Blue and white gears

Privacy Policies Under Scrutiny: Location Tracking

In a recent enforcement action, the Federal Trade Commission (FTC) settled charges against X-Mode Social, Inc., and its successor Outlogic, LLC, alleging violations of the Federal Trade Commission Act. The case revolves around the improper collection and use of sensitive geolocation data from consumers without proper consent. The FTC alleged the company sold the data that could be used to track people’s visits to medical and reproductive health clinics, places of worship, and domestic abuse shelters.

Key Issues

  • Misrepresentation – X-Mode and Outlogic misrepresented the extent to which they collected, used, and deleted consumers’ geolocation data, and whether such data was anonymized.
  • Sensitive Location Data – The companies collected data from sensitive locations such as medical facilities and religious institutions without consent.
  • Third-Party Sharing – There were inadequate safeguards against unauthorized third-party sharing of sensitive data.

FTC Order Requirements

  • Prohibition of further misrepresentations regarding data practices.
  • Establishment of a comprehensive privacy program.
  • Deletion of all improperly collected historic location data.
  • Implementation of a supplier assessment program to ensure consumer consent is obtained and verified before data collection.
  • Regular reporting and recordkeeping to ensure ongoing compliance.

 

For a detailed examination of the FTC’s findings and the ordered provisions, please refer to the official decision and order: In the Matter of X-Mode Social, Inc., No. 212-3038, 2024 WL 1639515 (F.T.C., Apr. 11, 2024). 

 

Practical Tips for Companies Engaging in Data Collection and Processing

  1. Explicit Consent– Obtain express consent from consumers before collecting and using location data; The consent must clearly outline the data’s purpose.
  2. Transparency -Provide clear and conspicuous disclosures, detailing data usage and sharing practices. These disclosures should be separate from company privacy policies.
  3. Data Minimization – Limit the collection of data to essential information for the specified purposes and establish strict retention policies.
  4. Third-Party Assessments– Conduct regular assessments of third-party partners to ensure adherence to consent and privacy standards.
  5. Sensitive Locations– Avoid collecting data from sensitive locations absent explicit consent for that specific purpose.
  6. Consumer Control: Offer easily accessible options for consumers to withdraw their consent and request data deletion.
  7. Privacy Program: Develop a comprehensive privacy program that includes risk assessments, employee training, and regular testing of safeguards.
  8. Incident Response: Establish procedures for reporting and responding to third-party incidents involving unauthorized data sharing.

How might this affect your Business?

If your business handles consumer data, especially geolocation data, compliance with data privacy regulations should be addressed carefully. RLF attorneys can provide expert guidance, help navigate the complexities of data privacy laws, implement robust privacy programs, and ensure your company’s practices align with regulatory expectations. Contact us for a consultation to protect your business and your customers’ privacy.

If you would like to discuss the issues raised here, please contact Rosenblatt Law Firm at (210) 562-2900.

Sign Up For Our Newsletter

ATTENTION BUSINESS OWNERS! Save the date for our Zoom Update on the Federal Trade Commission Non-Compete Ban.