Full Report
The FTC has accused three data brokers, including Gravy Analytics and Venntel, of illegally tracking and selling non-anonymized consumer location data. The post FTC goes after three data brokers with enforcement actions appeared first on CyberScoop.
Analysis Summary
# Regulation/Compliance: FTC Enforcement Against Data Brokers for Location Data Misuse
## Overview
This summary addresses enforcement actions taken by the Federal Trade Commission (FTC) against three data brokers (Gravy Analytics, Venntel, and Mobilewalla) for allegedly unlawfully tracking, collecting, and selling non-anonymized, sensitive consumer location data, violating the FTC Act. The concern focuses on the sale of data revealing visits to sensitive locations such as healthcare facilities and places of worship, undermining civil liberties.
## Key Details
- Issuing Authority: Federal Trade Commission (FTC)
- Effective Date: Actions were taken recently (December 3, 2024), based on prior alleged violations. The consent orders establish immediate requirements.
- Jurisdiction: United States, applying to companies operating as data brokers collecting and selling consumer location data.
- Status: Final (Enforcement Actions/Settlements finalized).
## Requirements
### Mandatory Requirements
1. **Prohibition on Selling/Sharing Sensitive Location Data:** The companies are prohibited from selling or sharing any sensitive location data, except for specified critical needs (national security or law enforcement reasons).
2. **Sensitive Place Identification Program:** Companies must create and implement a program to actively identify and protect designated sensitive locations.
3. **Protection of Specific Sensitive Locations:** This program must specifically identify and protect data related to visits to:
* Hospitals and medical centers
* Places of worship
* Prisons or jails
* Labor union offices
* Schools or childcare centers
* Services that help people based on race or ethnicity
* Shelters (homeless, abuse victims, refugees, or immigrants)
* Military bases
### Recommended Practices
1. **Data Anonymization Verification:** While not explicitly mandated as a general practice in all contexts, companies should ensure that any location data sold or shared outside the prohibited areas is demonstrably and permanently anonymized, given the current action targets non-anonymized data.
2. **Enhanced Consumer Transparency:** Improve disclosures regarding the collection, processing, and curation of location signals, especially concerning sensitive visitation patterns.
## Affected Organizations
- Industries: Data Brokers, Location Intelligence Providers, Mobile Data Suppliers.
- Organization Size: Applicable to entities engaged in the described data practices, regardless of size.
- Geographic Scope: Primarily the United States, though operations affecting U.S. consumers are subject to FTC jurisdiction.
## Compliance Timeline
- Current Date (Dec 3, 2024): Enforcement actions filed/settlements reached.
- Immediate Compliance Required: The terms of the FTC order must be immediately adhered to, including stopping the sale of sensitive location data and beginning the implementation of the sensitive place identification program.
- Final deadline: Full compliance with the judicial order is required immediately upon settlement, with ongoing monitoring stipulated by the FTC.
## Implementation Guidance
### Assessment Phase
- Inventory all current data streams, suppliers, and purchasers of consumer location data, differentiating between general and sensitive location markers.
- Map collected data against the list of sensitive locations outlined by the FTC settlement.
### Implementation Phase
- Immediately cease the sale and sharing of location data linked to the explicitly protected sensitive locations.
- Develop and document the methodology for the new mandatory Sensitive Place Identification Program.
- Establish internal review gates to ensure all current and future data transfers comply with the exceptions (national security/law enforcement).
### Validation Phase
- Subject the new data handling and protection processes to internal audits that test data streams against the prohibited sensitive categories.
- Prepare evidence logs demonstrating compliance controls for potential FTC review under the terms of the final order.
## Technical Requirements
1. **Geofencing Technology Adjustments:** Review and modify any geofencing technology (like that used by Gravy Analytics) to prevent the creation of segmented lists based on visits to protected locations.
2. **Data Processing Review:** Ensure granular location data (17 billion signals daily, as alleged against Gravy Analytics/Venntel) is rigorously scrubbed or segmented according to the new restrictions.
3. **Home Location Identification:** Implement controls to prevent the exposure or sale of data segments that reveal a consumer's home address (as alleged against Mobilewalla).
## Penalties & Enforcement
- Fines: While the article notes the *actions* taken, the summary implies significant penalties or requirements stemming from violations of the FTC Act and the resulting settlements. Past similar actions suggest substantial monetary penalties or mandated corrective actions designed to fundamentally change business models.
- Other Consequences: Prohibition on future non-compliant data sales/sharing; requirement to establish detailed compliance programs; civil penalties for future violations of the order.
- Enforcement: Enforcement is overseen by the FTC Bureau of Consumer Protection, leveraging the authority of the FTC Act and the terms of the finalized consent orders. This is part of the FTC's recurring focus on location data mishandling (e.g., preceding actions against Kochava and X-Mode).
## Related Standards
- **FTC Act:** The foundational legal authority used for these enforcement actions, targeting unfair or deceptive acts or practices in commerce.
- **General Privacy Principles:** While not citing a specific framework like GDPR or CCPA directly, the focus aligns with general privacy guidelines concerning sensitive personal information and the need for robust de-identification.
- **CFPB Proposals:** Contextually linked to broader federal regulatory movement aimed at restricting data brokers' ability to sell sensitive personal information.
## Resources
- Official Documentation: FTC Press Release regarding actions against Gravy Analytics, Venntel, and Mobilewalla (search for the December 3, 2024 releases on FTC.gov).
- Guidance Documents: FTC guidance on data broker obligations and consumer privacy.
- Tools: Internal tools for data cataloging, access control, and geofence mapping are necessary for implementation.
## Practical Recommendations
1. **Immediate Data Audit:** Conduct an immediate review of all location data currently being processed or sold to determine if points of interest (POIs) match common sensitive locations (hospitals, churches, etc.).
2. **Review Data Broker Contracts:** Re-evaluate agreements with upstream data suppliers and downstream purchasers to ensure contractual flow-down requirements prohibit the exchange of data that violates the new FTC restrictions.
3. **Establish Governance for Sensitive Data:** Formalize internal policies defining what constitutes "sensitive location data" within the organization and establish a clear governance board responsible for authorizing any exceptions (national security/law enforcement).