Author: rkern

  • FTC Announces Refund Claims Process for Avast Customers Impacted by Deceptive Privacy Claims

    The Federal Trade Commission is sending claim forms to consumers who bought deceptively marketed antivirus software from Avast.

    The FTC alleged in a February 2024 complaint that Avast deceived users by claiming that its software would protect consumers’ privacy by blocking third party tracking, but it failed to adequately inform consumers that it would collect and sell their detailed, re-identifiable browsing data. The FTC alleged Avast sold that data to more than 100 third parties through its subsidiary, Jumpshot.

    As part of a settlement order with the FTC, Avast was required to pay $16.5 million, which will be used to compensate consumers. The order also bans Avast from misrepresenting how it uses the data it collects and from selling or licensing any browsing data from Avast-branded products to third parties for advertising purposes, along with other requirements.

    The FTC is emailing notices to 3,690,813 consumers who bought antivirus software from Avast between August 2014 and January 2020. Consumers who are eligible to apply will get an email notice between now and March 7, 2025.

    Eligible consumers can file a claim online at www.ftc.gov/Avast. Payment amounts will depend on several factors, including how many people file claims.

    The deadline for filing a claim is June 5, 2025. Consumers who have questions or need help filing a claim should call the claims administrator at 866-290-0165 or email [email protected]. The Commission never requires people to pay money or provide account information to submit a claim or receive a refund.

    The Commission’s interactive dashboards for refund data provide a state-by-state breakdown of refunds in FTC cases. In 2024, FTC actions led to more than $285 million in refunds to consumers across the country.

  • FTC Postpones Workshop on Attention Economy: Monopolizing Kids’ Time Online

    The Federal Trade Commission is postponing a February 25 virtual workshop examining the use of design features on digital platforms aimed at keeping kids, including teens, online longer and returning more frequently.

    When a new date is chosen, the FTC will post that information to the workshop’s event webpage along with other updates.

  • FTC Surveillance Pricing Study Indicates Wide Range of Personal Data Used to Set Individualized Consumer Prices

    The Federal Trade Commission’s initial findings from its surveillance pricing market study revealed that details like a person’s precise location or browser history can be frequently used to target individual consumers with different prices for the same goods and services.

    The staff perspective is based on an examination of documents obtained through FTC staff’s 6(b) orders, which were sent to several companies in July and aim to better understand the shadowy market that third-party intermediaries use to set individualized prices for products and services based on consumers’ characteristics and behaviors, like location, demographics, browsing patterns and shopping history.

    Staff found that consumer behaviors ranging from mouse movements on a webpage to the type of products that consumers leave unpurchased in an online shopping cart can be tracked and used by retailers to tailor consumer pricing.

    “Initial staff findings show that retailers frequently use people’s personal information to set targeted, tailored prices for goods and services—from a person’s location and demographics, down to their mouse movements on a webpage,” said FTC Chair Lina M. Khan. “The FTC should continue to investigate surveillance pricing practices because Americans deserve to know how their private data is being used to set the prices they pay and whether firms are charging different people different prices for the same good or service.”

    The FTC’s study of the 6(b) documents is still ongoing. The staff perspective is based on an initial analysis of documents provided by Mastercard, Accenture, PROS, Bloomreach, Revionics and McKinsey & Co.

    The FTC’s 6(b) study focuses on intermediary firms, which are the middlemen hired by retailers that can algorithmically tweak and target their prices. Instead of a price or promotion being a static feature of a product, the same product could have a different price or promotion based on a variety of inputs—including consumer-related data and their behaviors and preferences, the location, time, and channels by which a consumer buys the product, according to the perspective.

    The agency will only release information obtained from a 6(b) study as long as all data has been aggregated or anonymized to protect confidential trade secrets from company respondents, and therefore the staff perspective only includes hypothetical examples of surveillance pricing. 

    The staff perspective found that some 6(b) respondents can determine individualized and different pricing and discounts based on granular consumer data, like a cosmetics company targeting promotions to specific skin types and skin tones. The perspective also found that the intermediaries the FTC examined can show higher priced products based on consumers’ search and purchase activity. As one hypothetical outlined, a consumer who is profiled as a new parent may intentionally be shown higher priced baby thermometers on the first page of their search results.

    The FTC staff found that the intermediaries worked with at least 250 clients that sell goods or services ranging from grocery stores to apparel retailers. The FTC found that widespread adoption of this practice may fundamentally upend how consumers buy products and how companies compete.

    As the FTC continues its work in this area, it is issuing a request for information today seeking public comment on consumers’ experiences with surveillance pricing. The RFI also asks for comments from businesses about whether surveillance pricing tools can lead to competitors gaining an unfair advantage, and whether gig workers or employees have been impacted by the use of surveillance pricing to determine their compensation. Comments are due by April 17.

    Commissioners Andrew Ferguson and Melissa Holyoak issued a dissenting statement related to release of the initial research summaries.

    The FTC has additional resources on the interim findings, including a blog post advocating for further engagement with this issue, an issue spotlight with more background and research on surveillance pricing and research summaries based on the staff review and initial insights of 6(b) study documents. 

  • Statement of Commission Regarding Snap Complaint Referral to DOJ

    The Federal Trade Commission issued a statement regarding its referral to the Department of Justice of a complaint against Snap Inc., which operates the Snapchat application.

    During a closed meeting, the Commission voted 3-0-2 to authorize the issuance of the statement. Commissioners Melissa Holyoak and Andrew Ferguson were recorded as absent. Commissioner Ferguson issued a statement on the matter.

  • FTC Finalizes Changes to Children’s Privacy Rule Limiting Companies’ Ability to Monetize Kids’ Data

    The Federal Trade Commission finalized changes to the Children’s Online Privacy Protection Rule to set new requirements around the collection, use and disclosure of children’s personal information and give parents new tools and protections to help them control what data is provided to third parties about their children.

    The final rule requires parents to opt in to third-party advertising and includes other changes to address the emerging ways that consumers’ data is collected and used by companies, and particularly how children’s data is being shared and monetized.

    “The updated COPPA rule strengthens key protections for kids’ privacy online,” said FTC Chair Lina M. Khan. “By requiring parents to opt in to targeted advertising practices, this final rule prohibits platforms and service providers from sharing and monetizing children’s data without active permission. The FTC is using all its tools to keep kids safe online.”

    In January 2024, the FTC proposed changes to the COPPA rule to ensure it keeps pace with changes in the marketplace since the rule was last updated in 2013. The COPPA Rule, which first went into effect in 2000, requires certain websites and other online services to obtain verifiable parental consent before collecting, using or disclosing personal information from children under 13. It also provides other important rights for parents, including the right to require operators to delete personal information collected from their children, and imposes independent obligations on covered operators, for example with respect to data minimization and data retention.

    In a notice that will soon be published in the Federal Register, the FTC made several amendments to the rule, including:

    • Requiring opt-in consent for targeted advertising and other disclosures to third parties: Website and online service operators covered by COPPA will be required to obtain separate verifiable parental consent to disclose children’s personal information to third-party companies related to targeted advertising or other purposes.
    • Limits on data retention: The rule requires covered operators to only retain personal information for as long as reasonably necessary to fulfill a specific purpose for which it was collected. This provision explicitly states that operators cannot retain the information indefinitely.
    • Increasing Safe Harbor programs’ transparency: The FTC-approved COPPA Safe Harbor programs, which are self-regulatory programs that implement the protections of the COPPA Rule, will be required to publicly disclose their membership lists and report additional information to the FTC as part of efforts to increase accountability and transparency in the programs.

