In a landmark move, the U.S. Federal Trade Commission (FTC) has barred data broker Outlogic, previously known as X-Mode Social, from sharing or selling sensitive location data. The prohibition stems from allegations that the company facilitated the sale of precise location information, enabling the tracking of individuals visiting sensitive locations like medical facilities, places of worship, and domestic abuse shelters.

 

Allegations and Settlement Terms:

The settlement mandates Outlogic to cease sharing or selling sensitive location data and implement measures to address privacy concerns. The FTC accused the company of failing to establish sufficient safeguards against the misuse of location data by downstream customers. The order also requires the destruction of previously gathered location data unless consumer consent is obtained, or the data is de-identified.

Data Collection Mechanism:

Outlogic, previously X-Mode, operates by collecting precise location data from proprietary and third-party apps incorporating its software development kit (SDK). The company has faced scrutiny for obtaining data from other brokers and aggregators. Notably, the raw location data is associated with mobile advertising IDs, making it identifiable and traceable to individual mobile devices.

Privacy Risks and Violations:

Until May 2023, Outlogic lacked policies to remove sensitive locations from the sold location data, posing significant privacy risks. The FTC highlighted the potential for users to face discrimination, violence, emotional distress, and other harms due to the exposure of unsecured sensitive location information.

Lack of Transparency and Consent:

Outlogic was admonished for its lack of transparency regarding data recipients when a third-party app with its SDK was used. The company also failed to ensure informed consumer consent for location information access. Additionally, negligence in honoring opt-out requests from Android users raised concerns.

Company Response and Senator’s Statement:

Outlogic disagreed with the FTC’s “implications” in a statement to Reuters, asserting no misuse of location data. U.S. Senator Ron Wyden commended the FTC’s action but emphasized the need for comprehensive privacy legislation to safeguard personal information and prevent government agencies from procuring data through brokers.

 

Remediation Steps:

• SDK Removal: App developers should consider removing the Outlogic (X-Mode) SDK from their applications to align with Apple and Google’s previous recommendations.
• Privacy Policies: Implement clear and comprehensive privacy policies, ensuring transparent communication with users regarding data collection practices and recipients.
• Data Anonymization: Employ robust data anonymization techniques to dissociate location data from individual identities, reducing the risk of privacy violations.
• Consent Mechanisms: Enhance consent mechanisms for location data access, ensuring users are fully informed and granting explicit permission.
• Opt-Out Functionality: Implement effective opt-out mechanisms, respecting user preferences and providing the means to discontinue tracking and personalized ads.