Location Not Found: Mitigating Precise Geolocation Consent Flow Risk
Feb 22, 2024 by Miles Light, Counsel, Privacy Technology, BBB National Programs
2024 is off with a bang! It is only February, but privacy-minded Federal Trade Commission (FTC) watchers have already seen two bombshell enforcement actions related to alleged mishandling of consumer geolocation data.
The complaints against software development kit (SDK) providers X-Mode Social (and its successor Outlogic) and InMarket Media demonstrate that the FTC is closely scrutinizing how companies handle precise geolocation data collected from mobile devices. These cases are notable as they signify a renewed enforcement focus on third-party data brokers.
X-Mode and InMarket both operate “data aggregation” businesses, receiving data from upstream mobile app publishers. However, due to material omissions within their own disclosures, as well as omissions within the disclosures of upstream mobile apps that integrate the X-Mode and InMarket SDKs, the FTC argued that neither X-Mode nor InMarket had informed consent for the collection, processing, or sale of consumer location data.
The standard of informed consent that the FTC has articulated in these cases goes against how many data brokers have operated their businesses. The FTC’s scrutiny appears to be aimed at better informing consumers about the potential collection and use of their data by third parties, including data brokers.
Recognizing that many consumers do not understand the third-party ecosystem for personal data and are unaware of third-party processing activities, the FTC’s proposed orders should be seen as a warning that failure to properly inform end users of third-party processing may result in a significant bar to future processing for sensitive categories of information, particularly consumer location data.
What is at stake?
Before delving into the alleged practices that the FTC took issue with, it is important to note the breadth of the penalties the FTC has included in the proposed orders. Both orders would place bans on the future sale and transfer of location data.
Both X-Mode and InMarket would be required to delete or destroy all location data previously collected (and any products produced from this data) unless they:
- Obtain consumer consent, or
- Ensure that existing data is deidentified or rendered non-sensitive.
On top of this disgorgement provision, both companies would be required to develop what appears to be a wholly new regulatory innovation, namely “supplier assessment programs” that require X-Mode and InMarket to monitor if and how upstream companies solicit informed consent before sharing a consumer’s location data.
If a supplier of location data (such as a mobile app publisher) does not obtain informed consent before passing location data downstream, X-Mode and InMarket would be barred from processing the consumer’s data. Both companies would also have to provide a simple and easy-to-find way for consumers to request deletion and withdraw further consent for the collection and use of location data.
What conduct did the FTC allege to be unfair and deceptive?
The FTC brought 7 counts against X-Mode and 4 counts against InMarket for unfair and deceptive business practices under Section 5 of the FTC Act. The allegations in both cases are quite similar; both entities provided non-affiliate app publishers with SDKs capable of collecting mobile phone GPS data, published their own first-party apps that collected user location data, and failed to fully inform consumers about the purpose for collection.
- 4 of the 7 counts against X-Mode Social alleged disclosure practices that failed to obtain consumer informed consent for the use and sale of precise location data collected from X-Mode-owned apps as well as apps that utilized the X-Mode SDK.
- Likewise, the matter of InMarket alleged 3 counts of disclosure practices that failed to obtain consumer informed consent for the use and sale of precise location data collected from InMarket-owned apps as well as from apps that utilized the InMarket SDK.
The Takeaways
- The crux of the FTC’s allegations stem from material omissions; if a company discloses some uses but fails to communicate other potential uses of data at the point of collection, it does not have informed consent to engage in such processing activities, regardless of whether collection is performed by a first-party application publisher or an SDK provider.
- Publishers who utilize third-party SDKs should keep in mind that the FTC did not just go after X-Mode and InMarket for their SDK business. The FTC also took issue with material omissions in X-Mode- and InMarket-owned first-party apps.
- Additionally, failure on the part of the SDK providers to perform necessary due diligence—verifying that upstream disclosures sufficiently informed consumers—meant that X-Mode and InMarket could not engage in undisclosed processing activities. While third-party due diligence to monitor upstream informed consent processes is not necessarily required by most state consumer privacy laws, these FTC complaints indicate that, in the FTC’s view, SDK providers and other downstream data aggregators should proactively investigate how upstream data suppliers communicate third-party data processing activities to end users.
Align Practices to Secure Informed Consent
These cases demonstrate that the FTC will closely scrutinize the disclosure language companies display before soliciting precise geolocation data, regardless of their role in the data flow. SDK providers and other companies in this sector should be aware that these expectations are already being scrutinized and enforced through industry self-regulation. Since 2011, BBB National Programs’ Digital Advertising Accountability Program (DAAP) has acted as a self-regulatory watchdog under the Digital Advertising Alliance (DAA) Self-Regulatory Principles, which include a requirement to seek informed consent before soliciting precise geolocation data for third-party interest-based advertising activities.
Companies concerned that they may be making material misstatements or omissions within in-app disclosures should read the DAA Mobile Guidance section regarding Transparency and Control for Precise Location Data as well as DAAP’s Consent Compliance Warning. These documents outline an approach to informed consent, requiring publishers to provide clear, meaningful, prominent, and accurate in-app location disclosures to which users can directly respond and provide consent.
For example, rather than simply relying on a system popup with limited space, companies should provide a dedicated screen—before a system call to the phone’s GPS—that fully informs users of the purposes for which precise location is collected.
DAAP recommends that:
- Publishers take care with these in-app disclosures by describing, in plain language, both first-party and third-party purposes for location collection – which includes targeted advertising.
- To cut down on potential legalese, these disclosures should contain a link that takes users directly to additional relevant sections of a privacy policy, a location-specific disclosure, or relevant third-party disclosures when appropriate.
- Once the user has had an opportunity to read this prominent just-in-time notice, they may click a button and proceed to the system popup people have come to expect.
- Within the system popup, the user should be reminded of the information they have already seen, disclosing both first- and third-party uses of their data in a more succinct manner than the previous screen.*
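The four steps above, wired together on iOS as an added illustration; this is not code from the post, from DAAP, or from any SDK vendor. It assumes an app called "Example App", a placeholder privacy policy URL, an assumed UserDefaults key name, and a hypothetical third-party location SDK that is started and stopped through two closures. The point it makes that the bullets alone do not: the OS permission grant and the recorded in-app consent are tracked separately, and the downstream SDK runs only when both are present, so a user who tapped "Allow" on the system popup but never saw the fuller notice (or who later withdrew) never feeds location data downstream.

```swift
import CoreLocation
import UIKit

// Info.plist entry (assumed wording): the shorter purpose string shown inside the system
// popup (step 4). It should restate, not contradict, the fuller in-app notice below.
// NSLocationWhenInUseUsageDescription = "Example App uses your precise location to show nearby
//   offers and shares it with advertising partners for interest-based ads."

/// Step 1 and 2: a dedicated just-in-time notice shown BEFORE any CoreLocation call,
/// naming first- and third-party purposes in plain language and linking to the policy.
final class LocationDisclosureViewController: UIViewController {
    private let privacyPolicyURL = URL(string: "https://example.com/privacy#location")! // placeholder
    var onDecision: ((Bool) -> Void)?

    override func viewDidLoad() {
        super.viewDidLoad()
        view.backgroundColor = .systemBackground
        let notice = UITextView()
        notice.isEditable = false
        notice.isScrollEnabled = false
        notice.text = """
        Example App would like to use your precise location.
        First-party use: show offers near you.
        Third-party use: your location is shared with our advertising partners (via their \
        SDK) for targeted advertising and analytics.
        """
        let policyLink = UIButton(type: .system)
        policyLink.setTitle("Read the location section of our Privacy Policy", for: .normal)
        policyLink.addAction(UIAction { [url = privacyPolicyURL] _ in
            UIApplication.shared.open(url)
        }, for: .touchUpInside)
        let decline = UIButton(type: .system)
        decline.setTitle("Not now", for: .normal)
        decline.addAction(UIAction { [weak self] _ in self?.onDecision?(false) }, for: .touchUpInside)
        let accept = UIButton(type: .system)
        accept.setTitle("Continue", for: .normal) // Step 3: leads to the system popup
        accept.addAction(UIAction { [weak self] _ in self?.onDecision?(true) }, for: .touchUpInside)

        let stack = UIStackView(arrangedSubviews: [notice, policyLink, decline, accept])
        stack.axis = .vertical
        stack.spacing = 16
        stack.translatesAutoresizingMaskIntoConstraints = false
        view.addSubview(stack)
        NSLayoutConstraint.activate([
            stack.leadingAnchor.constraint(equalTo: view.layoutMarginsGuide.leadingAnchor),
            stack.trailingAnchor.constraint(equalTo: view.layoutMarginsGuide.trailingAnchor),
            stack.centerYAnchor.constraint(equalTo: view.centerYAnchor),
        ])
    }
}

/// Gates both the OS permission prompt and the downstream SDK on recorded informed consent.
final class LocationConsentCoordinator: NSObject, CLLocationManagerDelegate {
    static let consentKey = "informedLocationConsent.v1" // assumed key; bump on notice changes
    private let manager = CLLocationManager()
    private weak var presenter: UIViewController?
    private let startLocationSDK: () -> Void // hypothetical third-party SDK start
    private let stopLocationSDK: () -> Void  // hypothetical third-party SDK stop

    init(presenter: UIViewController,
         startLocationSDK: @escaping () -> Void,
         stopLocationSDK: @escaping () -> Void) {
        self.presenter = presenter
        self.startLocationSDK = startLocationSDK
        self.stopLocationSDK = stopLocationSDK
        super.init()
        manager.delegate = self
    }

    var hasInformedConsent: Bool { UserDefaults.standard.bool(forKey: Self.consentKey) }

    /// Entry point from the feature that needs location. Never calls CoreLocation first.
    func requestLocationAccess() {
        if hasInformedConsent { requestSystemPermission(); return }
        let notice = LocationDisclosureViewController()
        notice.onDecision = { [weak self, weak notice] accepted in
            notice?.dismiss(animated: true)
            guard accepted else { return }
            UserDefaults.standard.set(true, forKey: Self.consentKey) // record in-app consent
            self?.requestSystemPermission()                           // only now show the OS popup
        }
        presenter?.present(notice, animated: true)
    }

    /// Step 4: the system prompt displays the Info.plist purpose string above.
    private func requestSystemPermission() { manager.requestWhenInUseAuthorization() }

    func locationManagerDidChangeAuthorization(_ manager: CLLocationManager) {
        let status = manager.authorizationStatus
        let osGranted = status == .authorizedWhenInUse || status == .authorizedAlways
        // An OS grant alone is not informed consent for third-party sharing: require both.
        if osGranted && hasInformedConsent { startLocationSDK() } else { stopLocationSDK() }
    }

    /// Easy-to-find withdrawal path (e.g. from Settings): clears consent and halts the SDK.
    func withdrawConsent() {
        UserDefaults.standard.removeObject(forKey: Self.consentKey)
        stopLocationSDK()
    }
}
```

Versioning the consent key (the `.v1` suffix) means that when the notice text changes to add a new purpose, the app re-presents the full disclosure rather than relying on a consent given for a narrower set of uses, which is the material-omission problem the complaints describe. Withdrawal is handled in the app's own state, since the OS permission toggle in Settings does not by itself tell a downstream SDK to stop or delete.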
While this approach may require the use of an additional disclosure screen, friction that holds up the user for a moment is important since it allows publishers to demonstrate a thoughtful approach to seeking and soliciting consent from end users. Regardless of whether a company is a publisher or an SDK provider, following these best practices and adhering to DAA guidance will help to protect all members of the ecosystem from potential regulatory risk.
*Please note that while our Accountability Program does recommend that first-party publishers and third-party advertisers take these steps to conform with their DAA self-regulatory obligations, this post does not constitute legal advice, nor does BBB National Programs seek to conflate DAA obligations with other regulatory considerations.