    The final rule includes several amended definitions, including expanding the definition of personal information to include biometric identifiers as well as government-issued identifiers.

    After reviewing the nearly 300 comments the agency received on the proposed changes to the COPPA Rule, the Commission decided against adopting some proposed changes, including proposed requirements that were intended to limit the use of push notifications directed to children without parental consent and changes relating to the requirements applicable to educational technology companies operating in a school environment.

    While the Commission declined to finalize those particular proposals, the agency notes that it remains concerned about the use of push notifications and other engagement techniques to keep kids online in ways that could harm their mental health.

    The Commission vote approving publication in the Federal Register of the final rule was 5-0. Chair Lina Khan and Commissioner Andrew Ferguson issued separate concurring statements. Commissioner Alvaro Bedoya and Commissioner Rebecca Slaughter issued a joint concurring statement. The final rule will become effective 60 days after its publication in the Federal Register. Entities subject to the final rule will have one year from that publication date to come into full compliance with amendments that do not specify earlier compliance dates.

    The lead attorneys on this matter are James Trilling and Elizabeth Averill in the FTC’s Bureau of Consumer Protection.

  • FTC Takes Action Against GoDaddy for Alleged Lax Data Security for Its Website Hosting Services

    The Federal Trade Commission will require web hosting company GoDaddy to implement a robust information security program to settle charges that the company failed to secure its website-hosting services against attacks that could harm its customers and visitors to the customers’ websites.

    The FTC alleges in its complaint that, since 2018, GoDaddy has failed to implement reasonable and appropriate security measures to protect and monitor its website-hosting environments for security threats, and misled customers about the extent of its data security protections on its website hosting services.

    In its proposed settlement order, the FTC is requiring GoDaddy to establish a comprehensive data security program that is similar to those in other FTC cases, including the recent settlement with Marriott International.

    “Millions of companies, particularly small businesses, rely on web hosting providers like GoDaddy to secure the websites that they and their customers rely on,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is acting today to ensure that companies like GoDaddy bolster their security systems to protect consumers around the globe.”

    Arizona-based GoDaddy Inc. and its operating subsidiary GoDaddy.com, LLC make up one of the world’s largest web hosting companies, with approximately five million web hosting customers.

    GoDaddy’s unreasonable security practices include failing to: inventory and manage assets and software updates; assess risks to its shared hosting services; adequately log and monitor security-related events in the hosting environment; and segment its shared hosting from less-secure environments, according to the FTC’s complaint.

    The FTC says that GoDaddy’s data-security failures resulted in several major security breaches between 2019 and 2022 in which bad actors gained unauthorized access to customers’ websites and data. These breaches exposed consumers visiting the websites to risks, including that consumers were redirected to malicious websites.

    Additionally, the FTC alleges that GoDaddy misled customers, through claims on its websites and in email and social media ads, by representing that it deployed reasonable security and that it was in compliance with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, which require companies to take reasonable and appropriate measures to protect personal information.

    Proposed Order Requirements

    The FTC’s proposed order will prohibit GoDaddy from misleading its customers about its security practices in the future and ensure that it has reasonable security going forward.

    The order will:

    • Prohibit GoDaddy from making misrepresentations about its security and the extent to which it complies with any privacy or security program sponsored by a government, self-regulatory, or standard-setting organization, including the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks;
    • Require GoDaddy to establish and implement a comprehensive information-security program that protects the security, confidentiality, and integrity of its website-hosting services; and
    • Mandate that GoDaddy hire an independent third-party assessor who conducts an initial and biennial review of its information-security program.

    The Commission voted 5-0 to issue the administrative complaint and to accept the proposed consent agreement. Commissioner Melissa Holyoak concurred, but dissented on Count III in the complaint.

    The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register, after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.

    NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $51,744. The lead staff attorneys on this matter are Jarad Brown and David Walko from the FTC’s Bureau of Consumer Protection.

  • FTC Finalizes Order Banning Mobilewalla from Selling Sensitive Location Data

    The Federal Trade Commission finalized an order banning data broker Mobilewalla Inc. from selling sensitive location data as part of a settlement with the company over allegations it sold such information without taking reasonable steps to verify consumers’ consent.

    In a complaint first announced in December, FTC alleged that Mobilewalla unlawfully tracked and sold consumers’ sensitive location data, including data about their visits to healthcare facilities and places of worship.

    Under the final order, Mobilewalla will be banned from collecting consumer data from online real-time bidding advertising exchanges for purposes other than participating in those auctions, marking the first time the agency has alleged such a practice was an unfair act or practice.

    Mobilewalla is also banned from misrepresenting how it collects, maintains, uses, deletes or discloses consumers’ personal information, and the extent to which consumers’ location data is deidentified. It’s also prohibited from using, transferring, selling and disclosing location data from sensitive locations, such as health clinics, religious organizations, correctional facilities, labor union offices, LGBTQ+-related locations, political gatherings and military installations.

    The Commission voted 4–1 to approve the final order and send responses to the commenters, with Commissioner Melissa Holyoak voting no.

  • FTC Finalizes Order Prohibiting Gravy Analytics, Venntel from Selling Sensitive Location Data

    The Federal Trade Commission finalized an order prohibiting Gravy Analytics and its subsidiary Venntel from unlawfully tracking and selling sensitive location data from users, including data about consumers’ visits to health-related locations and places of worship.

    In a complaint first announced last month, the FTC alleged that Gravy and Venntel violated the FTC Act by unfairly selling sensitive consumer location data, and by collecting and using consumers’ location data without obtaining verifiable user consent for commercial and government uses. The complaint alleged that Gravy Analytics used geofencing, which creates a virtual geographical boundary, to identify and sell lists of consumers who visited healthcare facilities and places of worship and sold additional lists that associate individual consumers to other sensitive characteristics.

    Under the final order, Gravy Analytics and Venntel will be prohibited from selling, disclosing, or using sensitive location data except in limited circumstances involving national security or law enforcement. The companies must also establish a sensitive data location program.

    After receiving two substantive comments, the Commission voted 5-0 to approve the final order and send responses to the commenters.

  • FTC Finalizes Order Prohibiting IntelliVision from Making Deceptive Claims About Its Facial Recognition Software

    The Federal Trade Commission finalized an order against IntelliVision Technologies Corp., settling allegations that the company made false, misleading, or unsubstantiated claims that its AI-powered facial recognition software was free of gender or racial bias.

    In a complaint, which was first announced in December, the FTC alleged that IntelliVision lacked evidence to back up its claims that its software had one of the highest accuracy rates on the market and performs with zero gender or racial bias. The complaint also alleged that IntelliVision did not train its facial recognition software on millions of faces, as it claimed, nor did it have adequate support for its claims that its anti-spoofing technology ensures the system can’t be fooled by a photo or video image.

