InfoBytes Blog
FTC bans data aggregator company from selling consumer data
On January 18, the FTC issued a complaint against a digital platform and data aggregator (the company) and ordered the company to no longer sell or license precise location data, among other requirements. As previously covered by InfoBytes, the FTC’s order followed a recent FTC decision against a data broker in which the FTC alleged the data broker’s contracts were “insufficient to protect consumers from the substantial injury” caused by location data collection as consumers visited sensitive locations, such as churches, healthcare facilities, and schools.
In this case, the company obtained large amounts of personal data on consumers’ demographic data, movements, and purchasing history and retained that information for five years. The company had applications and third-party apps that have been downloaded over 390 million times, leading to about 100 million unique devices sending location data each year to the company. Like the previous FTC order, this FTC order alleged the company collected sensitive information on where consumers live, work, and worship; where their children went to school; where they received medical treatment; and if they attended rallies or demonstrations. The FTC alleged that the company cross-references consumers’ data location histories with points of interest to advertisers, including offering a push notification about a product when a consumer is located near a store that sells that product.
The FTC alleged the company failed to notify users that consumers’ location data is used for targeted advertising. Additionally, the FTC alleged the company retains consumer data “longer than reasonably necessary” which the FTC argues could lead to future consumer injury. According to the FTC, these allegations constitute deceptive or unfair practices as prohibited by Section 5(a) of the FTC Act. Under the order, the company must not materially misrepresent how the company collects or uses consumers’ location data, the company must not sell or license location data, and the company must implement a sensitive location data program as proscribed by the order. The company must also delete all historical location data for all consumers which does not affirmatively consent to the continued retention of such data. The company neither admits nor denies any of these allegations.