Nearly a quarter of the 47 location data companies we identified in 2021 have faced Congressional scrutiny or regulatory enforcement actions
By: Jon Keegan
In 2021, The Markup identified and began reporting on 47 companies in the multi-billion-dollar industry that trades location data from mobile devices. Since then, 11 of the 47 companies on our list have been the subject of Congressional scrutiny or federal regulatory enforcement actions, and there are signs that number will continue to grow.
The most recent development came earlier this month when the Federal Trade Commission announced settlements with companies included in The Markup’s initial location data story, X-Mode and InMarket. The settlements forbid both companies from selling information collected from “sensitive locations” such as medical facilities, religious organizations, correctional facilities and shelters. Both companies also must create comprehensive privacy programs, delete any sensitive location data collected without informed consent, and develop a sensitive locations policy. The FTC described the bans on selling or licensing precise location data as “a first for the FTC”.
The Markup had previously identified X-Mode as among the companies buying precise location data from popular family-tracking app Life360. The company limited the sale of such data after our reporting. The Markup later revealed a list of 107 mobile apps, including LGBTQ dating apps, video streaming apps and Muslim prayer and dating apps that had sent location data to X-Mode between 2018 and 2019.
Jason Knapp, InMarket’s Chief Legal and Privacy Officer told The Markup in an emailed statement, “We share the FTC’s commitment to advancing consumer privacy, and while we fundamentally disagree with the FTC’s allegations, we are happy to reaffirm the steps InMarket is taking to further our policies around data disclosure and use.”
Josh Anton, president of X-Mode’s successor Outlogic, told The Markup previously, “After a lengthy investigation, the FTC found no instance of misuse of any data and made no such allegation. Since its inception, X-Mode has imposed strict contractual terms on all data customers prohibiting them from associating its data with sensitive locations such as healthcare facilities.”
The actions against X-Mode and InMarket are part of a broader crackdown that traces back to 2022.
Abortion Ruling Raised Alarm
The heightened scrutiny of location data companies is linked to the Supreme Court’s June 2022 decision to overturn the abortion-rights ruling Roe v. Wade. The ruling opened the door for dozens of states to potentially criminalize abortions.
Shortly after a draft of the decision leaked in May of 2022, Vice tech hub Motherboard reported that it had easily purchased a week’s worth of data on the movements of visitors to Planned Parenthood for $160. Such data could be used to target people for prosecution or harassment.
The company that sold the Planned Parenthood data, SafeGraph, was featured in our original data broker story and, like X-Mode, was identified in a subsequent story as having bought location data from Life360. Another company from our initial story, Placer.ai, was also found to be collecting location data at Planned Parenthood locations.
In May 2022, Senator Elizabeth Warren and 13 other Senate Democrats sent letters to SafeGraph and Placer.ai demanding that they “immediately account for [their] problematic practices to Congress and to the American people.”
Shortly after, Senators Amy Klobuchar and Tammy Baldwin and a group of 14 other Senate Democrats wrote FTC Chair Lina Khan urging the agency to look into the collection of location data of people seeking reproductive health care. The letter also cited The Markup’s initial reporting on the location data industry.
The Supreme Court’s final decision overturning Roe, Dobbs v. Jackson Women’s Health Organization, was published on June 24, 2022.
July brought a flurry of Congressional oversight. Sen. Warren announced that Placer.ai and SafeGraph had agreed in writing to permanently stop selling data collected at abortion clinics or family planning centers. Representatives Carolyn Maloney, Raja Krishnamoorthi and Sara Jacobs announced an investigation into reproductive health data privacy and sent letters to a number of companies seeking details about their data collection practices, including five location data companies on our list: SafeGraph, X-Mode (via their parent company Digital Envoy), Placer.ai, Gravy Analytics, and Babel Street.
Responding to Sen. Warren’s letter, SafeGraph stated at the time that the company “does not sell data that identifies individuals, and SafeGraph’s data cannot be “de-anonymized” using any known method of re-identification,” but agreed to remove data from abortion clinics and family planning centers and prevent further collection from such locations. In Placer.ai’s response, the company also denied selling data on individuals, noting their data was aggregated and said that “the Company commits, on a permanent basis, to disabling user access to data about any additional sensitive locations that raise similar concerns—including other reproductive health providers that may not have been identified in the Company’s prior reviews.”
Shortly after these letters, the Federal Trade Commission issued a blog post aimed at businesses that cited FTC actions against companies improperly handling sensitive data over the past year and a half. “The FTC does not tolerate companies that over-collect, indefinitely retain, or misuse consumer data,” it added.
Later in July, Representative Lori Trahan and a group of five other House Democrats sent letters citing The Markup’s reporting to Amazon’s AWS Data Exchange, Oracle, Near, and Mobilewalla. Each company was asked to detail their privacy policies related to data collection from sensitive locations and other business practices.
Enforcement, Enforcement, Enforcement
In August 2022, the FTC started to act against the location data companies on our list, suing data broker Kochava for selling location data collected from people visiting abortion clinics and other sensitive locations.
“Kochava does not sell this [precise location] data to entities or individuals that use data for the nefarious reasons theorized in the FTC’s lawsuit,” wrote Charls Manning, Kochava’s CEO in a blog post at the time of the lawsuit. Manning added that the FTC’s suggestion of the company selling or sharing data from sensitive locations “is entirely based on hypothetical scenarios.”
Last year an Idaho district court dealt a blow to the FTC by dismissing the case at Kochava’s request. The agency has since filed an amended complaint with greater detail about the company’s data collection practices, including specific examples found in a sample Kochava dataset of data collected at a reproductive health clinic and houses of worship. The case is still pending.
Kochava spokesperson Leslie Amadio told The Markup in an emailed statement that the company has not violated any rules or laws and that, “We remain hopeful that seeking regulatory clarity through the Court and challenging the FTC’s ambiguous claims will ultimately benefit consumers and advertisers as a whole.”
Kochava, along with Gravy Analytics, was among the companies The Markup identified in November 2022 that help political campaigns target voters by their location data.
The FTC is not being shy about its plans to go after other companies that it deems to be in violation of federal law. A recent post by FTC Senior Attorney Lesley Fair noted that the agency “will not stand for the deceptive or unfair collection of consumers’ sensitive geolocation information. Companies that illegally traffic in data of that nature are on notice: now is the time to reassess your practices.”
The FTC did not respond to a request for comment.
The tactic of going after individual companies may be the only tool that regulators have to change the data collection practices of location data companies. A federal privacy law such as the American Data Privacy and Protection Act, approved by the House Energy & Commerce Committee in 2022, could create an existential crisis for the location data industry, certainly reshaping it, and possibly even killing it. But with an increasingly deadlocked Congress and a volatile election on the horizon, the prospects of such a bill passing appear slim.
With obstacles to federal action, states may move faster to take action against the industry.
In Massachusetts, a proposed strong consumer privacy law may go further than any privacy law to date by banning the sale, rent or trading of location data to third parties. The Massachusetts Senate version of the bill is currently with the Joint Committee on Consumer Protection and Professional Licensure, and the decision to advance the bill has a deadline in February.
State Senator Cynthia Stone Creem, sponsor of the bill, recently tweeted, “Massachusetts can become the first in the nation [to] ban the sale of personal location data. With abortion rights under attack, it’s up to states to strengthen privacy protections for those seeking & providing Reproductive Healthcare.”
This article was originally published on The Markup and was republished under the Creative Commons Attribution-NonCommercial-NoDerivatives license.