The Federal Trade Commission said Friday it has finalized a settlement order that prohibits the data broker Outlogic from selling certain location data.
The order, proposed in January, specifically bans Outlogic (formerly X-Mode) from selling data revealing visits to
“sensitive” locations -- including medical facilities, religious organizations, correctional facilities, labor union offices and shelters for domestic violence victims or refugees.
The settlement also requires Outlogic to obtain people's affirmative consent before using “non-sensitive” location data.
Privacy advocates including the Electronic Frontier
Foundation and Electronic Privacy Information Center urged the FTC to impose more restrictions on Outlogic's ability to use location data.
“The order should not introduce a distinction
between 'sensitive location data' and other location data, as all location data is inherently sensitive in nature,” those organizations wrote in comments filed
with the FTC in February.
advertisement
advertisement
They added that if the FTC decided to maintain the proposed order's distinction between sensitive and non-sensitive location data, the definition of sensitive
should be broadened to include data “that could reveal sensitive traits.”
“The proposed order’s definition of 'sensitive locations' is too narrow as it does not
include, for example, locations that could reveal a person’s sexual orientation, gender identity, or sexual preferences,” those groups wrote.
The FTC said in a letter sent Thursday that it agrees those locations are “sensitive,” but added that the order
will protect consumers' privacy by requiring Outlogic to “employ contractual restrictions and technical measures that prohibit associating location data with such locations.”
In a
separate filing, the advocacy group Free Press generally praised the settlement, but also suggested the restrictions didn't go far enough.
“The FTC should empower consumers rather than
regulators to determine what types of location data are sensitive in their own view, not necessarily to prevent any and all requested or permitted use of such location data, but to ensure that
entities like X-Mode obtain the same affirmative express consent and offer the same protections in all instances,” Free Press wrote in comments submitted in February.
The order stems from allegations
that X-Mode obtained precise location data from more than 300 apps and then sold the raw location data in combination with users' mobile ad identifiers (pseudonymous alphanumeric strings). Those
alleged sales allowed third parties to tie specific individuals to locations, the FTC charged.
Recipients of the data included “hundreds” of businesses “in industries ranging
from real estate to finance, as well as private government contractors,” the FTC alleged.
“The location data could be used to track consumers who have visited women’s
reproductive health clinics and as a result, may have had or contemplated sensitive medical procedures such as an abortion or in vitro fertilization,” the FTC alleged.
While the company
made some disclosures regarding data sales, it failed to fully reveal the extent of its practices, according to the FTC. For instance, in some cases Outlogic allegedly said app users’ location
data would be used for ad targeting and analytics, but actually sold the data to government contractors.
In other cases, X-Mode allegedly harvested mobile ad identifiers and location data from
Android users who had activated a setting that was supposed to opt them out of ad targeting, and then provided access to marketers and other third parties.
An Outlogic spokesperson previously
stated that the company disagrees with the FTC's "implications."
“Since its inception, X-mode has imposed strict contractual terms on all data customers prohibiting them from associating
its data with sensitive locations such as healthcare facilities,” the spokesperson said, adding that the new restrictions “will not require any significant changes
to business or products.”