FTC settles second case with geolocation data broker in two weeks
The Federal Trade Commission announced its second settlement with a location data broker in as many weeks Thursday, signaling the agency is more aggressively policing the sector for peddling individuals’ most sensitive data to the highest bidder, often without informed consent.
The agency alleges that data aggregator InMarket Media improperly collected, used and stored consumers’ location data which it then packaged into specific audience segments for advertisers and stored for five years.
Under the terms of the settlement, the Texas-based data broker will be barred from selling or licensing precise location data and from “selling, licensing, transferring, or sharing any product or service that categorizes or targets consumers based on sensitive location data,” according to an agency press release.
As with its recent settlement with the data broker Outlogic, the FTC’s latest complaint largely relies on the fact that InMarket did not fully inform consumers or get their consent prior to amassing their location data and selling it to advertisers.
The companies’ failure to adequately alert consumers in these cases violates Section 5 of the FTC Act, which bars unfair and deceptive practices.
But the agency’s repeated use of the lever highlights the FTC’s somewhat limited power to rein in data brokers. Even if the companies do improve how they notify consumers, most people don’t read what are often dense and inaccessible terms and conditions.
Read more: Data brokers are selling US service members’ secrets, researchers find
According to the FTC, InMarket created a package of development tools called InMarketSDK that can be embedded in mobile applications. It used that technology to track consumers’ exact movements, placing the technology in apps which would request access to location data stored in a given mobile device’s operating system.
“If the user allows access, InMarket SDK receives the device’s precise latitude and longitude, along with a timestamp and a unique mobile device identifier, as often as the mobile device’s operating system provides it — ranging from almost no collection when the device is idle, to every few seconds when the device is actively moving — and transmits it directly to [InMarket’s] servers,” the FTC complaint said.
About 100 million unique devices sent InMarket location data each year from 2016 to now, the FTC said, adding that the SDK technology has been downloaded onto over 390 million unique devices since 2017. The vast number of downloads was fueled by InMarket’s promise of a portion of revenues to more than 300 app developers who incorporated their technology.
InMarket said in a statement that it has “no interest in selling consumer location data, and we have confirmed we will not do so.”
“We fundamentally disagree with the FTC’s allegations,” the statement said. “Notably, the FTC does not claim there were any issues with our privacy policy nor any specific instances of consumer harm.”
The company also said it is expanding its “existing sensitive location protections for consumers to provide a model for the industry, and we are working closely with our SDK partners to ensure their notice and consent processes are clear.”
“We share the FTC’s commitment to advancing consumer privacy,” the statement said.
'Serial data hoarders'
The FTC said InMarket’s location data fed a larger targeted advertising apparatus which cross-referenced location histories with specific locations to determine if those advertising-related locations had been visited. The company would then sort consumers across nearly 2,000 targeted advertising segments as specific as “Christian church goers,” “healthy and wealthy,” or “wealthy and not healthy,” according to the complaint.
InMarket also sold advertisers the ability to send consumers’ push notifications based on their locations, the complaint said.
“For example, a consumer who is within 200 meters of a pharmacy might see an ad for toothpaste, cold medicine, or some other product sold at that location,” the complaint said.
The FTC acknowledges that InMarket tells consumers in its privacy policy that it uses their data for targeted advertising, but argues the disclosure is insufficient because the consent screen does not link to the privacy policy. It also said “misleading prompts do not inform consumers of the apps’ data collection and use practices.”
InMarket did not get informed consent from users of its own apps, which offered shopping rewards and lists, and misled consumers into believing the location data it collected would only be used for the purpose of obtaining reward points or making the lists, according to the complaint.
Worse, the FTC said, InMarket did not ensure that third-party apps using its SDK technology obtained informed consent or even tell the app developers themselves that the location data the apps served up would be used to segment consumers for marketing purposes.
“All too often, Americans are tracked by serial data hoarders that endlessly vacuum up and use personal information,” FTC Chair Lina Khan said in a statement. “We’ll continue to use all our tools to protect Americans from unchecked corporate surveillance.”
The InMarket settlement is the first to include a blanket prohibition on selling or licensing precise location data. In addition to the ban, InMarket will have to delete all previously collected location data, make it easier for consumers to withdraw their consent for the collection and use of their location data, and create a way for consumers to request deletion of any location data that InMarket previously collected.
Abuse of location data is increasingly under scrutiny. In a complaint filed with the FTC Thursday, the Electronic Privacy Information Center (EPIC) and Accountable Tech urged the agency to investigate Google, which they said did not promptly erase location records for users who had visited abortion clinics — even though the tech giant allegedly said it would.
A spokesperson for Google said the company is “upholding our promise to delete particularly personal places from Location History if these places are identified by our systems - any claims that we’re not doing so are patently false or misguided."
Suzanne Smalley
is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.