The Federal Trade Commission is taking action against Gravy Analytics Inc. and its subsidiary Venntel Inc. for unlawfully tracking and selling sensitive location data from users, including selling data about consumers’ visits to health-related locations and places of worship.
Under a proposed order settling the FTC’s allegations, Gravy Analytics and Venntel will be prohibited from selling, disclosing, or using sensitive location data in any product or service, and must establish a sensitive data location program.
The FTC’s complaint alleges that Gravy Analytics and Venntel violated the FTC Act by unfairly selling sensitive consumer location data, and by collecting and using consumers’ location data without obtaining verifiable user consent for commercial and government uses.
According to the complaint, Gravy Analytics continued to use consumers’ location data after learning that consumers didn’t provide informed consent. Gravy Analytics also unfairly sold sensitive characteristics, like health or medical decisions, political activities and religious viewpoints, derived from consumers’ location data.
“Surreptitious surveillance by data brokers undermines our civil liberties and puts servicemembers, union workers, religious minorities, and others at risk,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “This is the FTC’s fourth action taken this year challenging the sale of sensitive location data, and it’s past time for the industry to get serious about protecting Americans’ privacy.”
Virginia-based Gravy Analytics and Venntel allegedly obtained consumer location information from other data suppliers and claimed to collect, process, and curate more than 17 billion signals from around a billion mobile devices daily. The location data the companies sold can be used to identify consumers and is not anonymized, according to the complaint.
The complaint alleges that Gravy Analytics used geofencing, which creates a virtual geographical boundary, to identify and sell lists of consumers who attended certain events related to medical conditions and places of worship, and sold additional lists that associate individual consumers with other sensitive characteristics.
The FTC says the companies exposed consumers to potential privacy harms, which could include disclosure of health or medical decisions, political activity, and religious practices. The unauthorized disclosure of sensitive characteristics puts consumers at risk of stigma, discrimination, violence and other harms, according to the complaint.
Proposed Settlement Requirements
Under the proposed order, Gravy Analytics and Venntel will be prohibited from selling, licensing, transferring, sharing, disclosing, or using sensitive location data except in limited circumstances involving national security or law enforcement. The order also requires the companies to maintain a sensitive location data program designed to develop a list of sensitive locations and prevent the use, sale, license, transfer, sharing, or disclosure of consumers’ visits to those locations, including locations associated with:
- Medical facilities,
- Religious organizations,
- Correctional facilities,
- Labor union offices,
- Schools or childcare facilities,
- Services supporting people based on racial and ethnic backgrounds,
- Services sheltering homeless, domestic abuse, refugee or immigrant populations, and
- Military installations.
The order also requires the companies to delete all historic location data and any data products developed using this data. It also requires that the companies inform customers that received historic location data within the last three years of the Commission’s requirement that such data should be deleted, de-identified, or rendered non-sensitive. The companies can retain historic location data if they ensure that it is de-identified or rendered non-sensitive or if consumers consented to the use of their data.
It also requires the companies to maintain a supplier assessment program designed to ensure that consumers have provided consent for the collection and use of all data that may reveal a mobile device or consumer’s precise location.
The companies also will be banned from making misrepresentations about the extent to which:
- they review data suppliers’ compliance and consent frameworks, consumer disclosures, sample notices, and opt-in controls;
- they collect, use, maintain, disclose, or delete any covered information; and
- the data they collect, use, maintain, or disclose is de-identified.
The Commission voted 5-0 to issue the administrative complaint and to accept the consent agreement with the companies. Commissioner Alvaro Bedoya issued a concurring statement joined in full by Chair Lina Khan and Commissioner Rebecca Kelly Slaughter and in part by Commissioner Holyoak. Holyoak issued a separate concurring statement joined in part by Bedoya. Commissioner Andrew Ferguson issued a concurring and dissenting statement.
This is the FTC’s fifth action challenging the unfair handling of consumers’ sensitive location data by data aggregators. The agency’s other cases include a 2022 action against Kochava for selling data tracking people to reproductive health clinics and other sensitive locations, and the January 2024 actions against X-Mode for selling raw location data and InMarket for selling precise user location data. Earlier today, the FTC announced an action against Mobilewalla for also selling data tracking users to military sites, health clinics, churches and other sensitive locations.
The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register, after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.
NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $51,744.
The lead staffers on this matter are Jennifer Rimm, Brian Shull and Bhavna Changrani in FTC’s Bureau of Consumer Protection.