FTC cracks down on two data brokers for sale of sensitive location data
The U.S. Federal Trade Commission (FTC) Tuesday filed a complaint and proposed Decision and Order against two Virginia-based data brokers alleging that they unlawfully tracked and sold sensitive consumer location data. This data, which included information about visits to health-related facilities and places of worship, was allegedly collected and sold to government and commercial parties without obtaining verifiable user consent in violation of the FTC Act.
Once finalized, the order will carry the force of law, and any violations may result in civil penalties of up to $51,744 per infraction. The FTC alleges in its complaint that Virginia-based Gravy Analytics and its subsidiary, Venntel Inc., “claim to ‘collect, process, and curate’ over 17 billion signals from approximately a billion mobile devices on a daily basis.”
The FTC alleges that the two companies “violated the FTC Act by unfairly selling sensitive consumer location data and by collecting and using consumers’ location data without obtaining verifiable user consent for commercial and government uses.”
Gravy Analytics’ website says it “respects consumer privacy and ensures that location data collected at sensitive locations is not used, shared, or resold.”
The latest action by the FTC marks the commission’s fifth enforcement action targeting data brokers for mishandling sensitive location data. Earlier actions – including two this year – for similar violations involving the sale of data linked to sensitive locations were taken against Kochava, X-Mode, InMarket, and Mobilewalla.
The latest move by the FTC against Venntel and Gravy Analytics could fuel the fire in Congress over the government’s purchase of consumer information from data brokers. In August, Biometric Update reported that a bipartisan bill was passed by the House that would ban the government from buying Americans’ personally identifiable information from data brokers and aggregators. The legislation would close the data-broker loophole in the law that allows governments to buy data they would otherwise need a warrant to obtain. The bill was passed in the wake of a massive security breach of data broker National Public Data that put gigabytes of information on possibly millions of individuals at risk.
Lawmakers and the Department of Justice (DOJ) are also concerned about the national security threat that’s posed by third-party data brokers and businesses selling the data that they collect to entities with ties to Russia, Iran, China, and other countries of concern. These data brokers are the primary targets of a proposed DOJ rule that was issued in October that would bar them from selling the data they collect to any entity that has ties to countries identified by DOJ in the rule.
DOJ unveiled its final proposed rules in October to carry out President Joe Biden’s February 28 Executive Order, Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.
According to the FTC’s latest complaint, Gravy Analytics continued to use consumers’ location data after learning that consumers did not provide informed consent. Gravy Analytics also unfairly sold sensitive characteristics like health or medical decisions, political activities, and religious viewpoints that were derived from consumers’ location data, the FTC alleges.
The FTC’s proposed three-count complaint alleges that the two companies violated Section 5(a) of the FTC Act by unfairly selling sensitive location data and unfairly collecting, using, and transferring consumer location data without consent verification, and that Gravy Analytics violated Section 5 of the FTC Act by unfairly selling inferences about consumers’ sensitive characteristics derived from location data.
In July 2022, the American Civil Liberties Union (ACLU) published thousands of pages of previously unreleased records about how Customs and Border Protection, Immigration and Customs Enforcement, and other agencies of the Department of Homeland Security were “sidestepping the Fourth Amendment right against unreasonable government searches and seizures by buying access to, and using, huge volumes of people’s cell phone location information quietly extracted from smartphone apps” by Venntel and Babel Street.
Four years earlier, the Supreme Court had ruled in Carpenter v. United States that the government needs a warrant to access a person’s cellphone location history from cellular service providers because of the “privacies of life” those records can reveal.
The ACLU said that “in the documents we received … we found Venntel marketing materials sent to DHS explaining how the company collects more than 15 billion location points from over 250 million cell phones and other mobile devices every day.”
As part of the FTC’s proposed settlement, Gravy Analytics and Venntel would be prohibited from selling, disclosing, or using sensitive location data in any product or service. They would also be required to establish a sensitive location data program to prevent further misuse of such data.
