Location Data Broker X-Mode and the FTC’s Unprecedented Settlement
Published by The Lawfare Institute
in Cooperation With
Editor’s note: This is the first article of a two-part analysis. The second article can be found here.
The Federal Trade Commission (FTC) has reached its first-ever settlement with a geolocation data broker—X-Mode Social and its successor company, Outlogic. Under the settlement, the broker, which sells precise geolocation data, will be prohibited from selling or sharing any data that could track people to defined, sensitive locations, such as reproductive health clinics, places of worship, and domestic abuse shelters. FTC Chair Lina Khan, joined by Commissioners Rebecca Kelly Slaughter and Alvaro Bedoya, said that “the Commission rejects the premise so widespread in the data broker industry that vaguely worded disclosures can give a company free license to use or sell people’s sensitive location data.”
X-Mode has been in the media spotlight before: Vice reported in November 2020 that X-Mode was selling location data to U.S. military contractors and, in turn, the U.S. military; Apple and Google subsequently told developers to remove X-Mode code from their apps or get kicked off the app store, although that action did not deter X-Mode from continuing to gather and sell geolocation data from apps on consumers’ phones. The unprecedented order, among others, compels X-Mode (now, Outlogic) to stop selling location data about “sensitive locations” (such as reproductive health clinics), start an internal program to prevent the use and sale of data about sensitive locations, prevent buyers of the location data from analyzing protests and other activities, and delete data already collected through its apps or software development kit (SDK).
This analysis dives into some of the biggest takeaways from the settlement, including X-Mode’s previous lack of due diligence in monitoring customer data use, the requirements to ensure better levels of consumer consent to use data, the mandatory implementation of a supplier assessment program for consent, and mandated protections for medical facilities, labor union offices, children’s schools and daycare facilities, and other sensitive locations. It notes that many location data brokers might not be deterred from selling data just because of the order. But the order does send a very strong signal to companies that selling persistently identified location data without consumers’ affirmative express consent (which many location data brokers do not get), and at a scale that consumers cannot reasonably escape, is clearly an unfair trade practice within the FTC’s enforcement authority.
The FTC’s Settlement With X-Mode, in Short
The second article in this analysis focuses on the use of lists of sensitive locations. Here, it is worth summarizing other key takeaways from the FTC’s sweeping settlement. Going forward, X-Mode is prohibited from misrepresenting its use, maintenance, disclosure, and deletion of covered information and the extent to which that information is “deidentified.” For instance, according to the FTC’s May 2023 complaint, X-Mode sells location data alongside mobile advertising IDs (MAIDs), which are widely used persistent identifiers to track consumers—and, as the FTC points out, can easily be linked via data brokers to people’s names. The broker cannot misrepresent this fact.
The order also requires that X-Mode notify the FTC within 30 days of determining there was a “third-party incident,” defined as a third party sharing X-Mode’s location data in violation of its contractual requirements. Based on the May 2023 complaint, this is not theoretical, either: X-Mode—in at least two known instances—“sold location data to customers who violated contractual restrictions limiting the resale of such data.” In both of those known instances, X-Mode did not even know “the full extent of the exposure such as the identities of all third parties that received the data, how those third parties used the data, or whether those third parties further distributed the data to other recipients.” Clearly, it lacked due diligence measures and controls to understand and mitigate these risks.
X-Mode is explicitly prevented from collecting, using, maintaining, or disclosing location data if a consumer has activated their mobile operating system’s features to opt out of, limit, or decline targeted ads or tracking. (That this requirement is not already standard practice underscores that many location data brokers quietly scrape up and aggregate individuals’ geolocation data.) The settlement requires X-Mode to implement a supplier assessment program to ensure that all the location data it receives was collected from consumers with consent—or, if that is not the case, to stop selling or disclosing that data.
As part of the program, X-Mode will have to create and maintain records from each of its data suppliers documenting consumers’ affirmative express consent. This is an imperfect situation, as Congress has not passed stronger privacy laws to emphasize that a person clicking “agree” on a privacy policy without reading is not “consent”—but the FTC is taking important measures by requiring “affirmative express consent” with a number of subcomponents. For instance, the disclosure to consumers requesting their “affirmative express consent” must be “clear and conspicuous” and separate from any existing terms of service, terms of use, or privacy policy. Someone hovering over a piece of content on a website, muting content, pausing content, or closing content, the settlement says outright, does not constitute affirmative express consent.
