CSG Law Alert: The Federal Trade Commission Prohibits Data Broker from Collecting and Selling Sensitive Location Data

The Federal Trade Commission (the “FTC”) has accepted, subject to final approval, an agreement containing a consent order from a data broker and its successor concerning the collection and sale of sensitive location information.

According to the FTC, the data broker and its successor had purportedly published applications and created a software development kit for use in third-party applications. Through such applications and similar practices, the data broker and its successor deceptively collected billions of location signals daily and sold such location data to marketers, retailers, research organizations, private government contractors, and other data brokers.

Consequently, the FTC charged the data broker and its successor with violating Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), which prohibits “unfair or deceptive acts or practices in or affecting commerce.” As a matter of law, acts or practices are “unfair” if they cause or are likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition. Similarly, acts or practices are “deceptive” if they misrepresent or omit material facts.

Here, the FTC alleged that the data broker and its successor committed unfair and deceptive acts by selling consumers’ sensitive data; failing to honor consumers’ privacy choices; deceptively collecting and using consumers’ location data; collecting and using consumer location data without consent verification; categorizing consumers based on sensitive characteristics for marketing purposes; and deceptively failing to disclose use of location data.

To settle the FTC’s allegations, the data broker and its successor agreed to, among other things, (i) prevent the use, sale, licensing, transfer, or disclosure of sensitive location data; (ii) establish, implement, and maintain a sensitive location data program; (iii) document the components of the sensitive location data program; and (iv) provide the written program and any evaluations thereof or updates thereto to their boards of directors or governing bodies at least every 12 months.