FTC Halts Sale of Sensitive Location Data: X-Mode Social and Outlogic Prohibited from Unauthorized Practices
The Federal Trade Commission (FTC) has issued an order prohibiting data broker X-Mode Social and its successor, Outlogic, from selling sensitive location data. The decision comes in response to allegations that the companies sold precise location data that could potentially be exploited to track individuals’ visits to sensitive locations such as medical and reproductive health clinics, places of religious worship, and domestic abuse shelters.
The settlement represents the FTC’s first action against a data broker specifically concerning the collection and sale of sensitive location information. X-Mode Social, based in Virginia, and its successor, Outlogic, allegedly failed to implement reasonable safeguards on the use of such information by third parties. The FTC's move underscores its commitment to curbing the collection, sale, or disclosure of consumers' sensitive location data.
FTC Chair Lina M. Khan emphasized the significance of the action, stating, “Geolocation data can reveal not just where a person lives and whom they spend time with but also, for example, which medical treatments they seek and where they worship. The FTC’s action against X-Mode makes clear that businesses do not have free license to market and sell Americans’ sensitive location data.”
The raw location data sold by X-Mode/Outlogic is associated with mobile advertising IDs, unique identifiers linked to each mobile device. This data, which is not anonymized, can be used to match an individual consumer’s mobile device with the locations they visited, posing serious privacy concerns. Some companies offer services that help match such data to specific consumers.
X-Mode/Outlogic collects precise location data through third-party apps that use its software development kit (SDK), through its own mobile apps, and by purchasing location data from other brokers. The company sells this data to numerous clients in various industries, including real estate, finance, and private government contractors, for purposes such as advertising and brand analytics.
The FTC alleges that until May 2023, X-Mode/Outlogic lacked policies to remove sensitive locations from the raw location data it sold. Furthermore, the company purportedly failed to implement reasonable safeguards against downstream use of the precise location data, putting consumers’ sensitive personal information at risk.
The information revealed through the location data not only violated consumers’ privacy but also exposed them to potential discrimination, physical violence, emotional distress, and other harms, according to the complaint.
The FTC also accused the company of failing to inform users of its own apps and third-party apps that used X-Mode/Outlogic’s SDK about how their location data would be used. Privacy disclosures provided to third-party apps allegedly did not fully inform consumers about the entities receiving the data, and the company failed to ensure these apps obtained informed consumer consent.
The proposed order resulting from the settlement outlines several key provisions, including the creation of a program to ensure X-Mode/Outlogic does not share, sell, or transfer location data about sensitive locations. The order also requires the company to delete or destroy all previously collected location data unless it obtains consumer consent or ensures the data has been de-identified.
X-Mode/Outlogic is further mandated to develop a supplier assessment program to ensure that companies providing location data obtain informed consent, and to implement procedures to prevent the data from being associated with locations providing services to LGBTQ+ individuals or locations of public gatherings.
The proposed order also stipulates the establishment of mechanisms for consumers to withdraw consent and request information about data recipients, and outlines requirements for a comprehensive privacy program.