The list goes on. X-Mode must either (a) permit consumers to learn which companies and other organizations have bought their location data from X-Mode or (b) clearly and conspicuously give consumers a way to delete their data, passing those deletion demands on to X-Mode customers as well. It must provide consumers an easy means to withdraw any consent to sell their location data (and then comply within 15 days); maintain an easy way for consumers to request their location data be deleted (and then comply within 30 days), unless it is used for data security investigations or fraud prevention; and develop and publish, within 60 days, a data retention schedule for each type of data it collects. Further, a qualified employee at X-Mode has to lead the implementation of a privacy program within 60 days that will update the board of directors or governing body on the program’s status and ongoing evaluations, assess privacy risks to the broker’s data, train employees, implement and test safeguards, and evaluate and update the program as needed.
Then, there are the requirements around sensitive locations. In the settlement, the FTC defines “sensitive locations” as:
locations within the United States associated with: (1) medical facilities (e.g., family planning centers, general medical and surgical hospitals, offices of physicians, offices of mental health physicians and practitioners, residential mental health and substance abuse facilities, outpatient mental health and substance abuse centers, outpatient care centers, psychiatric and substance abuse hospitals, and specialty hospitals); (2) religious organizations; (3) correctional facilities; (4) labor union offices; (5) locations of entities held out to the public as predominantly providing education or childcare services to minors; (6) associations held out to the public as predominantly providing services based on racial or ethnic origin; or (7) locations held out to the public as providing temporary shelter or social services to homeless, survivors of domestic violence, refugees, or immigrants.
X-Mode is prohibited henceforth from selling, licensing, transfer, sharing, disclosing, or otherwise using location data associated with sensitive locations that are identified within 180 days of the order. However, there are two exceptions: The prohibition does not apply if the broker draws on sensitive location data to generate data that is not location data or about sensitive locations. It also does not apply if the broker has a direct relationship with the consumer, gets their affirmative express consent, and uses the sensitive location data to provide a service they directly request. Relatedly, X-Mode must create and maintain a “Sensitive Location Data Program” within 180 days to ensure the aforementioned sale, license, transfer, share, and disclosure of sensitive location data is prevented. This includes appointing a senior officer (such as a chief privacy or compliance officer) responsible for the program, providing written updates to the company’s board or governing body at least annually, implementing internal policies to prevent the use of sensitive location data, and updating the list of sensitive locations at least once every six months (among others).
In addition to all of that, X-Mode must implement protections around other locations not on the sensitive locations list. These protections include stopping companies from linking location data with locations predominantly providing services to LGBTQ+ individuals (such as community service organizations, bars, and other nightlife establishments), locations of political or social demonstrations (including public gatherings of individuals during demonstrations, marches, and protests), or individuals’ private residences. It must implement contractual requirements, technical measures (such as ways to detect buyers’ misuse of data sets), and corporate compliance assessments to ensure these requirements are followed—and to terminate contracts where they are not. Across all of these provisions, the FTC can submit written requests to X-Mode to receive updates on compliance, and the broker must file sworn responses within 14 days.
***
The FTC’s settlement with X-Mode is unprecedented and draws clearly on the FTC’s existing authorities to enforce against unfair trade practices. In the coming months, the FTC can use its authorities and the compliance and reporting requirements in the order with X-Mode to ensure the data broker is appropriately deleting data, constructing a privacy program, and so on. Zooming out beyond the one company, the X-Mode settlement may not deter all location data brokers from selling identified geolocation data; after all, only congressional legislation, or a mix of laws in most states, is likely to achieve that outcome.
Nonetheless, it sends a strong signal to location data brokers selling persistently identified geolocation data—and related, inferred data—about sensitive locations such as schools, medical centers, domestic abuse shelters, and places of worship. The message is that the FTC has the authorities and the expertise to take on these kinds of location data brokerage matters. Collecting location data from consumers who did not fully and affirmatively consent to the collection of their data—and the subsequent sale, linked with persistent identifiers and other inferred data—is an “unfair” trade practice because it causes a substantial injury to consumers, which they cannot reasonably avoid due to the scope of location data tracking, and which is not outweighed by any benefits to consumers or competition. It is highly likely that the FTC will pursue more cases and investigations like this one in the coming years. Indeed, just after announcing the X-Mode settlement, the FTC announced a settlement with data broker InMarket for selling consumers’ geolocation data.
The second part of this analysis will address a related question—to what extent other policymakers should consider the idea of sensitive locations lists in their approaches to companies gathering and selling Americans’ location data.