FTC Bureau of Consumer Protection Director Samuel Levine highlighted the broader implications of the companies’ practices, stating that “surreptitious surveillance by data brokers undermines our civil liberties and puts servicemembers, union workers, religious minorities, and others at risk. This is the FTC’s fourth action this year challenging the sale of sensitive location data, and it is past time for the industry to get serious about protecting Americans’ privacy.”
“You may not know anything about Gravy Analytics, but Gravy Analytics may know quite a bit about you,” said Commissioner Alvaro M. Bedoya, Chair Lina M. Khan, and Commissioner Rebecca Kelly Slaughter in a joint statement.
The commissioners allege that Gravy Analytics appended 1,100 labels “to individual consumers so as to sell their bundled data to private companies for targeted advertising — or to better understand the ‘persona’ of any given individual whose data a company has requested. According to our complaint, respondents actively encouraged their customers to identify individual people using the data they sold.”
The commissioners said in their statement that the cell phone data could tell when a person had breakfast at McDonald’s, purchased CBD oil, are a Republican or Democrat, bought lingerie, are pregnant, a stay-at-home parent, “a blue-collar Gen X parent” or a “golf-lover who has recently been looking into Medicare.”
The complaint says “Venntel tells potential customers that ‘location data makes it possible to gain real-life insight into a device users’ patterns-of-life (POL), locations visited, and known associates.’ Venntel further explains that, over a 90-day tracking of a ‘VIP Device,’ the company was able to identify the device user’s ‘bed down location, work location, and visits to … United States Government buildings.”
“Additionally,” the complaints states, “in a ‘Quick Guide’ document for one of its services, Venntel notes that where a device is located during the evening hours will show its customers when the consumer is at ‘home, gym, evening school, etc.’ Indeed, companies and other entities are using precise geolocation data to identify consumers and their activities.”
“In one well-publicized example,” the FTC complaints says, “a group used precise mobile geolocation data to identify by name a Catholic priest who visited LGBTQ+-associated locations, thereby exposing the priest’s sexual orientation and forcing him to resign his position. As another example, journalists who purchased precise mobile geolocation from a data broker were able to track consumers over time and, as a result, identify several consumers, including military officials, law enforcement officers, and others. One person the journalists were able to identify by name (and who confirmed her identity) was tracked attending a prayer service at a church.”
The FTC alleges that the two Virginia companies have collected more than 17 billion daily location signals from roughly a billion mobile devices. Far from anonymized, the commission said “these signals can be used to identify individual consumers. Gravy Analytics reportedly employed geofencing technology to track users visiting locations tied to sensitive activities, including medical events and religious practices.”
The FTC expressed concern over the potential harm to consumers resulting from these practices, including risks of stigma, discrimination, and violence. Sensitive characteristics derived from location data could expose users to various forms of harm, particularly when shared without their knowledge or consent, the FTC said.
Under the FTC’s proposed Decision and Order – which has a 30-day public comment period – the companies face strict prohibitions on the sale, transfer, or disclosure of sensitive location data, except in cases involving national security or law enforcement. The two companies would also be required to implement a program to identify and safeguard sensitive locations, including medical facilities, places of worship, schools, correctional facilities, and shelters for vulnerable populations.
Additionally, Gravy Analytics and Venntel would be required to delete all historical location data and any products derived from that data unless they can ensure the information is de-identified or rendered non-sensitive.
The settlement would also mandate that the companies inform customers who received sensitive location data within the past three years of their obligation to delete or de-identify this data. Furthermore, the companies would have to establish a supplier assessment program to verify consumer consent for the collection and use of precise location data, and would be barred from misrepresenting their data practices, including the extent to which they review compliance with consent frameworks and ensure the de-identification of data.
The FTC unanimously voted 5-0 to issue the administrative complaint and to approve the proposed consent agreement. Commissioners Bedoya, Khan, Slaughter, Christine Wilson and Andrew Ferguson issued statements supporting the action, some with additional commentary.
The proposed consent order will be published in the Federal Register for public comment, allowing stakeholders 30 days to submit feedback before the FTC determines whether to finalize the agreement. An Analysis to Aid Public Comment will accompany the Federal Register notice.
Article Topics
data privacy | data protection | FTC | Gravy Analytics | monitoring | smartphones | surveillance | U.S. Government
Comments