Business Blog
How “location, location, location” can lead to “enforcement, enforcement, enforcement”
Do consumers attend a Christian church? Are they the parents of preschoolers? Would the description “wealthy and not healthy” apply to them? By tracking people’s mobile devices, Texas-based InMarket Media has collected their precise geolocation and cross-referenced their location histories with other personal data to categorize them into roughly 2,000 different audience segments that the company then marketed for the purpose of targeted advertising. According to a proposed FTC complaint, InMarket Media did that without fully informing consumers and without getting their consent to use their location – including information linking them to particularly sensitive places – for commercial purposes.
InMarket Media is a digital marketing platform and data aggregator that collects vast amounts of consumers’ location data by tracking their movements over time through their mobile devices and then matching that information with other specific details – for example, their purchasing histories, their demographics, and their socioeconomic backgrounds. As this case and others makes clear, a particular FTC concern is the extent to which collecting location data can reveal where people live and work, where they worship, where their kids go to school, where they seek medical treatment, and other sensitive information collected without consumers understanding what’s going on behind their backs.
The complaint alleges that InMarket compiled that mountain of personal information from two primary sources. First, it embedded a location-collecting software development kit (SDK) in its own two apps – shopping rewards app CheckPoints and shopping list app ListEase, which have been downloaded to more than 30 million unique devices since 2017. But it didn’t stop there. InMarket also made its SDK available to more than 300 third-party apps downloaded to more than 390 million different devices during that same period. The FTC says app developers had a particular incentive to use InMarket’s SDK because they got a portion of InMarket’s advertising revenue from each ad served through those apps.
You’ll want to read the complaint for details about how the FTC says InMarket’s practices violated consumers’ privacy, but it boils down to this. Based on the places people have visited, the company was able to create all those distinct audience segments – for example, low-income millennials, parents of home-schooled kids, well-off suburban moms, and blue-collar workers – that it then offered to clients. By combining that data with information collected from other sources, InMarket marketed highly specific information about individual consumers that could be used to target them with ads. It also held on to that information for as long as five years.
In addition, InMarket offered advertisers a product that sent push notifications based on a consumer’s location and “geofencing” – that person’s real-time proximity to a particular location. For example, a consumer who was within 200 meters of a pharmacy might have seen an ad for toothpaste, cold medicine, or similar products. In addition, InMarket made its advertising audience segments available on real-time bidding platforms. That way advertisers could select a particular audience and bid on what they were willing to pay each time their ad appeared on the mobile device of a person who fit the selected category. InMarket made money each time an advertiser used that process.
The complaint alleges that InMarket unfairly collected and used consumer location data derived from its own apps and third-party apps that included its location-grabbing SDK. The FTC also says the company deceptively failed to disclose its use of consumer location data and unfairly retained it for longer than was reasonably necessary to effectuate its business purpose.
To settle the case, InMarket has agreed to a proposed order that would prohibit the company from selling or licensing precise location data. Among other things, the settlement would require InMarket to implement an effective program to prevent it from using or sharing any products or services that categorize or target consumers based on sensitive location data. In addition, it must destroy all location data it previously collected and any products produced from that data unless it gets consumer consent or ensures the data has been deidentified or rendered non-sensitive. For consumers whose location data was collected through InMarket’s own apps, the company must notify them about the FTC’s action in this case and give them a way to request that their location data is deleted. What’s more, InMarket must provide an easy way for consumers to withdraw their consent for the collection and use of their location data. Once the proposed settlement is published in the Federal Register, the FTC will receive public comments for 30 days.
The proposed settlement sends important messages to others in the industry.
The FTC will take action to protect consumers against the illegal collection of their location data. This case and the recent proposed settlement with X-Mode Social convey the unmistakable conclusion that the FTC will not stand for the deceptive or unfair collection of consumers’ sensitive geolocation information. Companies that illegally traffic in data of that nature are on notice: now is the time to reassess your practices.
When it comes to consumer consent, half-truths are untruths. Savvy companies will take the time to read the InMarket complaint carefully to glean important compliance guidance about what constitutes effective consumer consent – and what doesn’t. For example, iOS users who downloaded InMarket’s rewards app were asked, “Allow CheckPoints to access your location? This allows us to award you extra points for walking into stores.” The consent screen for Android users said, “CheckPoints finds nearby earning opportunities by using your device’s location,” and then asked users to “Enable Location Services.” That was one purpose for which InMarket collected consumers’ location, but it was nowhere near the full story of what InMarket was doing with their personal data behind the scenes. The FTC says the company used similar half-truths to get consumers to agree that its shopping list app could collect their location. But as the complaint makes clear, “consent” to one use without an explanation of other uses is no consent at all.
Verify that third parties have effective consumer consent to share location information with you. The complaint also charges that InMarket failed to verify that users of third-party apps incorporating its SDK had been notified that their location data would be used to target advertising. What should companies do to avoid legal hot water? First, require third-party apps using your SDK to get consumers’ informed consent for the specific collection of geolocation data for advertising and marketing purposes – or for whatever purpose their data will be used. Second, maintain sufficient records of how third parties are fulfilling that obligation and the steps you’re taking to monitor compliance. (By the way, pro forma statements that developers must “comply with all applicable laws” won’t suffice.)
It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system, and user names also are part of the FTC’s computer user records system. We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.
The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.
We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.
Developers must follow laws and comply
thank you, FTC, for this important activity. Would the Commission consider asking the public if the various penalties that it is authorized to seek or to impose are adequate? Greater costs to deliberate violators of the Commission's Rule and Regulations would reduce the frequency with which those Rules and Regs are ignored.