The U.S. Federal Trade Commission (FTC) on Tuesday prohibited data broker Outlogic, which was previously known as X-Mode Social, from sharing or selling any sensitive location data with third-parties.
The ban is part of a settlement over allegations that the company “sold precise location data that could be used to track people’s visits to sensitive locations such as medical and reproductive health clinics, places of religious worship and domestic abuse shelters.”
The proposed order also requires it to destroy all the location data it previously gathered unless it obtains consumer consent or ensures the data has been de-identified or rendered non-sensitive as well as maintain a comprehensive list of sensitive locations and develop a comprehensive privacy program with a data retention schedule to prevent abuse.
The FTC accused X-Mode Social and Outlogic of failing to establish adequate safeguards to prevent the misuse of such data by downstream customers. The development marks the first-ever ban on the use and sale of sensitive location data.
X-Mode, which first attracted attention in 2020 for selling location data to the U.S. military, works by offering precise location data that it collects from proprietary apps and third-party apps that incorporate its software development kit (SDK) into its apps. It’s also said to have procured location data from other data brokers and aggregators.
Following the revelations in 2020, both Apple and Google urged app developers to remove the SDK from their apps or face a ban from their respective app stores.
“The raw location data that X-Mode/Outlogic has sold is associated with mobile advertising IDs, which are unique identifiers associated with each mobile device,” the FTC said. “This raw location data is not anonymized, and is capable of matching an individual consumer’s mobile device with the locations they visited.”
The agency further said that the company, until May 2023, did not have any policies in place to remove sensitive locations from the location data it sold, not only putting users’ privacy at risk, but also exposing them to potential discrimination, physical violence, emotional distress, and other harms.
The FTC also called out X-Mode for not being transparent about which entities would receive the data when a customer used a third-party app with its SDK and that it failed to ensure that these apps sought informed consumer consent to grant it permission to access their location information in the first place.
Lastly, X-Mode was alleged to have been negligent in honoring requests made by some Android users to opt out of tracking and personalized ads.
In a statement provided to news agency Reuters, Outlogic said it disagreed with the “implications” of the FTC announcement, and there was no finding it misused location data.
“I commend the FTC for taking tough action to hold this shady location data broker responsible for its sale of Americans’ location data,” U.S. Senator Ron Wyden said in a statement shared with The Hacker News.
“In 2020, I discovered that the company had sold Americans’ location data to U.S. military customers through defense contractors. While the FTC’s action is encouraging, the agency should not have to play data broker whack-a-mole. Congress needs to pass tough privacy legislation to protect Americans’ personal information and prevent government agencies from going around the courts by buying our data from data brokers.”