The Federal Communications Commission (FCC) has announced that it has levied almost $200 million in fines against “the nation’s largest wireless carriers for illegally sharing access to customers’ location information without consent and without taking reasonable measures to protect that information against unauthorized disclosure.”

The FCC’s allegations include that the carriers sold access to customers’ location information to aggregators, which then resold the data to third-party location-based service providers. The disclosure to the aggregators and the redisclosures to third parties did not include customer consent. The FCC alleged that “customers’ real-time location information, revealing where they go and who they are,” is some of the most sensitive data in carriers’ possession.

The fines against the wireless carriers stem from a violation of § 222 of the Communications Act, which requires carriers to “take reasonable measures to protect certain customer information, including location information,” as well as maintain the confidentiality of the data and obtain “affirmative, express customer consent before using, disclosing, or allowing access to such information.” The FCC maintains that these obligations apply when the carriers share customer information with third parties.

The FCC’s Privacy and Data Protection Task Force led the investigation, which started with customer complaints that a Missouri sheriff was using a location-finding service to track the location of individuals.

On May 1, 2024, the Federal Trade Commission (FTC) announced a settlement with InMarket Media (InMarket), a digital marketing and data aggregator, to resolve the FTC’s allegations that InMarket “unlawfully collected and used consumers’ location data for advertising and marketing.”

The complaint filed by the FTC against InMarket alleged that InMarket collects and aggregates location information about consumers from different sources, including its apps and other third-party apps, then aggregates the location data with other publicly available data to determine consumers’ behavior for targeted advertising. The FTC alleged that InMarket failed to properly inform consumers about how it was collecting and using their location data and how it would be combined with other data for targeted advertising. It also alleged that InMarket failed to require that third-party app providers obtain consumers’ consent for the use of the location data.

The FTC has been focused on the collection and use of data from location-based services due to this data “including sensitive information about where [consumers] live, work and worship.” This marks one of several settlements in the last year.

The Order prohibits InMarket from “selling, sharing or licensing any precise location data and any product or service that categorizes or targets consumers based on sensitive location data,” as well as other provisions related to the destruction of such data from its systems. The FTC’s continued enforcement of transparency and consumer consent for the collection and use of location services shows that the FTC is serious about this issue. Those who are collecting and using location services from consumers would do well to take a thorough look at internal processes and procedures, including updating Privacy Policies and consents, to react to the FTC’s focus.

In a matter of weeks, the Federal Trade Commission (FTC) has settled another case against a company it alleges tracks consumers and sells their “precise location data” to third parties. This continues the FTC’s aggressive approach toward location-based consumer data.

According to the FTC’s complaint, Texas-based InMarket offered two apps to consumers: shopping rewards app CheckPoints, and shopping list app ListEase. According to the FTC’s press release, the FTC alleged in its complaint that when InMarket requested consent to use a consumer’s location data, it told the customer that it was only using the data “for the app’s function, such as to provide shopping reward points or to remind consumers about items on their shopping list.” The FTC alleges that InMarket “fail[ed] to inform users that the location data will also be combined with other data obtained about those users and used for targeted advertising.”

Frankly, I don’t understand why my location would need to be shared to provide me with points or remind me what’s on my list. If I received that popup, I would think twice about the transparency and accuracy of the popup. At any rate, other consumers allowed access to precise location data for this alleged purpose, and the FTC intervened on behalf of consumers to stop the practice. According to the FTC, InMarket was combining precise location data with other data to profile consumers and then categorize them as “parents of preschoolers,” “Christian church goers,” and “wealthy and not healthy.” Ouch.

The settlement prohibits InMarket from selling or licensing any precise location data and from “selling, licensing, transferring or sharing any product or service that categorizes or targets consumers based on sensitive location data.” If this settlement doesn’t tell you that the FTC has location-based services on its radar, nothing will. The clear messages from this settlement are: 1) if you are a business that is collecting and using precise location data of consumers, transparency with consumers about why you are collecting and how you are using that data is critical; 2) be mindful of the FTC’s message that “firms do not have free license to monetize data tracking people’s precise location”; and 3) read the popups and consider how your data will be used before clicking “I agree.” If the collection and use doesn’t make sense, consider not downloading the app and find a better alternative.

On January 9, 2024, the Federal Trade Commission (FTC) announced its settlement with X-Mode Social and its successor Outlogic that will prohibit them “from sharing or selling any sensitive location data that could be used to track people’s visits to sensitive locations such as medical and reproductive health clinics, places of religious worship and domestic abuse shelters.”

The FTC’s settlement with X-Mode/Outlogic marks its first with a “data broker concerning the collection and sale of sensitive location information.” The FTC’s complaint alleged that Outlogic failed to put reasonable and appropriate safeguards in place regarding the use of the data by third parties. It further alleged that the company “did not have any policies in place to remove sensitive locations from the raw location data it sold…putting consumers’ sensitive personal information at risk.” The FTC alleged that the location data that Outlogic sold exposed consumers “to potential discrimination, physical violence, emotional distress, and other harms.”

The FTC alleged that the privacy policies did not inform consumers about how their location data would be used or which entities would receive the data, and that the company did not obtain informed consent to access sensitive location data.

To illustrate how sensitive location data can be used by data brokers, the FTC provided an example of how X-Mode in one contract with a customer “provided a private clinical research company information for marketing and advertising purposes about consumers who had visited certain internal medical facilities and then pharmacies or specialty infusion centers within a certain radius in the Columbus, Ohio area.”

The complaint and settlement agreement provide a road map of how data brokers are accessing, using, and disclosing location services, and serve as guidance for both consumers and marketing companies.

For consumers, this is a reminder to read the privacy policies of any application that seeks access to location services, and to frequently check which apps you have allowed access to location services on your devices. When you turn location services on, all of those apps are tracking your specific location. Stay abreast of who you are providing access to, check the access frequently, and consider only turning it on when using a particular app.

For companies who wish to request access to location services of consumers for marketing purposes, you may wish to revisit your privacy policy to determine whether you are transparent about how you are collecting, using, and disclosing location services. You might also consider creating and developing a program “that maintains a comprehensive list of sensitive locations, and ensure it is not sharing, selling or transferring location data about such locations.” In addition, it may be a good idea to: review and update internal policies and procedures around destruction of location data; develop a supplier assessment program to confirm that consumer consent is being obtained before the collection, use, or disclosure of location data; and “ensure that recipients of location data do not associate the data with locations that provide services to LGBTQ+ people…locations of public gatherings of individuals at political or social demonstrations or protests, or use location data to determine the identity or location of a specific individual…and establish and implement a comprehensive privacy program that protects the privacy of consumers’ personal information and also create a data retention schedule.” The settlement terms offer valuable guidance for compliance teams to note and use for their internal compliance programs if location services are being collected from consumers.
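One way to implement the pre-release checks listed above (sensitive-location suppression, consent confirmation and a retention limit) is sketched below as an added example; it is not taken from the FTC order or from any company's code, and the field names, the 250 m radius, the 30-day retention window and all coordinates are assumptions constructed for illustration.

```python
import math
from datetime import datetime, timedelta, timezone

EARTH_RADIUS_M = 6_371_000
SUPPRESSION_RADIUS_M = 250          # assumption: buffer around each sensitive site
RETENTION = timedelta(days=30)      # assumption: retention schedule for raw points

# Constructed entries; a real program would maintain this list from vetted sources.
SENSITIVE_LOCATIONS = [
    {"category": "medical_clinic", "lat": 39.9612, "lon": -82.9988},
    {"category": "place_of_worship", "lat": 39.9700, "lon": -83.0100},
]

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def release_decision(record, now):
    """Return (allowed, reason) for one location record before it leaves the company."""
    if not record.get("consent_to_share"):
        return False, "no_consent"
    if now - record["timestamp"] > RETENTION:
        return False, "past_retention"
    for site in SENSITIVE_LOCATIONS:
        dist = haversine_m(record["lat"], record["lon"], site["lat"], site["lon"])
        if dist <= SUPPRESSION_RADIUS_M:
            return False, "near_sensitive:" + site["category"]
    return True, "ok"

def filter_for_release(records, now):
    """Split records into those that may be shared and a count of withheld reasons."""
    released, withheld = [], {}
    for rec in records:
        allowed, reason = release_decision(rec, now)
        if allowed:
            released.append(rec)
        else:
            # Audit counts only; no device identifier is written to the log.
            withheld[reason] = withheld.get(reason, 0) + 1
    return released, withheld

# Constructed sample input.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
RECENT = datetime(2024, 1, 14, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"device": "dev-a", "lat": 39.9613, "lon": -82.9989, "timestamp": RECENT,
     "consent_to_share": True},    # roughly 14 m from the clinic entry
    {"device": "dev-b", "lat": 40.0500, "lon": -83.0500, "timestamp": RECENT,
     "consent_to_share": True},
    {"device": "dev-c", "lat": 40.0500, "lon": -83.0500, "timestamp": RECENT,
     "consent_to_share": False},
    {"device": "dev-d", "lat": 40.0500, "lon": -83.0500,
     "timestamp": datetime(2023, 11, 1, tzinfo=timezone.utc),
     "consent_to_share": True},    # older than the retention window
    {"device": "dev-e", "lat": 39.9730, "lon": -83.0100, "timestamp": RECENT,
     "consent_to_share": True},    # roughly 334 m from the worship entry
]

if __name__ == "__main__":
    released, withheld = filter_for_release(SAMPLE_RECORDS, NOW)
    print([r["device"] for r in released], withheld)
```

A single fixed radius is a simplification: large campuses or dense urban blocks need per-site geometry rather than one buffer distance.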

INRIX, a company that provides location-based data analytics, has been collecting, analyzing, and selling aggregated vehicle, traffic, and parking data for over 17 years. Now, after the Roe v. Wade decision, INRIX is under scrutiny for its data collection tactics and the ability to view data related to Planned Parenthood clinics. In a brochure for its “Vehicle Trips” product, INRIX details the fact that it “captures over 150 million anonymous trips” and 36 billion “real-time data points” each day, with updates as frequent as every three seconds.

By using only the free trial version of the INRIX IQ Location Analytics platform, a user can locate at least 71 Planned Parenthood clinics in numerous states. The free version of this platform only lists the address, hours, and average annual daily traffic counts on nearby streets for each clinic, but the paid version shows more detailed statistics for sample points of interest in its database, including demographic and ethnic breakdowns of visitors, visitor counts by hour and day, aggregated heat maps of the origins and destinations for visitors, and drive times to and from the business location.

While this type of data collection, availability, and accessibility may seem problematic in the current legal landscape related to reproductive rights, INRIX has publicly stated that it only receives anonymized data and de-identifies it further as necessary, before aggregating those data for use in its products. According to INRIX, individual identities are not relevant to its business – the location analytics only display results based on the census block group level and the data are sourced from map providers, which are commercially available.

Other location-based data analytics companies, such as Safegraph and Placer.ai, also had Planned Parenthood visitor data in their products, but those data have been removed. Even some Internet search engines have pledged to delete visitor location data when a user visits an abortion provider, fertility center, or other sensitive reproductive health location.

The problem with this data collection and sharing, although inclusive only of location-based data, comes when the individuals seeking an abortion face increased risks to their privacy, and potentially, their own safety and wellbeing. Before the recent overturning of Roe v. Wade, pro-life activists used software and services like geofencing from the location data industry to dissuade abortion-seeking patients with targeted advertisements. With the procedure criminalized in nine states, the effects could be even more impactful.

As a result of this data collection and use, lawmakers have sent letters to these location data companies to gather details about their data collection and to request that they stop including abortion clinics in their platforms and reports.

While most of the data on the free version of the INRIX dashboard are aggregated, risks still remain. Most companies in the location data industry boast that individual privacy is protected due to the fact that they only sell aggregated data (e.g., the number of people visiting a particular business during a specific week). However, even aggregated data might carry risks for individual privacy because individuals could still be identified in some circumstances. If location data show that a particular user frequents one central location (e.g., home or work) while also visiting a Planned Parenthood clinic, it may be easier than you’d think to determine the identity of that individual.

For more, see the investigation conducted by The Markup.

This is not the first post discussing location-based services on mobile phones [see posts here]. And it won’t be the last. After reading my colleague’s post on the priest who resigned from his high-profile position after his location was tied to Grindr, I thought it would be useful to remind readers to think about that privacy setting a bit more.

In sum, when you download an app, the Privacy Policy of that app will tell you what type of data that app is collecting from your phone. When you click “I agree” after downloading the app, you have just agreed to everything the app developer said it would collect in the Privacy Policy. This could include access to your microphone, camera, movement, contacts, photos and location. The app could literally be tracking everything you do.

Unfortunately, many people don’t understand how location services can be used and disclosed. If the app Privacy Policy says it will collect your location when you have your location services on, and also says it will sell it and disclose it to others, and you agree, that is exactly what they are doing. The information is no longer private and the app developer can use and disclose it to others freely (and legally) because you consented to the collection and use of the location based data.

Tips for the week with location-based services:

  • understand which apps are tracking your location and how they are tracking it (read the description under “Location Alerts” in Privacy Settings under Location Services);
  • consider only allowing your location to be tracked when using a specific app;
  • turn location services off when not using specific apps or after using the app;
  • check Privacy Settings frequently to see which apps have access to location (and other) services and frequently reset them;
  • read Privacy Policies of apps you have already downloaded or are about to download to see what data they are collecting from you and how they are using and disclosing it to others;
  • read the disclaimers when they pop up to ask for specific consent and make an educated decision on whether to allow the access to and collection of your data;
  • make an educated decision on whether you will allow others to have access to your location by reading and understanding the “Share My Location” section of the Location Services under Privacy Settings; and
  • delete any apps whose Privacy Policies you are not comfortable with.

Like the unfortunate situation with the priest who resigned from his position because he was reportedly associated with Grindr based on location services, people are often surprised to find out how their location is tracked and used. Now is the time to re-check your privacy settings and reset them as necessary.

Location data is data that marks the longitude/latitude location of a smartphone or other device at a particular time, or over a period of time. It works like this: each day our device, which has a unique identifier or ID, uses or connects to multiple location signals, like GPS, Wi-Fi, Bluetooth, cell towers or other external location signals. Each location signal combined with an identifier permits you to plot the location of the device at a particular time, and the movement of the device over time. Carriers, private companies, and apps collect users’ location data, usually automatically and often even when you aren’t using the app. You can literally track a device’s physical location over the course of a day by the monitoring of the external location signals, tracking from a home to an office, to the grocery store, to the gym, to the beach. As you use your device to look up information, data is collected that flags your interests, such as vacation spots, new mattress models, restaurants, etc.

Your location data is then sold to aggregators, advertisers and marketers, sometimes in real time and usually without your express consent. Advertisers then use the location data to target relevant ads to your device. Ever wonder why the special offer for airline fare pops up into your social media app while you are looking up hotels in Hawaii? Law enforcement and government agencies are also interested in location data as it can be used to put a suspect near a crime scene. Using location data, they can determine whether a particular device owned by the suspect was used to make a phone call near a particular cell tower at a particular time. Given this value and interest, it is no surprise that the location data market continues to grow. Lots of data brokers, aggregators and marketing companies are profiting from these currently legal transactions, which are based on our tracked movements and activities as we go about our day. The New York Times 2019 piece has an interesting visual view of location data.

These purveyors of this widely available location data claim it is anonymized. By that they mean while the ads are delivered to your device and your apps based on your location data, the advertisers don’t know your name. While the data usually doesn’t include your name or phone number, it can contain other information, such as your gender, your age and your unique device ID. It is also very easy to combine location data with other purchased or acquired data, such as real estate records or office location, which can permit the identification of individuals by name. There are many examples where location data has been used against specific individuals.

The most recent example involves a Catholic priest who was confronted with location data that showed the use of gay social “hook-up” app Grindr almost daily over multiple years from locations near his office and his work-owned home, as well as trips to gay bars in other cities during timeframes he was known to have been there for work events. After being confronted, the priest resigned his high profile position. Some of the details are still murky as to how the data was acquired and tied to a specific person. Nonetheless, this story is likely to further concerns about the collection, sharing and sale of location data.

AT&T was sued this week in the Northern District of California by customers alleging that AT&T sold their location data to data aggregators without their consent. The proposed class action suit was filed on behalf of all AT&T wireless customers from 2011 to date.

The suit alleges that AT&T sold customers’ location data to LocationSmart and Zumigo, third party service providers that provide location-based services to corporations without AT&T customers’ consent [view related post]. Wireless companies agreed to limit the sale of location data last year at the request of several members of Congress.

The suit alleges that AT&T failed to protect the customers’ confidentiality and that it has breached its duties to customers by disclosing location information to “thousands of third-parties for years.” According to the suit, AT&T’s sharing of location based information to third-parties was not transparent and customers were unaware that the information was being shared while they were using their phones.

The suit asks for monetary damages and an order to ban the sale of location based information.

AT&T denies the allegations, and has stated that it only shares location data with customers’ consent and that it stopped sharing location data with aggregators after it pledged to do so.

Last week’s Privacy Tip, “Cell Phone Geolocation Data Being Sold,” centered on how our cell phone geolocation data is being sold by the telephone companies. I sent out an APB to readers to answer my question about how they can do this when I turn off my location based services. My question was “…the thing I want to know is whether your location can be tracked if your location based services are turned off?”

I received multiple answers, and here are the most helpful that I want to pass along to you:

One reader responded: “To answer your question, ‘I want to know whether your location can be tracked if your location based services are turned off?’ The answer is yes.

The information the phone companies are selling is gathered from the phone’s administration communications with the cell sites, “Hi. I’m here. I can accept a call.” The signal is picked up from multiple cell sites and is evaluated to determine which site is receiving the strongest signal. Location is determined by triangulation. While not precise, it can get you into the neighborhood.

If they were using the phone’s GPS-based location services the location would be within a few yards.”

Another reader sent me several links to other articles, one of which I found to be concerning, and the other very helpful. I hope they help:

https://theconversation.com/your-mobile-phone-can-give-away-your-location-even-if-you-tell-it-not-to-65443

https://www.wired.com/story/google-location-tracking-turn-off/

It has also been reported that Senator Ron Wyden renewed efforts for the Senate to adopt his legislation that bans the carriers from selling users’ location data, and expressed disappointment with the carriers, who previously “pledged to end these practices.”

We previously cautioned that telephone companies sell customer data to third parties, including location data [view related posts here]. Last year, the telecom industry pledged to stop the practice after pressure by members of Congress.

Earlier this month, Joseph Cox of Motherboard released “I Gave a Bounty Hunter $300. Then He Located Our Phone” and outlined how he gave the individual his phone number and the individual (called a bounty hunter) was able to find the “current location of most phones in the United States.” When he did so for Mr. Cox, the bounty hunter was able to locate the phone within a few blocks of where the individual was located.

According to Mr. Cox, “The bounty hunter did this all without deploying a hacking tool or having any previous knowledge of the phone’s whereabouts. Instead, the tracking tool relies on real-time location data sold to bounty hunters that ultimately originated from the telcos themselves…” The article is fascinating and can be accessed here.

It is better to read it than for me to try to give it justice, but the thing I want to know is whether your location can be tracked if your location based services are turned off? I would love for someone to send me the answer, as I am a big fan of only using location based services when absolutely necessary (like when using ride-sharing apps or navigation). This is a tip to consider, particularly after reading the article.