FTC settles unprecedented case against geolocation data broker
The Federal Trade Commission (FTC) on Tuesday announced its first-ever settlement with a data broker for selling location data, alleging the company peddled consumers’ precise locations and allowed third parties to track visits to health care providers, houses of worship and similarly sensitive destinations.
Under the terms of the settlement, data broker Outlogic, previously known as X-Mode Social, will no longer be able to share sensitive and precise location data, will have to destroy data already gathered, and will have to establish programs to prevent further abuses.
The FTC charged that X-Mode/Outlogic, based in Virginia, also had no guardrails set up to prevent third parties from using the information.
The data broker in this case failed to implement any policies to strip sensitive locations from the data it peddled until May 2023, the FTC’s complaint said.
“X-Mode/Outlogic did not implement reasonable or appropriate safeguards against downstream use of the precise location data it sells, putting consumers’ sensitive personal information at risk,” the FTC said in a press release.
In one example of how this lack of safeguards played out, the FTC said X-Mode/Outlogic did not have any technology in place to make sure it responded to requests from Android users to not be tracked.
The agency said X-Mode/Outlogic sold data tied to unique identifiers assigned to individual mobile phones. The data was sold in its “raw” form, the FTC said, meaning it was not anonymized and could reveal which locations identified consumers went to.
It also peddled “custom audience segments” and in at least one case sold data showing Ohio consumers’ visits to medical facilities and pharmacies to a clinical research company, in violation of the FTC Act’s unfair and deceptive practices clause.
A spokesperson for X-Mode/Outlogic said company officials "disagree with the implications of the FTC press release," and noted that "the FTC found no instance of misuse of any data and made no such allegation."
The company has always "imposed strict contractual terms on all data customers prohibiting them from associating its data with sensitive locations such as healthcare facilities," the spokesperson said. "Adherence to the FTC’s newly introduced policy will be ensured by implementing additional technical processes and will not require any significant changes to business or products."
Highlighting the increased attention it is paying to data brokers, the FTC signaled it has its eye on other companies, saying in a press release that some data brokers even “offer services that help companies match such data to individual consumers.”
In X-Mode/Outlogic’s case, the FTC said the company “licenses” precise location data it gathers from apps and builds it into its own apps, and then augments the information with location data supplied by other data brokers. From there, X-Mode/Outlogic sells consumer data to hundreds of customers working in a variety of sectors, including real estate, finance, and private government contractors for national security purposes. The FTC said the notifications X-Mode/Outlogic funneled to consumers through the apps did not fully disclose what their geolocation data would be used for.
“In most instances, X-Mode does not communicate directly with consumers,” the FTC complaint said. “Because X-Mode obtains most of its location data from third party apps, the company relies on these third parties to obtain informed consumer consent to collect, use, or sell location data.”
“Geolocation data can reveal not just where a person lives and whom they spend time with but also, for example, which medical treatments they seek and where they worship,” FTC Chair Lina Khan said in a prepared statement.
“By securing a first-ever ban on the use and sale of sensitive location data, the FTC is continuing its critical work to protect Americans from intrusive data brokers and unchecked corporate surveillance,” she added.
Privacy watchdogs called the settlement groundbreaking but far from enough.
“This is both a milestone settlement and the tip of the iceberg,” John Davisson, director of litigation at the Electronic Privacy Information Center, said via email. “The FTC's order imposes real, piercing consequences on X-Mode and will make it much harder for the company to track and profit off of our movements through the world.”
However, Davisson noted that X-Mode/Outlogic is one of thousands of companies that traffic in such data, highlighting the need for stricter across-the-board rules.
Senator Ron Wyden (D-OR), a longtime critic of the data broker industry, also released a statement reinforcing the significance of the FTC’s action but lamenting the lack of industrywide regulation. Wyden noted that he discovered X-Mode/Outlogic was selling location data through defense contractors to military clients in 2020.
“While the FTC's action is encouraging, the agency should not have to play data broker whack-a-mole,” Wyden’s statement said. “Congress needs to pass tough privacy legislation to protect Americans' personal information and prevent government agencies from going around the courts by buying our data from data brokers.”
X-Mode/Outlogic will not only be prohibited from sharing sensitive location data under the proposed order, but also will be forced to build a program that allows it to develop a list of sensitive locations; destroy location data it has already gathered; and formally track whether its suppliers are allowing consumers to give informed consent for collection of their data, among other provisions.
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.