    Under the final order, IntelliVision is prohibited from misrepresenting the accuracy and efficacy of its facial recognition software; the comparative performance of the technology with respect to different genders, ethnicities, and skin tones; and the accuracy or efficacy of the technology to detect spoofing. The order also prohibits IntelliVision from making representations about effectiveness, accuracy, or lack of bias of its facial recognition technology, or about the effectiveness of its facial recognition technology at detecting spoofing, unless it possesses and relies on competent and reliable testing of the technology.

    After receiving no public comments, the Commission voted 5-0 to approve the final order.

  • FTC Finalizes Order with Marriott and Starwood Requiring Them to Implement a Robust Data Security Program to Address Security Failures

    The Federal Trade Commission finalized an order requiring Marriott International, Inc. and its subsidiary Starwood Hotels & Resorts Worldwide LLC to implement a comprehensive information security program to settle charges that the companies failed to implement reasonable data security, which led to three large data breaches affecting more than 344 million customers worldwide.

    In a complaint first announced in October, the FTC charged that Marriott and Starwood deceived consumers by claiming to have reasonable and appropriate data security, when they in fact failed to deploy reasonable security to protect consumers’ personal information. These security failures resulted in at least three separate data breaches that enabled malicious actors to obtain vast amounts of personal information from hundreds of millions of consumers, including passport information, payment card numbers, and loyalty numbers, according to the complaint.

    Under the order, Marriott and Starwood are required to establish a comprehensive information security program to help safeguard customers’ personal information, implement a policy to retain personal information only for as long as is reasonably necessary, and establish a link on their website for U.S. customers to request that personal information associated with their email address or loyalty rewards account number be deleted. The order also requires Marriott to review loyalty rewards accounts upon customer request and restore stolen loyalty points.

    The companies are also prohibited from misrepresenting how they collect, maintain, use, delete or disclose consumers’ personal information; and the extent to which the companies protect the privacy, security, availability, confidentiality, or integrity of personal information.

    After receiving two comments, the Commission voted 3-0-2 to approve the final order and send responses to the commenters. Commissioner Ferguson and Commissioner Holyoak are recused from this matter.

  • FTC Sends Payments to Consumers Harmed by Vivint’s Misuse of Consumer Credit Reports

    The Federal Trade Commission is sending payments totaling nearly $500,000 to consumers who were harmed by home security company Vivint Smart Homes, Inc., which allegedly misused credit reports to help unqualified customers get financing for the company’s products and services.

    The FTC alleged in a complaint announced in April 2021 that Vivint’s sales representatives obtained financing for unqualified customers by using the credit history of an unrelated third party with the same or similar name, or adding cosigners without their permission. If customers who qualified using these deceptive tactics later defaulted on their loans, Vivint referred the unrelated third party or the impermissible cosigner to debt collectors, potentially harming that consumer’s credit. After hearing from these debt collectors, some affected consumers reported to the FTC that they were victims of identity theft.

    Today, the FTC is sending its first round of payments in the matter, which includes checks to 470 consumers who filed a valid claim before the deadline. The FTC will distribute additional funds at a later date.

    Recipients should cash their checks within 90 days, as indicated on the check. The average payment is $1,056.

    Consumers who have questions about their payment or believe they should have been included in the distribution should contact the refund administrator, Rust Consulting, Inc., at 1-833-472-1996. Consumers can also visit the FTC website to view frequently asked questions about the refund process. The Commission never requires people to pay money or provide account information to get a refund.

    The Commission’s interactive dashboards for refund data provide a state-by-state breakdown of refunds in FTC cases. In 2023, FTC actions led to $330 million in refunds to consumers across the country.

  • FTC Takes Action Against Gravy Analytics, Venntel for Unlawfully Selling Location Data Tracking Consumers to Sensitive Sites

    The Federal Trade Commission is taking action against Gravy Analytics Inc. and its subsidiary Venntel Inc. for unlawfully tracking and selling sensitive location data from users, including selling data about consumers’ visits to health-related locations and places of worship.

    Under a proposed order settling the FTC’s allegations, Gravy Analytics and Venntel will be prohibited from selling, disclosing, or using sensitive location data in any product or service, and must establish a sensitive data location program.

    The FTC’s complaint alleges that Gravy Analytics and Venntel violated the FTC Act by unfairly selling sensitive consumer location data, and by collecting and using consumers’ location data without obtaining verifiable user consent for commercial and government uses.

    According to the complaint, Gravy Analytics continued to use consumers’ location data after learning that consumers didn’t provide informed consent. Gravy Analytics also unfairly sold sensitive characteristics, like health or medical decisions, political activities and religious viewpoints, derived from consumers’ location data.

    “Surreptitious surveillance by data brokers undermines our civil liberties and puts servicemembers, union workers, religious minorities, and others at risk,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “This is the FTC’s fourth action taken this year challenging the sale of sensitive location data, and it’s past time for the industry to get serious about protecting Americans’ privacy.”

    Virginia-based Gravy Analytics and Venntel allegedly obtained consumer location information from other data suppliers and claimed to collect, process, and curate more than 17 billion signals from around a billion mobile devices daily. The location data the companies sold can be used to identify consumers and is not anonymized, according to the complaint.

    The complaint alleges that Gravy Analytics used geofencing, which creates a virtual geographical boundary, to identify and sell lists of consumers who attended certain events related to medical conditions and places of worship and sold additional lists that associate individual consumers to other sensitive characteristics.

    The FTC says the companies exposed consumers to potential privacy harms, which could include disclosure of health or medical decisions, political activity, and religious practices. The unauthorized disclosure of sensitive characteristics puts consumers at risk of stigma, discrimination, violence and other harms, according to the complaint.

    Proposed Settlement Requirements

    Under the proposed order, Gravy Analytics and Venntel will be prohibited from selling, licensing, transferring, sharing, disclosing, or using sensitive location data except in limited circumstances involving national security or law enforcement. The order also requires the companies to maintain a sensitive location data program designed to develop a list of sensitive locations and prevent the use, sale, license, transfer, sharing, or disclosure of consumers’ visits to those locations, including locations associated with:

    • Medical facilities,
    • Religious organizations,
    • Correctional facilities,
    • Labor union offices,
    • Schools or childcare facilities,
    • Services supporting people based on racial and ethnic backgrounds,
    • Services sheltering homeless, domestic abuse, refugee or immigrant populations, and
    • Military installations.

    The order also requires the companies to delete all historic location data and any data products developed using this data. It also requires that the companies inform customers that received historic location data within the last three years of the Commission’s requirement that such data should be deleted, de-identified, or rendered non-sensitive. The companies can retain historic location data if they ensure that it is deidentified or rendered non-sensitive or if consumers consented to the use of their data.

    It also requires the companies to maintain a supplier assessment program designed to ensure that consumers have provided consent for the collection and use of all data that may reveal a mobile device or consumer’s precise location.

    The companies also will be banned from making misrepresentations about the extent to which:

    • they review data suppliers’ compliance and consent frameworks, consumer disclosures, sample notices, and opt in controls;
    • they collect, use, maintain, disclose, or delete any covered information; and
    • the data they collect, use, maintain, or disclose is de-identified.

