In its continued concentration on the collection and use of consumers’ precise geolocation, on January 16, 2024, the Federal Trade Commission (FTC) settled with General Motors (GM) over allegations that it collected, used, and sold drivers’ precise geolocation and driving behavior data from millions of vehicles—data that can be used to set insurance rates—without adequately notifying consumers and obtaining their affirmative consent.

The FTC accepted the proposed order for public comment, which will be open for 30 days.

The complaint against GM alleged that it “used a misleading enrollment process to get consumers to sign up for its OnStar connected vehicle service and the OnStar Smart Driver feature. GM failed to clearly disclose that it collected consumers’ precise geolocation and driving behavior data and sold it to third parties, including consumer reporting agencies, without consumers’ consent.” According to the complaint, GM collected driver data through OnStar as often as every three seconds. As in the previous four cases in 2024, the FTC alleges that “tracking and collecting geolocation data can be extremely [privacy-invasive], revealing some of the most intimate details about a person’s life, such as whether they visited a hospital or other medical facility, and expose their daily routines.” The proposed order, if accepted, “prohibits GM and OnStar from misrepresenting information about how they collect, use and share consumers’ location and driver behavior data.” In addition, the order prohibits them from disclosing consumers’ geolocation and driver behavior data to consumer reporting agencies for five years; requires them to obtain affirmative express consent from consumers before collecting connected vehicle data; allows consumers to obtain and delete their data; and allows consumers to limit data collection from their vehicles.

Many people do not understand how their geolocation data can be collected and used about them, or how massive the amount of precise location data collected from our devices.

The Federal Trade Commission (FTC) recently filed a complaint against Mobilewalla, Inc., alleging that it violated Section 5 of the FTC Act by selling consumers’ sensitive location information and targeting consumers based on sensitive characteristics without their consent. It further alleged that Mobilewalla conducted an unfair practice by collecting consumer information from real-time bidding (RTB) exchanges and indefinitely retained consumer location information.

According to the complaint, Mobilewalla is a data broker “that collects and aggregates huge quantities of consumer information, including precise location information tied to individual consumers that reveals sensitive information about those consumers. Mobilewalla touts its ability, among other things, to ‘create a comprehensive, cross channel view of the customer, understanding online and offline behavior.'” Mobilewalla collects this data from data suppliers, and consumers have no idea that their location information is being collected.

In addition, Mobilewalla has “collected large swaths of consumers’ personal information, including location data from multiple sources such as real-time bidding exchanges and data brokers. These sources may themselves obtain consumer data from other data suppliers, the mobile or online advertising marketplace, or mobile applications.” Most of the data is collected from RTB exchanges:  I had never even heard of an RTB exchange until I read the complaint. The complaint explains:

            The primary purpose of RTB exchanges is to enable instantaneous delivery of advertisements and other content to consumers’ mobile devices, such as when scrolling through a webpage or using an app. An app or website implements a software development kit, cookie, or similar technology that collects the consumer’s personal information from their device and passes it along to the RTB exchange in the form of a bid request. In an auction that occurs in a fraction of a second and without consumers’ involvement, advertisers participating in the RTB exchange bid to place advertisements based on the consumer information contained in the bid request. Advertisers can see and collect the consumer information contained in the bid request (even when they do not have a winning bid) and successfully place the advertisement.

The FTC alleges that Mobilewalla collected and retained information contained in a bid request in an RTB exchange even when it did not win the bid, including the consumer’s device mobile advertising identifier (MAID) and precise geolocation information if location-based services were turned on. Mobilewalla then used this information and paired it with other purchased consumer data (e.g., telephone numbers) to build profiles of individual consumers. Mobilewalla then sells access to this data, including raw location data, which is not anonymized. The FTC alleges that MAIDs can be used “to identify a mobile device’s user or owner.”

