Privacy Policies Under Scrutiny: Location Tracking

In a recent enforcement action, the Federal Trade Commission (FTC) has settled charges against X-Mode Social, Inc., and its successor Outlogic, LLC, alleging violations of the Federal Trade Commission Act. The case revolves around the improper collection and use of sensitive geolocation data from consumers without proper consent.

Key Issues

• Misrepresentation – X-Mode and Outlogic misrepresented the extent to which they collected, used, and deleted consumers’ geolocation data, and whether such data was anonymized.
• Sensitive Location Data – The companies collected data from sensitive locations such as medical facilities and religious institutions without consent.
• Third-Party Sharing – There were inadequate safeguards against unauthorized third-party sharing of sensitive data.

FTC Order Requirements

• Prohibition of further misrepresentations regarding data practices.
• Establishment of a comprehensive privacy program.
• Deletion of all improperly collected historic location data.
• Implementation of a supplier assessment program to ensure consumer consent is obtained and verified before data collection.
• Regular reporting and recordkeeping to ensure ongoing compliance.

For a detailed examination of the FTC’s findings and the ordered provisions, please refer to the official decision and order: In the Matter of X-Mode Social, Inc., a corporation, and 2024 WL 1639515.

Call to Action. If your business handles consumer data, especially geolocation data, and you’re concerned about compliance with data privacy regulations, our attorneys can provide expert guidance. We can help you navigate the complexities of data privacy laws, implement robust privacy programs, and ensure your practices align with regulatory expectations. Contact us for a consultation to protect your business and your customers’ privacy.

Practical Tips for Data Collection and Processing

1. Explicit Consent– Obtain affirmative express consent from consumers before collecting and using location data, clearly outlining the data’s purpose.
2. Transparency -Provide clear and conspicuous disclosures, separate from privacy policies, detailing data usage and sharing practices.
3. Data Minimization – Limit the collection of data to what is necessary for the specified purposes and establish strict retention policies.
4. Third-Party Assessments– Conduct regular assessments of third-party partners to ensure they adhere to consent and privacy standards.
5. Sensitive Locations– Avoid collecting data from sensitive locations unless you have explicit consent for that specific purpose.
6. Consumer Control: Offer easily accessible options for consumers to withdraw their consent and request data deletion.
7. Privacy Program: Develop a comprehensive privacy program that includes risk assessments, employee training, and regular testing of safeguards.
8. Incident Response: Establish procedures for reporting and responding to third-party incidents involving unauthorized data sharing.

If you would like to discuss the issues raised here, please contact Rosenblatt Law Firm at (210) 562-2900.