    The Commission voted 5-0 to issue the administrative complaint and to accept the consent agreement with the companies. Commissioner Alvaro Bedoya issued a concurring statement joined in full by Chair Lina Khan and Commissioner Rebecca Kelly Slaughter and in part by Commissioner Holyoak. Holyoak issued a separate concurring statement joined in part by Bedoya.

    This is the FTC’s fifth action challenging the unfair handling of consumers’ sensitive location data by data aggregators. The agency’s other cases include a 2022 action against Kochava for selling data tracking people to reproductive health clinics and other sensitive locations, and the January 2024 actions against X-Mode for selling raw location data and InMarket for selling precise user location data. Earlier today, the FTC announced an action against Mobilewalla for also selling data tracking users to military sites, health clinics, churches and other sensitive locations.

    The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.

    NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $51,744.

    The lead staffers on this matter are Jennifer Rimm, Brian Shull and Bhavna Changrani in FTC’s Bureau of Consumer Protection.

  • FTC Takes Action Against IntelliVision Technologies for Deceptive Claims About its Facial Recognition Software

    The Federal Trade Commission is taking action against IntelliVision Technologies Corp. for making false, misleading or unsubstantiated claims that its AI-powered facial recognition software was free of gender and racial bias and making other misleading claims about the technology.

    Under a proposed consent order settling the FTC’s allegations, IntelliVision will be prohibited from misrepresenting the accuracy and efficacy of its facial recognition software and its performance across individuals with different genders, ethnicities, and skin tones.

    In the FTC’s complaint, the agency alleges that IntelliVision did not have evidence to support its claims that its software has one of the highest accuracy rates on the market and performs with zero gender or racial bias.

    “Companies shouldn’t be touting bias-free artificial intelligence systems unless they can back those claims up,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Those who develop and use AI systems are not exempt from basic deceptive advertising principles.”

    The San Jose-based IntelliVision sells facial recognition software used in home security systems and smart home touch panels sold by Nice North America, LLC.

    The FTC alleges in its complaint that IntelliVision’s claim that it has one of the highest accuracy rates on the market is false or misleading and that IntelliVision did not have support for its claim that its software was free of gender or racial bias.

    Furthermore, the complaint alleges that IntelliVision did not train its facial recognition software on millions of faces, as it claimed, and instead trained its technology on images of approximately 100,000 unique individuals, and then used technology to create variants of those same images.

    The FTC also says that IntelliVision did not have adequate evidence to support its claim that its anti-spoofing technology ensures the system can’t be tricked by a photo or video image.

    Proposed Settlement Requirements

    Under the proposed order, IntelliVision will be prohibited from making misrepresentations about:

    • The accuracy or efficacy of its facial recognition technology;
    • The comparative performance of the technology with respect to individuals of different genders, ethnicities, and skin tones; and
    • The accuracy or efficacy of the technology to detect spoofing.

    In addition, the proposed consent order prohibits IntelliVision from making any representation about the effectiveness, accuracy, or lack of bias of its facial recognition technology or about the technology’s effectiveness at detecting spoofing unless it possesses and relies on competent and reliable testing of the technology.

    This is the second major AI facial recognition case the FTC has brought in the last year. In a settlement first announced last December, the FTC banned Rite Aid from using facial recognition technology for surveillance purposes for five years over allegations that the retailer failed to implement reasonable procedures and prevent harm to consumers in its use of facial recognition technology in hundreds of stores.

    The Commission voted 5-0 to issue the administrative complaint and to accept the consent agreement with the company. Commissioner Andrew Ferguson issued a concurring statement.

    The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.

    NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $51,744.

    The lead staff attorneys on this matter are Robin Rosen Spector and Amanda Koulousias with the FTC’s Bureau of Consumer Protection.

  • FTC Takes Action Against Mobilewalla for Collecting and Selling Sensitive Location Data

    The Federal Trade Commission will prohibit data broker Mobilewalla, Inc. from selling sensitive location data, including data that reveals the identity of an individual’s private home, to settle allegations the data broker sold such information without taking reasonable steps to verify consumers’ consent.

    Under the FTC’s proposed settlement order, Mobilewalla will also be banned from collecting consumer data from online advertising auctions for purposes other than participating in those auctions, marking the first time the agency has alleged such a practice was an unfair act or practice. 

    “Persistent tracking by data brokers can put millions of Americans at risk, exposing the precise locations where service members are stationed or which medical treatments someone is seeking,” said FTC Chair Lina Khan. “Mobilewalla exploited vulnerabilities in digital ad markets to harvest this data at a stunning scale. The FTC is cracking down on firms that unlawfully exploit people’s sensitive location data and ensuring that we protect Americans from unchecked surveillance.”

    The FTC alleges in a complaint that Georgia-based Mobilewalla collected data from real-time bidding exchanges and third-party aggregators. Often consumers had no knowledge that Chamblee, Georgia-based Mobilewalla had obtained their data.

    “Mobilewalla collected massive amounts of sensitive consumer data – including visits to health clinics and places of worship – and sold this data in a way that exposed consumers to harm,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is acting today to stop these invasive practices and protect the public from always-on surveillance.”

    When Mobilewalla bid to place an ad for its clients on a real-time advertising bidding exchange, it unfairly collected and retained the information in the bid request, even when it didn’t have a winning bid, according to the complaint.

    The FTC’s complaint alleges that from January 2018 to June 2020, Mobilewalla collected more than 500 million unique consumer advertising identifiers paired with consumers’ precise location data. The raw location data Mobilewalla collected was not anonymized and the company doesn’t have policies to remove sensitive locations from the data set, meaning that such data could be used to identify individual consumers’ mobile devices and the sensitive locations they visited. The company sold access to this raw data to third parties, including advertisers, data brokers and analytic firms.

    Mobilewalla also uses its sensitive location data to develop audience segments for its clients to target consumers for advertising and other purposes, according to the complaint. For example, the company collected location data from women who visited pregnancy centers, which was used to build audience segments targeting pregnant women. It also used audience segments to create a June 2020 report analyzing people who protested the death of George Floyd and determined the protesters’ racial backgrounds and whether they lived in the cities in which they protested.

    The FTC alleged that Mobilewalla violated the FTC Act by: selling consumers’ sensitive location data; selling audience segments of consumers for marketing and other purposes based on sensitive characteristics – like medical conditions and religious beliefs; collecting and retaining sensitive data from advertising exchanges; collecting and using data without taking reasonable steps to verify consumers’ consent; and retaining raw consumer location information indefinitely.

    The FTC alleges that Mobilewalla’s actions not only compromised consumers’ personal privacy but exposed them to potential discrimination, physical violence, emotional distress, and other harms — risks consumers could not avoid given that most were unaware of the company’s activities.

    Proposed Settlement Order

    Under the proposed order, Mobilewalla will be prohibited from misrepresenting how it collects, maintains, uses, deletes or discloses consumers’ personal information, and the extent to which consumers’ location data is deidentified. It also is prohibited from using, transferring, selling and disclosing sensitive location data from health clinics, religious organizations, correctional facilities, labor union offices, LGBTQ+-related locations, political gatherings and military installations.

