FTC and Sensitive Location Data; New Pen Register Class Actions

Want to receive these privacy recaps that matter to consent management, adtech and martech in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

USA

FTC Takes Action Against the Sale of Sensitive Location Data

The FTC announced two proposed settlement orders, both involving the sale of sensitive location data:

1. Data broker Mobilewalla allegedly violated the FTC Act by collecting data, including sensitive location data, from real-time bidding exchanges and third-party aggregators, even when it didn’t have a winning bid, and selling it to third-party advertisers, data brokers and analytic firms without anonymizing the data, removing sensitive locations from the data set, or taking reasonable steps to verify consumer consent.

Among other measures, the proposed order will: (a) prohibit Mobilewalla from collecting consumer data while participating in online auctions for any purpose other than participating in the auction; (b) prohibit Mobilewalla from collecting or using location data if it cannot obtain records showing that consumers provided consent; and (c) provide a method for consumers to withdraw consent for the use of their data. 

2. Location analytics company Gravy Analytics allegedly violated the FTC Act by unfairly collecting, using and selling consumer location data even after learning that consumers didn’t provide informed consent and by unfairly selling sensitive characteristics, such as health or medical decisions, political activities and religious viewpoints, derived from consumer location data and event attendance.

Among other measures, the proposed order will prohibit Gravy Analytics from selling or using sensitive location data except in limited circumstances and will require Gravy Analytics to delete all historical location data and data products developed using the data unless it is de-identified, rendered non-sensitive, or consumers consent to its use. 

TAKEAWAY

With these two actions, the FTC has taken action against five companies regarding the unfair handling of sensitive location data, including previous actions against Kochava, X-mode and Inmarket. The FTC also previously issued a blog post warning that “Browsing and location data are sensitive. Full stop“, that “collecting, storing, using, and sharing people’s sensitive information without their informed consent violates their privacy”, and that the FTC would use all of its tools to continue to protect Americans from “abusive data practices and unlawful commercial surveillance”. 

For an overview of different regulatory approaches to sensitive data privacy in the U.S., download our guide.

Three Major Publishers Hit with Pen Register Class Actions

The same plaintiff, John Deddeh, has filed class action complaints against Politico (case 3:24-cv-08745), Gannett (case 3:24-cv-08742) and Nexstar Media (case 3:24-cv-08744) in the Northern District of California, all alleging that the publishers violated the California Invasion of Privacy Act by embedding and using various trackers to store tracker cookies on website users’ browsers and to collect and share with third parties user browser and device data and personally identifiable data, such as IP addresses, without user knowledge or consent.

Specifically (among other allegations), the complaints allege that this activity constitutes an unlawful use of a pen register or trap and trace device, because each of the trackers “is a device or process that captures and records outgoing addressing or signaling information [IP addresses] from the electronic communications transmitted by Plaintiff’s and Class Members’ computers, computer systems, and computer networks as they are accessing and visiting the [defendant’s] website”.

TAKEAWAY

Complaints alleging that web tracking technologies are unlawful pen registers reflect the latest wave of class action complaints and demand letters alleging that web tracking technologies violate various state and federal laws that existed long before the Internet, including state laws prohibiting unlawful wiretapping and the federal Video Privacy Protection Act, which prohibits the sharing by “video tape service providers” of identifiable video viewing information.  

To learn more about digital tracking litigation risk, watch our webinar on demand.

Want more of the privacy highlights that matter for consent management, adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.