FTC Bars X-Mode from Selling Sensitive Location Data
Update, January 23, 2024: Another week, another win! The FTC announced a successful enforcement action against another location data broker, InMarket.
Phone app location data brokers are a growing menace to our privacy and safety. All you did was click a box while downloading an app. Now the app tracks your every move and sends it to a broker, which then sells your location data to the highest bidder, from advertisers to police.
So it is welcome news that the Federal Trade Commission has brought a successful enforcement action against X-Mode Social (and its successor Outlogic).
The FTC’s complaint illustrates the dangers created by this industry. The company collects our location data through software development kits (SDKs) incorporated into third-party apps, through the company’s own apps, and through buying data from other brokers. The complaint alleged that the company then sells this raw location data, which can easily be correlated to specific individuals. The company’s customers include marketers and government contractors.
The FTC’s proposed order contains a strong set of rules to protect the public from this company.
General rules for all location data:
- X-Mode cannot collect, use, maintain, or disclose a person’s location data absent their opt-in consent. This includes location data the company collected in the past.
- The order defines “location data” as any data that may reveal the precise location of a person or their mobile device, including from GPS, cell towers, WiFi, and Bluetooth.
- X-Mode must adopt policies and technical measures to prevent recipients of its data from using it to locate a political demonstration, an LGBTQ+ institution, or a person’s home.
- X-Mode must, on request of a person, delete their location data, and inform them of every entity that received their location data.
Heightened rules for sensitive location data:
- X-Mode cannot sell, disclose, or use any “sensitive” location data.
- The order defines “sensitive” locations to include medical facilities (such as family planning centers), religious institutions, union offices, schools, shelters for domestic violence survivors, and immigrant services.
- To implement this rule, the company must develop a comprehensive list of sensitive locations.
- However, X-Mode can use sensitive location data if it has a direct relationship with a person related to that data, the person provides opt-in consent, and the company uses the data to provide a service the person directly requested.
As the FTC Chair and Commissioners explain in a statement accompanying this order’s announcement:
The explosion of business models that monetize people’s personal information has resulted in routine trafficking and marketing of Americans’ location data. As the FTC has stated, openly selling a person’s location data the highest bidder can expose people to harassment, stigma, discrimination, or even physical violence. And, as a federal court recently recognized, an invasion of privacy alone can constitute “substantial injury” in violation of the law, even if that privacy invasion does not lead to further or secondary harm.
X-Mode has disputed the implications of the FTC’s statements regarding the settlement, and asserted that the FTC did not find an instance of data misuse.
The FTC Act bans “unfair or deceptive acts or practices in or affecting commerce.” Under the Act, a practice is “unfair” if: (1) the practice “is likely to cause substantial injury to consumers”; (2) the practice “is not reasonably avoidable by consumers themselves”; and (3) the injury is “not outweighed by countervailing benefits to consumers or to competition.” The FTC has laid out a powerful case that X-Mode’s brokering of location data is unfair and thus unlawful.
The FTC’s enforcement action against X-Mode sends a strong signal that other location data brokers should take a hard look at their own business model or risk similar legal consequences.
The FTC has recently taken many other welcome actions to protect data privacy from corporate surveillance. In 2023, the agency limited Rite Aid’s use of face recognition, and fined Amazon’s Ring for failing to secure its customers’ data. In 2022, the agency brought an unfair business practices claim against another location data broker, Kochava, and began exploring issuance of new rules against commercial data surveillance.
第44回独立行政法人評価制度委員会 議事録
第60回独立行政法人評価制度委員会評価部会 議事録
大臣官房企画課サイバーセキュリティ・情報化推進室 非常勤職員採用情報
無線設備規則及び標準テレビジョン放送等のうちデジタル放送に関する送信の標準方式の一部を改正する省令案等の制定・改正案に係る意見募集
日本放送協会のインターネット活用業務の競争評価に関する準備会合(第3回)
情報通信審議会 電気通信事業政策部会 接続政策委員会(第69回)の開催について
情報通信行政・郵政行政審議会 郵政行政分科会(第89回)
ユニバーサルサービスワーキンググループ(第1回)開催案内
大臣官房会計課厚生企画管理室 非常勤職員採用情報
令和6年能登半島地震に係る被害状況等について(第55報)
衛星放送ワーキンググループ(第3回)配付資料
サイバーセキュリティタスクフォース(第46回)
被災地におけるコミュニケーション支援用スマートフォンアプリのご案内(「外国語」でお困りの皆さま、「聴覚障害」をお持ちの皆さま、「聴覚障害」をお持ちの方の周囲の皆さまへ)
公正競争ワーキンググループ(第1回)配布資料・議事概要
令和6年能登半島地震に係る被害状況等について(第54報)
[B] 【1/27】入管法廃止デモ 渋谷で実施予定
Joint statement on the proposed cybercrime treaty ahead of the concluding session
The statement's signatories, including APC, stress that the proposed UN Cybercrime Convention must be narrowly focused on tackling cybercrime, and not used as a tool to undermine human rights. Unless meaningful changes are made to address current shortcomings, the Convention should be rejected.