FTC Takes Action Against Two Data Brokers For Unlawfully Selling Consumers’ Precise Geolocation Data
The Federal Trade Commission has taken action against two data brokers for alleged FTC Act violations related to the collection, use, and sale of sensitive geolocation data without user consent. Gravy Analytics Inc. and its subsidiary Venntel Inc. are alleged to have engaged in the unlawful tracking and sale of consumers’ sensitive location data, including visits to healthcare facilities, places of worship, correctional facilities, schools/childcare facilities, military installations, and other sensitive locations. According to the FTC’s complaint, both companies are alleged to have violated the FTC Act by collecting and using consumers’ geolocation data without verifiable user consent for commercial and government uses, and unfairly selling sensitive consumer location data.
Most Americans own a mobile phone and have it on their person or close by at all times. Since these devices usually precisely track the user’s location, records are generated of the user’s movements and location throughout the day and night. Geolocation data reveals the places a person visits regularly, where they live and work, and where they sleep at night. It is also possible to infer information such as a user’s religious beliefs, political leaning, sexual orientation, and likely medical conditions from the location data.
The FTC alleged that Ashburn, VA-based Gravy Analytics and Herndon, VA-based Venntel collected sensitive location data indirectly from other data suppliers through mobile applications or the mobile advertising marketplace, so consumers had no idea that their movements were being collected by the companies and sold to third parties. Since the location data is tied to the unique Mobile Advertising ID (MAID) specific to each mobile device, the data can be used by marketers to serve highly targeted advertising to consumers and potentially even identify individuals when combined with data from other sources.
Gravy Analytics and Venntel collected raw geolocation data to gain insights into consumers’ lives, with Gravy Analytics identifying consumers based on attributes and behaviors revealed by their geolocation data. Gravy Analytics was focused on selling data and products to commercial customers, including a product that allowed its customers to geofence certain locations and obtain the MAIDs of users that visited that location. The locations included specific churches and events related to certain medical conditions.
Through verification processes to remove potentially inaccurate location data, Gravy Analytics claimed its location data was precise to a distance of approximately 1 meter, which means the data not only shows the buildings a person visits but also the rooms in that building. Venntel was focused on selling the data to public sector customers and offered similar tools, including geo-fencing options for specific locations and the ability to continuously track a single device.
According to the FTC, the companies collected, processed, and curated more than 17 billion signals from around a billion mobile devices each day. Since the data is not anonymized and can be tied to individuals, people could potentially be identified by name. By selling this data, the FTC said the companies exposed consumers to potential privacy harms, and the nature of the locations visited put consumers at risk of stigma, discrimination, violence, and other harms.
The FTC’s proposed order settles the alleged violations and requires the companies to maintain a list of sensitive locations and establish a sensitive data location program that prevents the use, sale, license, transfer, sharing, or disclosure of consumers’ visits to those locations, except for law enforcement and national security reasons. The locations include medical facilities, correctional facilities, schools/childcare facilities, military installations, religious organizations, labor union offices, services supporting people based on racial and ethnic backgrounds, and services sheltering homeless, domestic abuse, refugee, or immigrant populations.
The companies are also required to delete all historic location data and any products developed using that data, unless the data is de-identified. Any company that received data from the companies must also be notified that they should delete, de-identify, or render the data non-sensitive. Further, all suppliers of user data to the companies must be assessed to ensure that consumers have provided valid consent for their data to be collected.
