
FTC Bans Two Data Brokers From Selling Sensitive Location Data, Setting Precedent for Unfair Practices

A recent FTC action against two major data brokers seems to have established that sensitive consumer location data cannot be sold off without consent, restricting the use of precise locations to whatever ad auction they were collected for.

The FTC placed collection bans on Mobilewalla Inc. and Gravy Analytics, both US-based data brokers that process huge amounts of information. Mobilewalla is one of the largest of these brokers in the world, claiming to have tracking profiles on over 1.6 billion devices across more than 35 countries. Gravy Analytics does not make key details about business size public but claims to process billions of mobile location data signals each day.

Data brokers restricted in sale of sensitive information, required to create privacy and data programs

Mobilewalla is subject to a proposed settlement order that includes terms that forbid it from collecting location data for purposes other than participating in an auction, the first time that restriction has formally been listed by the agency as an “unfair practice” and applied.

The Georgia-based company is among the world’s largest data brokers in terms of profiling, but is far from a household name. FTC Chair Lina Khan pointed out that consumers could not be reasonably expected to know what the company was, let alone that it was collecting location data and other sensitive items from them.

The company ran into hot water specifically due to its data collection practices from January 2018 to June 2020, a period over which it vacuumed up over 500 million unique and non-anonymized consumer advertising identifiers that were paired with precise location data. The company sold this collected data to numerous third parties including advertisers, data brokers and analytic firms. Even if consumers did somehow happen to be aware of this data collection, the company does not have policies in place to remove sensitive locations from its data sets.

Some examples of sensitive location data that may have been sold as part of these data sets include visits to health care services and pregnancy clinics. The FTC took specific issue with a June 2020 report the company crafted that profiled participants in the Black Lives Matter protests that year.

The settlement order prohibits the company from using, transferring, selling and disclosing sensitive data categories; this specifies precise location data in many of the categories covered in national data protection laws established in other countries, such as sexual orientation and religious preference. The company must also exclude data taken from military bases, political gatherings, labor union offices and correctional facilities.

The order also establishes some data minimization and deletion requirements and requires the creation of certain programs. In addition to restricting its data collection to purposes only for serving ad auctions, the company must also allow consumers to request deletion of their data and provide a method to withdraw consent for the use of their data. It must also create three new programs for data management: a sensitive location data program that compiles a comprehensive list of locations to be excluded, a comprehensive consumer privacy program to be assessed annually, and a supplier assessment program that tracks whether consumers consented to having their data collected.

Location data increasingly federally regulated even as national data protection law continues to lag

Gravy Analytics, through subsidiary Venntel, collected similar sensitive location data over a three-year period that was sold to government agencies including the IRS, FBI, ICE, DEA and CBP. Venntel offered tools that allowed these agencies (and other clients) to continuously track a single device, obtain device details such as operating system version and carrier type, and geo-fence specific locations, extending beyond the usual services offered by data brokers.

Though the proposed order only specifies these two particular data brokers, the same enforcement action could be carried out against others that similarly collect and sell the covered types of location data. This adds to a body of precedents and enforcement that the FTC has been building for several years now, beginning with a lawsuit against broker Kochava over similar collection and sale of location data from potentially sensitive destinations. It has also previously banned two other data brokers from selling similar information this year (Outlogic and InMarket Media).

Senator Ron Wyden, one of the lawmakers who has been a longtime leading advocate for a national data privacy law, supported the FTC actions by noting that these data brokers were offering private information about members of law enforcement and the military to anyone able to pay. He also criticized federal agencies for using data brokers such as these as a legal workaround for obtaining types of data that generally require a warrant or judge’s order.

Erich Kron, Security Awareness Advocate at KnowBe4, notes that the FTC actions appear to just be the beginning of the federal government having its hand forced on data brokers: “The collection of data on individuals has become a very controversial topic for many and is not being helped by the repeated failures to protect the sensitive information being collected by these organizations. Restricting the collection of things like location information is an important step, especially for those in professions where the disclosure of this information could be a danger to them and their families or might make them a target of hate groups due to religious or other affiliations. Unfortunately, we live in a time where we rely on the convenience provided by cell phones, connected vehicles and other devices that have the ability to track location through GPS or other means, and this information can easily be misused by bad actors. As more and more data is collected, and as more and more organizations that collect this information are breached or leave information open to the public internet accidentally, regulatory authorities will be forced to address the issues for the good of the American public.”

Chris Hauk, Consumer Privacy Champion at Pixel Privacy, adds: “While I applaud any limits on information that can be tracked, I particularly like it when any type of geographical location tracking has limitations placed on it. This type of tracking makes it too easy for users to be stalked, both online and in real life, by those that may wish to do them harm. It also provides too much information to government agencies like the alphabet agencies and other law enforcement, allowing them to track a targeted user’s every move, even if they are not engaging in illegal activities.”

Paul Bischoff, Consumer Privacy Advocate at Comparitech, notes that this case should prompt review of exactly what constitutes protected categories of sensitive data: “This breach shows how mobile advertising IDs, which are often touted as non-identifying, can in fact be used to identify and track specific people. The threat of this data being sold goes beyond the usual threats of phishing and scams. It enables stalking, harassment, and domestic abuse. The FTC made the right call in banning data brokers from selling location info.”