Litigation over tracking tools, such as cookies and pixels, has become commonplace over the past few years. In general, plaintiffs’ claims revolve around the collection and sharing of data through session replay and/or chatbot tools that collect information about a user’s interaction with a web page. Lawsuits relating to the tracking technologies have been brought against individual companies and data brokers alike, typically asserting wiretap violations (in the relevant jurisdictions) and invasion of privacy claims.
Now the Federal Trade Commission wants in on the action. On January 9, 2024, the FTC announced an unprecedented settlement with a data broker relating to individual users’ geolocation data that, among other things, will restrict the data broker’s use of data for the next twenty (20) years. While the FTC was particularly focused on the data broker’s alleged practice of collecting and selling data that could be used to track a user’s visit to sensitive locations (including healthcare facilities, churches, and schools), the impact of this settlement is likely to be far-reaching.
The FTC’s Allegations
According to the FTC’s recent complaint, one of the largest U.S. location data brokers sells and/or licenses consumers’ raw location data to hundreds of clients, including advertisers, software as a service companies, analytics firms, consulting firms, research organizations, and private government contractors. Those third-party companies purportedly use that information for their own purposes, such as marketing and brand analytics, or they share the data with their own customers. According to the FTC, the data broker utilizes more than 10 billion location data points from all over the world.
The FTC specifically alleged that the raw location data given to the data broker’s clients includes mobile devices’ unique persistent identifier, along with the latitude, longitude, and timestamp of the observations. This information allows a company to match a user’s mobile device with the locations the user visited. The FTC claimed that the data broker advertises that the location data is 70% accurate within a 65-foot (or less) radius. The FTC also alleged that the data broker itself analyzes the location data and creates “audience segments.” These “audience segments” include groups based on the characteristics purportedly revealed by the geolocation data, such as “Size Inclusive Clothing Stores” or “Military Bases,” and this information is presumably shared with the data broker’s clients.
What The FTC Claims The Data Broker Did Wrong
The FTC complaint sets forth seven different ways in which the data broker allegedly violated Section 5(a) of the FTC Act, prohibiting unfair or deceptive acts or practices. See 15 U.S.C. § 45(a):
In order to avoid further litigation on these issues, the FTC and the data broker entered into a consent order that will limit the data broker’s practices for the next twenty (20) years. For instance, the data broker must impose limits on sharing data relating to certain sensitive locations and also implement procedures to ensure that consumers’ location and identity are protected in certain circumstances. The data broker must develop a supplier assessment program to ensure that companies providing information to the data broker have obtained consent from their consumers. In addition, consumers must be provided with an easy way to withdraw their consent for the collection/use of their data and the deletion of any data that was previously collected. Consumers must also be given a conspicuous way to request the identity of any individuals or businesses to whom their data was given, or provide consumers a way to delete the personal location data from the commercial databases of all the recipients of the data. Furthermore, the data broker must establish and implement a comprehensive privacy program that is designed to protect the privacy of consumers’ personal information.
This Settlement Will Likely Impact All Companies That Utilize Tracking Technologies
The agreement between the FTC and the data broker highlights some issues that will likely be included in future lawsuits (whether brought by the FTC or by consumers themselves). First, the FTC believes that there are, or should be, limits on how businesses can use a consumer’s data. The FTC rejects the idea that a company can use a consumer’s personal information in any way it wants as soon as it has access to such data. Instead, a business should be required to obtain explicit consent from the consumer regarding the collection and sale of their information.
Second, the FTC’s position is that if a business transfers consumer data to a third party, it needs to do more than impose a contractual limitation on how the third party can use the information. Instead, a company must take steps to ensure that a consumer gives consent for the collection and distribution of that data, including reviewing the disclosures, notices, and opt-in controls provided to consumers buy the third party. In other words, data brokers (or other entities that transfer data to third parties) will be held responsible for their clients’ or vendors’ compliance failures relating to data collection and distribution.
Sign up for our newsletter and get the latest to your inbox.