Privacy & Information Security Law Blog

On January 9, 2024, in its first settlement with a data broker concerning the collection and sale of sensitive location information, the Federal Trade Commission announced a proposed order against data broker X-Mode Social, Inc. and its successor Outlogic, LLC (“X-Mode”) for unfair and deceptive acts or practices in violation of Section 5 of the FTC Act.

According to the FTC’s complaint, X-Mode allegedly sold precise location data that could be used to reveal consumers’ visits to sensitive locations, including, among others, locations associated with medical care, reproductive health, religious worship, mental health, temporary shelters (such as shelters for the homeless, domestic violence survivors, or other at-risk populations) and addiction recovery. In particular, X-Mode failed to remove sensitive locations from the raw data it sold, and failed to implement safeguards against downstream use of precise location data.

The FTC also alleged that X-Mode unfairly: (1) failed to honor consumer privacy choices by collecting and selling location data for the purposes of developing consumer profiles, surveilling consumers and targeting consumers with advertising, even if consumers had opted-out of having their location data used for such purposes; (2) collected consumers’ location data from apps that X-Mode owned without obtaining consumers’ informed consent to the collection, use or sale of their data; (3) collected consumers’ location data through third-party apps that incorporate X-Mode’s software development kit without taking reasonable steps to verify that those consumers provide informed consent to the collection, use or sale of their data; and (4) categorized consumers into audience segments based on sensitive characteristics, such as visits to medical offices, derived from location data, and sold these audience segments to a third party for marketing purposes. In addition, X-Mode allegedly failed to disclose that consumers’ locations would be provided to government contractors for national security purposes. The misrepresentations were in disclosures to X-Mode app users as well as in language that X-mode provided to third-party app publishers for disclosure to their users.

The FTC’s proposed order would prohibit X-Mode from using, selling or disclosing sensitive location data, and require X-Mode to:

• Implement and maintain a sensitive location data program to prevent use, sale or disclosure of sensitive location data;
• Develop a supplier assessment program to ensure that companies that provide location data to X-Mode are obtaining informed consent from consumers for the collection, use and sale of the data;
• Delete or destroy all the location data it previously collected and any products produced from this data unless it obtains consumer consent or ensures the data has been deidentified or rendered non-sensitive;
• Provide a simple and easy-to-find way for consumers to withdraw their consent for the collection and use of their location data and for the deletion of any location data that was previously collected;
• Provide a clear and conspicuous means for consumers to request the identity of any individuals and businesses to whom their personal data has been sold or disclosed, or give consumers a way to delete their personal location data from the commercial databases of all recipients of the data;
• Establish and implement a comprehensive privacy program and create a data retention schedule; and,
• Limit the collection and use of location data without the required consent.