    Other provisions of the proposed order include:

    • Retention of data from auctions: The company is prohibited from collecting or retaining consumer data while participating in online advertising auctions for any other purpose than participating in the auction;
    • Sensitive location data program: The company must create a sensitive location data program that develops a comprehensive list of sensitive locations and that is designed to prevent the use, sale or disclosure of sensitive location data, or any other use of sensitive location data in any product or service;
    • Data deletion: The company must implement a method for consumers to request deletion of their location data from the company and to delete certain types of older data. The company must also delete historic location data and any work product from this data;
    • Mandated privacy program: The company is required to establish a comprehensive privacy program that protects consumers’ personal information; assess the program annually; and train employees and contractors who have access to sensitive data;
    • Supplier assessment program: The company is required to set up a supplier assessment program designed to confirm whether consumers have provided consent for the collection and use of location data and will be prohibited from collecting or using location data if it cannot obtain records showing that consumers provided consent; and
    • Disclosures to consumers: The company must provide a method for consumers to withdraw consent for the use of their data and must delete and stop collecting that data.

    The Commission voted 4-1 to issue the administrative complaint and to accept the proposed consent agreement. Chair Lina Khan issued a concurring statement. Commissioner Melissa Holyoak issued a dissenting statement.

    This is the FTC’s most recent action challenging the unfair handling of consumers’ sensitive location data by data aggregators. The agency has settled similar cases with Kochava for selling data tracking people to reproductive health clinics, X-Mode for selling raw location data and InMarket for selling precise user location data. 

    The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.

    NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $51,744.

    The lead staff attorneys on this matter are David Walko and Gorana Neskovic from the FTC’s Bureau of Consumer Protection.

  • FTC Takes Action Against Evolv Technologies for Deceiving Users About its AI-Powered Security Screening Systems

    The Federal Trade Commission is taking action against Evolv Technologies over allegations that the company made false claims about the extent to which its AI-powered security screening system can detect weapons and ignore harmless personal items, including in school settings.

    In the proposed FTC settlement order, Evolv would be banned from making unsupported claims about its products’ ability to detect weapons by using artificial intelligence and would also have to give certain K-12 school customers the option to cancel their contracts, which generally lock customers into multi-year deals.

    “The FTC has been clear that claims about technology – including artificial intelligence – need to be backed up, and that is especially important when these claims involve the safety of children,” said Samuel Levine, Director of the Bureau of Consumer Protection. “If you make those claims without adequate support, you can expect to hear from the FTC.”

    The FTC’s complaint alleged that Massachusetts-based Evolv deceptively advertised that its Evolv Express scanners would detect all weapons and made misleading claims that its use of artificial intelligence makes its screening systems more accurate, efficient, and cost-effective than traditional metal detectors.

    Evolv’s Express AI-powered security scanners are used in thousands of schools and many other venues, such as sports stadiums and hospitals. School systems make up half of its business, with Express scanners located in over 800 schools across 40 states, according to the complaint. In its marketing materials, the company has touted its use of AI, claiming its scanners are a high-tech alternative to traditional metal scanners. In marketing its products to schools, the company claimed its products would help address the problem of guns and other weapons in schools.

    The FTC alleged that Evolv misrepresented that its Evolv Express system will detect all weapons; ignore harmless personal items without requiring people to remove them from their pockets or bags; detect weapons more accurately and faster than metal detectors; reduce false alarm rates; and cut labor costs by 70% compared to metal detectors by reducing the need for additional personnel.

    In its complaint, the FTC alleged that Evolv’s Express scanners failed in several instances to detect weapons in schools while flagging harmless personal items typically brought to schools, like laptops, binders, and water bottles. For example, Evolv’s Express scanners reportedly failed to detect a seven-inch knife brought into a school in October 2022 that was used to stab a student. Afterwards, school officials increased the system’s sensitivity settings, prompting a 50% false alarm rate.

    To reduce false positive rates, Evolv in 2023 introduced a more sensitive setting for Express users with the goal of detecting more knives. Despite this, Evolv said some knives will be missed, more false alarms will occur, and additional staffing may be required to run the machines. It also advised schools to add conveyor belts and other measures to divert harmless items by hand, which makes the system more like traditional lower-cost metal detectors, according to the complaint.

    Proposed Settlement Requirements

    Under the proposed settlement, Evolv will be required to notify certain K-12 school customers that they can opt to cancel contracts signed between April 1, 2022, and June 30, 2023. In addition, the proposed order will prohibit Evolv from making any misrepresentations about:

    • the ability of its products to detect weapons, ignore harmless personal items, and ignore harmless personal items without requiring visitors to remove any such items from pockets or bags;
    • its products’ accuracy in detecting weapons and false alarm rates, including in comparison to the use of traditional metal detectors;
    • the speed at which visitors can be screened compared to the use of metal detectors;
    • labor costs, including comparisons to the use of metal detectors;
    • testing, or the results of any testing; and
    • any material aspect of its performance, including the use of algorithms, artificial intelligence, or other automated systems or tools.

    The settlement with Evolv builds upon the FTC’s ongoing work to ensure that AI claims are backed up. Earlier this fall, the agency announced Operation AI Comply, with five new actions targeting the deceptive use of or claims around AI. Actions to ensure that AI marketing is truthful both protect consumers and help ensure real innovators can thrive.

    The Commission vote authorizing the staff to file the complaint and stipulated order was 5-0. The FTC filed the complaint and stipulated order in the U.S. District Court for the District of Massachusetts. Commissioner Andrew Ferguson issued a statement and Commissioner Melissa Holyoak issued a statement.

    NOTE: The Commission files a complaint when it has “reason to believe” that the named defendants are violating or are about to violate the law and it appears to the Commission that a proceeding is in the public interest. Stipulated orders have the force of law when approved and signed by the District Court judge.

    The lead staff attorneys on this matter are Michael Atleson and Katherine Campbell with the FTC’s Bureau of Consumer Protection.

  • FTC Sends Refunds to Consumers Harmed by Credit Bureau Center’s Fake Rental Property Ads and Deceptive Promises of “Free” Credit Reports

    The Federal Trade Commission is sending payments totaling nearly $1.9 million to consumers who were harmed by fake rental ads and deceptive promises of “free” credit reports from Credit Bureau Center LLC.

    In a lawsuit announced in 2017, the FTC alleged that the Credit Bureau Center, formerly known as MyScore LLC, impersonated property owners and offered tours for properties they were not authorized to offer for rent, if consumers first obtained credit reports and scores from their websites. These sites claimed to provide “free” credit reports and scores, but then enrolled consumers in a credit monitoring service with monthly charges of $29.94. Many consumers didn’t realize they were enrolled until they noticed unexpected charges on their bank or credit card statements, sometimes after several billing cycles.

    “This case demonstrates that the FTC is persistent and tireless in its work to return money to defrauded consumers,” said Samuel Levine, the Director of the Bureau of Consumer Protection. “But it is yet another reminder that Congress must act to restore the FTC’s authority to obtain monetary relief so that when companies break the law, the FTC can get money back for injured consumers effectively and efficiently.”

    In June 2018, a federal judge ordered Credit Bureau Center to pay money for violating Section 13(b) of the FTC Act. That award, however, was vacated in April 2021 when the Supreme Court ruled that the Commission cannot seek monetary relief under Section 13(b). Because of that ruling, the Commission lost its strongest tool for returning money to consumers. In September 2021, the judge in this case found that Credit Bureau Center also violated Section 19 of the FTC Act and reimposed the award. The defendants lost on appeal, and the lawsuit was resolved in June 2024.

