Today, the U.S. Federal Trade Commission (FTC) banned data broker Outlogic, formerly X-Mode Social, from selling Americans’ raw location data that could be used for tracking purposes.
Under the order released today, the first time data brokers were barred from sharing and selling users’ sensitive location data, Outlogic must now delete all unlawfully collected sensitive location data, including any models or algorithms derived from this data.
This action is in response to data brokers’ practices of exposing individuals’ location data and revealing much more sensitive information, such as medical visits and religious affiliations.
The FTC’s complaint sheds light on Outlogic’s history of selling consumer location data to hundreds of clients across diverse industries, including real estate, finance, and government sectors. Despite these activities, the FTC says the company lacked protocols to remove sensitive locations from the raw data it sold.
To make matters worse, even when individuals opted out of using their location data for marketing purposes, Outlogic sometimes failed to respect their preferences.
“Geolocation data can reveal not just where a person lives and whom they spend time with but also, for example, which medical treatments they seek and where they worship,” said FTC Chair Lina M. Khan.
“The FTC’s action against X-Mode makes clear that businesses do not have free license to market and sell Americans’ sensitive location data. By securing a first-ever ban on the use and sale of sensitive location data, the FTC is continuing its critical work to protect Americans from intrusive data brokers and unchecked corporate surveillance.”
Outlogic specializes in selling and licensing precise location data sourced from its proprietary mobile apps, third-party apps using its software development kit (SDK), and purchasing data from other brokers.
However, it did not adequately inform users of their apps (Drunk Mode and Walk Against Humanity) or third-party apps that used Outlogic’s SDK about the use of their location data.
Outlogic also had shortcomings in providing complete disclosures regarding who would be able to buy the users’ location data and failed to obtain informed consent from consumers to access their sensitive location data, a critical oversight noted in FTC’s complaint.
Furthermore, Outlogic’s inadequate technical safeguards led to disregarding requests from certain Android users to opt out of tracking and personalized advertisements.
“As AI models further incentivize firms to vacuum up people’s personal data, placing limits on how firms can track and use sensitive information is paramount,” FTC Chair Lina Khan said.
“FTC will continue to use all our tools to safeguard Americans’ sensitive data from unchecked corporate surveillance.”
Today’s order follows an August 2022 Biden executive order safeguarding access to reproductive health care services and protecting patients’ privacy issued after an anti-abortion group also used mobile location data to target visitors of some Planned Parenthood clinics with ads.
Update January 09, 18:39 EST: In an email sent after this article was published, an Outlogic/X-Mode spokesperson told BleepingComputer that the company disagrees “with the implications of the FTC press release,” saying the “FTC found no instance of misuse of any data and made no such allegation.”
“Since its inception, X-Mode has imposed strict contractual terms on all data customers prohibiting them from associating its data with sensitive locations such as healthcare facilities. Adherence to the FTC’s newly introduced policy will be ensured by implementing additional technical processes and will not require any significant changes to business or products,” the spokesperson added.