Federal Trade Commission Warns Data Brokers about the Uncontrolled Sale of Raw Location Data

Posted on Feb 7, 2024 by Glyn Moody

A couple of weeks ago, we wrote about an important order from the US Federal Trade Commission (FTC). It set minimum privacy requirements for biometric surveillance in commercial settings, and marked an interesting move by the FTC to extend its activities in this area. As if to confirm that this was not just a one-off, the FTC has made an order concerning the vexed issue of selling sensitive location data:

Data broker X-Mode Social and its successor Outlogic will be prohibited from sharing or selling any sensitive location data to settle Federal Trade Commission allegations that the company sold precise location data that could be used to track people’s visits to sensitive locations such as medical and reproductive health clinics, places of religious worship and domestic abuse shelters.

The FTC press release explains that the raw location data sold by X-Mode/Outlogic was associated with mobile advertising IDs, which are unique identifiers for each mobile device. This raw location data was not anonymized and could therefore be used to match an individual consumer’s mobile device with the locations they visited. Some companies even offer services to help match such data to individual consumers.

According to the FTC’s complaint, until May 2023, X-Mode/Outlogic did not have any policies in place to remove sensitive locations from the raw location data it sold. In addition, according to the FTC, the company did not implement reasonable or appropriate safeguards against downstream use of the precise location data it sold, putting consumers’ sensitive personal information at risk. As a result, the FTC says the location data “not only violated consumers’ privacy but also exposed them to potential discrimination, physical violence, emotional distress, and other harms.” A further indication of the seriousness with which the FTC views privacy can be found in a joint statement by the FTC Chair Lina M. Khan and two commissioners. In what is clearly a warning to other data brokers, the statement says:

With this action, the Commission rejects the premise so widespread in the data broker industry that vaguely worded disclosures can give a company free license to use or sell people’s sensitive location data.

The FTC will continue to use all our tools to protect Americans from abusive data practices, including the unlawful tracking and use of their sensitive information. As the proliferation of AI models and algorithmic decision-making further incentivizes businesses to endlessly vacuum up people’s personal data, placing substantive limits on how firms can track and use sensitive information is paramount.

Another significant figure offering comments on the FTC move is the US Senator Ron Wyden. He has been at the forefront of revealing illegal practices by the US intelligence services. He writes:

I commend the FTC for taking tough action to hold this shady location data broker responsible for its sale of Americans’ location data. In 2020, I discovered that the company had sold Americans’ location data to U.S. military customers through defense contractors. While the FTC’s action is encouraging, the agency should not have to play data broker whack-a-mole. Congress needs to pass tough privacy legislation to protect Americans’ personal information and prevent government agencies from going around the courts by buying our data from data brokers.

As that statement notes, Wyden was one of the first to call out the dangers of allowing smartphone location data about US citizens to be sold by data brokers. In this case, it was being bought by a military arm of the intelligence community, the Defense Intelligence Agency. The PIA blog wrote about this back in 2021. Wyden has just released new information about how US intelligence and law enforcement agencies are buying potentially sensitive and revealing domestic data from brokers that would require a court order to acquire directly, specifically Internet metadata (but not the actual content of messages). Wyden notes that metadata is often enough to identify people who are seeking help from a suicide hotline or a hotline for survivors of sexual assault or domestic abuse, or those ordering abortion pills by mail.

Wyden goes on to write that the FTC’s order against X-Mode/Outlogic should serve as a “much-needed wake-up call” for the US intelligence community. He requests that in the future the intelligence agencies should only buy data about US citizens that meets the standard for legal data sales established by the FTC. That’s further evidence that the FTC and its policies are becoming a key benchmark for privacy in the US, filling the gap left by the current lack of a federal privacy law.

It’s worth noting that breaches of privacy by intelligence agencies are not a niche concern and can have far-reaching consequences. For example, as we wrote two years ago, it was the revelation by Edward Snowden in 2013 that the US National Security Agency could access the personal data of EU citizens, thanks to the Prism program, that led to a complaint by privacy expert Max Schrems, which concerned the transfer of his personal data from the EU to the US. That in its turn saw not one but two frameworks for transferring personal data between the EU and the US being thrown out by the EU’s highest court, the Court of Justice of the European Union (CJEU). Wyden’s latest news that US intelligence services have been gathering metadata in an uncontrolled fashion makes it more likely that the third version of the US-EU data transfer framework, the Data Privacy Framework, will also be quashed by the CJEU if and when a legal challenge is brought against it.

Featured image by Wikimedia.