FTC Cracks Down on Mass Data Collectors: A Closer Look at Avast, X-Mode, and InMarket
- Three recent FTC enforcement actions reflect a heightened focus on pervasive extraction and mishandling of consumers’ sensitive personal data.
- In January of this year, the FTC announced proposed settlements with two data aggregators, X-Mode Social and InMarket, to resolve a host of allegations stemming from how those companies handled consumers’ location data.
- X-Mode, the FTC alleged, sold consumers’ location data to private government contractors without first telling consumers or obtaining consumers’ consent to do so.
- X-Mode, the FTC alleges, ingested more than 10 billion location data points—which the company advertised as being 70% accurate within 20 meters or less—that were linked to timestamps and unique persistent identifiers.
- Indeed, the FTC’s proposed complaint against Avast acknowledges Avast’s use of a proprietary algorithm to find and remove these elements from its users’ browsing data before selling it.
- What makes the underlying data sensitive springs from the insights they reveal and the ease with which those insights can be attributed to particular people.
- Accordingly, the FTC’s proposed orders would require Avast, X-Mode, and InMarket to treat people’s browsing and location information as the sensitive data that it is.
- Where Avast did describe its information practices, the FTC’s proposed complaint alleges Avast deceptively promised that any sharing would be in “anonymous and aggregate” form.
- The FTC’s proposed complaint against X-Mode alleges in detail how the company misled people by asserting their location data would be used solely for “ad personalization and location-based analytics”—meaning consumers had no way to know that X-Mode also sold their location data to government contractors for national security purposes.
- The developer, however, will know if an SDK requires access to location permissions before they add the SDK to their app.
- [5] Similarly, offering people a flashlight app does not mean app developers can collect, use, store, and share people’s precise geolocation information.
- The FTC alleges that Avast, X-Mode, and InMarket each ignored this basic principle, and the proposed orders seek to hold them to account.
- Companies that sell or license data sometimes include language in their contracts prohibiting recipients from re-identifying the people in the data, or restricting how recipients use the data they buy.
- As the FTC’s proposed complaint against Avast alleges, some of the company’s underlying contracts did not prohibit data buyers from re-identifying Avast users.
- Going forward, the FTC’s proposed orders against Avast, X-Mode, and InMarket seek to ensure these companies comply with the law.
- As these actions underscore, the FTC is committed to protecting people from the unlawful collection, retention, use, and disclosure of their information.
- Collecting, storing, using, and sharing people’s sensitive information without their informed consent violates their privacy, and exposes them to substantial secondary harms like stigma, discrimination, physical violence, and emotional distress.
- The FTC will not stand for it.
- The Commission will use all of its tools to continue to protect Americans from abusive data practices and unlawful commercial surveillance.
[2] FTC Order Prohibits Data Broker X-Mode Social and Outlogic from Selling Sensitive Location Data (January 9, 2024), available at https://www.ftc.gov/news-events/news/press-releases/2024/01/ftc-order-pr....
[3] FTC Order Will Ban InMarket from Selling Precise Consumer Location Data (January 18, 2024), available at https://www.ftc.gov/news-events/news/press-releases/2024/01/ftc-order-wi....
[4] See, e.g., Luc Rocher, Julien M. Hendrickx, and Yves-Alexandre de Montjoye, Estimating The Success of Re-Identifications in Incomplete Datasets Using Generative Models, 10 Nature Commc’ns 3069 (2019), available at https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6650473/.
[5] Notice of Penalty Offenses Concerning Misuse of Information Collected in Confidential Contexts (Sept. 18, 2023), https://www.ftc.gov/system/files/ftc_gov/pdf/NPO-Misuse-Information-Coll....
[6] In the Matter of Goldenshores Technologies, LLC and Erik M. Geidl, FTC File No. 1323087 (2014), https://www.ftc.gov/legal-library/browse/cases-proceedings/132-3087-gold....
[7] For example, purporting to restrict recipients from using “the X-Mode Data (alone or combined with other data) to associate any user, device or individual with any venue that is related to healthcare, addiction, pregnancy or pregnancy termination, or sexual orientation.”
[8] Statement of Chair Lina M. Khan, Joined by Commissioner Rebecca Kelly Slaughter and Commissioner Alvaro M. Bedoya, In the Matter of Avast Limited Commission File No. 202-3033 (February 21, 2024), available at https://www.ftc.gov/system/files/ftc_gov/pdf/2024.02.21StatementofChairK....
[9] FTC Order Prohibits Data Broker X-Mode Social and Outlogic from Selling Sensitive Location Data (January 9, 2024), available at https://www.ftc.gov/news-events/news/press-releases/2024/01/ftc-order-pr....