    The FTC is sending checks to 42,849 affected consumers. Recipients should cash their checks within 90 days, as indicated on the check.

    Consumers who have questions should contact the refund administrator, Simpluris, at 1-844-804-5464. Consumers can also visit the FTC website to view frequently asked questions about the refund process. The Commission never requires people to pay money or provide account information to get a refund.

    The Commission’s interactive dashboards for refund data provide a state-by-state breakdown of refunds in FTC cases. In 2023, FTC actions led to $330 million in refunds to consumers across the country.

  • FTC Takes Action Against Marriott and Starwood Over Multiple Data Breaches

    The Federal Trade Commission will require Marriott International, Inc. and its subsidiary Starwood Hotels & Resorts Worldwide LLC to implement a robust information security program to settle charges that the companies’ failure to implement reasonable data security led to three large data breaches from 2014 to 2020 impacting more than 344 million customers worldwide.

    In a proposed settlement order with the FTC announced today, Marriott and Starwood also agreed to provide all their U.S. customers with a way to request deletion of personal information associated with their email address or loyalty rewards account number. In addition, the proposed settlement requires Marriott to review loyalty rewards accounts upon customer request and restore stolen loyalty points.

    Under a separate settlement also announced today, Marriott also agreed to pay a $52 million penalty to 49 states and the District of Columbia to resolve similar data security allegations. The FTC and the states worked in parallel on the investigation. The FTC does not have legal authority to obtain civil penalties in this case.

    “Marriott’s poor security practices led to multiple breaches affecting hundreds of millions of customers,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC’s action today, in coordination with our state partners, will ensure that Marriott improves its data security practices in hotels around the globe.”

    Marriott and Starwood’s Security Failures

    Marriott manages and franchises more than 7,000 properties throughout the United States and across more than 130 other countries. After Marriott acquired Starwood in 2016, it was responsible for the data security practices of both brands.

    In a proposed complaint, the FTC says that Marriott and Starwood deceived consumers by claiming to have reasonable and appropriate data security. Despite these claims, the companies unfairly failed to deploy reasonable or appropriate security to protect personal information. Specifically, the proposed complaint alleges that Marriott and Starwood failed to: implement appropriate password controls, access controls, firewall controls, or network segmentation; patch outdated software and systems; adequately log and monitor network environments; and deploy adequate multifactor authentication.

    The FTC alleged that security failures by Marriott and Starwood resulted in at least three separate data breaches wherein malicious actors obtained the passport information, payment card numbers, loyalty numbers, dates of birth, email addresses and/or personal information from hundreds of millions of consumers, according to the proposed complaint.

    The first breach began in June 2014 involving payment card information of more than 40,000 Starwood customers, according to the proposed complaint. The breach went undetected for 14 months until Starwood notified customers in November 2015, just four days after Marriott announced it was acquiring Starwood.

    The second breach began around July 2014 and went undetected until September 2018. During that time, malicious actors accessed 339 million Starwood guest account records worldwide, including 5.25 million unencrypted passport numbers.

    The third breach, which went undetected from September 2018 until February 2020, impacted Marriott’s own network. Malicious actors accessed 5.2 million guest records worldwide, including data from 1.8 million Americans. The compromised records contained significant amounts of personal information, including names, mailing addresses, email addresses, phone numbers, month and day of birth, and loyalty account information.

    Settlement Requirements

    Under the proposed order, Marriott and Starwood will be prohibited from misrepresenting how they collect, maintain, use, delete or disclose consumers’ personal information; and the extent to which the companies protect the privacy, security, availability, confidentiality, or integrity of personal information. Other provisions of the proposed order include:

    • Data Minimization: The companies must implement a policy to retain personal information for only as long as is reasonably necessary to fulfill the purpose for which it was collected. The companies also must share the purpose behind collecting personal information and specific business need for retaining it.
    • Comprehensive Information Security Program: Marriott and Starwood are required to establish, implement and maintain a comprehensive information security program and certify compliance to the FTC annually for 20 years. The information security program must contain robust safeguards, and undergo an independent, third-party assessment every two years.
    • Loyalty Rewards Program Account Review: The companies must provide a method for consumers to request review of unauthorized activity in their Marriott Bonvoy loyalty rewards accounts and Marriott must restore any loyalty points stolen by malicious actors.
    • Data Deletion: The companies must provide a link for customers to request deletion of personal information associated with an email address and/or a loyalty rewards program account number.

    The Commission voted 3-0-2 to issue the administrative complaint and to accept the proposed consent agreement. Commissioners Melissa Holyoak and Andrew Ferguson were recused from this matter.

    The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.

    NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $51,744.

    The lead staff attorneys on this matter are Katherine McCarron and Kamay Lafalaise from the FTC’s Bureau of Consumer Protection.

  • FTC Announces Virtual Workshop on the Attention Economy: Monopolizing Kids’ Time Online

    The Federal Trade Commission will hold a virtual workshop on February 25, 2025, to examine the use of design features on digital platforms aimed at keeping kids, including teens, online longer and coming back more frequently.

    Researchers, technologists, child development and legal experts, consumer advocates, and industry professionals will discuss design features that keep kids engaged on digital platforms, including websites, applications, and interactive online services. They also will discuss the potential impacts of those features on the well-being of younger users and how platforms might factor levels of youth engagement and kids’ well-being into designing their products. The topics to be discussed will include:

    • Whether and how certain design features result in more engagement or time spent on digital platforms, and what relevant scientific research exists on the topic;
    • The physical and psychological impacts, both positive and negative, of the design features on youth well-being; and
    • What measures or design considerations related to youth well-being might be effective, feasible, and consistent with the current legal landscape.

    The virtual event will be open to the public and registration is not required. A link to view the webcast will be posted to the FTC’s website at FTC.gov the morning of the event.

    The FTC is seeking input from those who are interested in participating as panelists at the event or who have expertise and relevant information to provide on any of the topics listed above. If you have expertise, email [email protected] by November 15, 2024. At this time, please do not send substantive comments to the FTC email address listed above. Any formal comment period will be announced on the event page.

    Additional information, including a list of speakers and the agenda, will be posted on the event page in advance of the workshop.

  • FTC Sends Refunds to Consumers Harmed by CafePress’s Data Security Failures

    The Federal Trade Commission is sending payments totaling more than $370,000 to consumers who were harmed by the data security failures of online merchandise platform CafePress.

    The payments stem from a March 2022 settlement that resolved FTC allegations that CafePress failed to implement reasonable security measures to protect the sensitive information stored on its network. In addition to storing Social Security numbers and password reset answers in clear, readable text, CafePress retained the data longer than was necessary. As a result of its shoddy security practices, CafePress’ network was breached multiple times allowing hackers to access sensitive user data including Social Security numbers. The company also failed to adequately inform consumers about these breaches.

    The FTC is sending checks and PayPal payments to 20,044 consumers who filed a valid claim before the deadline. Consumers should cash their check within 90 days or redeem their PayPal payment within 30 days.

    Consumers who have questions should contact the refund administrator, Rust Consulting, at 1-833-415-2795 or email [email protected]. Consumers can also visit the FTC website to view frequently asked questions about the refund process. The Commission never requires people to pay money or provide account information to get a refund.

