Data broker X-Mode Social and its successor Outlogic will be prohibited from sharing or selling any sensitive location data to settle Federal Trade Commission allegations that the company sold precise location data that could be used to track people’s visits to sensitive locations such as medical and reproductive health clinics, places of religious worship and domestic abuse shelters.
In its first settlement with a data broker concerning the collection and sale of sensitive location information, the FTC also charged that Virginia-based X-Mode Social and Outlogic, LLC, the successor firm to which X-Mode transferred most of its operations in 2021, failed to put in place reasonable and appropriate safeguards on the use of such information by third parties. Today’s action underscores the FTC’s strong commitment to restraining the collection, sale, or disclosure of consumer’ sensitive location data.
“Geolocation data can reveal not just where a person lives and whom they spend time with but also, for example, which medical treatments they seek and where they worship. The FTC’s action against X-Mode makes clear that businesses do not have free license to market and sell Americans’ sensitive location data,” said FTC Chair Lina M. Khan. “By securing a first-ever ban on the use and sale of sensitive location data, the FTC is continuing its critical work to protect Americans from intrusive data brokers and unchecked corporate surveillance.”
The raw location data that X-Mode/Outlogic has sold is associated with mobile advertising IDs, which are unique identifiers associated with each mobile device. This raw location data is not anonymized, and is capable of matching an individual consumer’s mobile device with the locations they visited. In fact, some companies offer services that help companies match such data to individual consumers.
X-Mode/Outlogic sells and licenses precise location data that it collects from third-party apps that incorporate its software development kit (SDK) into their apps, from its own mobile apps, and by purchasing location data from other data brokers and aggregators. The company sells consumer location data to hundreds of clients in industries ranging from real estate to finance, as well as private government contractors for their own purposes, such as advertising or brand analytics.
According to the FTC’s complaint, until May 2023, the company did not have any policies in place to remove sensitive locations from the raw location data it sold. The FTC says X-Mode/Outlogic did not implement reasonable or appropriate safeguards against downstream use of the precise location data it sells, putting consumers’ sensitive personal information at risk.
The information revealed through the location data that X-Mode/Outlogic sold not only violated consumers’ privacy but also exposed them to potential discrimination, physical violence, emotional distress, and other harms, according to the complaint.
The FTC also says the company failed to ensure that users of its own apps, Drunk Mode and Walk Against Humanity, as well as third party apps that used the X-Mode/Outlogic’s SDK were fully informed about how their location data would be used. For example, X-Mode/Outlogic provided third party apps that use the company’s SDK with sample privacy disclosures that did not fully inform consumers about which entities would receive the data and also failed to ensure these third-party apps obtained informed consumer consent to grant X-Mode/Outlogic access to their sensitive location data.
The company also failed to employ the necessary technical safeguards and oversight to ensure that it honored requests by some android users to opt out of tracking and personalized ads, according to the complaint.
The company’s business has also involved creating custom audience segments based on characteristics of consumers. For at least one contract, X-Mode provided a private clinical research company information for marketing and advertising purposes about consumers who had visited certain internal medical facilities and then pharmacies or specialty infusion centers within a certain radius in the Columbus, Ohio area.
The FTC says these practices violate the FTC Act’s prohibition against unfair and deceptive practices.
In addition to the limits on sharing certain sensitive locations, the proposed order requires X-Mode/Outlogic to create a program to ensure it develops and maintains a comprehensive list of sensitive locations, and ensure it is not sharing, selling or transferring location data about such locations. Other provisions of the proposed order require the company to:
- Delete or destroy all the location data it previously collected and any products produced from this data unless it obtains consumer consent or ensures the data has been deidentified or rendered non-sensitive;
- Develop a supplier assessment program to ensure that companies that provide location data to X-Mode/Outlogic are obtaining informed consent from consumers for the collection, use and sale of the data or stop using such information;
- Implement procedures to ensure that recipients of its location data do not associate the data with locations that provide services to LGBTQ+ people such as bars or service organizations, with locations of public gatherings of individuals at political or social demonstrations or protests, or use location data to determine the identity or location of a specific individual;
- Provide a simple and easy-to-find way for consumers to withdraw their consent for the collection and use of their location data and for the deletion of any location data that was previously collected;
- Provide a clear and conspicuous means for consumers to request the identity of any individuals and businesses to whom their personal data has been sold or shared or give consumers a way to delete their personal location data from the commercial databases of all recipients of the data; and
- Establish and implement a comprehensive privacy program that protects the privacy of consumers’ personal information and also create a data retention schedule.
The proposed order also limits the company from collecting or using location data when consumers have opted out of targeted advertising or tracking or if the company cannot verify records showing that consumers have provided consent to the collection of location data.
The Commission voted 3-0 to issue the proposed administrative complaint and to accept the consent agreement. Chair Khan joined by Commissioners Rebecca Kelly Slaughter and Alvaro Bedoya issued a separate statement.
The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.
NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $50,120.
The lead staff attorneys on this matter are Bhavna Changrani and Brian Shull from the FTC’s Bureau of Consumer Protection.