The FTC’s concern about this practice is that “Mobilewalla’s location data associated with MAIDs can be used to track consumers to sensitive locations, including medical facilities, places of religious worship, places that offer services to the LGBTQ+ community, domestic abuse shelters, and welfare and homeless shelters. It can also be used to infer sensitive information about those consumers.” In addition, “Mobilewalla’s collection and sale of consumers’ precise geolocation data to its clients to identify and target consumers based on sensitive characteristics causes or is likely to cause substantial injury in the form of stigma, discrimination, physical violence, emotional distress, and other harms.”

Similarly, the FTC recently issued a decision and consent order against Gravy Analytics, Inc. and Venntel, Inc. following an investigation of their collection and sale of precise consumer location and sensitive data. Take a look at the complaint if you want to learn more about how your precise location and other data can be collected when the location-based services feature is enabled on your device, and consider only keeping it on when you are using an app that requires it.

On May 1, 2024, the Federal Trade Commission (FTC) announced a settlement with InMarket Media (InMarket), a digital marketing and data aggregator, to resolve the FTC’s allegations that InMarket “unlawfully collected and used consumers’ location data for advertising and marketing.”

The complaint filed by the FTC against InMarket alleged that InMarket collects and aggregates location information about consumers from different sources, including its apps and other third-party apps, then aggregates the location data with other publicly available data to determine consumers’ behavior for targeted advertising. The FTC alleged that InMarket failed to properly inform consumers about how it was collecting and using their location data and how it would be combined with other data for targeted advertising. It also alleged that InMarket failed to require that third-party app providers obtain consumers’ consent for the use of the location data.

The FTC has been focused on collecting and using location-based services due to this data “including sensitive information about where [consumers] live, work and worship.” This marks one of several settlements in the last year.

The Order prohibits InMarket from “selling, sharing or licensing any precise location data and any product or service that categorizes or targets consumers based on sensitive location data,” as well as other provisions related to the destruction of such data from its systems. The FTC’s continued enforcement of transparency and consumer consent for the collection and use of location services shows that the FTC is serious about this issue. Those who are collecting and using location services from consumers would do well to take a thorough look at internal processes and procedures, including updating Privacy Policies and consents, to react to the FTC’s focus.

In a matter of weeks, the Federal Trade Commission (FTC) has settled another case against a company it alleges tracks consumers and sells their “precise location data” to third parties. This continues the FTC’s aggressive approach toward location-based consumer data.

According to the FTC’s complaint, Texas-based InMarket offered two apps to consumers: shopping rewards app CheckPoints, and shopping list app ListEase. According to the FTC’s press release, the FTC alleged in its complaint that when InMarket requested consent to use a consumer’s location data, it told the customer that it was only using the data “for the app’s function, such as to provide shopping reward points or to remind consumers about items on their shopping list.” The FTC alleges that InMarket “fail[ed] to inform users that the location data will also be combined with other data obtained about those users and used for targeted advertising.”

Frankly, I don’t understand why my location would need to be shared to provide me with points or remind me what’s on my list. If I received that popup, I would think twice about the transparency and accuracy of the popup. At any rate, other consumers allowed access to precise location data for this alleged purpose, and the FTC intervened on behalf of consumers to stop the practice. According to the FTC, InMarket was combining precise location data with other data to profile consumers and then categorize them as “parents of preschoolers,” “Christian church goers,” and “wealthy and not healthy.” Ouch.

The settlement prohibits InMarket from selling or licensing any precise location data and from “selling, licensing, transferring or sharing any product or service that categorizes or targets consumers based on sensitive location data.”  If this settlement doesn’t tell you that the FTC has location-based services on its radar, nothing will. The clear messages from this settlement are: 1) if you are a business that is collecting and using precise location data of consumers, transparency with consumers about why you are collecting and how you are using that data is critical; 2) be mindful of the FTC’s message that “firms do not have free license to monetize data tracking people’s precise location”; and 3) read the popups and consider how your data will be used before clicking “I agree.” If the collection and use doesn’t make sense, consider not downloading it and find a better alternative.