The Federal Trade Commission will prohibit data broker Mobilewalla, Inc. from selling sensitive location data, including data that reveals the identity of an individual’s private home, to settle allegations the data broker sold such information without taking reasonable steps to verify consumers’ consent.
Under the FTC’s proposed settlement order, Mobilewalla will also be banned from collecting consumer data from online advertising auctions for purposes other than participating in those auctions, marking the first time the agency has alleged such a practice was an unfair act or practice.
“Persistent tracking by data brokers can put millions of Americans at risk, exposing the precise locations where service members are stationed or which medical treatments someone is seeking,” said FTC Chair Lina Khan. “Mobilewalla exploited vulnerabilities in digital ad markets to harvest this data at a stunning scale. The FTC is cracking down on firms that unlawfully exploit people’s sensitive location data and ensuring that we protect Americans from unchecked surveillance.”
The FTC alleges in a complaint that Georgia-based Mobilewalla collected data from real-time bidding exchanges and third-party aggregators. Often consumers had no knowledge that Chamblee-Georgia-based Mobilewalla had obtained their data.
“Mobilewalla collected massive amounts of sensitive consumer data – including visits to health clinics and places of worship – and sold this data in a way that exposed consumers to harm,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is acting today to stop these invasive practices and protect the public from always-on surveillance.”
When Mobilewalla bid to place an ad for its clients on a real-time advertising bidding exchange, it unfairly collected and retained the information in the bid request, even when it didn’t have a winning bid, according to the complaint.
The FTC’s complaint alleges that from January 2018 to June 2020, Mobilewalla collected more than 500 million unique consumer advertising identifiers paired with consumers’ precise location data. The raw location data Mobilewalla collected was not anonymized and the company doesn’t have policies to remove sensitive locations from the data set, meaning that such data could be used to identify individual consumers’ mobile devices and the sensitive locations they visited. The company sold access to this raw data to third-parties, including advertisers, data brokers and analytic firms.
Mobilewalla also uses its sensitive location data to develop audience segments for its clients to target consumers for advertising and other purposes, according to the complaint. For example, the company collected location data from women who visited pregnancy centers, which was used to build audience segments targeting pregnant women. It also used audience segments to create a June 2020 report analyzing people who protested the death of George Floyd and determined the protesters’ racial backgrounds and whether they lived in the cities in which they protested.
The FTC alleged that Mobilewalla violated the FTC Act by: selling consumers’ sensitive location data; selling audience segments of consumers for marketing and other purposes based on sensitive characteristics – like medical conditions and religious beliefs; collecting and retaining sensitive data from advertising exchanges; collecting and using data without taking reasonable steps to verify consumers’ consent; and retaining raw consumer location information indefinitely.
The FTC alleges that Mobilewalla’s actions not only compromised consumers’ personal privacy but exposed them to potential discrimination, physical violence, emotional distress, and other harms — risks consumers could not avoid given that most were unaware of the company’s activities.
Proposed Settlement Order
Under the proposed order, Mobilewalla will be prohibited from misrepresenting how it collects, maintains, uses, deletes or discloses consumers’ personal information, and the extent to which consumers’ location data is deidentified. It also is prohibited from using, transferring, selling and disclosing sensitive location data from health clinics, religious organizations, correctional facilities, labor union offices, LGBTQ+-related locations, political gatherings and military installations.
Other provisions of the proposed order include:
- Retention of data from auctions: The company is prohibited from collecting or retaining consumer data while participating in online advertising auctions for any other purpose than participating in the auction;
- Sensitive location data program: The company must create a sensitive location data program that develops a comprehensive list of sensitive locations and that is designed to prevent the use, sale or disclosure sensitive location data or otherwise using sensitive location data in any product or service;
- Data deletion: The company must implement a method for consumers to request deletion of their location data from the company and to delete certain types of older data. The company must also delete historic location data and any work product from this data.
- Mandated privacy program: The company is required to establish a comprehensive privacy program that protects consumers’ personal information; assess the program annually; and train employees and contractors who have access to sensitive data;
- Supplier assessment program: The company is required to set up a supplier assessment program designed to confirm whether consumers have provided consent for the collection and use of location data and will be prohibited from collecting or using location data if it cannot obtain records showing that consumers provided consent; and
- Disclosures to consumers: The company must provide a method for consumers to withdraw consent for the use of their data and must delete and stop collecting that data.
The Commission voted 4-1 to issue the administrative complaint and to accept the proposed consent agreement. Chair Lina Khan issued a concurring statement joined by Commissioner Alvaro Bedoya and Commissioner Rebecca Kelly Slaughter. Commissioner Melissa Holyoak issued a dissenting statement. Commissioner Andrew Ferguson issued a concurring and dissenting statement.
This is the FTC’s most recent action challenging the unfair handling of consumers’ sensitive location data by data aggregators. The agency has opened similar cases, including one with Kochava for selling data tracking people to reproductive health clinics, and has settled cases with X-Mode for selling raw location data and InMarket for selling precise user location data.
The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.
NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $51,744.
The lead staff attorneys on this matter are David Walko and Gorana Neskovic from the FTC’s Bureau of Consumer Protection.