“Browsing and location data are sensitive . . .. Full stop,” says the Federal Trade Commission. As is all granular data that can reveal “insights” that “can be attributed to particular people” through a “re-identification” procedure. This is one basis of complaints the FTC filed against Avast, X-Mode Social, and InMarket. A March 4, 2024 FTC blog post titled “FTC Cracks Down on Mass Data Collectors: A Closer Look at Avast, X-Mode, and InMarket” describes why these three companies’ collection of consumers’ browsing and location data raised concerns for the agency, and looks at two other data governance practices by those companies that also concerned the agency. All companies operating in the United States that collect and use consumer data should understand the themes emerging from the proposed settlements and orders and heed the admonitions from the agency moving forward.
First. The FTC stated that seemingly insignificant data can reveal sensitive personal information. The government’s complaint against Avast alleged that trillions of granular data points can be assembled to reveal intimate details: that a customer reviewed a paper on a study of symptoms of breast cancer or searched for government jobs in Fort Meade with a salary greater than $100,000. And X-Mode, the government contended, “ingested more than 10 billion location data points . . . that were linked to timestamps and unique persistent identifiers,” which can reveal a person’s movements. Even if these datasets intentionally exclude “traditional standalone elements of PII,” they may nonetheless contain sensitive and personally identifiable information if, when aggregated or otherwise analyzed, “re-identification” can be achieved.
Second. The FTC stated these companies failed to disclose how they used the data they had collected. The FTC’s complaint against X-Mode alleged the company misled people by asserting their location data would be used solely for “ad personalization and location-based analytics,” when in fact X-Mode was selling the data to government contractors for national security purposes. The government also alleged that users of InMarket’s apps had no way to know that InMarket would collect their precise location data and combine it with data collected from other sources to build extensive customer profiles.
Software development kits (“SDKs”) compound the problem. As the FTC’s blog post explains, when “a developer incorporates a company’s code into their app through an SDK, that developer amplifies any privacy risks” because “the app developer is not the company that created the SDK [and] may not know how their users’ data will ultimately be stored, used, and disclosed.” The upshot? Companies must have clear and conspicuous privacy policies that accurately describe how they use the data they collect and honor their privacy promises and obligations. The FTC has made this point in blog posts before.
Third. Contractual safeguards put in place to protect consumer data from misuse must be followed, and it’s no excuse to say the incentives to match data to particular people were too great and outweighed adhering to these safeguards. The FTC complained that, at least in one case, Avast allegedly failed to include contract provisions that restricted how a third party could use the consumer data Avast had collected. But even if the proper contractual language is in place, those provisions must be closely followed: “Promises and contract clauses are important, but they must be backed up by action.”
So what is the solution according to the FTC? More enforcement. And the FTC actions against Avast (which includes a $16.5 million settlement), X-Mode, and InMarket illustrate this trend. These enforcement actions, as well as the FTC blog post discussing them, are an important reminder: companies participating in the data economy must be cautious as to the who, what, when, where, and why of data collection and use.