The Federal Trade Commission (FTC) has prohibited data broker X-Mode Social and its successor Outlogic from sharing or selling sensitive location data as part of a settlement resulting from allegations that the company sold precise location data that could be used to track people’s visits to private locations.
In its first settlement with a data broker regarding the collection and sale of sensitive location information, the FTC also accused X-Mode Social and Outlogic of failing to put in place reasonable safeguards on the use of such information by third parties. This settlement ultimately represents the FTC’s strong commitment to preventing companies from selling their users’ sensitive location information.
“Geolocation data can reveal not just where a person lives and whom they spend time with but also, for example, which medical treatments they seek and where they worship. The FTC’s action against X-Mode makes clear that businesses do not have free license to market and sell Americans’ sensitive location data,” said FTC Chair Lina Khan. “By securing a first-ever ban on the use and sale of sensitive location data, the FTC is continuing its critical work to protect Americans from intrusive data brokers and unchecked corporate surveillance.”
X-Mode/Outlogic has been selling location information that is tied to each user’s phone. This data isn’t anonymous and can be used to track where a person with a specific phone has been. The company also sells consumer location data to hundreds of clients in industries ranging from real estate to finance, as well as private government contractors for their own purposes, such as advertising.
According to the FTC’s complaint, until May 2023, the company did not have any policies in place to remove sensitive locations from the location data it sold. The FTC says X-Mode/Outlogic did not implement any reasonable safeguards against use of the location data it sells, putting consumers’ sensitive and private information at risk.
The information revealed through the location data that X-Mode/Outlogic sold not only violated consumers’ privacy but also exposed them to “potential discrimination, physical violence, emotional distress, and other harms,” according to the complaint. The FTC also mentioned that the company didn’t make sure users of its apps, like Drunk Mode and Walk additionally Humanity, which used X-Mode/Outlogic’s software, were properly informed about how their location data would be used.
The company also failed to employ the necessary technical safeguards and oversight to ensure that it honored requests by some android users to opt out of tracking and personalized ads, according to the complaint. The FTC says these practices violate the FTC Act’s prohibition against unfair and deceptive practices.
FTC Mandates Preservation of User Location Privacy
In addition to the limits on sharing certain sensitive locations, the proposed order requires X-Mode/Outlogic to create a program to ensure it develops and maintains a comprehensive list of sensitive locations, and ensure it is not sharing, or selling data about such locations. Other provisions of the proposed order require the company to:
- Delete or destroy all the location data it previously collected, and any products produced from this data unless it obtains consumer consent or ensures the data has been deidentified or rendered non-sensitive;
- Ensure that companies that provide location data to X-Mode/Outlogic are obtaining informed consent from consumers for the collection, use and sale of the data or stop using such information;
- Implement procedures to ensure that recipients of its location data do not associate the data with locations that provide services to LGBTQ+ people such as bars or service organizations, with locations of public gatherings of individuals at political or social demonstrations or protests, or use location data to determine the identity or location of a specific individual;
- Provide a simple and easy-to-find way for consumers to withdraw their consent for the collection and use of their location data and for the deletion of any location data that was previously collected;
- Provide a clear and conspicuous means for consumers to request the identity of any individuals and businesses to whom their personal data has been sold or shared or give consumers a way to delete their personal location data from the commercial databases of all recipients of the data; and
- Establish and implement a comprehensive privacy program that protects the privacy of consumers’ personal information and also create a data retention schedule.
The proposed order also limits the company from collecting or using location data when consumers have opted out of targeted advertising or tracking or if the company cannot verify records showing that consumers have provided consent to the collection of location data.