Privacy & Information Security Law Blog

On January 14, 2025, the Federal Trade Commission (“FTC”) announced that it had issued final orders against data brokers Gravy Analytics, Inc. (“Gravy Analytics”) and Mobilewalla, Inc. (“Mobilewalla”). The FTC’s announcement follows a series of recent FTC actions concerning data brokers’ collection and sale of consumer precise geolocation data. Our blog posts covering these prior actions can be viewed here and here.

Gravy Analytics

According to the FTC’s complaint, Gravy Analytics is a data broker that does not have a direct relationship with consumers. Instead, it purchases consumer data (including precise geolocation data) from its data suppliers and sells such consumer data to its customers, which include both commercial and government entities. The FTC alleged that Gravy Analytics and its subsidiary violated Section 5 of the FTC Act by (1) failing to verify that its data suppliers obtained consent from consumers to collect, use and share their precise geolocation data for the purposes used by Gravy Analytics; (2) selling consumers’ precise geolocation data that revealed consumers’ visits to sensitive locations; and (3) creating and selling inferences derived from location data drawn about consumers based on sensitive characteristics, such as medical conditions, political activities and religious beliefs According to the complaint, the precise geolocation data obtained by Gravy Analytics, associated with other unique consumer identifiers licensed, used and sold by the data broker, could be used to track consumers to sensitive locations, including places of religious worship, domestic abuse shelters, homeless shelters, medical facilities, political rallies, and places that could be used to infer an LGBTQ+ status. Gravy Analytics used this data to create audience segments that categorized consumers into groups based on health or medical decisions made by consumers (e.g., “pharmacy visitor during COVID quarantine”), family status (e.g., “having children,” “getting married”), religion (e.g., based on a consumer’s visit to a particular church) and political activity (e.g., identifying a consumer as a member of a particular party based on attendance at political events). Additionally, the complaint alleged that Gravy Analytics used geofencing to create a virtual geographic boundary to identify consumers who visited certain sensitive locations and subsequently categorized these consumers into audience segments based on inferred sensitive characteristics from their visits, such as medical conditions, sexual orientation, political activities and religious beliefs. Its customers could then use these segments to serve targeted ads to consumers in these groups.

The final order requires Gravy Analytics and its subsidiary to stop selling, disclosing or using sensitive location data within 90 days of the order’s effective date, unless the companies: (1) have a direct relationship with the consumer related to the sensitive location data; (2) have obtained affirmative opt-in consent from the consumer and (3) are using sensitive location data solely to provide a service directly requested by the consumer.

Key provisions from the final order also include requirements to:

• maintain a sensitive location data program to identify a list of sensitive locations, and prevent the disclosure of consumers’ visits to those locations;
• establish and maintain policies and procedures to prevent the companies from (1) associating consumer precise geolocation data with locations predominantly providing services to LGBTQ+ individuals or locations of political or social demonstrations, marches, and protests and (2)using consumer precise geolocation data to determine the identity or location of an individual’s home;
• submit a report to the FTC within 30 days of making a determination that a third party shared consumers’ precise geolocation data in violation of a contractual requirement, including a description of the incident and the number of consumers affected by the disclosure;
• delete all historic precise geolocation data and any data products developed using this data;
• maintain a supplier assessment program to ensure consumers have provided consent for the collection and use of their precise geolocation data; and
• not misrepresent the extent to which the companies (1) review data suppliers’ compliance and consent frameworks, consumer disclosures, sample notices, and opt-in controls; (2) collect, use, maintain, disclose, or delete any information by the final order; or (3) de-identify the data they collect, use, maintain, or disclose.
  
  

Relatedly, days before the FTC finalized its order against Gravy Analytics, the company was reported to have experienced a data breach. The company currently faces a proposed class action lawsuit in the US District Court for the District of New Jersey, alleging that it failed to adequately secure sensitive consumer location data.

Mobilewalla

In its complaint against Mobilewalla, the FTC alleged that the company collected consumer information, without consent, from real-time bidding exchanges (“RTB ad exchanges”), which data included consumers’ mobile advertising identifiers (“MAID”) and precise geolocation data. The FTC alleged that Mobilewalla then shared this information with third parties. This FTC action is the first to focus on the collection and use of consumer data through RTB ad exchanges.

During RTB ad exchanges, online publishers (i.e., websites and apps) auction off their empty ad space so that advertisers can submit bids for an ad placement. To conduct the exchange, an app or website uses a software development kit (SDK) or cookie to collect consumers’ personal information from their devices and passes it along to participating advertisers, so that they can bid to place advertisements based on the consumer information contained in the bid request. As a result, advertisers can obtain consumer information from the bid request process, even if they do not win the bid for an ad placement. In its complaint, the FTC alleged that when Mobilewalla bid to place an advertisement through an RTB ad exchange, it collected and retained the consumer information contained in the bid request, even when it did not have a winning bid. The FTC also alleged that Mobilewalla collected information from other data brokers without verifying whether consumers consented to Mobilewalla’s collection and use of their information.

Key provisions in the FTC’s final order against Mobilewalla include requirements to:

• stop collecting, purchasing or acquiring personal information covered in the order during online advertising auctions for any other purpose other than participating in such auctions;
• stop selling, sharing, or disclosing sensitive location data;
• maintain a sensitive location data program to identify a list of sensitive locations and prevent the disclosure of sensitive location data; and
• maintain a supplier assessment program to ensure consumers have provided consent for the collection and use of location data.