nature of the sensitive information that it can reveal about people’s lives very seriously,” said Bhavna Changrani, an attorney in the FTC’s Division of Privacy and Identity Protection who worked on one of the orders.

The enforcement actions issued Jan. 9 against X-Mode Social Inc. and its successor Outlogic LLC, and Jan. 18 against InMarket Media LLC both bar the companies from selling sensitive location data and accuse them of failing to obtain informed consent from consumers as to how their data would be used. The FTC alleged that such data—including visits to reproductive health clinics and religious institutions—could be used to cause consumers harm.

The orders, attorneys and academics said, break new ground on a legally nebulous area: the definition “sensitive location data.”

“Having the two come out back to back speaks to the FTC’s focus on real location-data harm,” said Justin Sherman, senior fellow at Duke University’s Sanford School of Public Policy. “It’s a really interesting angle on harm prevention and mitigation to say that we’re going to focus on particular locations that are especially dangerous for people to surveil and to center controls around that.”

“It makes it clear to whoever it wasn’t clear to before that the bar is raised with respect to sensitive information,” said Odia Kagan, a partner at Fox Rothschild LLP. She noted that the agency’s focus on data related “vulnerable communities,” such as visitors to correctional facilities or reproductive health clinics, doesn’t necessarily align with what constitutes “sensitive information” in most state laws.

But pushing the limits on the definition of sensitive data could also create confusion, as there’s currently no clear definition in the US of what a “sensitive location” is, practitioners said.

“It’s surprising to me that the FTC is using the unfairness prong when there hasn’t been a pronouncement with respect to what the law expects, or even what industry self-regulating itself should expect in terms of details and granularity and privacy notice,” said Ronald Raether, a partner at Troutman Pepper Hamilton Sanders LLP. “What’s interesting to me is the FTC criticism as to whether that notice and consent was specific and detailed.”

“It becomes especially problematic if you’re focusing on quote-unquote ‘sensitive location data,’ without first defining what that means,” Raether said. “If you look at what they were focused on, sensitive location data seem to be focused on one political view of what’s sensitive and what’s not sensitive, in terms of location data.”

The FTC’s Changrani said enforcement is more complex than just defining sensitive location data.

“Anyone who does collect location data should be paying attention to not just the definition of sensitive locations, but really the obligations laid out in the sensitive location data program,” she said.

A long time coming

The recent proposed orders are not thethe first effort by the FTC tograpplewith data brokers.

The agency in 2014 studied nine data brokers and found the industry lacked transparency. It recommended that Congress consider legislation to increase brokers’ transparency and create new requirements for customer access to what information was shared about them.

“Geolocation information can divulge intimately personal details about an individual,” Jessica Rich, then-director of the FTC’s Bureau of Consumer Protection, testified in 2014 Senate Judiciary Committee’s Privacy, Technology and the Law panel.”Did you visit an AIDS clinic last Tuesday? What place of worship do you attend? Were you at a psychiatrist’s office last week? Did you meet with a prospective business customer?”

On the heels of a Biden administration directive to protect reproductive health data in light of the Supreme Court’s 2022 decision in Dobbs v. Jackson Women’s Health Organization, the FTC filed a complaint in Idaho federal court in August 2022 against data broker Kochava Inc. for allegedly selling sensitive data that could be used to track users to abortion clinics. That suit was dismissed in May and then refiled by the agency in June.

The two settlements proposed in January show how that case might have gone had it settled, said Meredith Halama, co-chair of Perkins Coie LLP’s privacy and security practice. The orders signal that blanket privacy policies with sample language are no longer enough to meet the bar for consent, she said.

“Instead, you have to on an ongoing basis make sure that those companies are actually providing notice of your precise practices, and that’s really a game changer,” Halama said.

That could have wide-reaching industry implications. In the InMarket case, the FTC didn’t specifically allege that the company was directly selling location data, but rather that it was selling products created from that information in the form of advertising segments, a common industry practice. The regulator also took issue with the company’s retention policies, alleging they increased the risk that data could be abused.

“This is another instance where the FTC is making clear through enforcement that it means business with respect to data minimization and data retention,” said Kagan.

The FTC also accused InMarket of failing to ensure that third-party apps incorporating the company’s software kit had obtained consumer consent and to tell the apps’ makers that location data they provided back to InMarket would be used to create customer profiles. Such omissions could create novel oversight challenges for data aggregators.

Aggregators should “at a minimum” have a written program in place that includes assessments of each third-party supplier providing data to make sure consumers have specifically given consent for the collection, use, and sale of their location information, the FTC’s Changrani said. They also should create and maintain records of the suppliers’ responses, she said.

Industry standards could still play a role in addressing some of the concerns raised by the FTC. For instance, the trade group Network Advertising Initiative in June 2022 introduced voluntary standards restricting the use, sale, and transfer of sensitive location data, including to law enforcement and for national security purposes, Halama noted.

What’s Next

Federal lawmakers have explored ideas like imposing data-minimization and affirmative-consent requirements, most recently by in comprehensive data privacy legislation approved by the House Energy and Commerce Committee in 2022. But no similar comprehensive bill has been reintroduced in the current Congress.

The FTC moves also raise questions about government purchases of US data.

The agency’s X-Mode complaint accused the company of deceptively collecting information from users of two of its own apps, Drunk Mode and Walk Against Humanity, by telling participants their location data would be used for targeted advertising. Instead, X-Mode was selling the data to government contractors for “national security purposes.”

Sen. Ron Wyden (D-Ore.) last week called on the National Security Agency and broader Intelligence Community to follow the FTC’s lead in stopping purchases from data brokers that failed to obtain informed consent before selling Americans’ personal data.

“The U.S. government should not be funding and legitimizing a shady industry whose flagrant violations of Americans’ privacy are not just unethical, but illegal,” Wyden wrote in a letter to Director of National Intelligence Avril Haines dated Jan 25. “To that end, I request that you adopt a policy that, going forward, IC elements may only purchase data about Americans that meets the standard for legal data sales established by the FTC.”

Despite the FTC’s enforcement actions, though, Congress ultimately will need to act to address the full threat of the data broker industry, said Sherman.

“As an interim measure, it’s an innovative approach to force data brokers to get more consent from consumers,” he said. “But we still have a massive problem not asking consumers to get full consent, and that’s a legislative—not regulatory—problem.”

Source link

February 1, 2024
0 5 minutes read

Related Articles

OpenYield launches “cheap and easy” fixed income trading for brokers

March 29, 2024

Howden snaps up another Irish broker to gain foothold in North-East

April 15, 2024

TECH TUESDAY: Comments on SEC’s Proposed Ban on Exchange Volume Discounts for Brokers Reveal a Groundswell of Opposition

January 9, 2024

Management of real estate brokers to be tightened

March 28, 2024

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button
SUBSCRIBE TO OUR NEWSLETTER

Get our latest downloads and information first. Complete the form below to subscribe to our weekly newsletter.


    Input this code: captcha