FTC Sets its Sights on “Sensitive Location Data”

Two recently announced actions signal to businesses how seriously the Federal Trade Commission takes the privacy of individuals’ precise location data. They demonstrate how broadly the FTC will interpret Section 5 of the FTC Act to go after what it considers unfair and deceptive practices involving sensitive personal data, and they provide a roadmap for the FTC’s expectations for companies dealing in such sensitive data.

What is “sensitive location data”?

In its consent orders with the companies discussed below, the FTC has defined “sensitive location data” to refer to any data that may reveal the precise location of a person or their mobile device and is associated with a sensitive location. Sensitive locations can include (1) medical facilities; (2) religious organizations; (3) correctional facilities; (4) labor union offices; (5) education or childcare facilities; (6) associations held out to the public as predominantly providing services based on racial or ethnic origin; and (7) facilities providing temporary shelter or social services to the homeless, survivors of domestic violence, refugees, or immigrants.

What did the FTC do?

On January 9, 2024, the FTC announced an enforcement action claiming location data broker X-Mode Social, Inc. and its successor Outlogic, LLC (together, “Outlogic”) sold precise location data that could be used to track individuals’ visits to sensitive locations, such as certain medical facilities and domestic abuse shelters. The FTC alleged in its complaint that Outlogic failed to not only obtain informed consent from consumers to collect their precise location, but also failed to implement appropriate safeguards on the use of such data by purchasers. The FTC alleged that Outlogic’s failures not only violated consumers’ privacy, but also exposed consumers to potential discrimination, violence, emotional distress, and other harms.

Additionally, on January 18, 2024, the FTC claimed digital marketing platform and data aggregator InMarket Media, LLC (“InMarket”) failed to obtain informed consent from consumers before collecting and using their precise location data for advertising and marketing purposes. The FTC alleged in its complaint that InMarket failed to fully inform users that their location data would be combined with other data about them and then used to target advertising to them.

The FTC has issued draft consent orders against both companies and will decide whether to make the orders final after a 30-day public comment period. Of particular interest in both the Outlogic and InMarket proposed orders are the requirements that each company establish a “Sensitive Location Data Program” and a “Supplier Assessment Program”:

• The Sensitive Location Data Program would require that each company implement procedures to identify sensitive locations and prevent the use or disclosure of sensitive location data with a few limited exceptions. The order would also require that each company assess the accuracy and completeness of its list of sensitive locations at least every six months, evaluate its Sensitive Location Data Program annually, and respond to changes in its operations that may affect the program’s effectiveness.
• The Supplier Assessment Program would require that each company implement a program to ensure consumers have consented to the collection and use of location data obtained from a third party. Each company would be required to assess (and document), within 30 days of entering into a third-party data sharing agreement and annually thereafter, whether consumers provided consent to the collection, use, and sale of their location data. The order would also require the companies to cease dealing in location data if it cannot confirm consumers have provided consent.

What does this mean for organizations that deal in location data?

In both orders, the FTC re-affirmed the need for businesses to attain informed consent before collecting, using, or selling consumers’ precise location data. A business wishing to stay on the right side of a Section 5 violation might also implement programs similar to the Sensitive Location Data and Supplier Assessment Programs required by the two orders. Perhaps the most significant development, however, is what appears to be a ban on certain dealings with sensitive location data. In its proposed order with Outlogic, the FTC broadly prohibits the company from disclosing or otherwise using sensitive location data in any products or services. However, the FTC did specify that these prohibitions would not apply if Outlogic will “(i) use Sensitive Location Data to convert such data into data that (a) is not Sensitive Location Data or (b) is not [location data]; or (ii) have a direct relationship with the consumer related to the Sensitive Location Data, the consumer has provided [informed and expressly given consent], and the Sensitive Location Data is used to provide a service directly requested by the consumer.”

Carson Martinez, an associate in Morrison Foerster's Privacy + Data Security practice, contributed to the writing of this alert.