FTC Targets New Advertising Arena in Blocking Sale of Sensitive Location Data

The Federal Trade Commission (FTC) has taken enforcement action against data broker Mobilewalla, prohibiting the sale of sensitive location data. The action alleges that Mobilewalla violated the FTC Act by collecting location data from consumers – potentially revealing sensitive information that includes their home address and visits to places such as healthcare facilities, places of worship, military sites, and other highly sensitive locations – and then selling this information to third parties without verifying consumers had previously provided consent.

Ad exchanges in the enforcement spotlight

The case highlights a new focus on the collection, sale, and use of data through ad exchanges, in which digital space is auctioned to advertisers. The FTC’s complaint alleges that from June 2018 to June 2020, Mobilewalla collected more than 500 million unique consumer advertising identifiers paired with consumers’ precise location data. The raw data was not anonymized, and there were no policies to remove sensitive location information from the data collected. Among its uses, Mobilewalla used the data to build audience segments for its clients’ targeted advertising purposes, including providing sensitive segmented data of women who had visited pregnancy centers, and creating a report that analyzed individuals who had attended protests for the death of George Floyd along with information on their racial background and residential location.

Enforcing compliance

Under the proposed order, Mobilewalla will be prohibited from using, transferring, selling and disclosing consumer location data associated with sensitive locations like health clinics, religious organizations, correctional facilities, labor union offices, LGBTQ+-related locations, political gatherings, and military installations. The company is also prohibited from “misrepresenting how it collects, maintains, uses, deletes or discloses consumers’ personal information, and the extent to which consumers’ location data is deidentified.” More specifically, Mobilewalla is required to:

  • Not collect or retain consumer data while participating in online advertising auctions for any purpose other than participating in the online auctions.
  • Create a sensitive location data program that includes a comprehensive list of sensitive locations and is designed to prevent the use, sale or disclosure sensitive location data or otherwise using sensitive location data in any product or service.
  • Implement a method for consumers to request deletion of their location data from the company and to delete certain types of older data.
  • Create a comprehensive privacy program to protect consumers’ personal data, assess the program annually, and train employees and vendors with access to sensitive data.
  • Assess vendors and other third parties to confirm that consumers have provided consent for the collection and use of location data.
  • Provide consumers with a method for revoking consent, and delete the consumer’s data and cease collecting once a request has been received.

The FTC’s action against Mobilewalla follows similar enforcement against companies Kochava and X-Mode for selling raw or precise sensitive location data and reflects an emerging trend toward enforcement against use of sensitive location data and unexpected data collection and use.

Protecting your business’s data collection and use

In light of the Commission’s growing focus on protecting sensitive location data, what steps should businesses take to ensure ongoing compliance with expanding data privacy laws? We recommend these best practices:

1. Build Transparency and Consumer Trust
  • Clear Privacy Policies: Provide clear and concise privacy policies that explain what data is collected, how it is used, and with whom it is shared
  • Communicate with Consumers: Regularly inform consumers about their data rights and any changes to your data practices.
  • Obtain Clear Consent: Ensure that you have explicit consent from consumers before collecting their sensitive information like location data.
2. Enhance Data Security Measures
  • Implement Strong Security Protocols: Use encryption, secure access controls, and regular security audits to protect consumer data.
  • Monitor Data Access: Keep track of who accesses personal data and ensure that only authorized personnel have access.
  • Educate Employees: Provide regular training on data privacy and security best practices to all employees.
3. Comply with Regulations
  • Stay Informed: Keep up-to-date with state and federal data privacy laws and regulations, as well as enforcement actions that can provide a peek inside regulators’ minds.
  • Conduct Regular Audits: Perform regular compliance audits to ensure that your data practices align with current laws and regulations.
4. Data Minimization and Retention
  • Limit Data Collection: Only collect data that is necessary for the purposes you disclose to the consumer. Avoid gathering excessive or irrelevant information.
  • Be Extra Careful with Sensitive Information: If sensitive information like location, health, biometric, or certain demographic data is desired, be extra cautious and fully assess whether the information is truly necessary or if other non-sensitive or anonymized information could achieve the same goal.
  • Minimize Data Retention: Only retain data for as long as necessary for business purposes. Implement policies for regular data deletion.
  • Secure Disposal: Ensure that data is securely disposed of when no longer needed.
5. Third-Party Management
  • Vet Your Vendors: Make sure that any third parties you share data with comply with data privacy standards.
  • Limit Data Sharing: Restrict the amount of data shared with third parties and ensure they use it only for intended purposes.

And of course, our top recommendation: work with experienced privacy counsel to help you achieve all of the above. The privacy landscape is constantly evolving, especially at the state level. Our privacy team can help your business comply with existing laws and prepare for emerging ones while minimizing the impact to your operations.

Josh Stevens headshot

A Partner at M&S, Josh advises clients on a range of proactive and responsive matters, helping them achieve their business goals while complying with federal and state privacy and other consumer protection laws.

8492 5662 Josh Stevens
Share This Post:
Start Typing
Skip to content