FTC Prohibits Two Data Brokers From Selling Sensitive Location Data

The Federal Trade Commission is cracking down on several data brokers, including Gravy Analytics Inc. and its subsidiary Venntel Inc., as well as Mobilewalla, for tracking and selling consumer location data linked to sensitive places like medical or religious facilities.

Virginia-based Gravy Analytics said it offers products for gleaning business information from location data - enabling enterprises to carry out location-based advertising, or better understand “foot traffic and visitation trends,” for instance - while Georgia-based data broker Mobilewalla said it provides mobile marketing tools. 

But the FTC is alleging that the companies collected consumer location data for commercial and government uses - in Mobilewalla’s case, data that sometimes exposed the identity of an individual’s private home - without obtaining consumer consent. Moving forward, both companies are prohibited from collecting and selling sensitive location data, said the FTC in Tuesday press releases. 

Key Details:

• The FTC alleged that Gravy Analytics continued using consumers’ location data, even after learning that consumers hadn’t provided “informed consent”

• Gravy Analytics allegedly sold sensitive location data that exposed individual characteristics like medical and health decisions, political activities and religious viewpoints

• Between 2018 to 2020, Mobilewalla allegedly collected more than 500 million unique consumer advertising identifiers, paired with consumers’ precise location data that was not anonymized 

Why It Matters: The types of location data at stake here could potentially expose sensitive information about people, like their religious or political beliefs, or medical information. For instance, Gravy Analytics allegedly used its tools to create virtual location-based boundaries, also known as geofencing, to identify and sell lists of consumers that attended events related to health conditions or places of worship. Meanwhile, Mobilewalla did not have policies to delete sensitive locations from data sets it was selling to third-party companies, meaning that the data could be used to identify consumers’ mobile devices and the sensitive locations they visited.

The disclosure of this type of information can open consumers up to discrimination, emotional distress, or even physical violence. As Samuel Levine, director of the FTC’s Bureau of Consumer Protection, put it in a statement on Tuesday: “Surreptitious surveillance by data brokers undermines our civil liberties and puts servicemembers, union workers, religious minorities, and others at risk.”

The Background: The FTC has been paying particular attention to these types of privacy invasions, and the agency has taken action against several other companies this year that it alleges sold sensitive location data, including InMarket, X-Mode and more. The timing of this latest crackdown is notable, as FTC Chair Lina Khan likely has limited time remaining in her current role.

The Big Picture: Moving forward, the FTC is prohibiting Gravy Analytics and Venntel from selling, licensing, transferring, sharing, disclosing and leveraging sensitive data, “except in limited circumstances involving national security or law enforcement.” The companies must also delete all historic location data, and make sure that customers that received sensitive location data within the last three years delete it. 

The companies must also create a formal program that specifically lists sensitive location data types and that explicitly prevents the use of data linked to consumers’ visits of locations like medical, religious, or correctional facilities; labor union offices; schools; military installations; homeless, domestic abuse or immigrant shelters; or services for people based on racial and ethnic backgrounds.  

Meanwhile, Mobilewalla “will be prohibited from misrepresenting how it collects, maintains, uses, deletes or discloses consumers’ personal information, and the extent to which consumers’ location data is deidentified,” according to the FTC’s release. “It also is prohibited from using, transferring, selling and disclosing sensitive location data from health clinics, religious organizations, correctional facilities, labor union offices, LGBTQ+-related locations, political gatherings and military installations.”