The FTC is starting the year strong with a consent order against X-Mode Social, Inc. and its successor Outlogic, LLC., prohibiting it from sharing or selling any sensitive location data following a complaint that it sold sensitive location data without first obtaining informed consent from consumers in violation of the FTC Act.
What did X-Mode (a location data broker) do wrong (according to the FTC)?
🚫 X-Mode did not have any policies in place to remove sensitive locations from the raw location data it sold.
🚫 X-Mode did not have reasonable or appropriate safeguards against downstream use of the precise location data it sold.
🚫 X-Mode failed to ensure that users of its apps, as well as third-party apps that used the X-Mode's SDK, were fully informed about how their location data would be used.
🚫 X-Mode failed to employ the necessary technical safeguards and oversight to ensure that it honored requests by some Android users to opt out of tracking and personalized ads.
*Consider this your list of what not to do.
What are the Penalties?
✔ X-Mode must delete or destroy all the location data it previously collected and any products produced from this data unless it obtains consumer consent or ensures the data has been de-identified or rendered non-sensitive.
✔ X-Mode must provide a simple and easy-to-find way for consumers to withdraw their consent for the collection and use of their location data and for the deletion of any location data that was previously collected.
✔ X-Mode must establish and implement a comprehensive privacy program that protects the privacy of consumers’ personal information and also creates a data retention schedule.
✔ X-Mode must develop a supplier assessment program to ensure that companies that provide it with location data are obtaining informed consent from consumers for the collection, use and sale of the data (without such assurances, they must stop using the information).
*The consent agreement will be open for public comment before it is finalized.