“Browsing and location data are sensitive . . .. Full stop,” says the Federal Trade Commission. As is all granular data that can reveal “insights” that “can be attributed to particular people” through a “re-identification” procedure. This is one basis of complaints the FTC filed against Avast, X-Mode Social, and InMarket. A March 4, 2024 FTC blog post titled FTC Cracks Down on Mass Data Collectors: A Closer Look at Avast, X-Mode, and InMarket describes why these three companies’ collection of consumers’ browsing and location data raised concerns for the agency, and looks at two other data governance practices by those companies that also concerned the agency. All companies operating in the United States that collect and use consumer data should understand the themes emerging from the proposed settlements and orders and heed the admonitions from the agency moving forward.

First. The FTC stated seemingly insignificant data can reveal sensitive personal information. The government’s complaint against Avast alleged that trillions of granular data points can be assembled to reveal intimate details: that a customer reviewed a paper on a study of symptoms of breast cancer or searched for government jobs in Fort Meade with a salary greater than $100,000. And X-Mode, the government contended, “ingested more than 10 billion location data points . . . that were linked to timestamps and unique persistent identifiers,” which can reveal a person’s movements. Even if these datasets intentionally exclude “traditional standalone elements of PII,” they may nonetheless contain sensitive and personally identifiable information if, when aggregated or otherwise analyzed, “re-identification” can be achieved.

Second. The FTC stated these companies failed to disclose how they used the data they had collected. The FTC’s complaint against X-Mode alleged the company misled people by asserting their location data would be used solely for “ad personalization and location-based analytics,” when in fact X-Mode was selling the data to government contractors for national security purposes. The government also alleged that users of InMarket’s apps had no way to know that InMarket would collect their precise location data and combine it with data collected from other sources to build extensive customer profiles.

Software development kits (“SDKs”) compound the problem. As the FTC’s blog post explains, when “a developer incorporates a company’s code into their app through an SDK, that developer amplifies any privacy risks” because “the app developer is not the company that created the SDK [and] may not know how their users’ data will ultimately be stored, used, and disclosed.” The upshot? Companies must have clear and conspicuous privacy policies that accurately describe how they use the data they collect and honor their privacy promises and obligations. The FTC has made this point in blog posts before.

Third. Contractual safeguards put in place to protect consumer data from misuse must be followed, and it’s no excuse to say the incentives to match data to particular people were too great and outweighed adhering to these safeguards. The FTC complained that, at least in one case, Avast allegedly failed to include contract provisions that restricted how a third-party could use the consumer data Avast had collected.  But even if the proper contractual language is in place, those provisions must be closely followed: “Promises and contract clauses are important, but they must be backed up by action.”

So what is the solution according to the FTC? More enforcement. And the FTC actions against Avast (which includes a $16.5 million settlement), X-Mode, and InMarket illustrate this trend. These enforcement actions, as well as the FTC blog post discussing them, are an important reminder: companies participating in the data economy must be cautious as to the who, what, when, where, and why of data collection and use.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Laura Foggan Laura Foggan

Laura Foggan is a partner in Crowell & Moring’s Washington, D.C. office, and chair of the firm’s Insurance/Reinsurance Group. She has been described by LawDragon 500 Magazine as “one of the most successful advocates for the insurance industry to ever practice.” Laura was…

Laura Foggan is a partner in Crowell & Moring’s Washington, D.C. office, and chair of the firm’s Insurance/Reinsurance Group. She has been described by LawDragon 500 Magazine as “one of the most successful advocates for the insurance industry to ever practice.” Laura was recently recognized as a Global Elite Thought Leader for Insurance & Reinsurance by Who’s Who Legal (2019), who praised her as a “dynamic and creative thinker” who has “very high standards and delivers superior work.” She is a Chambers-ranked Band 1 practitioner and included in the Best Lawyers in America directory, and consistently named one of Washington D.C.’s “Top 100 Lawyers” and “Top 50 Women Lawyers” and a “Super Lawyer” for Insurance Coverage by Super Lawyers Magazine. Laura represents clients in a variety of litigation and counseling matters.

Photo of Jacob Canter Jacob Canter

Jacob Canter is an attorney in the San Francisco office of Crowell & Moring. He is a member of the Litigation and Privacy & Cybersecurity groups. Jacob’s areas of emphasis include technology-related litigation, involving competition, cybersecurity and digital crimes, copyright, trademark, and patent…

Jacob Canter is an attorney in the San Francisco office of Crowell & Moring. He is a member of the Litigation and Privacy & Cybersecurity groups. Jacob’s areas of emphasis include technology-related litigation, involving competition, cybersecurity and digital crimes, copyright, trademark, and patent, as well as general complex commercial matters.

Jacob graduated from the University California, Berkeley School of Law in 2018, where he launched Berkeley’s election law outreach program and pro bono project. He joins the firm after a year of practice at an international law firm in Washington, D.C., and a year clerking in the Southern District of New York for the Hon. Lorna G. Schofield. Jacob was exposed to and provided support in a variety of complex substantive and procedural legal topics during the clerkship, including trade secrets, insurance/reinsurance, contracts, class actions, privacy, intellectual property, and arbitrability.