On January 9, 2024, the Federal Trade Commission (FTC) announced its settlement with X-Mode Social and its successor Outlogic that will prohibit them “from sharing or selling any sensitive location data that could be used to track people’s visits to sensitive locations such as medical and reproductive health clinics, places of religious worship and domestic abuse shelters.”

The FTC’s settlement with X-Mode/Outlogic marks its first with a “data broker concerning the collection and sale of sensitive location information.” The FTC’s complaint alleged that Outlogic failed to put reasonable and appropriate safeguards in place regarding the use of the data by third parties. It further alleged that the company “did not have any policies in place to remove sensitive locations from the raw location data it sold…putting consumers’ sensitive personal information at risk.” The FTC alleged that the location data that Outlogic sold exposed consumers “to potential discrimination, physical violence, emotional distress, and other harms.”

The FTC alleged that the privacy policies did not inform consumers about how their location data would be used, which entities would receive the data and did not obtain informed consent to obtain access to sensitive location data.

To illustrate how sensitive location data can be used by data brokers, the FTC provided an example of how X-Mode in one contract with a customer “provided a private clinical research company information for marketing and advertising purposes about consumers who had visited certain internal medical facilities and then pharmacies or specialty infusion centers within a certain radius in the Columbus, Ohio area.”

The complaint and settlement agreement provide a road map of how data brokers are accessing, using, and disclosing location services, and serves as guidance for both consumers and marketing companies.

For consumers, this is a reminder to read the privacy policies of any application that seeks access to location services, and to frequently check which apps you have allowed access to location services on your devices. When you turn location services on, all of those apps are tracking your specific location. Stay abreast of who you are providing access to, check the access frequently, and consider only turning it on when using a particular app.

For companies who wish to request access to location services of consumers for marketing purposes, you may wish to revisit your privacy policy to determine whether you are transparent about how you are collecting, using, and disclosing location services. You might also consider creating and developing a program “that maintains a comprehensive list of sensitive locations, and ensure it is not sharing, selling or transferring location data about such locations.” In addition, it may be a good idea to: review and update internal policies and procedures around destruction of location data; develop a supplier assessment program to confirm that consumer consent is being obtained before the collection, use, or disclosure of location data; and “ensure that recipients of location data do not associate the data with locations that provide services to LGBTQ+ people…locations of public gatherings of individuals at political or social demonstrations or protests, or use location data to determine the identity or location of a specific individual…and establish and implement a comprehensive privacy program that protects the privacy of consumers’ personal information and also create a data retention schedule.” The settlement terms offer valuable guidance for compliance teams to note and use for their internal compliance programs if location services are being collected from consumers.