FTC Cracks Down on Selling Sensitive Location Info, Restricts Use of Consumer Data for 1st Time
Highlights
- The Federal Trade Commission (FTC) announced this week proposed settlements in two enforcement actions – one with data broker Mobilewalla, Inc., and the other with data analytics provider Gravy Analytics, Inc. – after asserting that the companies unlawfully sold sensitive location data, including data associated with visits to healthcare facilities, churches and military sites.
- Both companies now face, among other things, restrictions on using and selling sensitive location data. Further, the FTC, for the first time, prohibited consumer data collected for a certain purpose from then being used for other purposes.
- This Holland & Knight alert reviews these enforcement actions and provides key takeaways for companies.
The Federal Trade Commission (FTC) announced two significant enforcement actions this week – one against data broker Mobilewalla, Inc. and the other against data analytics provider Gravy Analytics, Inc. (and its subsidiary Venntel, Inc.) for unlawfully collecting and selling location data. The FTC further explained in its Technology Blog that it went a step further in its remedies as to Mobilewalla and restricted consumer data collected during online advertising auctions to use only for the purpose of participating in such auction processes, not for other purposes (such as selling to other advertisers and analytics providers). The FTC reiterates in these actions that location data is sensitive data and that companies must not retain data for purposes outside of the original purpose(s) of collection, unless consumer consent is obtained. These actions highlight the FTC's increased scrutiny and regulatory efforts to protect consumer privacy, particularly concerning data collected through websites that reveal, or can reveal, visits to sensitive locations, such as healthcare facilities, places of worship and military installations.
The FTC's Claims
The FTC's complaint against Gravy Analytics asserts that the company obtained consumer location data from other data suppliers. Gravy Analytics utilized location signals and other information gathered from consumers' mobile phones, including a unique Mobile Advertising ID. The FTC alleged that Gravy Analytics used geofencing to "identify and sell lists of consumers who attended certain events related to medical conditions and places of worship" and then "sold additional lists that associated individual consumers to other sensitive characteristics." (See FTC Press Release, "FTC Takes Action Against Gravy Analytics, Venntel for Unlawfully Selling Location Data Tracking Consumers," Dec. 3, 2024.) Gravy Analytics advertised its location data as being very precise, identifying a consumer's location to within approximately 1 meter.
Similarly, the FTC's complaint against Mobilewalla asserts that Mobilewalla collected unique consumer advertising identifiers along with the consumer's precise location data. Mobilewalla did not anonymize this data; rather, it "sold access to this raw data to third-parties, including advertisers, data brokers and analytic firms." (See a Dec. 3, 2024, FTC press release.)
Notably, the consumer data at issue in these two enforcement actions was likely collected through cookies, software development kits (SDKs) and similar technologies.
Real-Time Bidding and FTC Concerns
Unlike Gravy Analytics, which obtained location data from other data suppliers, the FTC asserts that Mobilewalla unfairly collected and retained location information that it had obtained through an auction process. Many companies may not be aware that when they sell advertisement space on their websites or mobile apps, there is an auction process to sell that space where advertisers can bid to place their advertisements. The FTC refers to this as "real-time bidding" (RTB). According to the FTC, as a part of this auction process, the advertisers are sometimes provided "granular details like location or personal characteristics about the people downstream who could be the target of an ad." (See a Dec. 3, 2024, FTC Technology Blog post.)
In the case of Mobilewalla, the FTC alleges that Mobilewalla retained the information it obtained during this auction process (even when it did not have the winning bid) and then turned around and sold this "raw data to third-parties, including advertisers, data brokers, and analytics firms." (FTC Mobilewalla Press Release)
The FTC's action against Mobilewalla includes provisions restricting Mobilewalla's use of consumer data obtained through RTB, marking a significant step in regulating this complex practice.
The FTC highlighted in its enforcement action against Mobilewalla its concerns relating to RTB:
- Invasive Data Sharing. According to the FTC, RTB incentivizes the sharing of extensive consumer data, including precise location details, to attract higher bids for ad placements. This can lead to the widespread dissemination (and potential misuse) of sensitive information.
- Cross-Border Data Transfers and Potential Data Misuse. Data collected through RTB can be transmitted across geographic borders, which the FTC states raises concerns about potential misuse by foreign adversaries (including for "surveillance, blackmail, or social engineering campaigns"). (FTC Technology Blog Post)
- Lack of Control. The rapid nature of RTB makes it challenging to control how data is used and retained by multiple parties involved in the bidding process. According to the FTC, there are few (if any) technical controls in place to ensure that advertisers who are bidding do not retain data in unintended ways. Notably, the FTC asserts that Mobilewalla retained data from auctions it did not win, which the FTC found was contrary to RTB exchange rules that prohibit the use of the consumer data for non-advertising purposes.
Key Actions by the FTC
As a result of the FTC complaints against them, Mobilewalla and Gravy Analytics agreed in their respective settlement orders to implement several measures to ensure that both companies respect consumer privacy and protect sensitive data. These measures include:
- Prohibition on the Sale of Sensitive Location Data. Mobilewalla and Gravy Analytics are prohibited from selling sensitive location data. This includes data that can identify individuals' visits to sensitive locations.
- Prohibition on the Collection of Consumer Data. Mobilewalla is banned from collecting consumer data from online advertising auctions for purposes other than participating in such auctions. The FTC asserts that this is the first time it has alleged that such a practice is an unfair act or practice.
- Data Deletion Requirements. Both companies must delete all previously collected sensitive location data and implement measures to prevent the future collection or sale of such data.
- Comprehensive Privacy Programs. Both companies must establish comprehensive privacy programs, including methods for consumers to request data deletion and to withdraw consent for data collection.
Takeaways
In light of these recent FTC enforcement actions, companies should ensure they understand the types of data they are collecting, use data only for the purpose(s) for which it was collected and identify the third parties to which they disclose this data. In particular, companies should keep the following in mind:
- The FTC Views Location Data as Sensitive Data. In its blog post about the Mobilewalla enforcement action, the FTC reiterates that "location data is sensitive data, full stop. Location data can reveal where we live, work, and worship, where we seek medical treatment, and even our presence at a protest or political event." Companies should therefore carefully consider their collection and use of location data and the risks associated with such data.
- Data Collected by Cookies and Similar Technologies. Understanding what data is collected by cookies and how such data is used, shared or sold can be crucial for compliance with U.S. and international data protection laws and addressing FTC enforcement risk. Companies should also be aware of how advertisers may use data from cookies collected through their websites and mobile apps.
- Heightened FTC Scrutiny. The FTC's actions against Mobilewalla and Gravy Analytics indicate an increase in regulatory scrutiny over the collection and sale of sensitive location data. Other companies engaged in such activities may be subject to similar enforcement actions.
- Compliance Is Key. Ensuring compliance with data protection laws and obtaining explicit consumer consent for data collection, when required, are critical steps in mitigating legal and reputational risks.
- Transparency and Trust. Clear communication with consumers about data collection and usage practices is essential in building and maintaining trust.
- Proactive Measures. Implementing robust data management and privacy programs can help companies stay ahead of regulatory requirements and protect consumer privacy.
- Implement Data Deletion Protocols. Establishing and enforcing data deletion protocols can help ensure that sensitive data is not retained longer than necessary.
Conclusion
The FTC's recent enforcement actions against Mobilewalla and Gravy Analytics underscore the importance of developing compliant programs to protect consumer privacy and reduce regulatory enforcement risk. Please contact the authors for assistance in reviewing data collection and privacy practices.