US: FTC acts to limit sale of location data by data brokers

The FTC accuses the companies of violating consumers’ privacy. (Source: IMAGO / VectorFusionArt)

The US Federal Trade Commission (FTC) has banned data broker Gravy Analytics and its subsidiary Venntel from sharing and selling “sensitive location data.” The companies will be required to delete location data that they have already collected. Data broker Mobilewalla will likewise be prohibited from selling such data in the future, the agency announced on Tuesday.

The FTC accuses Gravy Analytics and Venntel of having violated the law by tracking and selling users’ location data without their consent.

Location data is collected by smartphone apps. The data is often linked to a “mobile advertising ID” assigned to each smartphone by its operating system. As the FTC notes, Gravy Analytics and Venntel didn’t collect location data themselves, but instead obtained it from other companies. The data brokers then processed the data and resold it.

According to the FTC, the companies advertise their ability to provide especially precise location data. The brokers claim to collect data from roughly one billion devices daily. This data is not anonymized and can be used to identify users.

Data can provide in-depth insights

Some of the data sold by the companies can reveal visits to “sensitive” locations. Places like hospitals, reproductive health clinics, union offices, correctional facilities, places of worship, and women’s shelters are classified as sensitive by the FTC.

According to the FTC’s complaint, the companies analyzed the data they had collected and sold information that purported to provide insights into consumers’ “health or medical decisions,” political activities, and religious views – as well as many other aspects of their lives. Gravy Analytics compiled data sets on individuals who shared certain characteristics and sold them to clients. These data sets are grouped into categories like “McDonald’s Breakfast Diners,” “Parents with Young Kids,” or “Political Activist.” The company also sells tools that allow its clients to use the mobile advertising IDs assigned to users to generate a list of devices that were present at a particular place at a particular point in time – enabling the clients to determine, for example, whether users attended a specific event.

In Tuesday’s announcement, the FTC wrote that by selling this location data the companies “exposed consumers to potential privacy harms.” The companies’ practices also put consumers “at risk of stigma, discrimination, violence, and other harms.”

Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, said in a statement: “Surreptitious surveillance by data brokers undermines our civil liberties and puts servicemembers, union workers, religious minorities, and others at risk.”

Deleting data

The FTC has now proposed an order prohibiting the two companies from “selling, licensing, transferring, sharing, disclosing or using” sensitive location data – though there would be exceptions in cases involving national security or a law enforcement response “to an imminent risk of death or serious bodily harm to a person.” The companies must also maintain a list of sensitive locations – including medical facilities, union offices, correctional facilities, schools, and shelters for refugees and victims of domestic violence – in order to ensure that data that might indicate that an individual has visited one of these locations is not sold or shared. The companies must delete any data they have already collected.

According to 404media, the two Virginia-based firms are among the most important companies in the US location data industry.

In 2020, media reported that the US Department of Homeland Security had entered into contracts with Venntel. Location data obtained from the company was used to track illegal border crossings. According to the Electronic Frontier Foundation, a US civil liberties organization, Venntel sold location data to other US agencies as well, including the FBI.

Demonstrators’ data collected

The FTC on Tuesday announced a second proposed order to prohibit the data broker Mobilewalla from selling sensitive location data. The company also improperly retained data acquired in advertising auctions, according to the FTC’s complaint.

Samuel Levine of the FTC said in a statement: “Mobilewalla collected massive amounts of sensitive customer data – including visits to health clinics and places of worship – and sold this data in a way that exposed consumers to harm.”

The agency accuses Mobilewalla of collecting more than 500 million unique advertising identifiers between 2018 and 2020. These identifiers were paired with location information. According to the FTC’s complaint, Mobilewalla offered data to clients looking to target specific audiences for advertising purposes – like women who have visited pregnancy centers. The company also authored a report in June 2020 that “analyzed individuals who protested the death of George Floyd,” according to the complaint (https://www.buzzfeednews.com/article/carolinehaskins1/protests-tech-company-spying).

Civil liberties groups have long criticized the data broker industry. The level of alarm increased in 2022, when the US Supreme Court revoked the right to abortion. Advocates warned that data collected from individuals, including commercially available location data, could be used by law enforcement and opponents of abortion to track and persecute women.

The FTC itself has acted to rein in data brokers in the past.

On Monday the Consumer Financial Protection Bureau also proposed new rules that would prohibit data brokers from selling certain data like social security and telephone numbers. Given the looming change in presidential administrations, however, US media doubt that the rules will actually be implemented. (js)