On January 9, 2024, the Federal Trade Commission (FTC) announced its settlement with X-Mode Social and its successor Outlogic that will prohibit them “from sharing or selling any sensitive location data that could be used to track people’s visits to sensitive locations such as medical and reproductive health clinics, places of religious worship and domestic abuse shelters.”

The FTC’s settlement with X-Mode/Outlogic marks its first with a “data broker concerning the collection and sale of sensitive location information.” The FTC’s complaint alleged that Outlogic failed to put reasonable and appropriate safeguards in place regarding the use of the data by third parties. It further alleged that the company “did not have any policies in place to remove sensitive locations from the raw location data it sold…putting consumers’ sensitive personal information at risk.” The FTC alleged that the location data that Outlogic sold exposed consumers “to potential discrimination, physical violence, emotional distress, and other harms.”

The FTC alleged that the privacy policies did not inform consumers about how their location data would be used, which entities would receive the data and did not obtain informed consent to obtain access to sensitive location data.

To illustrate how sensitive location data can be used by data brokers, the FTC provided an example of how X-Mode in one contract with a customer “provided a private clinical research company information for marketing and advertising purposes about consumers who had visited certain internal medical facilities and then pharmacies or specialty infusion centers within a certain radius in the Columbus, Ohio area.”

The complaint and settlement agreement provide a road map of how data brokers are accessing, using, and disclosing location services, and serves as guidance for both consumers and marketing companies.

For consumers, this is a reminder to read the privacy policies of any application that seeks access to location services, and to frequently check which apps you have allowed access to location services on your devices. When you turn location services on, all of those apps are tracking your specific location. Stay abreast of who you are providing access to, check the access frequently, and consider only turning it on when using a particular app.

For companies who wish to request access to location services of consumers for marketing purposes, you may wish to revisit your privacy policy to determine whether you are transparent about how you are collecting, using, and disclosing location services. You might also consider creating and developing a program “that maintains a comprehensive list of sensitive locations, and ensure it is not sharing, selling or transferring location data about such locations.” In addition, it may be a good idea to: review and update internal policies and procedures around destruction of location data; develop a supplier assessment program to confirm that consumer consent is being obtained before the collection, use, or disclosure of location data; and “ensure that recipients of location data do not associate the data with locations that provide services to LGBTQ+ people…locations of public gatherings of individuals at political or social demonstrations or protests, or use location data to determine the identity or location of a specific individual…and establish and implement a comprehensive privacy program that protects the privacy of consumers’ personal information and also create a data retention schedule.” The settlement terms offer valuable guidance for compliance teams to note and use for their internal compliance programs if location services are being collected from consumers.

Photo of Linn Foster Freedman Linn Foster Freedman

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chair’s the firm’s Data Privacy and Security Team. Linn focuses her practice on…

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chair’s the firm’s Data Privacy and Security Team. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations. She counsels a range of public and private clients from industries such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine and charitable organizations, on state and federal data privacy and security investigations, as well as emergency data breach response and mitigation. Linn is an Adjunct Professor of the Practice of Cybersecurity at Brown University and an Adjunct Professor of Law at Roger Williams University School of Law.  Prior to joining the firm, Linn served as assistant attorney general and deputy chief of the Civil Division of the Attorney General’s Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.