    The Commission’s interactive dashboards for refund data provide a state-by-state breakdown of refunds in FTC cases. In 2023, FTC actions led to $330 million in refunds to consumers across the country.

    The Federal Trade Commission works to promote competition and protect and educate consumers. The FTC will never demand money, make threats, tell you to transfer money, or promise you a prize. Learn more about consumer topics at consumer.ftc.gov, or report fraud, scams, and bad business practices at ReportFraud.ftc.gov. Follow the FTC on social media, read consumer alerts and the business blog, and sign up to get the latest FTC news and alerts.

  • FTC Takes Action Against Security Camera Firm Verkada over Charges it Failed to Secure Videos, Other Personal Data and Violated CAN-SPAM Act

    The Federal Trade Commission will require security camera firm Verkada to develop and implement a comprehensive information security program to settle allegations the company failed to use appropriate information security practices, which allowed a hacker to access customers’ security cameras.

    Under a proposed order, which must be approved by a federal judge before it can go into effect, Verkada will also be required to pay a $2.95 million monetary penalty to settle allegations the company inundated prospective customers with commercial emails in violation of the CAN-SPAM Act, the largest penalty obtained by the FTC for a CAN-SPAM violation.

    A complaint filed by the Department of Justice (DOJ), upon notification and referral from the FTC, alleged that Verkada failed to use appropriate information security practices to protect consumers’ personal information, which allowed a hacker to access internet-connected security cameras and view patients in psychiatric hospitals and women’s health clinics. The complaint also charged that Verkada was aware that employees and a venture capital investor posted positive ratings and reviews of Verkada and its products but failed to disclose their association or current employment status with Verkada.

    The complaint also alleged that Verkada violated the CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing) by flooding prospective customers with a barrage of commercial emails and failing to include the option to unsubscribe or opt-out, honor opt-out requests, and provide a physical postal address in the emails.

    “When customers invite companies into private spaces to monitor consumers by using their security cameras and other products, they expect those companies to provide basic levels of security, which Verkada failed to do,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Companies that fail to secure and protect consumer data can expect to be held responsible.”

    “This settlement underscores the importance of robust data security measures, especially for companies that are themselves in the security industry. Failure to protect sensitive information puts consumers at risk,” said Brian M. Boynton, Principal Deputy Assistant Attorney General of the Department of Justice’s Civil Division. “We will continue to work with the FTC to hold companies accountable for such violations.”

    California-based Verkada sells IP-enabled security cameras and other physical security offerings to thousands of customers, both in the United States and overseas, including those that operate from sensitive. In its privacy policy, press releases, blog posts and other materials, Verkada claimed it takes data security and customer privacy seriously. For example, in its privacy policy in 2018, the company claimed it uses “best-in-class data security tools and best practices to keep your data safe and protect the Verkada Products from unauthorized access.”

    The complaint alleges that despite such claims, Verkada failed to provide appropriate security measures to protect the personal information it collects, which includes sensitive video footage from its security cameras as well as data about customer accounts such as names, email addresses, passwords and site floorplans. For example, the company failed to require unique and complex passwords, adequately encrypt customer data, and implement secure network controls.

    As a result of these security failures, the complaint alleges, the company experienced at least two security breaches between December 2020 and March 2021. In the March 2021 breach, a hacker accessed video footage from over 150,000 internet-connected Verkada cameras as well as other customer information, such as physical addresses, audio recordings, and customer WiFi credentials.

    Additionally, Verkada misled consumers with respect to its compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the EU-U.S. Privacy Shield framework, and the Swiss-U.S. Privacy Shield framework. According to the complaint, Verkada’s security practices were not compliant with either HIPAA or either Privacy Shield framework.

    The complaint further alleges that Verkada also misled consumers by failing to disclose that certain online consumer ratings and reviews of its camera products were written by Verkada employees and a venture capital investor. For example, a venture capitalist who invested in Verkada posted a five-star rating and positive review on Google Maps.

    Lastly, the complaint alleges that Verkada violated the CAN-SPAM Act in several ways. According to the complaint, Verkada relied on commercial email campaigns to help market its products, sending more than 30 million commercial emails over a three-year period. Verkada’s commercial emails violated the CAN-SPAM Act in four ways, including not honoring email recipients’ requests to unsubscribe.

    In addition to the monetary penalty, the proposed order also will prohibit the company from making misrepresentations about Verkada’s privacy and data security practices and require it to implement a comprehensive information security program with third-party audits. The proposed order also will prohibit Verkada from violating the CAN-SPAM Act.

    The Commission voted 5-0 to refer the complaint and stipulated order to DOJ. The DOJ filed the complaint and stipulated order in the U.S. District Court for the Northern District of California. Commissioner Melissa Holyoak issued a separate concurring statement.

    NOTE: The Commission authorizes the filing of a complaint when it has “reason to believe” that the named defendant is violating or is about to violate the law and it appears to the Commission that a proceeding is in the public interest. Stipulated orders have the force of law when approved and signed by the District Court judge.

    The lead staff attorneys on this matter are Jacqueline Ford and Kamay Lafalaise from the FTC’s Bureau of Consumer Protection.

  • FTC Files Amicus Brief Saying COPPA Can’t Force Parents Into Arbitration

    The Federal Trade Commission filed an amicus brief in a lawsuit brought by a group of parents who are suing IXL Learning, Inc. The FTC’s brief disputes the company’s argument that under the Children’s Online Privacy Protection Act and the COPPA Rule, the schools’ agreement to binding arbitration also applied to parents.

    The plaintiffs in the case – Shanahan, et al. v. IXL Learning, Inc. – are parents of school age children who allege IXL Learning illegally collected, used and sold their children’s data on their website and software in school. The parents’ putative class action lawsuit alleges that the education company violated various laws, including the Federal Wiretap Act and multiple California statutes, as well as common law privacy torts.

    IXL Learning, which provides websites and school educational services, filed a motion to compel arbitration, claiming that the school districts agreed to the company’s full terms of service, including an arbitration provision. IXL Learning argued that under COPPA, school districts act as agents for the parents in the use of IXL’s educational services, and the parents are therefore bound by the full terms of service.

    The FTC amicus brief clarifies that nothing in COPPA or the COPPA Rule dictates that parents and children should be bound by every part of the terms of service agreement between a company like IXL Learning and a school district, nor does COPPA support a claim that parents should be bound to arbitration in this case.

    In December 2023, the Commission proposed amendments to strengthen the COPPA Rule by further limiting companies’ ability to monetize children’s data. The proposed Rule would require targeted advertising to be off by default, bar indefinite retention of kids’ data, and strengthen data security. The Commission’s review of this Rule is ongoing.

    The agency filed its amicus brief in the United States District Court for the Northern District of California, San Francisco Division. 

    The Commission voted 5-0 to file the amicus brief. Commissioner Andrew Ferguson issued a concurring statement.

  • FTC Investigation Leads to Lawsuit Against TikTok and ByteDance for Flagrantly Violating Children’s Privacy Law

    On behalf of the Federal Trade Commission, the Department of Justice sued video-sharing platform TikTok, its parent company ByteDance, and its affiliated companies for flagrantly violating a children’s privacy law, the Children’s Online Privacy Protection Act, and also alleged they infringed an existing FTC 2019 consent order against TikTok for violating COPPA.

    The complaint alleges defendants failed to comply with the COPPA requirement to notify and obtain parental consent before collecting and using personal information from children under the age of 13.

    “TikTok knowingly and repeatedly violated kids’ privacy, threatening the safety of millions of children across the country,” said FTC Chair Lina M. Khan. “The FTC will continue to use the full scope of its authorities to protect children online—especially as firms deploy increasingly sophisticated digital tools to surveil kids and profit from their data.”

    “The Justice Department is committed to upholding parents’ ability to protect their children’s privacy,” said Principal Deputy Assistant Attorney General Brian Boynton. “This action is necessary to prevent the defendants, who are repeat offenders and operate on a massive scale, from collecting and using young children’s private information without any parental consent or control.”

    ByteDance and its related companies allegedly were aware of the need to comply with the COPPA Rule and the 2019 consent order and knew about TikTok’s compliance failures that put children’s data and privacy at risk. Instead of complying, ByteDance and TikTok spent years knowingly allowing millions of children under 13 on their platform designated for users 13 years and older in violation of COPPA, according to the complaint.

    As of 2020, TikTok had a policy of maintaining accounts of children that it knew were under 13 unless the child made an explicit admission of age and other rigid conditions were met, according to the complaint. TikTok human reviewers allegedly spent an average of only five to seven seconds reviewing each account to make their determination of whether the account belonged to a child. 

    The company allegedly continued to collect personal data from these underage users, including data that enabled TikTok to target advertising to them—without notifying their parents and obtaining their consent as required by the COPPA Rule. Even after it reportedly changed its policy not to require an explicit admission of age, TikTok still continued to unlawfully maintain and use personal information of children, according to the complaint.

    TikTok’s practices prompted its own employees to raise concerns. As alleged, after failing to delete numerous underage child accounts, one compliance employee noted, “We can get in trouble … because of COPPA.”

    In addition, the complaint alleges that TikTok built back doors into its platform that allowed children to bypass the age gate aimed at screening children under 13. TikTok allegedly allowed children to create accounts without having to provide their age or obtain parental consent to use TikTok by using credentials from third-party services like Google and Instagram. TikTok classified such accounts as “age unknown” accounts, which grew to millions of accounts, according to the complaint.

    Even when it directed children to use the TikTok Kids Mode service, a more protected version for kids, the complaint charges that TikTok collected and used their personal information in violation of COPPA. It also alleges that TikTok collected numerous categories of information and far more data than it needed, such as information about children’s activities on the app and multiple types of persistent identifiers, which it used to build profiles on children, while failing to notify parents about the full extent of its data collection and use practices. For example, TikTok shared this personal data with third parties such as Facebook and AppsFlyer to persuade existing Kids Mode users to use the service more after their use had declined or ceased, through a practice TikTok called “retargeting less active users,” according to the complaint.

    TikTok also allegedly made it difficult for parents to request that their child’s accounts be deleted. When parents managed to navigate the multiple steps required to submit a deletion request, TikTok often failed to comply with those requests. TikTok also imposed unnecessary and duplicative hurdles for parents seeking to have their children’s data deleted. That practice allegedly continued even after the executive responsible for child safety issues told TikTok’s then-CEO, “we already have all the info that’s needed” to delete a child’s data when a parent requests it, yet TikTok would not delete it unless the parent fills out a second, duplicative form. If the parent did not do that, the executive allegedly added, “then we have actual knowledge of underage user[s] and took no action!”

    The complaint also claimed that TikTok began violating the terms of the 2019 FTC order shortly after it went into effect. Two TikTok entities (previously Musical.ly and Musical.ly Inc., which ByteDance acquired in 2017 and renamed) agreed to the terms of the order to settle allegations that they violated the COPPA Rule by unlawfully collecting personal information from children under the age of 13.

    Additionally, the complaint alleges that TikTok failed to:

    • notify parents about all of the personal data they were collecting from children;
    • obtain parental consent for the collection and use of that data;
    • limit the collection, use, and disclosure of children’s personal information; and
    • delete children’s personal information when requested by parents or when it was no longer needed.

    The complaint asks the court to impose civil penalties against ByteDance and TikTok and to enter a permanent injunction against them to prevent future violations of COPPA. The FTC Act allows civil penalties up to $51,744 per violation, per day.

    The Commission voted 3-0-2 to refer the complaint to the Department of Justice. Commissioners Melissa Holyoak and Andrew N. Ferguson were recused from participating. The complaint was filed in the U.S. District Court for the Central District of California.

    NOTE: The Commission files a complaint when it has “reason to believe” that the named defendants are violating or are about to violate the law and it appears to the Commission that a proceeding is in the public interest. The case will be decided by the court.

    The United States is represented in this action by Assistant Directors Rachael L. Doud and Zachary A. Dietert, and Trial Attorneys Ben Cornfeld and Marcus P. Smith, of the Civil Division’s Consumer Protection Branch. Jonathan W. Ware, Iris Micklavzina, Sarah Choi and Michael Sherling represent the FTC’s Bureau of Consumer Protection.

  • FTC Submits Comment to FCC on Work to Protect Consumers from Potential Harmful Effects of AI

    The Federal Trade Commission highlighted the agency’s work to protect consumers from potential harms related to artificial intelligence in a comment submitted as part of the Federal Communications Commission’s (FCC) notice of inquiry examining the implications of emerging AI technologies.

    The FCC launched a notice of inquiry in November 2023 to examine efforts to address the impact of AI as it works to protect consumers from unwanted and illegal telephone calls and text messages under the Telephone Consumer Protection Act.

    In its comment, the FTC outlined the agency’s efforts to use all the tools at its disposal to address the rapid emergence of new technologies powered by AI and their potential risks to consumers and businesses. As part of the agency’s law enforcement work, the FTC has taken action against companies that deceive users about their use of AI or use AI in unfair ways. For example, the FTC alleged that Amazon and Ring used highly private data—voice recordings collected by Amazon’s Alexa voice assistant and videos collected by Ring’s internet-connected home security cameras—to train their algorithms while violating customers’ privacy. The comment also discussed the agency’s rule outlawing government and business impersonation scams—a type of fraud that generative AI can turbocharge.

    In its comment, FTC staff also discussed the agency’s efforts to combat AI-enabled voice cloning. Scammers are using voice cloning technology to impersonate family or friends, business executives or others to obtain money from consumers. To help address this growing problem, the FTC last year launched its Voice Cloning Challenge to promote the development of ideas to protect consumers from the misuse of AI-enabled voice cloning for fraud and other harms.

    In April, the agency announced four winning submissions. They included: AI Detect, which uses AI algorithms to differentiate between genuine and synthetic voice patterns; DeFake, which proposes a protective mechanism to add carefully crafted perturbations to voice samples to hinder the cloning process; OriginStory, which proposes using off-the-shelf sensors to help authenticate the human origin of voice recordings at the point of creation; and Voice Cloning Detection, which calls for using liveness detection technology to detect voice clones and audio deepfakes in real time.

    The Commission voted 5-0 to authorize FTC staff to file the comment.